Security Group With Unrestricted Access To SSH
- Query id: 65905cec-d691-4320-b320-2000436cb696
- Query name: Security Group With Unrestricted Access To SSH
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 732
- Risk score: 5.2
- URL: Github
Description
SSH (TCP port 22) should not be publicly reachable through an AWS Security Group
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Flagged: the TCP/22 ingress lists "0.0.0.0/0" among its sources, so SSH is
# reachable from any IPv4 address. A single public entry is enough; the
# restricted "192.120.0.0/16" entry in the same list does not narrow it.
resource "aws_security_group" "positive1-1" {
name = "allow_tls"
description = "SSH port open"
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.120.0.0/16", "0.0.0.0/0"]
}
}
# Flagged: the first ingress block is restricted to a /16, but the second
# ingress block for the same port also allows "0.0.0.0/0". Every ingress
# block is evaluated on its own; one public block exposes SSH.
resource "aws_security_group" "positive1-2" {
name = "allow_tls"
description = "SSH port open"
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.120.0.0/16"]
}
# This block is the one that opens port 22 to the Internet.
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.121.0.0/16", "0.0.0.0/0"]
}
}
# Flagged: IPv6 counterpart of positive1-1. "::/0" in ipv6_cidr_blocks opens
# TCP/22 to every IPv6 address; the "fd00::/8" entry does not limit it.
resource "aws_security_group" "positive1-3" {
name = "allow_tls"
description = "SSH port open"
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["fd00::/8", "::/0"]
}
}
# Flagged: IPv6 counterpart of positive1-2. The second ingress block allows
# "::/0" for port 22 even though the first block is restricted.
resource "aws_security_group" "positive1-4" {
name = "allow_tls"
description = "SSH port open"
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["fd01::/8"]
}
# This block is the one that opens port 22 to the IPv6 Internet.
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["fd00::/8", "::/0"]
}
}
# Flagged: the IPv4 source is restricted, but ipv6_cidr_blocks still allows
# "::/0". Both address families must be restricted for a rule to be private;
# a narrow IPv4 list gives no protection on the IPv6 side.
resource "aws_security_group" "positive1-5" {
name = "allow_tls"
description = "SSH port open"
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.120.0.0/16"]
ipv6_cidr_blocks = ["::/0"]
}
}
# Flagged: mirror of positive1-5. IPv6 is restricted to "fd00::/8" but the
# IPv4 side allows "0.0.0.0/0", so SSH is public over IPv4.
resource "aws_security_group" "positive1-6" {
name = "allow_tls"
description = "SSH port open"
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["fd00::/8"]
}
}
# Flagged: TCP/22 is open to the whole Internet on both address families
# ("0.0.0.0/0" and "::/0").
resource "aws_security_group" "positive1-7" {
name = "allow_tls"
description = "SSH port open"
ingress {
description = "SSH port open"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
}
Positive test num. 2 - tf file
# Carrier security group with no inline rules; the standalone
# aws_vpc_security_group_ingress_rule resources below attach to it.
# Not flagged by itself - the findings come from the attached rules.
resource "aws_security_group" "ec2" {
description = "ec2 sg"
name = "secgroup-ec2"
vpc_id = var.vpc_id
}
# Flagged: standalone ingress rule that allows TCP/22 from "0.0.0.0/0".
# The newer aws_vpc_security_group_ingress_rule resource takes a single CIDR
# (cidr_ipv4 / cidr_ipv6) rather than a list.
resource "aws_vpc_security_group_ingress_rule" "positive2-1" {
security_group_id = aws_security_group.ec2.id
description = "SSH port open"
cidr_ipv4 = "0.0.0.0/0"
from_port = 22
ip_protocol = "tcp"
to_port = 22
}
# Flagged: ip_protocol "-1" means all protocols. AWS applies "-1" to every
# port regardless of the from_port/to_port given here, so this rule admits
# TCP/22 (and all other traffic) from any IPv6 address ("::/0").
resource "aws_vpc_security_group_ingress_rule" "positive2-2" {
security_group_id = aws_security_group.ec2.id
description = "SSH port open"
cidr_ipv6 = "::/0"
from_port = 22
ip_protocol = "-1"
to_port = 22
}
Positive test num. 3 - tf file
# Carrier security group with no inline rules; the aws_security_group_rule
# resources below attach to it. Not flagged by itself.
resource "aws_security_group" "ec2" {
description = "ec2 sg"
name = "secgroup-ec2"
vpc_id = var.vpc_id
}
# Flagged: legacy standalone rule resource allowing TCP/22 from "0.0.0.0/0".
resource "aws_security_group_rule" "positive3-1" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.ec2.id
description = "SSH port open"
}
# Flagged: protocol "-1" (all protocols) from "::/0". With "-1" the port
# range is not a restriction, so TCP/22 is included.
resource "aws_security_group_rule" "positive3-2" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "-1"
ipv6_cidr_blocks = ["::/0"]
security_group_id = aws_security_group.ec2.id
description = "SSH port open"
}
Positive test num. 4 - tf file
# Flagged: the terraform-aws-modules security-group module is also covered.
# The rule does not name port 22 explicitly, but the range 10-30 contains it,
# protocol "-1" covers TCP, and the source is "0.0.0.0/0".
module "vote_service_sg_ipv4" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "SSH port open"
vpc_id = "vpc-12345678"
ingress_with_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 10
to_port = 30
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
]
}
# Flagged: IPv6 variant of the module case above. TCP ports 10-30 (which
# include 22) are open to "::/0" via ingress_with_ipv6_cidr_blocks.
module "vote_service_sg_ipv6" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "SSH port open"
vpc_id = "vpc-12345678"
ingress_with_ipv6_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 10
to_port = 30
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}
]
}
# Flagged: a list of ingress rules. The first entry opens TCP/22 with
# "0.0.0.0/0" in its list; the third entry (TCP 0-40 from "0.0.0.0/0")
# also covers port 22. The second entry is private and would not flag alone.
module "vote_service_sg_ipv4_array" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "SSH port open"
vpc_id = "vpc-12345678"
ingress_with_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.168.0.0/16", "10.0.0.0/8", "0.0.0.0/0"]
},
{
description = "TLS from VPC"
from_port = 28000
to_port = 28001
protocol = "tcp"
cidr_blocks = ["10.0.0.0/8"]
},
{
description = "TLS from VPC"
from_port = 0
to_port = 40
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
},
]
}
# Flagged: IPv6 list variant. The first entry uses protocol "-1" on port 22
# with "::/0" in its list; the third entry (TCP 0-40 from "::/0") also
# includes port 22. The second entry is restricted to a /56 and is not the
# cause of the finding.
module "vote_service_sg_ipv6_array" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "SSH port open"
vpc_id = "vpc-12345678"
ingress_with_ipv6_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 22
to_port = 22
protocol = "-1"
ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/24", "2401:fa00:4:1a::abcd/128", "::/0"]
},
{
description = "TLS from VPC"
from_port = 28000
to_port = 28001
protocol = "tcp"
ipv6_cidr_blocks = ["2606:4700:3033::6815:3e3/56"]
},
{
description = "TLS from VPC"
from_port = 0
to_port = 40
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}
]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Not flagged: the ingress block declares no source at all (no cidr_blocks,
# ipv6_cidr_blocks or security group reference), so there is nothing public
# to match. As written this rule has no source and is fixture-only, not a
# deployable pattern.
resource "aws_security_group" "negative1-1" {
ingress {
description = "Remote desktop open private"
from_port = 18
to_port = 30
protocol = "tcp"
}
}
# Not flagged: TCP/22 is limited to two specific /16 ranges; no entry is
# "0.0.0.0/0". This is the intended remediation shape - an explicit source
# allow-list.
resource "aws_security_group" "negative1-2" {
ingress {
description = "TLS from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.120.0.0/16", "75.132.0.0/16"]
}
}
# Not flagged: IPv6 sources are two unique-local /8 prefixes; "::/0" is absent.
resource "aws_security_group" "negative1-3" {
ingress {
description = "TLS from VPC"
from_port = 22
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["fd00::/8", "fd01::/8"]
}
}
# Not flagged by THIS query: both blocks are open to the Internet, but the
# port range 30-2000 does not include 22. Ports 30-2000 are still publicly
# exposed here, which other queries may report; passing this check does not
# make the group private.
resource "aws_security_group" "negative1-4" {
name = "allow_tls"
description = "sample"
ingress {
description = "sample"
from_port = 30
to_port = 2000
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "sample"
from_port = 30
to_port = 2000
protocol = "tcp"
ipv6_cidr_blocks = ["fd00::/8", "::/0"]
}
}
# Not flagged: TCP/22 with both address families restricted to specific
# ranges. Compare positive1-5 / positive1-6, where one family is left open.
resource "aws_security_group" "negative1-5" {
name = "allow_tls"
description = "sample"
ingress {
description = "sample"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.120.0.0/16"]
ipv6_cidr_blocks = ["fd00::/8"]
}
}
# Not flagged: port 22 is public, but only over UDP. The query targets SSH,
# which is TCP/22, so a UDP rule is out of its scope. UDP/22 open to the
# Internet is still unusual and worth reviewing on its own merits.
resource "aws_security_group" "negative1-6" {
name = "allow_tls"
description = "sample"
ingress {
description = "sample"
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
description = "sample"
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["fd00::/8", "::/0"]
}
}
Negative test num. 2 - tf file
# Carrier security group for the standalone ingress rules below; no inline
# rules, so nothing to flag here.
resource "aws_security_group" "ec2" {
description = "ec2 sg"
name = "secgroup-ec2"
vpc_id = var.vpc_id
}
# Not flagged: no cidr_ipv4 / cidr_ipv6 source is set. Note the rule refers
# to aws_security_group.negative, which is not declared in this sample; it is
# a fixture for the query, not a complete configuration.
resource "aws_vpc_security_group_ingress_rule" "negative2-1" {
security_group_id = aws_security_group.negative.id
from_port = 22
to_port = 22
ip_protocol = "tcp"
description = "TLS from VPC"
}
# Not flagged, but do not copy this as a safe pattern: "0.0.1.0/0" is not
# the literal "0.0.0.0/0" the query appears to compare against, yet a /0
# prefix length on any address still denotes the entire IPv4 space.
# Treat it as a query-precision edge case, not as a private source.
resource "aws_vpc_security_group_ingress_rule" "negative2-2" {
security_group_id = aws_security_group.ec2.id
cidr_ipv4 = "0.0.1.0/0"
from_port = 22
to_port = 22
ip_protocol = "tcp"
description = "allows RDP from Internet"
}
# Not flagged: all protocols ("-1") are allowed, but only from a specific
# IPv6 /64, so the source is restricted. Compare positive2-2 ("::/0").
resource "aws_vpc_security_group_ingress_rule" "negative2-3" {
security_group_id = aws_security_group.ec2.id
cidr_ipv6 = "2001:db8:abcd:0012::/64"
from_port = 22
to_port = 22
ip_protocol = "-1"
description = "allows RDP from Internet"
}
# Not flagged by THIS query: public IPv4 source, but the range 30-2000 does
# not contain port 22. Ports 30-2000 remain Internet-exposed.
resource "aws_vpc_security_group_ingress_rule" "negative2-4" {
security_group_id = aws_security_group.ec2.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 30
to_port = 2000
ip_protocol = "tcp"
description = "allows RDP from Internet"
}
# Not flagged by THIS query: IPv6 counterpart of negative2-4 - "::/0" but the
# port range 30-2000 excludes 22.
resource "aws_vpc_security_group_ingress_rule" "negative2-5" {
security_group_id = aws_security_group.ec2.id
cidr_ipv6 = "::/0"
from_port = 30
to_port = 2000
ip_protocol = "tcp"
description = "allows RDP from Internet"
}
# Not flagged: port 22 from "0.0.0.0/0", but over UDP. SSH is TCP, so this
# is outside the query's scope (see negative1-6).
resource "aws_vpc_security_group_ingress_rule" "negative2-6" {
security_group_id = aws_security_group.ec2.id
cidr_ipv4 = "0.0.0.0/0"
from_port = 22
to_port = 22
ip_protocol = "udp"
description = "allows RDP from Internet"
}
# Not flagged: UDP/22 from "::/0"; UDP is not SSH and is out of scope here.
resource "aws_vpc_security_group_ingress_rule" "negative2-7" {
security_group_id = aws_security_group.ec2.id
cidr_ipv6 = "::/0"
from_port = 22
to_port = 22
ip_protocol = "udp"
description = "allows RDP from Internet"
}
Negative test num. 3 - tf file
# Carrier security group for the aws_security_group_rule resources below;
# no inline rules, nothing to flag.
resource "aws_security_group" "ec2" {
description = "ec2 sg"
name = "secgroup-ec2"
vpc_id = var.vpc_id
}
# Not flagged: no cidr_blocks / ipv6_cidr_blocks source is given. The
# referenced aws_security_group.negative is not declared in this sample;
# fixture-only.
resource "aws_security_group_rule" "negative3-1" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
security_group_id = aws_security_group.negative.id
description = "TLS from VPC"
}
# Not flagged, but not a safe pattern: "0.0.1.0/0" is not the literal
# "0.0.0.0/0" the query appears to look for, while a /0 prefix still spans
# the whole IPv4 range. Same caveat as negative2-2.
resource "aws_security_group_rule" "negative3-2" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.1.0/0"]
security_group_id = aws_security_group.ec2.id
description = "allows RDP from Internet (IPv4)"
}
# Not flagged: the range 15-25 contains 22 and protocol "-1" covers TCP,
# but the only source is a specific IPv6 /64, so the rule is not public.
resource "aws_security_group_rule" "negative3-3" {
type = "ingress"
from_port = 15
to_port = 25
protocol = "-1"
ipv6_cidr_blocks = ["2001:db8:abcd:0012::/64"]
security_group_id = aws_security_group.ec2.id
description = "allows RDP from Internet (IPv6)"
}
# Not flagged by THIS query: "::/0" source, but TCP 30-2000 excludes 22.
# Those ports remain Internet-exposed.
resource "aws_security_group_rule" "negative3-4" {
type = "ingress"
from_port = 30
to_port = 2000
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
security_group_id = aws_security_group.ec2.id
description = "allows RDP from Internet (IPv6)"
}
# Not flagged by THIS query: "0.0.0.0/0" source, but TCP 30-2000 excludes 22.
resource "aws_security_group_rule" "negative3-5" {
type = "ingress"
from_port = 30
to_port = 2000
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.ec2.id
description = "allows RDP from Internet (IPv4)"
}
# Not flagged: UDP/22 from "::/0". SSH is TCP; UDP is out of scope.
resource "aws_security_group_rule" "negative3-6" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["::/0"]
security_group_id = aws_security_group.ec2.id
description = "allows RDP from Internet (IPv6)"
}
# Not flagged: UDP/22 from "0.0.0.0/0". SSH is TCP; UDP is out of scope.
resource "aws_security_group_rule" "negative3-7" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = aws_security_group.ec2.id
description = "allows RDP from Internet (IPv4)"
}
Negative test num. 4 - tf file
# Not flagged: protocol "-1" with ports 0-0 admits all traffic, but the
# source is a single host given without a prefix length ("1.2.3.4"), not
# "0.0.0.0/0". A fixture value - a deployable rule would carry "/32".
module "vote_service_sg_ipv4" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_with_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["1.2.3.4"]
}
]
}
# Not flagged: the only source is a specific IPv6 /64, and the TCP port
# range 0-0 does not include 22.
module "vote_service_sg_ipv6" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_with_ipv6_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 0
to_port = 0
protocol = "tcp"
ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/64"]
}
]
}
# Not flagged: as the module name says, TCP 30-2000 does not cover port 22.
# Note the source "0.0.0.0" has no prefix length - it is not the literal
# "0.0.0.0/0" and is not a valid CIDR as written; fixture value only.
module "vote_service_sg_ipv4_port_22_not_covered" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_with_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 30
to_port = 2000
protocol = "tcp"
cidr_blocks = ["0.0.0.0"]
}
]
}
# Not flagged: entry 1 opens port 22 to "0.0.0.0/0" but over UDP (not SSH);
# entry 2 is a private /16 on unrelated ports; entry 3 covers 20-22 over TCP
# but from a specific /23. The "8.8.8.8/24" and "192.01.01.02/23" values are
# non-canonical fixture CIDRs, not something to reuse.
module "vote_service_sg_ipv4_array" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_with_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 22
to_port = 22
protocol = "udp"
cidr_blocks = ["0.0.0.0/0", "8.8.8.8/24"]
},
{
description = "TLS from VPC"
from_port = 28000
to_port = 28001
protocol = "tcp"
cidr_blocks = ["10.0.0.0/16"]
},
{
description = "TLS from VPC"
from_port = 20
to_port = 22
protocol = "tcp"
cidr_blocks = ["192.01.01.02/23"]
}
]
}
# Not flagged: entry 1 has "::/0" but is UDP/22 (not SSH); entry 2 lists an
# IPv4 CIDR ("10.0.0.0/16") in an IPv6 field - a fixture artifact, not a
# valid IPv6 source; entry 3 covers TCP 20-22 from a specific /56; entry 4
# is "::/0" on TCP 28000-28001, which does not include 22 but leaves those
# ports Internet-exposed.
module "vote_service_sg_ipv6_array" {
source = "terraform-aws-modules/security-group/aws"
version = "4.3.0"
name = "user-service"
description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
vpc_id = "vpc-12345678"
ingress_with_ipv6_cidr_blocks = [
{
description = "TLS from VPC"
from_port = 22
to_port = 22
protocol = "udp"
ipv6_cidr_blocks = ["2001:0db8:85a3::8a2e:0370:7334/64", "::/0"]
},
{
description = "TLS from VPC"
from_port = 28000
to_port = 28001
protocol = "tcp"
ipv6_cidr_blocks = ["10.0.0.0/16"]
},
{
description = "TLS from VPC"
from_port = 20
to_port = 22
protocol = "tcp"
ipv6_cidr_blocks = ["2606:4700:3033::6815:3e3/56"]
},
{
description = "TLS from VPC"
from_port = 28000
to_port = 28001
protocol = "tcp"
ipv6_cidr_blocks = ["::/0"]
}
]
}