RDS has opened a large scope

ID

aws_rds_ec2_group_hosts

Severity

low

Vendor

AWS

Resource

Network

Tags

reachable

Description

The RDS security group admits more than 256 hosts. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.

To fix it, configure the group so that its rules cover fewer than 256 hosts, using the cidr_ip or cidr_ipv6 properties.

Learn more about this topic at AWS Security groups.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: MySQL security group
      amazon.aws.ec2_security_group:
        name: "MySQL_group"
        description: sg with rule descriptions
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: tcp
            ports:
            - 3306
            cidr_ip: 0.0.0.0/0

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: MySQL security group
      amazon.aws.ec2_security_group:
        name: "MySQL_group"
        description: sg with rule descriptions
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: tcp
            ports:
            - 3306
            cidr_ip: 192.168.0.0/29
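The check described above, as an added example that is not part of the original rule page: a Python function that counts the hosts each rule's cidr_ip / cidr_ipv6 value admits and reports any rule above the 256-host threshold. The rule dicts are constructed to mirror the two playbooks; the list-valued cidr handling assumes the module accepts either a string or a list there.

```python
import ipaddress

# Threshold taken from the rule description: "more than 256 hosts" is reported,
# so a /24 (exactly 256 addresses) sits on the boundary and is not flagged.
MAX_HOSTS = 256


def hosts_in_cidr(cidr: str) -> int:
    """Number of addresses covered by an IPv4 or IPv6 CIDR block."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def wide_rules(rules):
    """Return (rule_index, cidr, host_count) for every rule that admits more
    than MAX_HOSTS hosts. Both cidr_ip and cidr_ipv6 are inspected; each may
    be a single string or a list of strings (assumption about the module)."""
    findings = []
    for i, rule in enumerate(rules):
        for key in ("cidr_ip", "cidr_ipv6"):
            value = rule.get(key)
            if value is None:
                continue
            cidrs = value if isinstance(value, list) else [value]
            for cidr in cidrs:
                count = hosts_in_cidr(cidr)
                if count > MAX_HOSTS:
                    findings.append((i, cidr, count))
    return findings


# Constructed rule lists mirroring the "Examples" and "Mitigation / Fix" playbooks.
OPEN_RULES = [{"proto": "tcp", "ports": [3306], "cidr_ip": "0.0.0.0/0"}]
FIXED_RULES = [{"proto": "tcp", "ports": [3306], "cidr_ip": "192.168.0.0/29"}]
# Constructed mixed case: a narrow IPv4 block alongside a wide-open IPv6 block.
MIXED_RULES = [{"proto": "tcp", "ports": [3306],
                "cidr_ip": ["192.168.0.0/29"], "cidr_ipv6": "::/0"}]

if __name__ == "__main__":
    for label, rules in (("open", OPEN_RULES), ("fixed", FIXED_RULES), ("mixed", MIXED_RULES)):
        for idx, cidr, count in wide_rules(rules):
            print(f"{label}: rule {idx} admits {count} hosts via {cidr} (> {MAX_HOSTS})")
```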