HTTP Port Open To Internet
- Query id: ffac8a12-322e-42c1-b9b9-81ff85c39ef7
- Query name: HTTP Port Open To Internet
- Platform: Terraform
- Severity: Medium
- Category: Networking and Firewall
- CWE: 319
- Risk score: 4.9
- URL: Github
Description
An ingress rule in a Security Group (or a standalone security-group rule) exposes the HTTP port (TCP 80, or a port range that includes it, or all protocols) to the whole internet, i.e. a source of `0.0.0.0/0` or `::/0`.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Flagged: the TCP range 78-91 covers port 80 and the IPv4 source is the
# whole internet.
resource "aws_security_group" "positive1-1" {
  description = "HTTP port open"
  name        = "allow_tls"

  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTP port open"
    protocol    = "tcp"
    from_port   = 78
    to_port     = 91
  }
}
# Flagged because of the second ingress block: 65-81 includes port 80 and the
# source is 0.0.0.0/0. The first block uses "0.0.0.2/0", which is not the
# literal any-address CIDR the query matches.
resource "aws_security_group" "positive1-2" {
  description = "HTTP port open"
  name        = "allow_tls"

  ingress {
    cidr_blocks = ["0.0.0.2/0"]
    description = "HTTP port open"
    protocol    = "tcp"
    from_port   = 60
    to_port     = 85
  }

  ingress {
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTP port open"
    protocol    = "tcp"
    from_port   = 65
    to_port     = 81
  }
}
# Flagged: 22-88 includes port 80 and the IPv6 source ::/0 is the whole
# internet.
resource "aws_security_group" "positive1-3" {
  description = "HTTP port open"
  name        = "allow_tls"

  ingress {
    ipv6_cidr_blocks = ["::/0"]
    description      = "HTTP port open"
    protocol         = "tcp"
    from_port        = 22
    to_port          = 88
  }
}
# Flagged because of the second ingress block: its source list contains ::/0
# alongside a private prefix, and 65-81 includes port 80. The first block is
# limited to fd01::/8.
resource "aws_security_group" "positive1-4" {
  description = "HTTP port open"
  name        = "allow_tls"

  ingress {
    ipv6_cidr_blocks = ["fd01::/8"]
    description      = "HTTP port open"
    protocol         = "tcp"
    from_port        = 60
    to_port          = 85
  }

  ingress {
    ipv6_cidr_blocks = ["fd00::/8", "::/0"]
    description      = "HTTP port open"
    protocol         = "tcp"
    from_port        = 65
    to_port          = 81
  }
}
# Flagged: the IPv4 source is restricted, but the same rule also admits every
# IPv6 address (::/0) on TCP 80.
resource "aws_security_group" "positive1-5" {
  description = "HTTP port open"
  name        = "allow_tls"

  ingress {
    cidr_blocks      = ["192.120.0.0/16"]
    ipv6_cidr_blocks = ["::/0"]
    description      = "HTTP port open"
    protocol         = "tcp"
    from_port        = 80
    to_port          = 80
  }
}
# Flagged: the IPv6 source is restricted, but TCP 80 is open to every IPv4
# address (0.0.0.0/0).
resource "aws_security_group" "positive1-6" {
  description = "HTTP port open"
  name        = "allow_tls"

  ingress {
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["fd00::/8"]
    description      = "HTTP port open"
    protocol         = "tcp"
    from_port        = 80
    to_port          = 80
  }
}
# Flagged: TCP 80 is open to the whole internet over both IPv4 and IPv6.
resource "aws_security_group" "positive1-7" {
  description = "HTTP port open"
  name        = "allow_tls"

  ingress {
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
    description      = "HTTP port open"
    protocol         = "tcp"
    from_port        = 80
    to_port          = 80
  }
}
Positive test num. 2 - tf file
# Empty security group; the standalone ingress-rule resources below attach to
# it by id. The group itself carries no rules and is not what gets flagged.
resource "aws_security_group" "ec2" {
  name        = "secgroup-ec2"
  description = "ec2 sg"
  vpc_id      = var.vpc_id
}
# Flagged: TCP 70-82 includes port 80 and cidr_ipv4 is the whole IPv4
# internet.
resource "aws_vpc_security_group_ingress_rule" "positive2-1" {
  security_group_id = aws_security_group.ec2.id
  description       = "HTTP port open"

  ip_protocol = "tcp"
  from_port   = 70
  to_port     = 82
  cidr_ipv4   = "0.0.0.0/0"
}
# Flagged: ip_protocol "-1" means every protocol (so TCP is included), the
# range 79-100 covers port 80, and the IPv6 source is ::/0.
resource "aws_vpc_security_group_ingress_rule" "positive2-2" {
  security_group_id = aws_security_group.ec2.id
  description       = "HTTP port open"

  ip_protocol = "-1"
  from_port   = 79
  to_port     = 100
  cidr_ipv6   = "::/0"
}
Positive test num. 3 - tf file
# Empty security group referenced by the aws_security_group_rule resources
# below; the rules, not the group, carry the exposure.
resource "aws_security_group" "ec2" {
  name        = "secgroup-ec2"
  description = "ec2 sg"
  vpc_id      = var.vpc_id
}
# Flagged: ingress rule for TCP 80 with the whole IPv4 internet as source.
resource "aws_security_group_rule" "positive3-1" {
  security_group_id = aws_security_group.ec2.id
  description       = "HTTP port open"
  type              = "ingress"

  protocol    = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.0.0/0"]
}
# Flagged: protocol "-1" (all protocols) on port 80 from every IPv6 address.
resource "aws_security_group_rule" "positive3-2" {
  security_group_id = aws_security_group.ec2.id
  description       = "HTTP port open"
  type              = "ingress"

  protocol         = "-1"
  from_port        = 80
  to_port          = 80
  ipv6_cidr_blocks = ["::/0"]
}
Positive test num. 4 - tf file
# Flagged: the community security-group module is also checked. The single
# ingress_with_cidr_blocks entry allows all protocols on 70-120 (covers 80)
# from 0.0.0.0/0.
module "vote_service_sg_ipv4" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "HTTP port open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      protocol    = "-1"
      from_port   = 70
      to_port     = 120
      cidr_blocks = ["0.0.0.0/0"]
    },
  ]
}
# Flagged: TCP 70-120 includes port 80 and the IPv6 source is ::/0.
module "vote_service_sg_ipv6" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "HTTP port open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      protocol         = "tcp"
      from_port        = 70
      to_port          = 120
      ipv6_cidr_blocks = ["::/0"]
    },
  ]
}
# Flagged twice: the first entry (0-100) lists 0.0.0.0/0 among private
# prefixes, and the third entry (78-84) is open to 0.0.0.0/0 outright. The
# middle entry (28000-28001 from 10.0.0.0/8) is fine.
module "vote_service_sg_ipv4_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "HTTP port open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      protocol    = "tcp"
      from_port   = 0
      to_port     = 100
      cidr_blocks = ["192.168.0.0/16", "10.0.0.0/8", "0.0.0.0/0"]
    },
    {
      description = "TLS from VPC"
      protocol    = "tcp"
      from_port   = 28000
      to_port     = 28001
      cidr_blocks = ["10.0.0.0/8"]
    },
    {
      description = "TLS from VPC"
      protocol    = "tcp"
      from_port   = 78
      to_port     = 84
      cidr_blocks = ["0.0.0.0/0"]
    },
  ]
}
# Flagged twice: the first entry (all protocols, 0-100) has ::/0 in its
# source list, and the third entry (TCP 79-81) is open to ::/0. The middle
# entry is limited to a single /56.
module "vote_service_sg_ipv6_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "HTTP port open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      protocol         = "-1"
      from_port        = 0
      to_port          = 100
      ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/24", "2401:fa00:4:1a::abcd/128", "::/0"]
    },
    {
      description      = "TLS from VPC"
      protocol         = "tcp"
      from_port        = 28000
      to_port          = 28001
      ipv6_cidr_blocks = ["2606:4700:3033::6815:3e3/56"]
    },
    {
      description      = "TLS from VPC"
      protocol         = "tcp"
      from_port        = 79
      to_port          = 81
      ipv6_cidr_blocks = ["::/0"]
    },
  ]
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Not flagged: the port range covers 80, but no cidr_blocks /
# ipv6_cidr_blocks source is declared at all.
resource "aws_security_group" "negative1-1" {
  ingress {
    description = "Remote desktop open private"
    protocol    = "tcp"
    from_port   = 70
    to_port     = 81
  }
}
# Not flagged: the source is not the literal 0.0.0.0/0 the query matches.
# Review note: a /0 prefix length spans the whole IPv4 space regardless of
# the base address, so treat this as a matching edge case rather than a
# safe rule; whether the provider or API normalizes such a CIDR is not
# shown here.
resource "aws_security_group" "negative1-2" {
  ingress {
    description = "Remote desktop open private"
    protocol    = "tcp"
    from_port   = 79
    to_port     = 100
    cidr_blocks = ["0.1.0.0/0"]
  }
}
# Not flagged: the range 3380-3450 does not include port 80 and the IPv6
# source is a single /64, not ::/0.
resource "aws_security_group" "negative1-3" {
  ingress {
    description      = "Remote desktop open private"
    protocol         = "tcp"
    from_port        = 3380
    to_port          = 3450
    ipv6_cidr_blocks = ["2001:db8:abcd:0012::/64"]
  }
}
# Not flagged: both rules are open to the whole internet, but 100-200 does
# not include port 80, so this query does not apply (other queries may).
resource "aws_security_group" "negative1-4" {
  description = "sample"
  name        = "allow_tls"

  ingress {
    description = "sample"
    protocol    = "tcp"
    from_port   = 100
    to_port     = 200
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description      = "sample"
    protocol         = "tcp"
    from_port        = 100
    to_port          = 200
    ipv6_cidr_blocks = ["fd00::/8", "::/0"]
  }
}
# Not flagged: TCP 80 is exposed only to a specific IPv4 /16 and the
# fd00::/8 IPv6 range, neither of which is an any-address CIDR.
resource "aws_security_group" "negative1-5" {
  description = "sample"
  name        = "allow_tls"

  ingress {
    description      = "sample"
    protocol         = "tcp"
    from_port        = 80
    to_port          = 80
    cidr_blocks      = ["192.120.0.0/16"]
    ipv6_cidr_blocks = ["fd00::/8"]
  }
}
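# Not flagged: port 80 is reachable from the internet, but only over UDP;
# the query targets HTTP over TCP (or all protocols via "-1").
#
# Renamed from "negative1-5": the original sample reused the label of the
# previous resource, and two resources with the same address are invalid
# Terraform.
resource "aws_security_group" "negative1-6" {
  description = "sample"
  name        = "allow_tls"

  ingress {
    description = "sample"
    protocol    = "udp"
    from_port   = 80
    to_port     = 80
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description      = "sample"
    protocol         = "udp"
    from_port        = 80
    to_port          = 80
    ipv6_cidr_blocks = ["fd00::/8", "::/0"]
  }
}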
Negative test num. 2 - tf file
# Empty security group that the negative aws_vpc_security_group_ingress_rule
# samples attach to.
resource "aws_security_group" "ec2" {
  name        = "secgroup-ec2"
  description = "ec2 sg"
  vpc_id      = var.vpc_id
}
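# Not flagged: TCP 80, but no cidr_ipv4 / cidr_ipv6 source is declared.
#
# Fixed the security_group_id reference: the original pointed at
# aws_security_group.negative, which is not declared in this file; the only
# group defined here is aws_security_group.ec2.
resource "aws_vpc_security_group_ingress_rule" "negative2-1" {
  security_group_id = aws_security_group.ec2.id
  description       = "TLS from VPC"

  ip_protocol = "tcp"
  from_port   = 80
  to_port     = 80
}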
# Not flagged: the source is not the literal 0.0.0.0/0. Review note: a /0
# prefix still spans every IPv4 address whatever the base, so this is a
# matching edge case rather than a genuinely restricted rule.
resource "aws_vpc_security_group_ingress_rule" "negative2-2" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet"

  ip_protocol = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_ipv4   = "0.0.1.0/0"
}
# Not flagged: all protocols on port 80, but the IPv6 source is a single /64
# rather than ::/0.
resource "aws_vpc_security_group_ingress_rule" "negative2-3" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet"

  ip_protocol = "-1"
  from_port   = 80
  to_port     = 80
  cidr_ipv6   = "2001:db8:abcd:0012::/64"
}
# Not flagged: open to every IPv6 address, but 3380-3459 does not include
# port 80.
resource "aws_vpc_security_group_ingress_rule" "negative2-4" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet"

  ip_protocol = "tcp"
  from_port   = 3380
  to_port     = 3459
  cidr_ipv6   = "::/0"
}
# Not flagged: open to every IPv4 address, but 3380-3459 does not include
# port 80.
resource "aws_vpc_security_group_ingress_rule" "negative2-5" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet"

  ip_protocol = "tcp"
  from_port   = 3380
  to_port     = 3459
  cidr_ipv4   = "0.0.0.0/0"
}
# Not flagged: port 80 from ::/0, but over UDP, which is not HTTP.
resource "aws_vpc_security_group_ingress_rule" "negative2-6" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet"

  ip_protocol = "udp"
  from_port   = 80
  to_port     = 80
  cidr_ipv6   = "::/0"
}
# Not flagged: port 80 from 0.0.0.0/0, but over UDP, which is not HTTP.
resource "aws_vpc_security_group_ingress_rule" "negative2-7" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet"

  ip_protocol = "udp"
  from_port   = 80
  to_port     = 80
  cidr_ipv4   = "0.0.0.0/0"
}
Negative test num. 3 - tf file
# Empty security group that the negative aws_security_group_rule samples
# attach to.
resource "aws_security_group" "ec2" {
  name        = "secgroup-ec2"
  description = "ec2 sg"
  vpc_id      = var.vpc_id
}
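# Not flagged: TCP 80 ingress with no cidr_blocks / ipv6_cidr_blocks source.
#
# Fixed the security_group_id reference: the original pointed at
# aws_security_group.negative, which is not declared in this file; the only
# group defined here is aws_security_group.ec2.
resource "aws_security_group_rule" "negative3-1" {
  security_group_id = aws_security_group.ec2.id
  description       = "TLS from VPC"
  type              = "ingress"

  protocol  = "tcp"
  from_port = 80
  to_port   = 80
}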
# Not flagged: the source is not the literal 0.0.0.0/0. Review note: a /0
# prefix still spans every IPv4 address whatever the base, so this is a
# matching edge case rather than a genuinely restricted rule.
resource "aws_security_group_rule" "negative3-2" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet (IPv4)"
  type              = "ingress"

  protocol    = "tcp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.1.0/0"]
}
# Not flagged: all protocols on 79-100 (covers 80), but the IPv6 source is a
# single /64 rather than ::/0.
resource "aws_security_group_rule" "negative3-3" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet (IPv6)"
  type              = "ingress"

  protocol         = "-1"
  from_port        = 79
  to_port          = 100
  ipv6_cidr_blocks = ["2001:db8:abcd:0012::/64"]
}
# Not flagged: open to every IPv4 address, but 3380-3580 does not include
# port 80.
resource "aws_security_group_rule" "negative3-4" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet (IPv4)"
  type              = "ingress"

  protocol    = "tcp"
  from_port   = 3380
  to_port     = 3580
  cidr_blocks = ["0.0.0.0/0"]
}
# Not flagged: open to every IPv6 address, but 3380-3580 does not include
# port 80.
resource "aws_security_group_rule" "negative3-5" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet (IPv6)"
  type              = "ingress"

  protocol         = "tcp"
  from_port        = 3380
  to_port          = 3580
  ipv6_cidr_blocks = ["::/0"]
}
# Not flagged: port 80 from 0.0.0.0/0, but over UDP, which is not HTTP.
resource "aws_security_group_rule" "negative3-6" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet (IPv4)"
  type              = "ingress"

  protocol    = "udp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.0.0/0"]
}
# Not flagged: same shape as negative3-6 (UDP 80 from 0.0.0.0/0); UDP is not
# HTTP, so the query does not apply.
resource "aws_security_group_rule" "negative3-7" {
  security_group_id = aws_security_group.ec2.id
  description       = "allows RDP from Internet (IPv4)"
  type              = "ingress"

  protocol    = "udp"
  from_port   = 80
  to_port     = 80
  cidr_blocks = ["0.0.0.0/0"]
}
Negative test num. 4 - tf file
# Not flagged: the single ingress entry is restricted to one source address
# (1.2.3.4), so nothing is exposed to the internet.
module "vote_service_sg_ipv4" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      cidr_blocks = ["1.2.3.4"]
    },
  ]
}
# Not flagged: the IPv6 source is a specific /64, not ::/0.
module "vote_service_sg_ipv6" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      protocol         = "tcp"
      from_port        = 0
      to_port          = 0
      ipv6_cidr_blocks = ["2001:0db8:85a3:0000:0000:8a2e:0370:7334/64"]
    },
  ]
}
# Not flagged: the two entries whose ranges cover port 80 are UDP; the
# TCP entries (28000-28001, 20-22) neither include 80 nor use 0.0.0.0/0.
module "vote_service_sg_ipv4_array" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      protocol    = "udp"
      from_port   = 0
      to_port     = 100
      cidr_blocks = ["0.1.1.1/21", "8.8.8.8/24"]
    },
    {
      description = "TLS from VPC"
      protocol    = "tcp"
      from_port   = 28000
      to_port     = 28001
      cidr_blocks = ["10.0.0.0/16"]
    },
    {
      description = "TLS from VPC"
      protocol    = "tcp"
      from_port   = 20
      to_port     = 22
      cidr_blocks = ["192.01.01.02/23"]
    },
    {
      description = "TLS from VPC"
      protocol    = "udp"
      from_port   = 0
      to_port     = 100
      cidr_blocks = ["0.0.0.0/0"]
    },
  ]
}
# Not flagged: 0-100 from ::/0 would cover port 80, but the protocol is UDP,
# which is not HTTP.
module "vote_service_sg_ipv6_array_udp_and_exposed_ip" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      protocol         = "udp"
      from_port        = 0
      to_port          = 100
      ipv6_cidr_blocks = ["::/0"]
    },
  ]
}
# Not flagged: open to every IPv6 address, but 2830-3000 does not include
# port 80.
module "vote_service_sg_ipv6_array_port_80_not_covered" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_ipv6_cidr_blocks = [
    {
      description      = "TLS from VPC"
      protocol         = "tcp"
      from_port        = 2830
      to_port          = 3000
      ipv6_cidr_blocks = ["::/0"]
    },
  ]
}
# Not flagged: 0.0.0.0/0 is in the source list, but 2500-3000 does not
# include port 80.
module "vote_service_sg_ipv4_array_port_80_not_covered" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "4.3.0"

  name        = "user-service"
  description = "Security group for user-service with custom ports open within VPC, and PostgreSQL publicly open"
  vpc_id      = "vpc-12345678"

  ingress_with_cidr_blocks = [
    {
      description = "TLS from VPC"
      protocol    = "tcp"
      from_port   = 2500
      to_port     = 3000
      cidr_blocks = ["0.1.1.1/21", "0.0.0.0/0"]
    },
  ]
}