EC2 security group has unrestricted traffic access

ID

aws_ec2_group_unrestricted_traffic

Severity

critical

Vendor

AWS

Resource

Network

Tags

asvs50-v13.1.1, reachable

Description

The EC2 security group contains a rule that accepts traffic from any source (cidr_ip=0.0.0.0/0 or cidr_ipv6=::/0) on every port. Exposing all ports of an instance to the whole internet removes the network layer of defence and gives an attacker a direct path to any service listening on the host.

To fix it, set the source range to something narrower than cidr_ip=0.0.0.0/0 or cidr_ipv6=::/0 (a private range, a known prefix, or another security group), and restrict the rule to the smallest port range the service needs: do not use from_port=0 with to_port=65535, and do not use from_port=-1 or to_port=-1, both of which mean "all ports". ICMP rules have no ports; narrow their icmp_type and icmp_code and their source range instead.

Learn more about this topic at AWS CIDR subnet reservation.
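As an added example (not part of this page and not the checker's own code), the conditions above expressed as a small Python scanner over already-parsed Ansible playbook data. It assumes the data shape yaml.safe_load returns for a playbook, treats the ports shorthand and from_port/to_port alike and, going one step beyond the text, also recognises alternative spellings of the any-address prefix (such as ::0/0) and icmp_type -1 as the ICMP equivalent of an all-ports rule. The playbook embedded at the bottom is constructed for the example.

```python
"""Flag amazon.aws.ec2_security_group rules that allow unrestricted traffic.

Added example for the aws_ec2_group_unrestricted_traffic check; not the
checker's own code. Works on parsed playbook data, so PyYAML is not needed.
"""
import ipaddress
from typing import Any, Dict, Iterable, List, Tuple

# Names under which the security group module may appear in a task.
SG_MODULES = ("amazon.aws.ec2_security_group", "ec2_security_group", "ec2_group")
FULL_RANGE = (0, 65535)


def _as_list(value: Any) -> List[Any]:
    """cidr_ip, cidr_ipv6 and ports accept a scalar or a list; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def is_any_cidr(cidr: Any) -> bool:
    """True for a prefix that matches every address: 0.0.0.0/0, ::/0 and
    spellings such as ::0/0 that the module passes through unchanged."""
    try:
        return ipaddress.ip_network(str(cidr).strip(), strict=False).prefixlen == 0
    except ValueError:
        return False


def port_ranges(rule: Dict[str, Any]) -> List[Tuple[int, int]]:
    """Collect declared port ranges from the ports shorthand (80, "80",
    "80-443", "-1") and from from_port/to_port."""
    ranges: List[Tuple[int, int]] = []
    for item in _as_list(rule.get("ports")):
        text = str(item).strip()
        if text == "-1":
            ranges.append((-1, -1))
        elif "-" in text:
            lo, hi = text.split("-", 1)
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(text), int(text)))
    fp, tp = rule.get("from_port"), rule.get("to_port")
    if fp is not None or tp is not None:
        ranges.append((int(fp if fp is not None else tp), int(tp if tp is not None else fp)))
    return ranges


def check_rule(rule: Dict[str, Any]) -> Dict[str, bool]:
    """Evaluate one rule: open to the world? open on every port? both?"""
    open_cidr = any(is_any_cidr(c) for c in _as_list(rule.get("cidr_ip"))) or any(
        is_any_cidr(c) for c in _as_list(rule.get("cidr_ipv6")))
    proto = str(rule.get("proto", "tcp")).lower()  # module default is tcp
    all_ports = proto in ("-1", "all")
    # ICMP has no ports; icmp_type -1 means "all types" (assumption carried
    # over from the AWS API, beyond what the check text spells out).
    if str(rule.get("icmp_type", "")) == "-1":
        all_ports = True
    for lo, hi in port_ranges(rule):
        if lo == -1 or hi == -1 or (lo, hi) == FULL_RANGE:
            all_ports = True
    return {"open_cidr": open_cidr, "all_ports": all_ports,
            "unrestricted": open_cidr and all_ports}


def scan_playbook(plays: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Walk plays -> tasks -> security group rules; one finding per rule that
    is both open to the world and open on every port."""
    findings: List[Dict[str, Any]] = []
    for play in plays:
        for task in play.get("tasks", []):
            module = next((m for m in SG_MODULES if m in task), None)
            if module is None:
                continue
            args = task[module] or {}
            for direction in ("rules", "rules_egress"):
                for index, rule in enumerate(args.get(direction) or []):
                    if check_rule(rule)["unrestricted"]:
                        findings.append({"task": task.get("name", "<unnamed>"),
                                         "group": args.get("name"),
                                         "direction": direction,
                                         "rule_index": index})
    return findings


# Constructed sample: the page's flagged rule, a ports-shorthand variant with
# an IPv6 wildcard, and a restricted rule, as yaml.safe_load would return them.
SAMPLE_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "world on every port (flagged)", "amazon.aws.ec2_security_group": {
        "name": "sg-open", "vpc_id": "vpc-xxxxxxxx", "rules": [
            {"proto": "icmp", "icmp_type": 3, "icmp_code": 1,
             "cidr_ip": "0.0.0.0/0", "from_port": -1}]}},
    {"name": "ports shorthand, IPv6 wildcard (flagged)", "amazon.aws.ec2_security_group": {
        "name": "sg-ports", "vpc_id": "vpc-xxxxxxxx", "rules": [
            {"proto": "tcp", "ports": ["0-65535"], "cidr_ipv6": ["::0/0"]}]}},
    {"name": "restricted source and port (clean)", "amazon.aws.ec2_security_group": {
        "name": "sg-http", "vpc_id": "vpc-xxxxxxxx", "rules": [
            {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": "172.16.0.0/12"}]}},
]}]

if __name__ == "__main__":
    for f in scan_playbook(SAMPLE_PLAYBOOK):
        print(f"{f['task']}: {f['group']} {f['direction']}[{f['rule_index']}]")
```

Note that a wide-open CIDR on an ICMP rule with a specific type and code is not reported, matching the check's own scope; whether echo-reply from the world is acceptable is a separate policy question.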

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example using ICMP types and codes
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg for ICMP
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          # Flagged: the source is the whole IPv4 internet and from_port -1
          # means "all", so the rule is unrestricted on both axes.
          - proto: icmp
            icmp_type: 3
            icmp_code: 1
            cidr_ip: 0.0.0.0/0
            from_port: -1

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example using ICMP types and codes
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg for ICMP and HTTP from the internal range
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          # ICMP has no ports (from_port/to_port would be read as type/code),
          # so narrow the type and code and the source range instead.
          - proto: icmp
            icmp_type: 3
            icmp_code: 1
            cidr_ip: 172.16.0.0/12
          # TCP/UDP rules get a private source range and only the port the
          # service needs, never 0-65535 or -1.
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 172.16.0.0/12