Security Group Rule Without Description
- Query id: 68eb4bf3-f9bf-463d-b5cf-e029bb446d2e
- Query name: Security Group Rule Without Description
- Platform: Terraform
- Severity: Info
- Category: Best Practices
- CWE: 710
- Risk score: 0.0
- URL: Github
Description
It is considered a best practice for every rule in an AWS Security Group to have a description.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive sample: neither the ingress nor the egress block carries a
# `description`, which is the condition this query reports.
resource "aws_security_group" "positive1" {
  # Inbound HTTPS from the VPC's own IPv4 and IPv6 ranges.
  ingress {
    protocol         = "tcp"
    from_port        = 443
    to_port          = 443
    cidr_blocks      = [aws_vpc.main.cidr_block]
    ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
  }

  # Outbound: every protocol ("-1") and port to any IPv4/IPv6 destination.
  egress {
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
Positive test num. 2 - tf file
# Positive sample: two inbound rules (HTTP and HTTPS) from any IPv4 source,
# both written without a `description`.
resource "aws_security_group" "positive2-1" {
  ingress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Positive sample: the same check applies to egress blocks — both outbound
# rules below (HTTP and HTTPS to any IPv4 destination) lack a `description`.
resource "aws_security_group" "positive2-2" {
  egress {
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Positive test num. 3 - tf file
# Positive sample: a standalone `aws_security_group_rule` (inbound HTTP from
# any IPv4 source) with no `description` attribute.
# NOTE: this sample does not set `security_group_id`; it is a minimal fixture
# for the query, not a deployable rule.
resource "aws_security_group_rule" "positive3-1" {
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.0.0/0"]
}
# Positive sample: a standalone egress rule (HTTPS to any IPv4 destination)
# with no `description` attribute.
# NOTE: `security_group_id` is omitted here as well; minimal fixture only.
resource "aws_security_group_rule" "positive3-2" {
  type        = "egress"
  protocol    = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_blocks = ["0.0.0.0/0"]
}
Positive test num. 4 - tf file (no sample shown on this page)
Positive test num. 5 - tf file
# Positive sample: rules declared through the terraform-aws-modules
# security-group module. Every entry in the `*_with_cidr_blocks` lists below
# omits `description`, so each one is reported.
module "positive5_ipv4_array" {
  source = "terraform-aws-modules/security-group/aws"

  ingress_with_cidr_blocks = [
    {
      protocol    = "udp"
      from_port   = 2383
      to_port     = 2383
      cidr_blocks = ["0.1.1.1/21", "8.8.8.8/24"]
    },
    {
      protocol    = "tcp"
      from_port   = 28000
      to_port     = 28001
      cidr_blocks = ["10.0.0.0/16"]
    },
  ]

  egress_with_cidr_blocks = [
    {
      protocol    = "udp"
      from_port   = 2383
      to_port     = 2383
      cidr_blocks = ["0.1.1.1/21", "8.8.8.8/24"]
    },
    {
      protocol    = "tcp"
      from_port   = 28000
      to_port     = 28001
      cidr_blocks = ["10.0.0.0/16"]
    },
  ]
}
# Positive sample: IPv6 variant of the module-based rules. Every entry in the
# `*_with_ipv6_cidr_blocks` lists below omits `description`.
module "positive5_ipv6_array" {
  source = "terraform-aws-modules/security-group/aws"

  ingress_with_ipv6_cidr_blocks = [
    {
      protocol         = "udp"
      from_port        = 2383
      to_port          = 2383
      ipv6_cidr_blocks = ["fd00::/8", "2001:4860:4860::8888/64"]
    },
    {
      protocol         = "tcp"
      from_port        = 28000
      to_port          = 28001
      ipv6_cidr_blocks = ["fc00::/7"]
    },
  ]

  egress_with_ipv6_cidr_blocks = [
    {
      protocol         = "udp"
      from_port        = 2383
      to_port          = 2383
      ipv6_cidr_blocks = ["fd00::/8", "2001:4860:4860::8888/64"]
    },
    {
      protocol         = "tcp"
      from_port        = 28000
      to_port          = 28001
      ipv6_cidr_blocks = ["fc00::/7"]
    },
  ]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Negative sample: both rule blocks carry a `description`, so this query does
# not report them. (The egress rule still allows all traffic to any
# destination; that is outside what this query checks.)
resource "aws_security_group" "negative1" {
  # Inbound HTTPS from the VPC's own IPv4 and IPv6 ranges.
  ingress {
    description      = "sample_description"
    protocol         = "tcp"
    from_port        = 443
    to_port          = 443
    cidr_blocks      = [aws_vpc.main.cidr_block]
    ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
  }

  # Outbound: every protocol ("-1") and port to any IPv4/IPv6 destination.
  egress {
    description      = "sample_description"
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
Negative test num. 2 - tf file
# Negative sample: two inbound rules (HTTP and HTTPS from any IPv4 source),
# each with a `description`.
resource "aws_security_group" "negative2-1" {
  ingress {
    description = "sample_description"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "sample_description"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Negative sample: two outbound rules (HTTP and HTTPS to any IPv4
# destination), each with a `description`.
resource "aws_security_group" "negative2-2" {
  egress {
    description = "sample_description"
    protocol    = "tcp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "sample_description"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Negative test num. 3 - tf file
# Negative sample: a standalone inbound rule (HTTP from any IPv4 source)
# that carries a `description`.
# NOTE: `security_group_id` is omitted; this is a minimal fixture only.
resource "aws_security_group_rule" "negative3-1" {
  type        = "ingress"
  description = "sample_description"
  protocol    = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.0.0/0"]
}
# Negative sample: a standalone egress rule (HTTPS to any IPv4 destination)
# that carries a `description`.
# NOTE: `security_group_id` is omitted; this is a minimal fixture only.
resource "aws_security_group_rule" "negative3-2" {
  type        = "egress"
  description = "sample_description"
  protocol    = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_blocks = ["0.0.0.0/0"]
}
Negative test num. 4 - tf file
# Negative sample using the newer per-rule resource type: inbound HTTP from
# a single private /24, with a `description` present.
resource "aws_vpc_security_group_ingress_rule" "negative4-1" {
  description = "sample_description"
  ip_protocol = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_ipv4   = "192.168.1.0/24"
}
# Negative sample using the newer per-rule resource type: outbound, every
# protocol ("-1") to any IPv4 destination, with a `description` present.
resource "aws_vpc_security_group_egress_rule" "negative4-2" {
  description = "sample_description"
  ip_protocol = "-1"
  from_port   = 0
  to_port     = 0
  cidr_ipv4   = "0.0.0.0/0"
}
Negative test num. 5 - tf file
# Negative sample: module-based rules where every entry in the
# `*_with_cidr_blocks` lists carries a `description`.
module "negative5_ipv4_array" {
  source = "terraform-aws-modules/security-group/aws"

  ingress_with_cidr_blocks = [
    {
      description = "sample_description"
      protocol    = "udp"
      from_port   = 2383
      to_port     = 2383
      cidr_blocks = ["0.1.1.1/21", "8.8.8.8/24"]
    },
    {
      description = "sample_description"
      protocol    = "tcp"
      from_port   = 28000
      to_port     = 28001
      cidr_blocks = ["10.0.0.0/16"]
    },
  ]

  egress_with_cidr_blocks = [
    {
      description = "sample_description"
      protocol    = "udp"
      from_port   = 2383
      to_port     = 2383
      cidr_blocks = ["0.1.1.1/21", "8.8.8.8/24"]
    },
    {
      description = "sample_description"
      protocol    = "tcp"
      from_port   = 28000
      to_port     = 28001
      cidr_blocks = ["10.0.0.0/16"]
    },
  ]
}
# Negative sample: IPv6 variant of the module-based rules, where every entry
# in the `*_with_ipv6_cidr_blocks` lists carries a `description`.
module "negative5_ipv6_array" {
  source = "terraform-aws-modules/security-group/aws"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "sample_description"
      protocol         = "udp"
      from_port        = 2383
      to_port          = 2383
      ipv6_cidr_blocks = ["fd00::/8", "2001:4860:4860::8888/64"]
    },
    {
      description      = "sample_description"
      protocol         = "tcp"
      from_port        = 28000
      to_port          = 28001
      ipv6_cidr_blocks = ["fc00::/7"]
    },
  ]

  egress_with_ipv6_cidr_blocks = [
    {
      description      = "sample_description"
      protocol         = "udp"
      from_port        = 2383
      to_port          = 2383
      ipv6_cidr_blocks = ["fd00::/8", "2001:4860:4860::8888/64"]
    },
    {
      description      = "sample_description"
      protocol         = "tcp"
      from_port        = 28000
      to_port          = 28001
      ipv6_cidr_blocks = ["fc00::/7"]
    },
  ]
}