VPC Default Security Group Accepts All Traffic

  • Query id: 9a4ef195-74b9-4c58-b8ed-2b2fe4353a75
  • Query name: VPC Default Security Group Accepts All Traffic
  • Platform: Terraform
  • Severity: High
  • Category: Networking and Firewall
  • URL: Github

Description

The default security group attached to every VPC should restrict all traffic.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_vpc" "mainvpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.mainvpc.id

  # Inbound rule: every protocol and every port, from members of the group itself.
  ingress {
    protocol  = "-1"
    self      = true
    from_port = 0
    to_port   = 0
  }

  # Outbound rule: every protocol and every port.
  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
  }
}
Positive test num. 2 - tf file
resource "aws_vpc" "mainvpc3" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_default_security_group" "default3" {
  vpc_id = aws_vpc.mainvpc3.id

  # Inbound rule: every protocol and every port, from the group itself and from any IPv6 address.
  ingress {
    protocol         = "-1"
    self             = true
    from_port        = 0
    to_port          = 0
    ipv6_cidr_blocks = ["::/0"]
  }

  # Outbound rule: every protocol and every port, to any IPv4 address.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_vpc" "mainvpc2" {
  cidr_block = "10.1.0.0/16"
}

# No ingress or egress blocks: Terraform strips every rule from the VPC's
# default security group, so it accepts no traffic at all.
resource "aws_default_security_group" "default2" {
  vpc_id = aws_vpc.mainvpc2.id
}
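The same check can be run against a plan outside KICS. The following is an added example, not code from the query or the KICS project: it walks the `planned_values.root_module.resources` list of a `terraform show -json` plan and reports every aws_default_security_group that still carries rules; the assumption that any rule on the default group is a finding, and the "world-open" labels, mirror the samples above rather than the query's own logic.

```python
# Added example (not KICS code): scan a `terraform show -json` plan for
# aws_default_security_group resources that still carry rules. Assumption:
# a default group should carry no rules, so any ingress/egress entry is flagged.


def describe_rule(rule):
    """Return a short label for one ingress/egress rule in plan JSON."""
    proto = str(rule.get("protocol", ""))
    scope = []
    if "0.0.0.0/0" in (rule.get("cidr_blocks") or []):
        scope.append("any IPv4")
    if "::/0" in (rule.get("ipv6_cidr_blocks") or []):
        scope.append("any IPv6")
    if rule.get("self"):
        scope.append("self")
    label = "all protocols" if proto == "-1" else f"protocol {proto}"
    return f"{label} ({', '.join(scope) or 'no peer given'})"


def find_default_sg_rules(plan):
    """Return (address, direction, label) for each rule on a default SG (root module only)."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") != "aws_default_security_group":
            continue
        for direction in ("ingress", "egress"):
            for rule in res.get("values", {}).get(direction) or []:
                findings.append((res["address"], direction, describe_rule(rule)))
    return findings


# Constructed plan fragment mirroring positive test 2 and negative test 1.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_default_security_group.default3",
     "type": "aws_default_security_group",
     "values": {
         "ingress": [{"protocol": "-1", "self": True, "from_port": 0,
                      "to_port": 0, "ipv6_cidr_blocks": ["::/0"]}],
         "egress": [{"protocol": "-1", "from_port": 0, "to_port": 0,
                     "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"address": "aws_default_security_group.default2",
     "type": "aws_default_security_group",
     "values": {"ingress": [], "egress": []}},
]}}}

if __name__ == "__main__":
    for addr, direction, label in find_default_sg_rules(SAMPLE_PLAN):
        print(f"{addr}: {direction} rule allows {label}")
```

Only default3 is reported; default2, which matches the negative sample, produces no findings.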