Security Group Without Description

  • Query id: cb3f5ed6-0d18-40de-a93d-b3538db31e8c
  • Query name: Security Group Without Description
  • Platform: Terraform
  • Severity: Info
  • Category: Best Practices
  • CWE: 710
  • Risk score: 0.0
  • URL: Github

Description

It's considered a best practice for an AWS Security Group to have a description. The query flags `aws_security_group` resources, and `terraform-aws-modules/security-group/aws` module blocks, whose `description` attribute is missing or set to `null`.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "aws_security_group" "positive1-1" {
  name        = "positive1-1"
  vpc_id      = aws_vpc.main.id

}

resource "aws_security_group" "positive1-2" {
  name        = "positive1-2"
  vpc_id      = aws_vpc.main.id
  description = null

}
Positive test num. 2 - tf file
module "positive2-1" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "positive2-1"
  vpc_id      = "vpc-12345678"

}

module "positive2-2" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "positive2-2"
  description = null
  vpc_id      = "vpc-12345678"

}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "aws_security_group" "negative1" {
  name        = "negative1"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id

}
Negative test num. 2 - tf file
module "negative2" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "negative2"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

}
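The following Python script is an added example, not the KICS query itself (KICS queries are written in Rego and this page does not show the query body). It applies the rule above to the page's own positive and negative samples, embedded inline as constructed test input: a small regex-based reader picks out top-level `resource` and `module` blocks and their single-line attributes (it is not a full HCL parser and ignores nested blocks), treats a module as a security group when its `source` is `terraform-aws-modules/security-group/aws`, and reports any such block whose `description` is absent or `null`. As an extension of mine beyond the page's samples, it also reports an empty-string `description`.

```python
import re

# Constructed input: the positive and negative samples from this page, in order.
SAMPLE_TF = """
resource "aws_security_group" "positive1-1" {
  name        = "positive1-1"
  vpc_id      = aws_vpc.main.id
}

resource "aws_security_group" "positive1-2" {
  name        = "positive1-2"
  vpc_id      = aws_vpc.main.id
  description = null
}

module "positive2-1" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"
  name        = "positive2-1"
  vpc_id      = "vpc-12345678"
}

module "positive2-2" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"
  name        = "positive2-2"
  description = null
  vpc_id      = "vpc-12345678"
}

resource "aws_security_group" "negative1" {
  name        = "negative1"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id
}

module "negative2" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"
  name        = "negative2"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"
}
"""

SG_MODULE_SOURCE = "terraform-aws-modules/security-group/aws"

# Top-level `resource "type" "name" {` or `module "name" {` up to a `}` at line start.
BLOCK_RE = re.compile(
    r'^(resource|module)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{(.*?)^\}', re.S | re.M
)
# Flat `key = value` attributes, one per line (nested blocks are not handled).
ATTR_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$', re.M)


def parse_blocks(hcl):
    """Yield (kind, first_label, address, attrs) for each top-level block."""
    for m in BLOCK_RE.finditer(hcl):
        kind, first, second, body = m.groups()
        attrs = dict(ATTR_RE.findall(body))
        address = f"{kind}.{first}" if second is None else f"{kind}.{first}.{second}"
        yield kind, first, address, attrs


def is_security_group(kind, first, attrs):
    """Resource blocks match on type; module blocks match on the registry source."""
    if kind == "resource":
        return first == "aws_security_group"
    return attrs.get("source", "").strip('"') == SG_MODULE_SOURCE


def missing_description(attrs):
    """Return a reason string when the description is unusable, else None."""
    desc = attrs.get("description")
    if desc is None:
        return "description is undefined"
    if desc == "null":
        return "description is null"
    if desc.strip('"').strip() == "":
        return "description is empty"  # my extension beyond the page's samples
    return None


def find_findings(hcl):
    """Return [(address, reason)] for every security group lacking a description."""
    findings = []
    for kind, first, address, attrs in parse_blocks(hcl):
        if not is_security_group(kind, first, attrs):
            continue
        reason = missing_description(attrs)
        if reason:
            findings.append((address, reason))
    return findings


if __name__ == "__main__":
    for address, reason in find_findings(SAMPLE_TF):
        print(f"[Info] {address}: {reason}")
```

Run as-is, it reports the four positive blocks and stays silent on the two negative ones. A real scan would read `.tf` files from a directory and, for production use, should parse HCL with a proper library rather than regexes, since `description` can also be set via a variable or a `locals` value that this flat reader cannot resolve.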