diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index 1fa4fc386b6..a370aa07a36 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -1564,17 +1564,20 @@ This page contains all queries. |Beta - Storage Account With Cross Tenant Replication Enabled
50e0a9e3-7360-483c-9873-ba1ea1a7faf8|Terraform|Medium|Access Control|Query details
Documentation
| |Beta - Storage Account With Shared Access Key
45f3e879-f8a7-4102-a3fa-46da5a849870|Terraform|Medium|Access Control|Query details
Documentation
| |Beta - Use Of User Access Administrator Role Is Not Restricted
41d7989b-3be2-4081-8c79-cf903dd174c5|Terraform|Medium|Access Control|Query details
Documentation
| +|Beta - VM Without Admin SSH Public Key Set
a5cfef8f-910e-4fd6-8155-f381b236a492|Terraform|Medium|Access Control|Query details
Documentation
| |Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Terraform|Medium|Access Control|Query details
Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Terraform|Medium|Access Control|Query details
Documentation
| |Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Terraform|Medium|Access Control|Query details
Documentation
| |Storage Share Allows All ACL Permissions
5ed0a5f3-6b81-4a6c-a7d1-0f1d8d9ae806|Terraform|Medium|Access Control|Query details
Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Terraform|Medium|Access Control|Query details
Documentation
| |Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Terraform|Medium|Best Practices|Query details
Documentation
| +|Beta - VM With Automatic Updates Disabled
187e6d39-5e1e-4afa-9c0a-b79632eef346|Terraform|Medium|Best Practices|Query details
Documentation
| |Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Terraform|Medium|Best Practices|Query details
Documentation
| |MSSQL Server Database With Alerts Disabled
25cd1853-7e80-4106-9ac3-03f8636c25be|Terraform|Medium|Best Practices|Query details
Documentation
| |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Terraform|Medium|Best Practices|Query details
Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Terraform|Medium|Encryption|Query details
Documentation
| |Beta - Databricks Workspace Without CMK
416ac446-9a2e-4f6d-84d2-82add788c7da|Terraform|Medium|Encryption|Query details
Documentation
| +|Beta - Disk Encryption On Managed Disk Disabled
68403c84-8497-449b-9946-ae848765813f|Terraform|Medium|Encryption|Query details
Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Terraform|Medium|Encryption|Query details
Documentation
| |Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Terraform|Medium|Encryption|Query details
Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Terraform|Medium|Encryption|Query details
Documentation
| @@ -1597,6 +1600,7 @@ This page contains all queries. |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Terraform|Medium|Insecure Configurations|Query details
Documentation
| |VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Terraform|Medium|Insecure Configurations|Query details
Documentation
| |Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Terraform|Medium|Insecure Configurations|Query details
Documentation
| +|Beta - VM With Extension Operations Enabled
59528fe9-0c8e-4153-8016-445911a2d933|Terraform|Medium|Insecure Defaults|Query details
Documentation
| |Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Terraform|Medium|Networking and Firewall|Query details
Documentation
| |Beta - Databricks Workspace Using Default Virtual Network
05d6b52e-11ca-453d-bb3a-21c7c853ee92|Terraform|Medium|Networking and Firewall|Query details
Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Terraform|Medium|Networking and Firewall|Query details
Documentation
| @@ -1617,7 +1621,7 @@ This page contains all queries. |Beta - Activity Log Alert For Delete Security Solution Not Configured
b97a1065-a86b-442f-86c4-f95afd9b3ac6|Terraform|Medium|Observability|Query details
Documentation
| |Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured
8ce5c61f-5cd1-41bc-b7d9-b26b18efd505|Terraform|Medium|Observability|Query details
Documentation
| |Beta - Activity Log Alert For Service Health Not Configured
f677bd92-3922-4e75-8f0c-2c0f8fbc9609|Terraform|Medium|Observability|Query details
Documentation
| -|Beta - Databricks Diagnostic Logging Unconfigured
0bd3630a-2ae9-4522-9d66-04049654b1df|Terraform|Medium|Observability|Query details
Documentation
| +|Beta - Databricks Diagnostic Logging Not Configured
0bd3630a-2ae9-4522-9d66-04049654b1df|Terraform|Medium|Observability|Query details
Documentation
| |Beta - Diagnostic Settings Without Appropriate Logging
21fa1872-47b3-46ec-9775-f41e85d80cb4|Terraform|Medium|Observability|Query details
Documentation
| |Beta - Resource Without Diagnostic Settings
50f32d3c-096e-406a-bb26-71b3c91c11c0|Terraform|Medium|Observability|Query details
Documentation
| |Beta - Service Without Resource Logging
8a0628ed-6256-4a24-a1ab-54696fb69197|Terraform|Medium|Observability|Query details
Documentation
| @@ -1648,10 +1652,13 @@ This page contains all queries. |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Terraform|Low|Best Practices|Query details
Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Terraform|Low|Build Process|Query details
Documentation
| |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Terraform|Low|Encryption|Query details
Documentation
| +|Beta - Key Vault Without HSM Protection
fbb8e5e0-6dea-41d3-8739-4f2405b0e22a|Terraform|Low|Encryption|Query details
Documentation
| +|Beta - VM Without Encryption At Host
30c7c2f1-c048-49ba-81a4-ae465bbb3335|Terraform|Low|Encryption|Query details
Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Terraform|Low|Encryption|Query details
Documentation
| |AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Terraform|Low|Insecure Configurations|Query details
Documentation
| |Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Terraform|Low|Insecure Configurations|Query details
Documentation
| |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Terraform|Low|Networking and Firewall|Query details
Documentation
| +|Beta - Container Instances Not Using Private Virtual Networks
71884fcb-ae03-41c8-87b9-22c90353f256|Terraform|Low|Networking and Firewall|Query details
Documentation
| |Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Terraform|Low|Networking and Firewall|Query details
Documentation
| |Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Terraform|Low|Observability|Query details
Documentation
| |Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Terraform|Low|Observability|Query details
Documentation
| diff --git a/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md b/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md index 928cc0d1ac8..761da6844b6 100644 --- a/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md +++ b/docs/queries/azureresourcemanager-queries/azure/e055285c-bc01-48b4-8aa5-8a54acdd29df.md @@ -30,116 +30,74 @@ Every 'Microsoft.Sql/servers/databases' resource should have Auditing Enabled
Positive test num. 4 - bicep file + +```bicep hl_lines="2" +resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = { + name: 'sqlServer1' + location: resourceGroup().location +} + resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { parent: sqlServer1 - name: 'default' + name: 'default_1' properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' + state: 'Disabled' } } +resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { + parent: sqlServer1 + name: 'sqlDatabase1' + location: resourceGroup().location + properties: {} +} + resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = { parent: sqlServer1_sqlDatabase1 - name: 'default' + name: 'default_2' properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Disabled' + state: 'Enabled' } } ``` -
Positive test num. 4 - json file +
+
Positive test num. 5 - json file -```json hl_lines="34" +```json hl_lines="8 15" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, - "functions": [], - "variables": {}, "resources": [ { - "name": "sqlServer1", "type": "Microsoft.Sql/servers", "apiVersion": "2021-02-01-preview", + "name": "sqlServer1", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlServer1" - }, - "properties": { - "administratorLogin": "adminUsername", - "administratorLoginPassword": "adminPassword" - } + "properties": {} }, - { - "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "sqlServer1/default", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "state": "Enabled", - "isAzureMonitorTargetEnabled": true - } - }, { - "name": "sqlServer1/sqlDatabase1", "type": "Microsoft.Sql/servers/databases", "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlDatabase1" - }, "dependsOn": [ "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" ], - "properties": { - "collation": "SQL_Latin1_General_CP1_CI_AS", - "edition": "Basic", - "maxSizeBytes": 1073741824, - "requestedServiceObjectiveName": "Basic" - } - }, - { - "type": "Microsoft.Sql/servers/databases/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "sqlServer1/sqlDatabase1/default", - "properties": { - "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], - "isAzureMonitorTargetEnabled": true, - "isStorageSecondaryKeyInUse": true, - "queueDelayMs": 1000, - "retentionDays": 100, - "state": "Disabled" - } + "properties": {} } - ], - "outputs": {} -} - -``` -
-
Positive test num. 5 - bicep file - -```bicep hl_lines="28" -resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = { - name: 'sqlServer1' - location: resourceGroup().location - tags: { - displayName: 'sqlServer1' - } - properties: { - administratorLogin: 'adminUsername' - administratorLoginPassword: 'adminPassword' - } -} - -resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1 - name: 'default' - properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' - } -} - -resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { - parent: sqlServer1 - name: 'sqlDatabase1' - location: resourceGroup().location - tags: { - displayName: 'sqlDatabase1' - } - properties: { - collation: 'SQL_Latin1_General_CP1_CI_AS' - edition: 'Basic' - maxSizeBytes: '1073741824' - requestedServiceObjectiveName: 'Basic' - } + ] } ```
Positive test num. 6 - json file -```json hl_lines="24" +```json hl_lines="8 15" { - "properties": { - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "functions": [], - "variables": {}, + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1", + "location": "[resourceGroup().location]", + "properties": {}, "resources": [ { - "name": "sqlServer1", - "type": "Microsoft.Sql/servers", + "type": "databases", "apiVersion": "2021-02-01-preview", + "name": "sqlDatabase1", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlServer1" - }, - "properties": { - "administratorLogin": "adminUsername", - "administratorLoginPassword": "adminPassword" - }, - "resources": [ - { - "name": "sqlServer1/sqlDatabase1", - "type": "Microsoft.Sql/servers/databases", - "apiVersion": "2021-02-01-preview", - "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlDatabase1" - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "collation": "SQL_Latin1_General_CP1_CI_AS", - "edition": "Basic", - "maxSizeBytes": "1073741824", - "requestedServiceObjectiveName": "Basic" - } - }, - { - "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "default", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "state": "Enabled", - "isAzureMonitorTargetEnabled": true - } - } - ] + "properties": {} } - ], - "outputs": {} - }, - "parameters": {} - }, - "kind": "template", - "type": "Microsoft.Blueprint/blueprints/artifacts", - "name": "myTemplate" + ] + } + ] } ```
-
Positive test num. 7 - bicep file - -```bicep hl_lines="28" -resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = { - name: 'sqlServer1' - location: resourceGroup().location - tags: { - displayName: 'sqlServer1' - } - properties: { - administratorLogin: 'adminUsername' - administratorLoginPassword: 'adminPassword' - } -} - -resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1 - name: 'default' - properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' - } -} - -resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { - parent: sqlServer1 - name: 'sqlDatabase1' - location: resourceGroup().location - tags: { - displayName: 'sqlDatabase1' - } - properties: { - collation: 'SQL_Latin1_General_CP1_CI_AS' - edition: 'Basic' - maxSizeBytes: 1073741824 - requestedServiceObjectiveName: 'Basic' - } -} +
Positive test num. 7 - json file -resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1_sqlDatabase1 - name: 'default' - properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Disabled' - } +```json hl_lines="8 23" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1", + "location": "[resourceGroup().location]", + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/default_1", + "properties": { + "state": "Disabled" + } + }, + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1", + "location": "[resourceGroup().location]", + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default_2", + "properties": { + "state": "Disabled" + } + } + ] } ```
Positive test num. 8 - json file -```json hl_lines="24" +```json hl_lines="8 23" { - "properties": { - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "functions": [], - "variables": {}, + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1", + "location": "[resourceGroup().location]", + "properties": {}, "resources": [ { - "name": "sqlServer1", - "type": "Microsoft.Sql/servers", + "type": "auditingSettings", "apiVersion": "2021-02-01-preview", - "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlServer1" - }, + "name": "default_1", "properties": { - "administratorLogin": "adminUsername", - "administratorLoginPassword": "adminPassword" + "state": "Disabled" } }, { - "name": "sqlServer1/sqlDatabase1", - "type": "Microsoft.Sql/servers/databases", + "type": "databases", "apiVersion": "2021-02-01-preview", + "name": "sqlDatabase1", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlDatabase1" - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "collation": "SQL_Latin1_General_CP1_CI_AS", - "edition": "Basic", - "maxSizeBytes": 1073741824, - "requestedServiceObjectiveName": "Basic" - } - }, - { - "type": "Microsoft.Sql/servers/databases/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "sqlServer1/sqlDatabase1/default", - "properties": { - "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], - "isAzureMonitorTargetEnabled": true, - "isStorageSecondaryKeyInUse": true, - "queueDelayMs": 1000, - "retentionDays": 100, - "state": "Disabled" - } - }, - { - "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": 
"sqlServer1/default", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "state": "Enabled", - "isAzureMonitorTargetEnabled": true - } + "properties": {}, + "resources": [ + { + "type": "auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "default_2", + "properties": { + "state": "Disabled" + } + } + ] } - ], - "outputs": {} - }, - "parameters": {} - }, - "kind": "template", - "type": "Microsoft.Blueprint/blueprints/artifacts", - "name": "myTemplate" -} - -``` -
-
Positive test num. 9 - bicep file - -```bicep hl_lines="2" -resource sqlServer 'Microsoft.Sql/servers@2019-06-01-preview' = { - name: sqlServerName - location: location - tags: { - displayName: 'SqlServer' - } - properties: { - administratorLogin: sqlAdministratorLogin - administratorLoginPassword: sqlAdministratorLoginPassword - version: '12.0' - } -} - -resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1 - name: 'default' - properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' - } -} - -resource sqlAdmin 'Microsoft.Sql/servers/administrators@2019-06-01-preview' = { - name: 'ActiveDirectory' - parent: sqlServer - properties: { - administratorType: 'ActiveDirectory' - login: ADLogin - sid: ADobjectID - tenantId: ADtenantID - } + ] + } + ] } ```
-
Positive test num. 10 - json file +
Positive test num. 9 - json file ```json hl_lines="8" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, - "variables": {}, "resources": [ { - "name": "[variables('sqlServerName')]", "type": "Microsoft.Sql/servers", - "apiVersion": "2019-06-01-preview", - "location": "[parameters('location')]", - "tags": { - "displayName": "SqlServer" - }, - "properties": { - "administratorLogin": "[parameters('sqlAdministratorLogin')]", - "administratorLoginPassword": "[parameters('sqlAdministratorLoginPassword')]", - "version": "12.0" + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1", + "location": "[resourceGroup().location]", + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/default_1", + "properties": { + "state": "Disabled" } }, { - "name": "[concat(variables('sqlServerName'),'/ActiveDirectory')]", - "type": "Microsoft.Sql/servers/administrators", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', variables('sqlServerName'))]" - ], - "apiVersion": "2019-06-01-preview", + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1", + "location": "[resourceGroup().location]", + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1/default_2", "properties": { - "administratorType": "ActiveDirectory", - "login": "[variables('ADLogin')]", - "sid": "[variables('ADobjectID')]", - "tenantId": "[variables('ADtenantID')]" + "state": "Enabled" } } ] 
@@ -597,187 +341,88 @@ resource sqlAdmin 'Microsoft.Sql/servers/administrators@2019-06-01-preview' = { #### Code samples without security vulnerabilities ```bicep title="Negative test num. 1 - bicep file" -resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = { - name: 'sqlServer1' +resource sql_server 'Microsoft.Sql/servers@2021-02-01-preview' = { + name: 'sql_server' location: resourceGroup().location - tags: { - displayName: 'sqlServer1' - } - properties: { - administratorLogin: 'adminUsername' - administratorLoginPassword: 'adminPassword' - } + properties: {} } -resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1 - name: 'default' +resource sql_server_auditing_settings 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { + parent: sql_server + name: 'default_1' properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 state: 'Enabled' } } -resource sqlServer1_ssqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { - parent: sqlServer1 - name: 'ssqlDatabase1' - location: resourceGroup().location - tags: { - displayName: 'sqlDatabase1' - } - properties: { - collation: 'SQL_Latin1_General_CP1_CI_AS' - edition: 'Basic' - maxSizeBytes: 107374182 - requestedServiceObjectiveName: 'Basic' - } -} - -resource sqlServer1_ssqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1_ssqlDatabase1 - name: 'default' - properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' - } -} - - - ``` ```json title="Negative test num. 
2 - json file" { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, - "functions": [], - "variables": {}, "resources": [ { - "name": "sqlServer1", "type": "Microsoft.Sql/servers", - "apiVersion": "2021-02-01-preview", + "apiVersion": "2023-02-01-preview", + "name": "sql_server", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlServer1" - }, + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2024-11-01-preview", + "name": "sql_server/sql_databases", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sql_server')]" + ], + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2024-11-01-preview", + "name": "sql_server/default", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sql_server')]" + ], "properties": { - "administratorLogin": "adminUsername", - "administratorLoginPassword": "adminPassword" - }, + "state": "Enabled" + } + } + ] +} + +``` +```json title="Negative test num. 
3 - json file" +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2023-02-01-preview", + "name": "sql_server", + "location": "[resourceGroup().location]", + "properties": {}, "resources": [ { - "name": "ssqlDatabase1", "type": "databases", - "apiVersion": "2021-02-01-preview", + "apiVersion": "2024-11-01-preview", + "name": "sql_databases", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlDatabase1" - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "collation": "SQL_Latin1_General_CP1_CI_AS", - "edition": "Basic", - "maxSizeBytes": 107374182, - "requestedServiceObjectiveName": "Basic" - }, - "resources": [ - { - "type": "auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "default", - "properties": { - "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], - "isAzureMonitorTargetEnabled": true, - "isStorageSecondaryKeyInUse": true, - "queueDelayMs": 1000, - "retentionDays": 100, - "state": "Enabled" - } - } - ] + "properties": {} }, { - "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "default", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "state": "Enabled", - "isAzureMonitorTargetEnabled": true - } + "type": "auditingSettings", + "apiVersion": "2024-11-01-preview", + "name": "default", + "properties": { + "state": "Enabled" + } } ] } - ], - "outputs": {} -} - -``` -```bicep title="Negative test num. 
3 - bicep file" -resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = { - name: 'sqlServer1' - location: resourceGroup().location - tags: { - displayName: 'sqlServer1' - } - properties: { - administratorLogin: 'adminUsername' - administratorLoginPassword: 'adminPassword' - } -} - -resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1 - name: 'default' - properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' - } -} - -resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { - parent: sqlServer1 - name: 'sqlDatabase1' - location: resourceGroup().location - tags: { - displayName: 'sqlDatabase1' - } - properties: { - collation: 'SQL_Latin1_General_CP1_CI_AS' - edition: 'Basic' - maxSizeBytes: 1073741824 - requestedServiceObjectiveName: 'Basic' - } -} - -resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1_sqlDatabase1 - name: 'default' - properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' - } + ] } ``` 
@@ -787,238 +432,146 @@ resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditi { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", - "parameters": {}, - "functions": [], - "variables": {}, "resources": [ { - "name": "sqlServer1", "type": "Microsoft.Sql/servers", "apiVersion": "2021-02-01-preview", + "name": "sqlServer1", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlServer1" - }, + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/default_1", "properties": { - "administratorLogin": "adminUsername", - "administratorLoginPassword": "adminPassword" + "state": "Enabled" } }, { - "name": "sqlServer1/sqlDatabase1", "type": "Microsoft.Sql/servers/databases", "apiVersion": "2021-02-01-preview", + "name": "sqlServer1/sqlDatabase1", "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlDatabase1" - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "collation": "SQL_Latin1_General_CP1_CI_AS", - "edition": "Basic", - "maxSizeBytes": 1073741824, - "requestedServiceObjectiveName": "Basic" - } + "properties": {} }, { "type": "Microsoft.Sql/servers/databases/auditingSettings", "apiVersion": "2021-02-01-preview", - "name": "sqlServer1/sqlDatabase1/default", + "name": "sqlServer1/sqlDatabase1/default_2", "properties": { - "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], - "isAzureMonitorTargetEnabled": true, - "isStorageSecondaryKeyInUse": true, - "queueDelayMs": 1000, - "retentionDays": 100, - "state": "Enabled" + "state": "Disabled" } - }, - { - "type": "Microsoft.Sql/servers/auditingSettings", + } + ] +} + +``` +
+
Negative test num. 5 - json file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers", "apiVersion": "2021-02-01-preview", - "name": "default", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "state": "Enabled", - "isAzureMonitorTargetEnabled": true - } - } - ], - "outputs": {} + "name": "sqlServer1", + "location": "[resourceGroup().location]", + "properties": {}, + "resources": [ + { + "type": "auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "default_1", + "properties": { + "state": "Enabled" + } + }, + { + "type": "databases", + "apiVersion": "2021-02-01-preview", + "name": "sqlDatabase1", + "location": "[resourceGroup().location]", + "properties": {}, + "resources": [ + { + "type": "auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "default_2", + "properties": { + "state": "Disabled" + } + } + ] + } + ] + } + ] } ```
-
Negative test num. 5 - bicep file +
Negative test num. 6 - bicep file ```bicep -resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = { - name: 'sqlServer1' +resource sql_databases 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { + parent: sql_server + name: 'sql_databases' location: resourceGroup().location - tags: { - displayName: 'sqlServer1' - } - properties: { - administratorLogin: 'adminUsername' - administratorLoginPassword: 'adminPassword' - } + properties: {} } -resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1 - name: 'default' +resource sql_databases_auditing_settings 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = { + parent: sql_databases + name: 'default_2' properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 state: 'Enabled' } } -resource sqlServer1_ssqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { - parent: sqlServer1 - name: 'ssqlDatabase1' +``` +
+
Negative test num. 7 - bicep file + +```bicep +resource sql_server 'Microsoft.Sql/servers@2023-02-01-preview' = { + name: 'sql_server' location: resourceGroup().location - tags: { - displayName: 'sqlDatabase1' - } - properties: { - collation: 'SQL_Latin1_General_CP1_CI_AS' - edition: 'Basic' - maxSizeBytes: 107374182 - requestedServiceObjectiveName: 'Basic' - } + properties: {} } -resource sqlServer1_ssqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = { - parent: sqlServer1_ssqlDatabase1 +resource sql_databases 'Microsoft.Sql/servers/databases@2024-11-01-preview' = { + parent: sql_server + name: 'sql_databases' + location: resourceGroup().location + properties: {} +} + +resource sql_server_auditing_settings 'Microsoft.Sql/servers/auditingSettings@2024-11-01-preview' = { + parent: sql_server name: 'default' properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 state: 'Enabled' } } ```
-
Negative test num. 6 - json file - -```json -{ - "properties": { - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "functions": [], - "variables": {}, - "resources": [ - { - "name": "sqlServer1", - "type": "Microsoft.Sql/servers", - "apiVersion": "2021-02-01-preview", - "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlServer1" - }, - "properties": { - "administratorLogin": "adminUsername", - "administratorLoginPassword": "adminPassword" - }, - "resources": [ - { - "name": "ssqlDatabase1", - "type": "databases", - "apiVersion": "2021-02-01-preview", - "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlDatabase1" - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "collation": "SQL_Latin1_General_CP1_CI_AS", - "edition": "Basic", - "maxSizeBytes": 107374182, - "requestedServiceObjectiveName": "Basic" - }, - "resources": [ - { - "type": "auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "default", - "properties": { - "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], - "isAzureMonitorTargetEnabled": true, - "isStorageSecondaryKeyInUse": true, - "queueDelayMs": 1000, - "retentionDays": 100, - "state": "Enabled" - } - } - ] - }, - { - "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "default", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "state": "Enabled", - "isAzureMonitorTargetEnabled": true - } - } - ] - } - ], - "outputs": {} - }, - "parameters": {} - }, - "kind": "template", - "type": "Microsoft.Blueprint/blueprints/artifacts", - "name": "myTemplate" -} - -``` -
-
Negative test num. 7 - bicep file +
Negative test num. 8 - bicep file ```bicep resource sqlServer1 'Microsoft.Sql/servers@2021-02-01-preview' = { name: 'sqlServer1' location: resourceGroup().location - tags: { - displayName: 'sqlServer1' - } - properties: { - administratorLogin: 'adminUsername' - administratorLoginPassword: 'adminPassword' - } } resource sqlServer1_default 'Microsoft.Sql/servers/auditingSettings@2021-02-01-preview' = { parent: sqlServer1 - name: 'default' + name: 'default_1' properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 state: 'Enabled' } } @@ -1027,108 +580,139 @@ resource sqlServer1_sqlDatabase1 'Microsoft.Sql/servers/databases@2021-02-01-pre parent: sqlServer1 name: 'sqlDatabase1' location: resourceGroup().location - tags: { - displayName: 'sqlDatabase1' - } - properties: { - collation: 'SQL_Latin1_General_CP1_CI_AS' - edition: 'Basic' - maxSizeBytes: 1073741824 - requestedServiceObjectiveName: 'Basic' - } + properties: {} } resource sqlServer1_sqlDatabase1_default 'Microsoft.Sql/servers/databases/auditingSettings@2021-02-01-preview' = { parent: sqlServer1_sqlDatabase1 - name: 'default' + name: 'default_2' properties: { - auditActionsAndGroups: ['DATABASE_LOGOUT_GROUP'] - isAzureMonitorTargetEnabled: true - isStorageSecondaryKeyInUse: true - queueDelayMs: 1000 - retentionDays: 100 - state: 'Enabled' + state: 'Disabled' } } ```
-
Negative test num. 8 - json file +
Negative test num. 9 - json file ```json { - "properties": { - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": {}, - "functions": [], - "variables": {}, + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "name": "sql_server", + "location": "[resourceGroup().location]", + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sql_server/default_1", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sql_server')]" + ], + "properties": { + "state": "Enabled" + } + } + ] +} + +``` +
+
Negative test num. 10 - json file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers", + "apiVersion": "2021-02-01-preview", + "name": "sql_server", + "location": "[resourceGroup().location]", + "properties": {}, "resources": [ { - "name": "sqlServer1", - "type": "Microsoft.Sql/servers", - "apiVersion": "2021-02-01-preview", - "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlServer1" - }, - "properties": { - "administratorLogin": "adminUsername", - "administratorLoginPassword": "adminPassword" - } - }, - { - "name": "sqlServer1/sqlDatabase1", - "type": "Microsoft.Sql/servers/databases", + "type": "auditingSettings", "apiVersion": "2021-02-01-preview", - "location": "[resourceGroup().location]", - "tags": { - "displayName": "sqlDatabase1" - }, - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], + "name": "default_1", "properties": { - "collation": "SQL_Latin1_General_CP1_CI_AS", - "edition": "Basic", - "maxSizeBytes": 1073741824, - "requestedServiceObjectiveName": "Basic" + "state": "Enabled" } - }, + } + ] + } + ] +} + +``` +
+
Negative test num. 11 - json file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "name": "sql_server/sql_databases", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sql_server')]" + ], + "properties": {} + }, + { + "type": "Microsoft.Sql/servers/databases/auditingSettings", + "apiVersion": "2021-02-01-preview", + "name": "sql_server/sql_databases/default_2", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers/databases', 'sql_server', 'sql_databases')]" + ], + "properties": { + "state": "Enabled" + } + } + ] +} + +``` +
+
Negative test num. 12 - json file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [ + { + "type": "Microsoft.Sql/servers/databases", + "apiVersion": "2021-02-01-preview", + "name": "sql_server/sql_databases", + "location": "[resourceGroup().location]", + "dependsOn": [ + "[resourceId('Microsoft.Sql/servers', 'sql_server')]" + ], + "properties": {}, + "resources": [ { - "type": "Microsoft.Sql/servers/databases/auditingSettings", + "type": "auditingSettings", "apiVersion": "2021-02-01-preview", - "name": "sqlServer1/sqlDatabase1/default", + "name": "default_2", "properties": { - "auditActionsAndGroups": [ "DATABASE_LOGOUT_GROUP" ], - "isAzureMonitorTargetEnabled": true, - "isStorageSecondaryKeyInUse": true, - "queueDelayMs": 1000, - "retentionDays": 100, "state": "Enabled" } - }, - { - "type": "Microsoft.Sql/servers/auditingSettings", - "apiVersion": "2021-02-01-preview", - "name": "default", - "dependsOn": [ - "[resourceId('Microsoft.Sql/servers', 'sqlServer1')]" - ], - "properties": { - "state": "Enabled", - "isAzureMonitorTargetEnabled": true - } } - ], - "outputs": {} - }, - "parameters": {} - }, - "kind": "template", - "type": "Microsoft.Blueprint/blueprints/artifacts", - "name": "myTemplate" + ] + } + ] } ``` diff --git a/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md b/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md index 8ffdc242c6f..e32cc17025d 100644 --- a/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md +++ b/docs/queries/cloudformation-queries/aws/0104165b-02d5-426f-abc9-91fb48189899.md @@ -30,170 +30,123 @@ The IP address in a DB Security Group must not have more than 256 hosts.
### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="18" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 22 15" Resources: - DBinstance1: - Type: AWS::RDS::DBInstance - Properties: - DBSecurityGroups: - - - Ref: "DbSecurity" - AllocatedStorage: "5" - DBInstanceClass: "db.t3.small" - Engine: "MySQL" - MasterUsername: "YourName" - MasterUserPassword: "YourPassword" - DeletionPolicy: "Snapshot" - DbSecurity: - Type: AWS::RDS::DBSecurityGroup + + DbSecurity: #legacy + Type: AWS::RDS::DBSecurityGroup Properties: GroupDescription: "Ingress for Amazon EC2 security group" DBSecurityGroupIngress: - CIDRIP: 1.2.3.4/23 - -``` -```yaml title="Positive test num. 2 - yaml file" hl_lines="18" -Resources: - DBinstance2: - Type: AWS::RDS::DBInstance - Properties: - DBSecurityGroups: - - - Ref: "DbSecurityByEC2SecurityGroup1" - AllocatedStorage: "5" - DBInstanceClass: "db.t3.small" - Engine: "MySQL" - MasterUsername: "YourName" - MasterUserPassword: "YourPassword" - DeletionPolicy: "Snapshot" + - CIDRIP: 1.2.3.4/23 + DbSecurityByEC2SecurityGroup1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Ingress for Amazon EC2 security group" SecurityGroupIngress: - CidrIp: 1.2.3.4/23 + - CidrIp: 1.2.3.4/23 -``` -```yaml title="Positive test num. 3 - yaml file" hl_lines="18" -Resources: - DBinstance3: - Type: AWS::RDS::DBInstance - Properties: - DBSecurityGroups: - - - Ref: "DbSecurityByEC2SecurityGroup2" - AllocatedStorage: "5" - DBInstanceClass: "db.t3.small" - Engine: "MySQL" - MasterUsername: "YourName" - MasterUserPassword: "YourPassword" - DeletionPolicy: "Snapshot" DbSecurityByEC2SecurityGroup2: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Ingress for Amazon EC2 security group" SecurityGroupIngress: - CidrIpv6: 2001:db8:a::123/64 + - CidrIpv6: 2001:db8:a::123/64 ``` -
Positive test num. 4 - json file +```yaml title="Positive test num. 2 - yaml file" hl_lines="19 13 7" +Resources: + + MyDBSecurityGroupIngress: #legacy + Type: AWS::RDS::DBSecurityGroupIngress + Properties: + DBSecurityGroupName: !Ref MyDBSecurityGroup + CIDRIP: 1.2.3.4/23 -```json hl_lines="23" + StandaloneIngressIPv4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DbSecurityByEC2SecurityGroup1 + CidrIp: 1.2.3.4/23 + + StandaloneIngressIPv6: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DbSecurityByEC2SecurityGroup2 + CidrIpv6: 2001:db8:a::123/64 + +``` +```json title="Positive test num. 3 - json file" hl_lines="9 20 31" { "Resources": { - "DBinstance1": { - "DeletionPolicy": "Snapshot", - "Type": "AWS::RDS::DBInstance", + "DbSecurity": { + "Type": "AWS::RDS::DBSecurityGroup", "Properties": { - "DBInstanceClass": "db.t3.small", - "Engine": "MySQL", - "MasterUsername": "YourName", - "MasterUserPassword": "YourPassword", - "DBSecurityGroups": [ + "GroupDescription": "Ingress for Amazon EC2 security group", + "DBSecurityGroupIngress": [ { - "Ref": "DbSecurity" + "CIDRIP": "1.2.3.4/23" } - ], - "AllocatedStorage": "5" + ] } }, - "DbSecurity": { - "Type": "AWS::RDS::DBSecurityGroup", + "DbSecurityByEC2SecurityGroup1": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Ingress for Amazon EC2 security group", - "DBSecurityGroupIngress": { - "CIDRIP": "1.2.3.4/23" - } - } - } - } -} - -``` -
-
Positive test num. 5 - json file - -```json hl_lines="23" -{ - "Resources": { - "DBinstance2": { - "DeletionPolicy": "Snapshot", - "Type": "AWS::RDS::DBInstance", - "Properties": { - "DBSecurityGroups": [ + "SecurityGroupIngress": [ { - "Ref": "DbSecurityByEC2SecurityGroup1" + "CidrIp": "1.2.3.4/23" } - ], - "AllocatedStorage": "5", - "DBInstanceClass": "db.t3.small", - "Engine": "MySQL", - "MasterUsername": "YourName", - "MasterUserPassword": "YourPassword" + ] } }, - "DbSecurityByEC2SecurityGroup1": { + "DbSecurityByEC2SecurityGroup2": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Ingress for Amazon EC2 security group", - "SecurityGroupIngress": { - "CidrIp": "1.2.3.4/23" - } + "SecurityGroupIngress": [ + { + "CidrIpv6": "2001:db8:a::123/64" + } + ] } } } } ``` -
-
Positive test num. 6 - json file +
Positive test num. 4 - json file -```json hl_lines="23" +```json hl_lines="9 18 27" { "Resources": { - "DBinstance3": { - "Type": "AWS::RDS::DBInstance", + "MyDBSecurityGroupIngress": { + "Type": "AWS::RDS::DBSecurityGroupIngress", "Properties": { - "MasterUsername": "YourName", - "MasterUserPassword": "YourPassword", - "DBSecurityGroups": [ - { - "Ref": "DbSecurityByEC2SecurityGroup2" - } - ], - "AllocatedStorage": "5", - "DBInstanceClass": "db.t3.small", - "Engine": "MySQL" - }, - "DeletionPolicy": "Snapshot" + "DBSecurityGroupName": { + "Ref": "MyDBSecurityGroup" + }, + "CIDRIP": "1.2.3.4/23" + } }, - "DbSecurityByEC2SecurityGroup2": { - "Type": "AWS::EC2::SecurityGroup", + "StandaloneIngressIPv4": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "GroupDescription": "Ingress for Amazon EC2 security group", - "SecurityGroupIngress": { - "CidrIpv6": "2001:db8:a::123/64" - } + "GroupId": { + "Ref": "DbSecurityByEC2SecurityGroup1" + }, + "CidrIp": "1.2.3.4/23" + } + }, + "StandaloneIngressIPv6": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DbSecurityByEC2SecurityGroup2" + }, + "CidrIpv6": "2001:db8:a::123/64" } } } 
@@ -205,57 +158,126 @@ Resources: #### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" -#this code is a correct code for which the query should not find any result Resources: - DBinstance: - Type: AWS::RDS::DBInstance - Properties: - DBSecurityGroups: - - - Ref: "DbSecurityByEC2SecurityGroup" - AllocatedStorage: "5" - DBInstanceClass: "db.t3.small" - Engine: "MySQL" - MasterUsername: "YourName" - MasterUserPassword: "YourPassword" - DeletionPolicy: "Snapshot" + DbSecurityByEC2SecurityGroup: Type: AWS::RDS::DBSecurityGroup Properties: GroupDescription: "Ingress for Amazon EC2 security group" DBSecurityGroupIngress: - CIDRIP: 1.2.3.4/28 + - CIDRIP: 1.2.3.4/28 + + DbSecurityByEC2SecurityGroup1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Ingress for Amazon EC2 security group" + SecurityGroupIngress: + - CidrIp: 1.2.3.4/28 + + DbSecurityByEC2SecurityGroup2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Ingress for Amazon EC2 security group" + SecurityGroupIngress: + - CidrIpv6: 2001:db8:a::123/121 +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + + MyDBSecurityGroupIngress: #legacy + Type: AWS::RDS::DBSecurityGroupIngress + Properties: + DBSecurityGroupName: !Ref MyDBSecurityGroup + CIDRIP: 1.2.3.4/28 + + StandaloneIngressIPv4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DbSecurityByEC2SecurityGroup1 + CidrIp: 1.2.3.4/28 + + StandaloneIngressIPv6: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DbSecurityByEC2SecurityGroup2 + CidrIpv6: 2001:db8:a::123/121 + ``` -```json title="Negative test num. 2 - json file" +```json title="Negative test num. 
3 - json file" { "Resources": { - "DBinstance": { - "Type": "AWS::RDS::DBInstance", + "DbSecurityByEC2SecurityGroup": { + "Type": "AWS::RDS::DBSecurityGroup", "Properties": { - "MasterUsername": "YourName", - "MasterUserPassword": "YourPassword", - "DBSecurityGroups": [ + "GroupDescription": "Ingress for Amazon EC2 security group", + "DBSecurityGroupIngress": [ { - "Ref": "DbSecurityByEC2SecurityGroup" + "CIDRIP": "1.2.3.4/28" } - ], - "AllocatedStorage": "5", - "DBInstanceClass": "db.t3.small", - "Engine": "MySQL" - }, - "DeletionPolicy": "Snapshot" + ] + } }, - "DbSecurityByEC2SecurityGroup": { - "Type": "AWS::RDS::DBSecurityGroup", + "DbSecurityByEC2SecurityGroup1": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Ingress for Amazon EC2 security group", - "DBSecurityGroupIngress": { - "CIDRIP": "1.2.3.4/28" - } + "SecurityGroupIngress": [ + { + "CidrIp": "1.2.3.4/28" + } + ] + } + }, + "DbSecurityByEC2SecurityGroup2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Ingress for Amazon EC2 security group", + "SecurityGroupIngress": [ + { + "CidrIpv6": "2001:db8:a::123/121" + } + ] } } } } ``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "MyDBSecurityGroupIngress": { + "Type": "AWS::RDS::DBSecurityGroupIngress", + "Properties": { + "DBSecurityGroupName": { + "Ref": "MyDBSecurityGroup" + }, + "CIDRIP": "1.2.3.4/28" + } + }, + "StandaloneIngressIPv4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DbSecurityByEC2SecurityGroup1" + }, + "CidrIp": "1.2.3.4/28" + } + }, + "StandaloneIngressIPv6": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DbSecurityByEC2SecurityGroup2" + }, + "CidrIpv6": "2001:db8:a::123/121" + } + } + } +} + +``` +
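Review bot: the new samples in 0104165b-02d5-426f-abc9-91fb48189899.md never exercise the boundary the query describes ("must not have more than 256 hosts"): the positives use /23 and /64, the negatives use /28 and /121, so nothing pins down whether a /24 (exactly 256 IPv4 addresses) or a /120 (exactly 256 IPv6 addresses) is reported. Consider adding one of each, on whichever side the query intends, so the inclusive/exclusive behaviour is documented by the samples. Two smaller points in the same hunk: sorting the `hl_lines` values (`hl_lines="8 22 15"`, `hl_lines="19 13 7"`) ascending would make them easier to check against the highlighted lines; and Positive/Negative test num. 2 and 4 use `!Ref MyDBSecurityGroup`, `DbSecurityByEC2SecurityGroup1` and `DbSecurityByEC2SecurityGroup2` without defining those resources, so they parse for KICS but are not deployable templates.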
diff --git a/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md b/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md index 5d1c172a453..33a626853d8 100644 --- a/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md +++ b/docs/queries/cloudformation-queries/aws/01d5a458-a6c4-452a-ac50-054d59275b7c.md @@ -43,7 +43,108 @@ Resources: SecurityGroups: - sgwithoutegress ``` -```json title="Positive test num. 2 - json file" hl_lines="6" +```json title="Positive test num. 2 - json file" hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MySGv2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "SG v2 with empty egress inline", + "VpcId": "vpc-123456", + "SecurityGroupEgress": [] + } + }, + "MyALB": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "MySGv2" + ], + "Subnets": [ + "subnet-123", + "subnet-456" + ] + } + } + } +} +``` +```yaml title="Positive test num. 3 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySG: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "SG with incorrect standalone egress" + VpcId: vpc-123456 + + WrongStandaloneEgress: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: wrong-ref + CidrIp: 0.0.0.0/0 + IpProtocol: -1 + + MyClassicLB: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - MySG + Listeners: + - LoadBalancerPort: 80 + InstancePort: 80 + Protocol: HTTP + Subnets: + - subnet-123 + +``` +
Positive test num. 4 - json file + +```json hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MySG": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "SG with incorrect standalone egress", + "VpcId": "vpc-123456" + } + }, + "WrongStandaloneEgress": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": "wrong-ref", + "CidrIp": "0.0.0.0/0", + "IpProtocol": -1 + } + }, + "MyClassicLB": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "MySG" + ], + "Listeners": [ + { + "LoadBalancerPort": 80, + "InstancePort": 80, + "Protocol": "HTTP" + } + ], + "Subnets": [ + "subnet-123" + ] + } + } + } +} +``` +
+
Positive test num. 5 - json file + +```json hl_lines="6" { "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { @@ -65,6 +166,217 @@ Resources: } ``` +
+
Positive test num. 6 - yaml file + +```yaml hl_lines="5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithegress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + + sgEgressRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref wrong_ref + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + + MyLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + SecurityGroups: + - !Ref sgwithegress + +``` +
+
Positive test num. 7 - json file + +```json hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "sgwithegress": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Limits security group egress traffic" + } + }, + "sgEgressRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "wrong_ref" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "sgwithegress" + } + ] + } + } + } +} + +``` +
+
Positive test num. 8 - yaml file + +```yaml hl_lines="5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySG: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "SG without egress inline" + VpcId: vpc-123456 + + MyClassicLB: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - MySG + Listeners: + - LoadBalancerPort: 80 + InstancePort: 80 + Protocol: HTTP + Subnets: + - subnet-123 + +``` +
+
Positive test num. 9 - json file + +```json hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MySG": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "SG without egress inline", + "VpcId": "vpc-123456" + } + }, + "MyClassicLB": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "MySG" + ], + "Listeners": [ + { + "LoadBalancerPort": 80, + "InstancePort": 80, + "Protocol": "HTTP" + } + ], + "Subnets": [ + "subnet-123" + ] + } + } + } +} +``` +
+
Positive test num. 10 - yaml file + +```yaml hl_lines="8" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySG: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "SG with empty egress inline" + VpcId: vpc-123456 + SecurityGroupEgress: [] + + MyClassicLB: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - MySG + Listeners: + - LoadBalancerPort: 80 + InstancePort: 80 + Protocol: HTTP + Subnets: + - subnet-123 +``` +
+
Positive test num. 11 - json file + +```json hl_lines="9" +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MySG": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "SG with empty egress inline", + "VpcId": "vpc-123456", + "SecurityGroupEgress": [] + } + }, + "MyClassicLB": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + "MySG" + ], + "Listeners": [ + { + "LoadBalancerPort": 80, + "InstancePort": 80, + "Protocol": "HTTP" + } + ], + "Subnets": [ + "subnet-123" + ] + } + } + } +} +``` +
+
Positive test num. 12 - yaml file + +```yaml hl_lines="8" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySGv2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "SG v2 with empty egress inline" + VpcId: vpc-123456 + SecurityGroupEgress: [] + + MyALB: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + SecurityGroups: + - MySGv2 + Subnets: + - subnet-123 + - subnet-456 + +``` +
#### Code samples without security vulnerabilities @@ -91,18 +403,18 @@ Resources: "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { "sgwithegress": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Limits security group egress traffic", "SecurityGroupEgress": [ { - "IpProtocol": "tcp", - "FromPort": 80, "ToPort": 80, - "CidrIp": "0.0.0.0/0" + "CidrIp": "0.0.0.0/0", + "IpProtocol": "tcp", + "FromPort": 80 } ] - }, - "Type": "AWS::EC2::SecurityGroup" + } }, "MyLoadBalancer": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", @@ -116,4 +428,229 @@ Resources: } ``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithegress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + + sgEgressRule: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref sgwithegress + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + + MyLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + SecurityGroups: + - !Ref sgwithegress + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "sgwithegress": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Limits security group egress traffic" + } + }, + "sgEgressRule": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "sgwithegress" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "sgwithegress" + } + ] + } + } + } +} + +``` +
+
Negative test num. 5 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySG: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "SG with valid standalone egress" + VpcId: vpc-123456 + + MyStandaloneEgress: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref MySG + IpProtocol: -1 + CidrIp: 0.0.0.0/0 + + MyClassicLB: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - !Ref MySG + Listeners: + - LoadBalancerPort: 80 + InstancePort: 80 + Protocol: HTTP + Subnets: + - subnet-123 + +``` +
+
Negative test num. 6 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MySG": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "SG with valid standalone egress", + "VpcId": "vpc-123456" + } + }, + "MyStandaloneEgress": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "MySG" + }, + "IpProtocol": -1, + "CidrIp": "0.0.0.0/0" + } + }, + "MyClassicLB": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "MySG" + } + ], + "Listeners": [ + { + "LoadBalancerPort": 80, + "InstancePort": 80, + "Protocol": "HTTP" + } + ], + "Subnets": [ + "subnet-123" + ] + } + } + } +} +``` +
+
Negative test num. 7 - yaml file + +```yaml +AWSTemplateFormatVersion: 2010-09-09 +Resources: + MySGv2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "SG with both inline and standalone egress" + VpcId: vpc-123456 + SecurityGroupEgress: + - IpProtocol: tcp + FromPort: 443 + ToPort: 443 + CidrIp: 0.0.0.0/0 + + MyStandaloneEgressv2: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref MySGv2 + IpProtocol: -1 + CidrIp: 0.0.0.0/0 + + MyALB: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + SecurityGroups: + - !Ref MySGv2 + Subnets: + - subnet-aaa + - subnet-bbb + +``` +
+
Negative test num. 8 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MySGv2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "SG with both inline and standalone egress", + "VpcId": "vpc-123456", + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 443, + "ToPort": 443, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "MyStandaloneEgressv2": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "MySGv2" + }, + "IpProtocol": -1, + "CidrIp": "0.0.0.0/0" + } + }, + "MyALB": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "MySGv2" + } + ], + "Subnets": [ + "subnet-aaa", + "subnet-bbb" + ] + } + } + } +} +``` +
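Review bot: `IpProtocol: -1` stays unquoted throughout the new 01d5a458-a6c4-452a-ac50-054d59275b7c.md samples (Positive test num. 3 and 4, Negative test num. 5 to 8, e.g. `IpProtocol: -1` in YAML and `"IpProtocol": -1` in JSON), while the 1a427b25-2e9e-4298-9530-0499a55e736b.md hunks in this same change rewrite their samples to `IpProtocol: "-1"`. CloudFormation declares IpProtocol as a String, so the quoted form is the one to standardise on; as submitted, two query docs in one change disagree on how to write the all-protocols rule. Also, Positive test num. 3/4 and 6/7 rely on a dangling `GroupId: wrong-ref` / `GroupId: !Ref wrong_ref` to make the standalone egress not count toward the security group; a one-line comment in the sample saying the rule is deliberately attached to a non-existent group would stop readers taking it for a typo.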
diff --git a/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md b/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md index 071e132467a..554e267cb3f 100644 --- a/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md +++ b/docs/queries/cloudformation-queries/aws/1a427b25-2e9e-4298-9530-0499a55e736b.md @@ -39,7 +39,7 @@ Resources: VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: -1 + - IpProtocol: "-1" FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 @@ -65,7 +65,7 @@ Resources: InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: - IpProtocol: -1 + IpProtocol: "-1" FromPort: 0 ToPort: 65535 SourceSecurityGroupId: @@ -88,7 +88,7 @@ Resources: }, "SecurityGroupIngress": [ { - "IpProtocol": -1, + "IpProtocol": "-1", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" @@ -128,7 +128,7 @@ Resources: "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "IpProtocol": -1, + "IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, "SourceSecurityGroupId": { diff --git a/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md b/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md index f5eec723d1d..6ed7c8aff3b 100644 --- a/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md +++ b/docs/queries/cloudformation-queries/aws/1cc2fbd7-816c-4fbf-ad6d-38a4afa4312a.md @@ -30,7 +30,7 @@ AWS Security Group Egress CIDR should not be open to the world
### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="27 4" +```yaml title="Positive test num. 1 - yaml file" hl_lines="27 19" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -83,7 +83,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Positive test num. 2 - json file" hl_lines="34 5" +```json title="Positive test num. 2 - json file" hl_lines="17 34" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md b/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md index f73d7e1c649..775430940b8 100644 --- a/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md +++ b/docs/queries/cloudformation-queries/aws/494b03d3-bf40-4464-8524-7c56ad0700ed.md 
@@ -30,357 +30,418 @@ The EC2 instance has a sensitive port connection exposed to the entire networkPositive test num. 4 - yaml file +# IPv6 Rules + Positive1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "All ports exposed on all protocols" + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" -```yaml hl_lines="18 14 22" -AWSTemplateFormatVersion: 2010-09-09T00:00:00Z -Resources: - UnsafeSecGroup04: + Positive1IPv6_2: Type: AWS::EC2::SecurityGroup Properties: - SecurityGroupEgress: - - IpProtocol: tcp + GroupDescription: "Port 22 exposed on TCP" + SecurityGroupIngress: + - IpProtocol: "6" FromPort: 22 ToPort: 22 - CidrIp: 0.0.0.0/0 - GroupDescription: Allow LDAP and SNMP - VpcId: my-vpc + CidrIpv6: "fd12:3456:789a::1/0" + + Positive1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Ports 53 and 137 exposed on UDP" SecurityGroupIngress: - - ToPort: 389 - FromPort: 389 - IpProtocol: "-1" - CidrIp: 10.0.0.0/0 - - ToPort: 150 - FromPort: 180 - IpProtocol: udp - CidrIp: 10.0.0.1/0 - - ToPort: 53 + - IpProtocol: "17" FromPort: 53 - IpProtocol: "-1" - CidrIp: 10.0.0.1/0 - EC2Instance03: + ToPort: 53 + CidrIpv6: "fd00:abcd:1234::42/0" + - IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "fd00:abcd:1234::42/0" + +``` +```yaml title="Positive test num. 2 - yaml file" hl_lines="66 38 75 47 20 84 57 29" +Resources: + EC2Instance01: Type: AWS::EC2::Instance Properties: - SecurityGroups: - - UnsafeSecGroup04 - KeyName: my-new-rsa-key ImageId: ami-79fd7eee InstanceType: t3.medium + SecurityGroupIds: + - !Ref DualStackSecurityGroup + KeyName: my-new-rsa-key -``` -
-
Positive test num. 5 - json file + DualStackSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for IPv4 and IPv6 ingress rules" + VpcId: !Ref MyVPC + +# IPv4 Rules + IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "6" + FromPort: 22 + ToPort: 22 + CidrIp: "10.0.0.0/0" + + IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 22 + ToPort: 22 + CidrIp: "192.168.0.0/0" + + IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 53 + ToPort: 53 + CidrIp: "172.16.0.0/0" + + IPv4Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIp: "172.16.0.0/0" + +# IPv6 Rules + IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "6" + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" -```json hl_lines="25" + IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd12:3456:789a::1/0" + + IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 53 + ToPort: 53 + CidrIpv6: "fd00:abcd:1234::42/0" + + IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "fd00:abcd:1234::42/0" + +``` +```json title="Positive test num. 
3 - json file" hl_lines="65 39 107 79 113 53 25 93" { - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { - "UnsafeSecGroup01": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "SecurityGroupEgress": [ - { - "FromPort": 22, - "ToPort": 22, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp" - } - ], - "GroupDescription": "Allow http and redis", - "VpcId": "my-vpc", - "SecurityGroupIngress": [ - { - "FromPort": 8080, - "ToPort": 8080, - "CidrIp": "127.0.0.1/32", - "IpProtocol": "tcp" - }, - { - "IpProtocol": "tcp", - "FromPort": 6379, - "ToPort": 6379, - "CidrIp": "10.0.0.1/0" - } - ] - } - }, "EC2Instance01": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "ami-79fd7eee", "InstanceType": "t3.medium", - "SecurityGroups": [ - "UnsafeSecGroup01" + "SecurityGroupIds": [ + { "Ref": "Positive1IPv4_1" }, + { "Ref": "Positive1IPv4_2" }, + { "Ref": "Positive1ArrayTestIPv4" }, + { "Ref": "Positive1IPv6_1" }, + { "Ref": "Positive1IPv6_2" }, + { "Ref": "Positive1ArrayTestIPv6" } ], "KeyName": "my-new-rsa-key" } - } - } -} - -``` -
-
Positive test num. 6 - json file - -```json hl_lines="17 23" -{ - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", - "Resources": { - "UnsafeSecGroup02": { + }, + "Positive1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http and mysql", - "VpcId": "my-vpc", + "GroupDescription": "All ports exposed on all protocols", + "SecurityGroupIngress": [ + { + "IpProtocol": "17", + "FromPort": 53, + "ToPort": 53, + "CidrIp": "10.0.0.0/0" + } + ] + } + }, + "Positive1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Port 80 on TCP exposed", "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, - "CidrIp": "127.0.0.1/32" + "CidrIp": "192.168.0.0/0" + } + ] + } + }, + "Positive1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Ports 53 and 137 exposed on UDP", + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 53, + "ToPort": 53, + "CidrIp": "172.16.0.0/0" }, { - "CidrIp": "10.0.0.1/0", - "IpProtocol": "tcp", - "FromPort": 1433, - "ToPort": 1434 + "IpProtocol": "6", + "FromPort": 110, + "ToPort": 110, + "CidrIp": "10.68.0.0" }, { - "IpProtocol": "tcp", - "FromPort": 150, - "ToPort": 180, - "CidrIp": "10.0.0.1/0" + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "172.16.0.0/0" } - ], - "SecurityGroupEgress": [ + ] + } + }, + "Positive1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "All ports exposed on all protocols", + "SecurityGroupIngress": [ { + "IpProtocol": "-1", "FromPort": 22, "ToPort": 22, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp" + "CidrIpv6": "fd00::/0" } ] } }, - "EC2Instance02": { - "Type": "AWS::EC2::Instance", - "Properties": { - "SecurityGroups": [ - "UnsafeSecGroup02" - ], - "KeyName": "my-new-rsa-key", - "ImageId": "ami-79fd7eee", - "InstanceType": "t3.medium" - } - } - } -} - -``` -
-
Positive test num. 7 - json file - -```json hl_lines="24 18" -{ - "Resources": { - "UnsafeSecGroup03": { + "Positive1IPv6_2": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "SecurityGroupEgress": [ + "GroupDescription": "Port 22 exposed on TCP", + "SecurityGroupIngress": [ { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", + "IpProtocol": "6", "FromPort": 22, - "ToPort": 22 + "ToPort": 22, + "CidrIpv6": "fd12:3456:789a::1/0" } - ], - "GroupDescription": "Allow http and hadoop", - "VpcId": "my-vpc", + ] + } + }, + "Positive1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Ports 53 and 137 exposed on UDP", "SecurityGroupIngress": [ { - "FromPort": 80, - "ToPort": 80, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp" + "IpProtocol": "17", + "FromPort": 53, + "ToPort": 53, + "CidrIpv6": "fd00:abcd:1234::42/0" }, { - "ToPort": 9000, - "CidrIp": "10.0.0.1/0", - "IpProtocol": "tcp", - "FromPort": 9000 + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "fd00:abcd:1234::42/0" } ] } - }, - "EC2Instance03": { - "Type": "AWS::EC2::Instance", - "Properties": { - "SecurityGroups": [ - "UnsafeSecGroup03" - ], - "KeyName": "my-new-rsa-key", - "ImageId": "ami-79fd7eee", - "InstanceType": "t3.medium" - } } - }, - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" + } } ``` -
-
Positive test num. 8 - json file +
Positive test num. 4 - json file -```json hl_lines="24 18 30" +```json hl_lines="64 34 74 44 84 54 24 94" { + "AWSTemplateFormatVersion": "2010-09-09", "Resources": { - "UnsafeSecGroup04": { - "Type": "AWS::EC2::SecurityGroup", + "EC2Instance01": { + "Type": "AWS::EC2::Instance", "Properties": { - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22 - } + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.medium", + "SecurityGroupIds": [ + { "Ref": "DualStackSecurityGroup" } ], - "GroupDescription": "Allow LDAP and SNMP", - "VpcId": "my-vpc", - "SecurityGroupIngress": [ - { - "CidrIp": "10.0.0.0/0", - "ToPort": 389, - "FromPort": 389, - "IpProtocol": "-1" - }, - { - "FromPort": 180, - "IpProtocol": "udp", - "CidrIp": "10.0.0.1/0", - "ToPort": 150 - }, - { - "IpProtocol": "-1", - "CidrIp": "10.0.0.1/0", - "ToPort": 53, - "FromPort": 53 - } - ] + "KeyName": "my-new-rsa-key" } }, - "EC2Instance03": { - "Type": "AWS::EC2::Instance", + "DualStackSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "SecurityGroups": [ - "UnsafeSecGroup04" - ], - "KeyName": "my-new-rsa-key", - "ImageId": "ami-79fd7eee", - "InstanceType": "t3.medium" + "GroupDescription": "Security group for IPv4 and IPv6 ingress rules", + "VpcId": { "Ref": "MyVPC" } + } + }, + "IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "6", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "10.0.0.0/0" + } + }, + "IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "192.168.0.0/0" + } + }, + "IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 53, + "ToPort": 53, + "CidrIp": "172.16.0.0/0" + } + 
}, + "IPv4Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "172.16.0.0/0" + } + }, + "IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "6", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd00::/0" + } + }, + "IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd12:3456:789a::1/0" + } + }, + "IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 53, + "ToPort": 53, + "CidrIpv6": "fd00:abcd:1234::42/0" + } + }, + "IPv6Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "fd00:abcd:1234::42/0" } } - }, - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z" + } } ``` 
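Review bot: in the JSON "Positive test num. 3" sample the `Positive1IPv4_1` group is described as "All ports exposed on all protocols" while its only rule is `"IpProtocol": "17"` on port 53 (the description was copied from `Positive1IPv6_1`), and the middle rule of `Positive1ArrayTestIPv4` (`"IpProtocol": "6"`, port 110, `"CidrIp": "10.68.0.0"`) has no prefix length and nothing marks it as the deliberately unflagged control entry that the YAML array tests carry; give it a valid non-zero prefix such as the `10.68.0.0/14` used in the negative fixture and say so in the GroupDescription. The IPv6 fixtures also rely on non-canonical /0 CIDRs (`fd12:3456:789a::1/0`, `fd00:abcd:1234::42/0`); that is fine for exercising the prefix-length check, but a short comment that these are fixture values and not deployable templates would help readers of the docs page.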
@@ -389,83 +450,418 @@ Resources: #### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" -AWSTemplateFormatVersion: 2010-09-09T00:00:00Z Resources: - SafeSecGroup: + EC2Instance01: + Type: AWS::EC2::Instance + Properties: + ImageId: ami-79fd7eee + InstanceType: t3.medium + SecurityGroupIds: + - !Ref Negative1IPv4_1 + - !Ref Negative1IPv4_2 + - !Ref Negative1ArrayTestIPv4 + - !Ref Negative1IPv6_1 + - !Ref Negative1IPv6_2 + - !Ref Negative1ArrayTestIPv6 + KeyName: my-new-rsa-key + +# Ipv4 Rules + Negative1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: - SecurityGroupEgress: - - IpProtocol: tcp + GroupDescription: "Incorrect protocol: ICMP" + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "icmp" FromPort: 22 ToPort: 22 - CidrIp: 127.0.0.1/32 - GroupDescription: Allow http and ssh - VpcId: my-vpc + CidrIp: "10.0.0.0/0" + + Negative1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Unknown port: port 5000" + VpcId: !Ref MyVPC SecurityGroupIngress: - - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/32 - IpProtocol: tcp - - ToPort: 77 - CidrIp: 127.0.0.1/32 - IpProtocol: all - FromPort: 77 - MyNegativeEC2Instance: + - IpProtocol: "tcp" + FromPort: 5000 + ToPort: 5000 + CidrIp: "192.168.0.0/0" + + Negative1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Mixed incorrect CIDR and 'All incorrect'" + VpcId: !Ref MyVPC + SecurityGroupIngress: + # incorrect cidr (not exposed) + - IpProtocol: "udp" + FromPort: 53 + ToPort: 53 + CidrIp: "8.8.0.0/16" + # all fields "incorrect" + - IpProtocol: "icmp" + FromPort: 5000 + ToPort: 5000 + CidrIp: "10.68.0.0/14" + +# IPv6 Rules + Negative1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Incorrect protocol: ICMPV6" + SecurityGroupIngress: + - IpProtocol: "58" # protocol number 58 is "icmpv6" = incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + Negative1IPv6_2: + Type: 
AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Unknown port: port 5000" + SecurityGroupIngress: + - IpProtocol: "6" + FromPort: 5000 # unknown port + ToPort: 5000 + CidrIpv6: "fd12:3456:789a::1/0" + + Negative1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Mixed incorrect CIDR and 'All incorrect'" + SecurityGroupIngress: + - IpProtocol: "udp" + FromPort: 53 + ToPort: 53 + CidrIpv6: "2400:cb00::/32" # incorrect cidr (not exposed) + - IpProtocol: "58" # all fields "incorrect" + FromPort: 110 + ToPort: 110 + CidrIpv6: "fd00:abcd:1234::42/0" + +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + EC2Instance01: Type: AWS::EC2::Instance Properties: - SecurityGroups: - - SafeSecGroup - KeyName: my-new-rsa-key ImageId: ami-79fd7eee InstanceType: t3.medium + SecurityGroupIds: + - !Ref Negative2SecurityGroup + KeyName: my-new-rsa-key + + Negative2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for negative test cases" + VpcId: !Ref MyVPC + +# IPv4 Rules + Negative2IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "icmp" # incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIp: "10.0.0.0/0" + + Negative2IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 5000 # unknown port + ToPort: 5000 + CidrIp: "192.168.0.0/0" + + Negative2IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" + FromPort: 53 + ToPort: 53 + CidrIp: "8.8.0.0/16" # incorrect cidr (not exposed) + + Negative2IPv4Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup # all fields "incorrect" + IpProtocol: "icmp" + FromPort: 5000 + ToPort: 5000 + CidrIp: "8.8.0.0/16" + +# IPv6 Rules + Negative2IPv6Ingress1: + Type: 
AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "58" # protocol number 58 is "icmpv6" = incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + Negative2IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 5000 # unknown port + ToPort: 5000 + CidrIpv6: "fd12:3456:789a::1/0" + + Negative2IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" + FromPort: 53 + ToPort: 53 + CidrIpv6: "2400:cb00::/32" # incorrect cidr (not exposed) + + Negative2IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup # all fields "incorrect" + IpProtocol: "58" # ICMPv6 + FromPort: 5000 + ToPort: 5000 + CidrIpv6: "2400:cb00::/32" ``` -```json title="Negative test num. 2 - json file" +```json title="Negative test num. 3 - json file" { - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { - "SafeSecGroup": { + "EC2Instance01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "ImageId": "ami-79fd7eee", + "InstanceType": "t3.medium", + "SecurityGroupIds": [ + { "Ref": "Negative1IPv4_1" }, + { "Ref": "Negative1IPv4_2" }, + { "Ref": "Negative1ArrayTestIPv4" }, + { "Ref": "Negative1IPv6_1" }, + { "Ref": "Negative1IPv6_2" }, + { "Ref": "Negative1ArrayTestIPv6" } + ], + "KeyName": "my-new-rsa-key" + } + }, + "Negative1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", + "GroupDescription": "Incorrect protocol: ICMP", + "VpcId": { "Ref": "MyVPC" }, "SecurityGroupIngress": [ { - "FromPort": 80, - "ToPort": 80, - "CidrIp": "127.0.0.1/32", - "IpProtocol": "tcp" + "IpProtocol": "icmp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "10.0.0.0/0" + } + ] + } + }, + "Negative1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + 
"GroupDescription": "Unknown port: port 5000", + "VpcId": { "Ref": "MyVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "192.168.0.0/0" + } + ] + } + }, + "Negative1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Mixed incorrect CIDR and 'All incorrect'", + "VpcId": { "Ref": "MyVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 53, + "ToPort": 53, + "CidrIp": "8.8.0.0/16" }, { - "ToPort": 77, - "CidrIp": "127.0.0.1/32", - "IpProtocol": "all", - "FromPort": 77 + "IpProtocol": "icmp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "10.68.0.0/14" } - ], - "SecurityGroupEgress": [ + ] + } + }, + "Negative1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Incorrect protocol: ICMPV6", + "SecurityGroupIngress": [ { + "IpProtocol": "58", "FromPort": 22, "ToPort": 22, - "CidrIp": "127.0.0.1/32", - "IpProtocol": "tcp" + "CidrIpv6": "fd00::/0" + } + ] + } + }, + "Negative1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Unknown port: port 5000", + "SecurityGroupIngress": [ + { + "IpProtocol": "6", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "fd12:3456:789a::1/0" } ] } }, - "MyNegativeEC2Instance": { + "Negative1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Mixed incorrect CIDR and 'All incorrect'", + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 53, + "ToPort": 53, + "CidrIpv6": "2400:cb00::/32" + }, + { + "IpProtocol": "58", + "FromPort": 110, + "ToPort": 110, + "CidrIpv6": "fd00:abcd:1234::42/0" + } + ] + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "EC2Instance01": { "Type": "AWS::EC2::Instance", "Properties": { - "SecurityGroups": [ - "SafeSecGroup" - ], - "KeyName": "my-new-rsa-key", "ImageId": "ami-79fd7eee", - "InstanceType": "t3.medium" + "InstanceType": "t3.medium", + "SecurityGroupIds": [ + { "Ref": "Negative2SecurityGroup" } + ], + "KeyName": "my-new-rsa-key" + } + }, + "Negative2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for negative test cases", + "VpcId": { "Ref": "MyVPC" } + } + }, + "Negative2IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "icmp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "10.0.0.0/0" + } + }, + "Negative2IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "192.168.0.0/0" + } + }, + "Negative2IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 53, + "ToPort": 53, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv4Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "icmp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "58", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd00::/0" + } + }, + "Negative2IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 
5000, + "CidrIpv6": "fd12:3456:789a::1/0" + } + }, + "Negative2IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 53, + "ToPort": 53, + "CidrIpv6": "2400:cb00::/32" + } + }, + "Negative2IPv6Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "58", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "2400:cb00::/32" } } } } ``` +
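Review bot: the `# all fields "incorrect"` comment on the second `Negative1ArrayTestIPv6` rule does not match its values: the port is 110 (not the "unknown port" 5000 used everywhere else) and `CidrIpv6: "fd00:abcd:1234::42/0"` is a /0, so only the protocol (`"58"`) keeps the rule out of the result; either align it with the IPv4 counterpart (icmp, 5000, non-zero prefix) or reword the comment to say which single field makes it a negative. In the same hunk, the comment in `Negative2IPv4Ingress4` sits on the `GroupId` line rather than next to the rule fields it describes, the IPv6 groups in Negative test 1 omit `VpcId` while the IPv4 ones set it, and the section comment reads `# Ipv4 Rules` against `# IPv6 Rules`.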
diff --git a/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md b/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md index 44d6e69c0d0..230022c41b3 100644 --- a/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md +++ b/docs/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5.md @@ -30,7 +30,7 @@ It's considered a best practice for AWS Security Group to have a description
### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="33 4 8 13 19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="33 4 8 13 47 19" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -75,10 +75,38 @@ Resources: Fn::GetAtt: - TargetSG - GroupId + LegacySecurityGroup: + Type: AWS::RDS::DBSecurityGroup + Properties: + DBSecurityGroupName: "sample" ``` -```json title="Positive test num. 2 - json file" hl_lines="5 45 48 56 25" +```json title="Positive test num. 2 - json file" hl_lines="5 69 11 49 19 29" { "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "VpcId": { + "Ref": "myVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ], + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { @@ -102,6 +130,9 @@ Resources: "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", @@ -113,34 +144,13 @@ Resources: "TargetSG", "GroupId" ] - }, - "IpProtocol": "tcp", - "FromPort": 0, - "ToPort": 65535 + } } }, - "InstanceSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", + "LegacySecurityGroup": { + "Type": "AWS::RDS::DBSecurityGroup", "Properties": { - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, - "CidrIp": "0.0.0.0/0" - } - ], - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80 - } - ], - "VpcId": { - "Ref": "myVPC" - } + "DBSecurityGroupName": "sample" } } } 
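Review bot: please check the new `AWS::RDS::DBSecurityGroup` fixture against the resource schema before merging: `DBSecurityGroupName` is not a property of that resource type as far as I know (its properties are `DBSecurityGroupIngress`, `EC2VpcId`, `GroupDescription` and `Tags`, with `DBSecurityGroupIngress` and `GroupDescription` required), so the positive sample would not validate as a template. Leaving out `GroupDescription` is the point of the positive case, but the remaining property should be a real one, e.g. a `DBSecurityGroupIngress` list. The `InboundRule` edit in the JSON sample only moves `IpProtocol`/`FromPort`/`ToPort` above `SourceSecurityGroupId`, which is pure reordering; keeping it out of this change would make the `hl_lines` update easier to verify.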
@@ -200,6 +210,11 @@ Resources: Fn::GetAtt: - TargetSG - GroupId + LegacySecurityGroup: + Type: AWS::RDS::DBSecurityGroup + Properties: + DBSecurityGroupName: "sample" + GroupDescription: Legacy description ``` ```json title="Negative test num. 2 - json file" { @@ -208,9 +223,7 @@ Resources: "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow http to client host", - "VpcId": { - "Ref": "myVPC" - }, + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", @@ -222,11 +235,11 @@ Resources: ], "SecurityGroupEgress": [ { + "IpProtocol": "tcp", + "Description": "TCP", "FromPort": 80, "ToPort": 80, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "Description": "TCP" + "CidrIp": "0.0.0.0/0" } ] } @@ -234,21 +247,15 @@ Resources: "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties": { - "GroupId": { - "Fn::GetAtt": [ - "SourceSG", - "GroupId" - ] - }, "Description": "TCP", "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "DestinationSecurityGroupId": { - "Fn::GetAtt": [ - "TargetSG", - "GroupId" - ] + "Fn::GetAtt": ["TargetSG", "GroupId"] + }, + "GroupId": { + "Fn::GetAtt": ["SourceSG", "GroupId"] } } }, @@ -260,18 +267,19 @@ Resources: "FromPort": 0, "ToPort": 65535, "SourceSecurityGroupId": { - "Fn::GetAtt": [ - "SourceSG", - "GroupId" - ] + "Fn::GetAtt": ["SourceSG", "GroupId"] }, "GroupId": { - "Fn::GetAtt": [ - "TargetSG", - "GroupId" - ] + "Fn::GetAtt": ["TargetSG", "GroupId"] } } + }, + "LegacySecurityGroup": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "DBSecurityGroupName": "sample", + "GroupDescription": "Legacy description" + } } } } diff --git a/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md b/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md index 2ef952e3f38..edc98a36f2a 100644 --- a/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md 
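Review bot: most of the negative-sample hunks in this file (one-lining `VpcId`, collapsing the `Fn::GetAtt` arrays in `OutboundRule` and `InboundRule`, moving `GroupId` below `DestinationSecurityGroupId`, reordering the egress rule keys) are formatting-only changes mixed into a test-coverage change; split them out or drop them so the diff shows just the `LegacySecurityGroup` additions. For the negative `LegacySecurityGroup` itself, `DBSecurityGroupName` should be replaced by a documented property of `AWS::RDS::DBSecurityGroup` and `DBSecurityGroupIngress` added; otherwise the sample passes the query only because it carries a `GroupDescription`, not because it is a valid template.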
+++ b/docs/queries/cloudformation-queries/aws/66f2d8f9-a911-4ced-ae27-34f09690bb2c.md @@ -25,162 +25,299 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_allows_unrestricted_outbound_traffic) ### Description -No security group should allow unrestricted egress access
+Security group should never allow unrestricted egress access
[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="16" -Parameters: - KeyName: - Description: The EC2 Key Pair to allow SSH access to the instance - Type: 'AWS::EC2::KeyPair::KeyName' +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 16 26" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' - Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - - MyExistingSecurityGroup - KeyName: !Ref KeyName - ImageId: ami-7a11e213 - InstanceSecurityGroup: + Positive1_security_group: Type: 'AWS::EC2::SecurityGroup' Properties: - GroupDescription: Enable SSH access via port 22 - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: '22' - ToPort: '22' - CidrIp: 0.0.0.0/0 + GroupDescription: Open security group + VpcId: !Ref MyVPC SecurityGroupEgress: - - IpProtocol: ALL - FromPort: '22' - ToPort: '22' + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 CidrIp: 0.0.0.0/0 + + # Standalone IPv4 egress rule + Positive1_egress_ipv4: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref Positive1_security_group + IpProtocol: "-1" + FromPort: 3000 + ToPort: 3000 + CidrIp: 0.0.0.0/0 + + # Standalone IPv6 egress rule + Positive1_egress_ipv6: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref Positive1_security_group + IpProtocol: "-1" + FromPort: 4000 + ToPort: 4000 + CidrIpv6: ::/0 + +``` +```yaml title="Positive test num. 
2 - yaml file" hl_lines="8 16" +Resources: + Positive2_security_group: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Open security group + VpcId: !Ref MyVPC + SecurityGroupEgress: + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 + CidrIpv6: ::/0 + + # Standalone IPv6 egress rule + Positive2_egress_ipv6: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref Positive2_security_group + IpProtocol: "-1" + FromPort: 4000 + ToPort: 4000 + CidrIpv6: 0:0:0:0:0:0:0:0/0 + ``` -```json title="Positive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 3 - json file" hl_lines="34 12 22" { - "Parameters": { - "KeyName": { - "Description": "The EC2 Key Pair to allow SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - } - }, "Resources": { - "Ec2Instance": { - "Type": "AWS::EC2::Instance", - "Properties": { - "ImageId": "ami-7a11e213", - "SecurityGroups": [ - "InstanceSecurityGroup", - "MyExistingSecurityGroup" - ], - "KeyName": "KeyName" - } - }, - "InstanceSecurityGroup": { + "Positive3_security_group": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "SecurityGroupIngress": [ - { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": "22", - "ToPort": "22" - } - ], + "GroupDescription": "Open security group", + "VpcId": { + "Ref": "MyVPC" + }, "SecurityGroupEgress": [ { - "IpProtocol": "ALL", - "FromPort": "22", - "ToPort": "22", + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, "CidrIp": "0.0.0.0/0" } - ], - "GroupDescription": "Enable SSH access via port 22" - }, - "Type": "AWS::EC2::SecurityGroup" + ] + } + }, + "Positive3_egress_ipv4": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "Positive3_security_group" + }, + "IpProtocol": "-1", + "FromPort": 3000, + "ToPort": 3000, + "CidrIp": "0.0.0.0/0" + } + }, + "Positive3_egress_ipv6": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": 
"Positive3_security_group" + }, + "IpProtocol": "-1", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "::/0" + } } } } ``` +
Positive test num. 4 - json file + +```json hl_lines="12 22" +{ + "Resources": { + "Positive4_security_group": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Open security group", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupEgress": [ + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive4_egress_ipv6": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "Positive4_security_group" + }, + "IpProtocol": "-1", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "0:0:0:0:0:0:0:0/0" + } + } + } +} +``` +
#### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" -Parameters: - KeyName: - Description: The EC2 Key Pair to allow SSH access to the instance - Type: 'AWS::EC2::KeyPair::KeyName' Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' - Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - - MyExistingSecurityGroup - KeyName: !Ref KeyName - ImageId: ami-7a11e213 - InstanceSecurityGroup: + Negative1_security_group: Type: 'AWS::EC2::SecurityGroup' Properties: - GroupDescription: Enable SSH access via port 22 - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: '22' - ToPort: '22' - CidrIp: 0.0.0.0/0 + GroupDescription: Open security group + VpcId: !Ref MyVPC SecurityGroupEgress: - - IpProtocol: tcp - FromPort: '22' - ToPort: '22' + - IpProtocol: tcp # protocol is not "-1" + FromPort: 2000 + ToPort: 2000 CidrIp: 0.0.0.0/0 + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 + CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0 + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 + CidrIpv6: 2001:0db8::/32 # cidr is not ::/0 + + # Standalone IPv4 egress rules + Negative1_egress_ipv4_1: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref Negative1_security_group + IpProtocol: tcp # protocol is not "-1" + FromPort: 3000 + ToPort: 3000 + CidrIp: 0.0.0.0/0 + + Negative1_egress_ipv4_2: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref Negative1_security_group + IpProtocol: "-1" + FromPort: 3000 + ToPort: 3000 + CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0 + + # Standalone IPv6 egress rules + Negative1_egress_ipv6_1: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref Negative1_security_group + IpProtocol: tcp # protocol is not "-1" + FromPort: 4000 + ToPort: 4000 + CidrIpv6: ::/0 + + Negative1_egress_ipv6_2: + Type: AWS::EC2::SecurityGroupEgress + Properties: + GroupId: !Ref Negative1_security_group + IpProtocol: "-1" + FromPort: 4000 + ToPort: 4000 + CidrIpv6: 
2001:0db8::/32 # cidr is not ::/0 + ``` ```json title="Negative test num. 2 - json file" { - "Parameters": { - "KeyName": { - "Description": "The EC2 Key Pair to allow SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - } - }, - "Resources": { - "Ec2Instance": { - "Type": "AWS::EC2::Instance", - "Properties": { - "SecurityGroups": [ - "InstanceSecurityGroup", - "MyExistingSecurityGroup" - ], - "KeyName": "KeyName", - "ImageId": "ami-7a11e213" - } - }, - "InstanceSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "Enable SSH access via port 22", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": "22", - "ToPort": "22", - "CidrIp": "0.0.0.0/0" - } - ], - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": "22", - "ToPort": "22" - } - ] - } + "Resources": { + "Negative1_security_group": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Open security group", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": 2000, + "ToPort": 2000, + "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, + "CidrIp": "192.162.0.0/16" + }, + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, + "CidrIpv6": "2001:0db8::/32" + } + ] + } + }, + "Negative1_egress_ipv4_1": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "Negative1_security_group" + }, + "IpProtocol": "tcp", + "FromPort": 3000, + "ToPort": 3000, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative1_egress_ipv4_2": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "Negative1_security_group" + }, + "IpProtocol": "-1", + "FromPort": 3000, + "ToPort": 3000, + "CidrIp": "192.162.0.0/16" + } + }, + "Negative1_egress_ipv6_1": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": 
"Negative1_security_group" + }, + "IpProtocol": "tcp", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "::/0" + } + }, + "Negative1_egress_ipv6_2": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "Negative1_security_group" + }, + "IpProtocol": "-1", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "2001:0db8::/32" + } + } } - } } - ``` diff --git a/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md b/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md index 889083e7db4..1bbf1accdf9 100644 --- a/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md +++ b/docs/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1.md @@ -30,16 +30,10 @@ hide: ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="38 10 79 51 22 63" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' - Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - KeyName: mykey - ImageId: '' - InstanceSecurityGroup: +# IPv4 Rules + Positive1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host 
@@ -50,123 +44,689 @@ Resources: FromPort: 22 ToPort: 22 CidrIp: 0.0.0.0/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 + + Positive1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 10 + ToPort: 10 CidrIp: 0.0.0.0/0 + + Positive1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 30 + CidrIp: 192.0.0.0/16 #should not flag - used to test array index search + - IpProtocol: "6" + FromPort: 10 + ToPort: 40 + CidrIp: 0.0.0.0/0 + +# IPv6 Rules + Positive1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 22 + ToPort: 22 + CidrIpv6: "::/0" + + Positive1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIpv6: "::/0" + + Positive1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 30 + CidrIpv6: "2400:cb00::/32" #should not flag - used to test array index search + - IpProtocol: "6" + FromPort: 10 + ToPort: 40 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" ``` -```json title="Positive test num. 2 - json file" hl_lines="27" +```yaml title="Positive test num. 
2 - yaml file" hl_lines="40 12 49 21 31" +Resources: + + DualStackSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for IPv4 and IPv6 ingress rules" + VpcId: !Ref MyVPC + +# IPv4 Rules + IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIp: "0.0.0.0/0" + + IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 10 + ToPort: 40 + CidrIp: "0.0.0.0/0" + +# IPv6 Rules + IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 0 + ToPort: 30 + CidrIpv6: "::/0" + + IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 10 + ToPort: 40 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" +``` +```json title="Positive test num. 
3 - json file" hl_lines="97 10 76 46 25 61" { "Resources": { - "Ec2Instance": { - "Type": "AWS::EC2::Instance", + "Positive1IPv4_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Positive1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "ImageId": "", - "SecurityGroups": [ - "InstanceSecurityGroup" - ], - "KeyName": "mykey" + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIp": "0.0.0.0/0" + } + ] } }, - "InstanceSecurityGroup": { + "Positive1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "SecurityGroupEgress": [ + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ { "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, + "FromPort": 0, + "ToPort": 30, + "CidrIp": "192.0.0.0/16" + }, + { + "IpProtocol": "6", + "FromPort": 10, + "ToPort": 40, "CidrIp": "0.0.0.0/0" } - ], + ] + } + }, + "Positive1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { "GroupDescription": "Allow http to client host", - "VpcId": { - "Ref": "myVPC" - }, + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { + "IpProtocol": "tcp", + "FromPort": 22, "ToPort": 22, - "CidrIp": "0.0.0.0/0", + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to 
client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { "IpProtocol": "tcp", - "FromPort": 22 + "FromPort": 0, + "ToPort": 30, + "CidrIpv6": "2400:cb00::/32" + }, + { + "IpProtocol": "6", + "FromPort": 10, + "ToPort": 40, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" } ] - }, - "Type": "AWS::EC2::SecurityGroup" + } } } } ``` +
Positive test num. 4 - json file + +```json hl_lines="38 14 50 26 62" +{ + "Resources": { + "DualStackSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for IPv4 and IPv6 ingress rules", + "VpcId": { + "Ref": "MyVPC" + } + } + }, + "IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIp": "0.0.0.0/0" + } + }, + "IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 10, + "ToPort": 40, + "CidrIp": "0.0.0.0/0" + } + }, + "IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 30, + "CidrIpv6": "::/0" + } + }, + "IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 10, + "ToPort": 40, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + } + } +} +``` +
#### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' - Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - KeyName: mykey - ImageId: '' - InstanceSecurityGroup: +# IPv4 Rules + Negative1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/32 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/33 + - IpProtocol: "udp" # wrong protocol + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + + Negative1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 100 + ToPort: 200 # not catching port 22 + CidrIp: 0.0.0.0/0 + + Negative1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 0 + ToPort: 30 + CidrIp: 192.0.0.0/16 # CidrIP is not 0:0:0:0/0 + - IpProtocol: udp # all fields "incorrect" + FromPort: 4000 + ToPort: 4000 + CidrIp: 192.120.0.0/16 + +# IPv6 Rules + Negative1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "udp" # wrong protocol + FromPort: 22 + ToPort: 22 + CidrIpv6: "::/0" + + Negative1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 100 + ToPort: 200 # not catching port 22 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + Negative1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + 
SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 0 + ToPort: 30 + CidrIpv6: "2400:cb00::/32" # CidrIPv6 is not ::/0 + - IpProtocol: "udp" # all fields "incorrect" + FromPort: 4000 + ToPort: 4000 + CidrIpv6: "2400:cb00::/32" ``` -```json title="Negative test num. 2 - json file" +```yaml title="Negative test num. 2 - yaml file" +Resources: + + Negative2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for negative test cases" + VpcId: !Ref MyVPC + +# IPv4 Rules + Negative2IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIp: "0.0.0.0/0" + + Negative2IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 100 # not catching port 22 + ToPort: 200 + CidrIp: "0.0.0.0/0" + + Negative2IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "-1" + FromPort: 0 + ToPort: 30 + CidrIp: "8.8.0.0/16" # CidrIP is not 0:0:0:0/0 + + Negative2IPv4Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # all fields "incorrect" + FromPort: 4000 + ToPort: 4000 + CidrIp: "8.8.0.0/16" + +# IPv6 Rules + Negative2IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIpv6: "::/0" + + Negative2IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 4000 # not catching port 22 + ToPort: 4000 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + Negative2IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "-1" + FromPort: 0 + 
ToPort: 30 + CidrIpv6: "2400:cb00::/32" # CidrIPv6 is not ::/0 + + Negative2IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup # all fields "incorrect" + IpProtocol: "udp" + FromPort: 4000 + ToPort: 4000 + CidrIpv6: "2400:cb00::/32" +``` +```json title="Negative test num. 3 - json file" { - "Resources": { - "InstanceSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "Allow http to client host", - "VpcId": { - "Ref": "myVPC" + "Negative1IPv4_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Negative1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 200, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Negative1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 30, + "CidrIp": "192.0.0.0/16" }, - "SecurityGroupIngress": [ - { - "FromPort": 80, - "ToPort": 80, - "CidrIp": "127.0.0.1/32", - "IpProtocol": "tcp" - } - ], - "SecurityGroupEgress": [ - { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, - "CidrIp": "127.0.0.1/33" - } - ] - } - }, - "Ec2Instance": { - "Type": "AWS::EC2::Instance", - "Properties": { - "SecurityGroups": [ - "InstanceSecurityGroup" - ], - "KeyName": "mykey", - "ImageId": "" - } + { + "IpProtocol": "udp", + "FromPort": 4000, + "ToPort": 4000, + "CidrIp": "192.120.0.0/16" + } + ] + } + }, + "Negative1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + 
"Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "::/0" + } + ] + } + }, + "Negative1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 200, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + ] + } + }, + "Negative1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 30, + "CidrIpv6": "2400:cb00::/32" + }, + { + "IpProtocol": "udp", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "2400:cb00::/32" + } + ] + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Negative2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for negative test cases", + "VpcId": { "Ref": "MyVPC" } + } + }, + "Negative2IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative2IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 200, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative2IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 30, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv4Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 4000, + "ToPort": 4000, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "::/0" + } + }, + "Negative2IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "Negative2IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 30, + "CidrIpv6": "2400:cb00::/32" + } + }, + "Negative2IPv6Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + 
"GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "2400:cb00::/32" } } } ``` +
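Review bot: Negative test num. 3 and Negative test num. 4 (json) drop the top-level `"Resources"` key that every positive JSON sample in this hunk keeps; the documents open directly with `"Negative1IPv4_1": {` and `"Negative2SecurityGroup": {`. A CloudFormation template without a `Resources` section is not a valid template, and a query that walks `Resources` sees nothing to evaluate, so both files would pass as negatives for the wrong reason rather than because the rule correctly ignores UDP, non-22 port ranges and restricted CIDRs. Wrap each in `{ "Resources": { ... } }` to match the YAML negatives and the positive JSON samples. Separately, the inline comments `# CidrIP is not 0:0:0:0/0` on the `Negative1ArrayTestIPv4` and `Negative2IPv4Ingress3` rules mix IPv4 and IPv6 notation; the IPv4 any-address CIDR is `0.0.0.0/0`, so `# CidrIp is not 0.0.0.0/0` is what the comment should say (the IPv6 counterparts already correctly say `::/0`).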
diff --git a/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md b/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md index 4f7879db9c2..963b3a0ab7f 100644 --- a/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md +++ b/docs/queries/cloudformation-queries/aws/78055456-f670-4d2e-94d5-392d1cf4f5e4.md 
@@ -30,154 +30,202 @@ The load balancer of the application with a sensitive port connection is exposed ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="37" -AWSTemplateFormatVersion: 2010-09-09 +```yaml title="Positive test num. 1 - yaml file" hl_lines="32 71 42 81 50 85 22 61" Resources: - MyLoadBalancer: - Type: AWS::ElasticLoadBalancing::LoadBalancer - Properties: - AvailabilityZones: - - "us-east-2a" - CrossZone: true - Scheme: internet-facing - Listeners: - - InstancePort: '80' - InstanceProtocol: HTTP - LoadBalancerPort: '443' - Protocol: HTTPS - PolicyNames: - - My-SSLNegotiation-Policy - SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate - HealthCheck: - Target: HTTP:80/ - HealthyThreshold: '2' - UnhealthyThreshold: '3' - Interval: '10' - Timeout: '5' - SecurityGroups: - - !Ref LBSecGroup - Policies: - - PolicyName: My-SSLNegotiation-Policy - PolicyType: SSLNegotiationPolicyType - Attributes: - - Name: Reference-Security-Policy - Value: ELBSecurityPolicy-TLS-1-2-2017-01 - LBSecGroup: + LoadBalancer01: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + Listeners: + - LoadBalancerPort: 80 + InstancePort: 80 + Protocol: HTTP + SecurityGroups: + - !Ref Positive1IPv4_1 + - !Ref Positive1IPv4_2 + - !Ref Positive1ArrayTestIPv4 + - !Ref Positive1IPv6_1 + - !Ref Positive1IPv6_2 + - !Ref Positive1ArrayTestIPv6 + + Positive1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow http and ssh - VpcId: my-vpc - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 50 - ToPort: 80 - CidrIp: 127.0.0.1/0 - - IpProtocol: tcp + GroupDescription: "Allow all protocols on all ports from 10.0.0.0/0" + SecurityGroupIngress: + - IpProtocol: "-1" FromPort: 22 ToPort: 22 - CidrIp: 127.0.0.1/0 - SecurityGroupEgress: - - IpProtocol: tcp + CidrIp: "10.0.0.0/0" + + Positive1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: 
"Port 22 on TCP" + SecurityGroupIngress: + - IpProtocol: "6" + FromPort: 22 + ToPort: 22 + CidrIp: "192.168.0.0/0" + + Positive1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Ports 137 and 138 on UDP" + SecurityGroupIngress: + - IpProtocol: "17" + FromPort: 137 + ToPort: 137 + CidrIp: "172.16.0.0/0" + - IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIp: "10.68.0.0" # not exposed + - IpProtocol: "udp" + FromPort: 138 + ToPort: 138 + CidrIp: "172.16.0.0/0" + +# IPv6 Rules + Positive1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Allow all ports on all protocols" + SecurityGroupIngress: + - IpProtocol: "6" + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + Positive1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Allow port 22 on TCP" + SecurityGroupIngress: + - IpProtocol: "tcp" FromPort: 22 ToPort: 22 - CidrIp: 0.0.0.0/0 + CidrIpv6: "fd12:3456:789a::1/0" + + Positive1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Allow ports 137 and 138 on UDP" + SecurityGroupIngress: + - IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "fd00:abcd:1234::42/0" + - IpProtocol: "udp" + FromPort: 138 + ToPort: 138 + CidrIpv6: "fd00:abcd:1234::42/0" ``` -```yaml title="Positive test num. 2 - yaml file" hl_lines="22" -AWSTemplateFormatVersion: 2010-09-09 -Parameters: - MySubnets: - Description: "My subnet" - Type: List +```yaml title="Positive test num. 
2 - yaml file" hl_lines="35 72 44 17 81 54 26 63" Resources: - ApplicationLoadBalancer: + LoadBalancer01: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: - Name: ip-target-alb - Subnets: !Ref MySubnets SecurityGroups: - - !Ref ALBSecGroup - Tags: - - Key: Name - Value: ip-target-alb - ALBSecGroup: + - !Ref DualStackSecurityGroup + + DualStackSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow http and ssh - VpcId: my-vpc - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/32 - - IpProtocol: tcp - FromPort: 6379 - ToPort: 6379 - CidrIp: 127.0.0.1/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 0.0.0.0/0 - HTTPALBListener: - Type: AWS::ElasticLoadBalancingV2::Listener + GroupDescription: "Security group for IPv4 and IPv6 ingress rules" + VpcId: !Ref MyVPC + +# IPv4 Rules + IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "17" + FromPort: 137 + ToPort: 137 + CidrIp: "10.0.0.0/0" + + IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress Properties: - LoadBalancerArn: !Ref ApplicationLoadBalancer - Port: 80 - Protocol: HTTP - DefaultActions: - - Type: forward - TargetGroupArn: !Ref IPTargetGroup - IPTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 22 + ToPort: 22 + CidrIp: "192.168.0.0/0" + + IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress Properties: - VpcId: my-vpc - Port: 80 - Protocol: HTTP - TargetType: ip - Matcher: - HttpCode: '200' - HealthCheckIntervalSeconds: 10 - HealthCheckPath: /health/check - HealthCheckProtocol: HTTP - HealthCheckTimeoutSeconds: 5 - HealthyThresholdCount: 2 - UnhealthyThresholdCount: 2 - TestListenerRule1: - Type: "AWS::ElasticLoadBalancingV2::ListenerRule" + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIp: 
"172.16.0.0/0" + + IPv4Ingress4: + Type: AWS::EC2::SecurityGroupIngress Properties: - Priority: 1 - ListenerArn: !Ref HTTPALBListener - Conditions: - - Field: "host-header" - Values: - - "test1.checkmarx.com" - Actions: - - Type: "forward" - TargetGroupArn: !Ref IPTargetGroup - Order: 1 - ForwardConfig: - TargetGroups: - - TargetGroupArn: !Ref IPTargetGroup - Weight: 1 - TargetGroupStickinessConfig: - Enabled: false + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 138 + ToPort: 138 + CidrIp: "172.16.0.0/0" + +# IPv6 Rules + IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "6" + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd12:3456:789a::1/0" + + IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "fd00:abcd:1234::42/0" + + IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "udp" + FromPort: 138 + ToPort: 138 + CidrIpv6: "fd00:abcd:1234::42/0" ``` -```yaml title="Positive test num. 3 - yaml file" hl_lines="19" -AWSTemplateFormatVersion: 2010-09-09 -Parameters: - MySubnet: - Description: "My subnet" - Type: List +```yaml title="Positive test num. 
3 - yaml file" hl_lines="26 30" +# Test for classic load balancing Referencing Vulnerable "AWS::EC2::Instance" Resources: GatewayLoadBalancer: - Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + Instances: + - !Ref EC2Instance01 + EC2Instance01: + Type: AWS::EC2::Instance Properties: - Name: my-gateway-load-balancer - Scheme: internet-facing - Type: gateway - Subnets: !Ref MySubnet + InstanceType: t3.2xlarge + SecurityGroups: + - !Ref 'InstancesSecGroup' + KeyName: my-rsa-key + ImageId: ami-79fd7eee InstancesSecGroup: Type: AWS::EC2::SecurityGroup Properties: 
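Review bot: In Positive test num. 1 (yaml), `Positive1ArrayTestIPv4` carries the rule `CidrIp: "10.68.0.0" # not exposed`, which has no prefix length and is therefore not a CIDR at all; the intent is a legitimately restricted rule that the query must skip while still flagging the two `172.16.0.0/0` entries around it, so write it as a valid network, for example `CidrIp: "10.68.0.0/16"`, otherwise the sample is testing how the parser handles a malformed value rather than the query logic. The `GroupDescription` strings in the same sample do not describe their rules: `Positive1IPv4_1` says "Allow all protocols on all ports from 10.0.0.0/0" but restricts `FromPort`/`ToPort` to 22, and `Positive1IPv6_1` says "Allow all ports on all protocols" while the rule is protocol `"6"` on port 22; since these descriptions are what a reader uses to understand why each resource is highlighted, align them with the rules. Finally, in Positive test num. 3 (yaml) the resource named `GatewayLoadBalancer` now has `Type: AWS::ElasticLoadBalancing::LoadBalancer` with an `Instances` list, i.e. a classic ELB, as the new leading comment `# Test for classic load balancing Referencing Vulnerable "AWS::EC2::Instance"` also states; rename it (for example `ClassicLoadBalancer`) so the sample name does not contradict the resource type, and lower-case "Referencing Vulnerable" in that comment.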
@@ -192,354 +240,198 @@ Resources: FromPort: 636 ToPort: 636 CidrIp: 127.0.0.1/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 0.0.0.0/0 - EC2Instance01: - Type: AWS::EC2::Instance - Properties: - InstanceType: t3.2xlarge - SecurityGroups: - - !Ref 'InstancesSecGroup' - KeyName: my-rsa-key - ImageId: ami-79fd7eee - EC2Instance02: - Type: AWS::EC2::Instance - Properties: - InstanceType: t3.2xlarge - SecurityGroups: - - !Ref 'InstancesSecGroup' - KeyName: my-rsa-key - ImageId: ami-79fd7eee - GatewayLoadBalancerTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - Name: t10-networklb-target - Port: 443 - Protocol: TCP - VpcId: t10-vpc-id - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: '60' - Targets: - - Id: !Ref EC2Instance01 - Port: 443 - - Id: !Ref EC2Instance02 - Port: 443 - Tags: - - Key: Name - Value: t10-networklb-target - GatewayLoadBalancerListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref GatewayLoadBalancerTargetGroup - LoadBalancerArn: !Ref GatewayLoadBalancer - Port: 443 - Protocol: TCP - GatewayLoadBalancerListenerCert: - Type: AWS::ElasticLoadBalancingV2::ListenerCertificate - Properties: - Certificates: - - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... - ListenerArn: !Ref GatewayLoadBalancerListener - + - IpProtocol: udp + FromPort: 1000 + ToPort: 5000 + CidrIpv6: "fd00:abcd:1234::/0" ```
Positive test num. 4 - yaml file -```yaml hl_lines="22" -AWSTemplateFormatVersion: 2010-09-09 -Parameters: - MySubnet: - Description: "My subnet" - Type: List +```yaml hl_lines="32 40 45 17 50 22 55 27" Resources: - NetworkLoadBalancer: + LoadBalancer01: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: - Name: t10-networkloadbalancer - Scheme: internet-facing - Subnets: !Ref MySubnet - Type: network - Tags: - - Key: Name - Value: t10-networklb - ELBInstanceSecGroup: + SecurityGroups: + - !Ref DualStackSecurityGroup + + DualStackSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow http and ssh - VpcId: my-vpc - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 81 - ToPort: 80 - CidrIp: 127.0.0.1/32 - - IpProtocol: tcp - FromPort: 27017 - ToPort: 27018 - CidrIp: 127.0.0.1/0 - SecurityGroupEgress: - - IpProtocol: tcp + GroupDescription: "Security group for IPv4 and IPv6 ingress rules" + VpcId: !Ref MyVPC + SecurityGroupIngress: + # ----------------------- + # IPv4 Rules + # ----------------------- + - IpProtocol: "17" # UDP (protocol 17) + FromPort: 137 + ToPort: 137 + CidrIp: "10.0.0.0/0" + + - IpProtocol: "tcp" FromPort: 22 ToPort: 22 - CidrIp: 0.0.0.0/0 - EC2Instance01: - Type: AWS::EC2::Instance - Properties: - InstanceType: t3.2xlarge - SecurityGroups: - - !Ref 'ELBInstanceSecGroup' - KeyName: my-rsa-key - ImageId: ami-79fd7eee - EC2Instance02: - Type: AWS::EC2::Instance - Properties: - InstanceType: t3.2xlarge - SecurityGroups: - - !Ref 'ELBInstanceSecGroup' - KeyName: my-rsa-key - ImageId: ami-79fd7eee - NetworkLoadBalancerTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - Name: t10-networklb-target - Port: 443 - Protocol: TCP - VpcId: t10-vpc-id - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: '60' - Targets: - - Id: !Ref EC2Instance01 - Port: 443 - - Id: !Ref EC2Instance02 - Port: 443 - Tags: - - Key: Name - Value: t10-networklb-target - 
NetworkLoadBalancerListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup - LoadBalancerArn: !Ref NetworkLoadBalancer - Port: 443 - Protocol: TCP - NetworkLoadBalancerListenerCert: - Type: AWS::ElasticLoadBalancingV2::ListenerCertificate - Properties: - Certificates: - - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... - ListenerArn: !Ref NetworkLoadBalancerListener + CidrIp: "192.168.0.0/0" + + - IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIp: "172.16.0.0/0" + + - IpProtocol: "udp" + FromPort: 138 + ToPort: 138 + CidrIp: "172.16.0.0/0" + + # ----------------------- + # IPv6 Rules + # ----------------------- + - IpProtocol: "6" # TCP (protocol 6) + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + - IpProtocol: "tcp" + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd12:3456:789a::1/0" + + - IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "fd00:abcd:1234::42/0" + + - IpProtocol: "udp" + FromPort: 138 + ToPort: 138 + CidrIpv6: "fd00:abcd:1234::42/0" ```
Positive test num. 5 - json file -```json hl_lines="52" +```json hl_lines="97 69 43 111 83 117 57 29" { "Resources": { - "MyLoadBalancer": { + "LoadBalancer01": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { - "Scheme": "internet-facing", "Listeners": [ { - "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", - "InstancePort": "80", - "InstanceProtocol": "HTTP", - "LoadBalancerPort": "443", - "Protocol": "HTTPS", - "PolicyNames": [ - "My-SSLNegotiation-Policy" - ] + "LoadBalancerPort": 80, + "InstancePort": 80, + "Protocol": "HTTP" } ], - "HealthCheck": { - "HealthyThreshold": "2", - "UnhealthyThreshold": "3", - "Interval": "10", - "Timeout": "5", - "Target": "HTTP:80/" - }, "SecurityGroups": [ - "LBSecGroup" - ], - "Policies": [ - { - "Attributes": [ - { - "Name": "Reference-Security-Policy", - "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" - } - ], - "PolicyName": "My-SSLNegotiation-Policy", - "PolicyType": "SSLNegotiationPolicyType" - } - ], - "AvailabilityZones": [ - "us-east-2a" - ], - "CrossZone": true - }, - "Type": "AWS::ElasticLoadBalancing::LoadBalancer" + { "Ref": "Positive1IPv4_1" }, + { "Ref": "Positive1IPv4_2" }, + { "Ref": "Positive1ArrayTestIPv4" }, + { "Ref": "Positive1IPv6_1" }, + { "Ref": "Positive1IPv6_2" }, + { "Ref": "Positive1ArrayTestIPv6" } + ] + } }, - "LBSecGroup": { + "Positive1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", + "GroupDescription": "Allow all protocols on all ports from 10.0.0.0/0", "SecurityGroupIngress": [ { - "IpProtocol": "tcp", - "FromPort": 50, - "ToPort": 80, - "CidrIp": "127.0.0.1/0" - }, - { - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22, - "CidrIp": "127.0.0.1/0" - } - ], - "SecurityGroupEgress": [ - { + "IpProtocol": "-1", "FromPort": 22, "ToPort": 22, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp" + "CidrIp": "10.0.0.0/0" } ] } - } - }, - "AWSTemplateFormatVersion": 
"2010-09-09T00:00:00Z" -} - -``` -
-
Positive test num. 6 - json file - -```json hl_lines="31" -{ - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", - "Parameters": { - "MySubnets": { - "Description": "My subnet", - "Type": "List\u003cString\u003e" - } - }, - "Resources": { - "ApplicationLoadBalancer": { - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + }, + "Positive1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "SecurityGroups": [ - "ALBSecGroup" - ], - "Tags": [ + "GroupDescription": "Port 22 on TCP", + "SecurityGroupIngress": [ { - "Key": "Name", - "Value": "ip-target-alb" + "IpProtocol": "6", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "192.168.0.0/0" } - ], - "Name": "ip-target-alb", - "Subnets": "MySubnets" + ] } }, - "ALBSecGroup": { + "Positive1ArrayTestIPv4": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", + "GroupDescription": "Ports 137 and 138 on UDP", "SecurityGroupIngress": [ { - "FromPort": 80, - "ToPort": 80, - "CidrIp": "127.0.0.1/32", - "IpProtocol": "tcp" + "IpProtocol": "17", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "172.16.0.0/0" }, { - "IpProtocol": "tcp", - "FromPort": 6379, - "ToPort": 6379, - "CidrIp": "127.0.0.1/0" - } - ], - "SecurityGroupEgress": [ + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "10.68.0.0" + }, { - "ToPort": 22, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": 22 + "IpProtocol": "udp", + "FromPort": 138, + "ToPort": 138, + "CidrIp": "172.16.0.0/0" } ] } }, - "HTTPALBListener": { + "Positive1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "DefaultActions": [ + "GroupDescription": "Allow all ports on all protocols", + "SecurityGroupIngress": [ { - "Type": "forward", - "TargetGroupArn": "IPTargetGroup" + "IpProtocol": "6", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd00::/0" } - ], - "LoadBalancerArn": "ApplicationLoadBalancer", - "Port": 80, - "Protocol": "HTTP" - }, - "Type": 
"AWS::ElasticLoadBalancingV2::Listener" + ] + } }, - "IPTargetGroup": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Positive1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "HealthCheckIntervalSeconds": 10, - "HealthCheckPath": "/health/check", - "HealthCheckProtocol": "HTTP", - "HealthyThresholdCount": 2, - "VpcId": "my-vpc", - "TargetType": "ip", - "Matcher": { - "HttpCode": "200" - }, - "UnhealthyThresholdCount": 2, - "Port": 80, - "Protocol": "HTTP", - "HealthCheckTimeoutSeconds": 5 + "GroupDescription": "Allow port 22 on TCP", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd12:3456:789a::1/0" + } + ] } }, - "TestListenerRule1": { - "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", + "Positive1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "Priority": 1, - "ListenerArn": "HTTPALBListener", - "Conditions": [ + "GroupDescription": "Allow ports 137 and 138 on UDP", + "SecurityGroupIngress": [ { - "Values": [ - "test1.checkmarx.com" - ], - "Field": "host-header" - } - ], - "Actions": [ + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "fd00:abcd:1234::42/0" + }, { - "Type": "forward", - "TargetGroupArn": "IPTargetGroup", - "Order": 1, - "ForwardConfig": { - "TargetGroups": [ - { - "TargetGroupArn": "IPTargetGroup", - "Weight": 1 - } - ], - "TargetGroupStickinessConfig": { - "Enabled": false - } - } + "IpProtocol": "udp", + "FromPort": 138, + "ToPort": 138, + "CidrIpv6": "fd00:abcd:1234::42/0" } ] } @@ -549,702 +441,866 @@ Resources: ```
-
Positive test num. 7 - json file +
Positive test num. 6 - json file -```json hl_lines="28" +```json hl_lines="70 40 80 50 20 90 60 30" { "Resources": { - "GatewayLoadBalancerListenerCert": { - "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate", + "LoadBalancer01": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": { - "Certificates": [ - { - "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...." - } - ], - "ListenerArn": "GatewayLoadBalancerListener" + "SecurityGroups": [ + { "Ref": "DualStackSecurityGroup" } + ] } }, - "GatewayLoadBalancer": { + "DualStackSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "Name": "my-gateway-load-balancer", - "Scheme": "internet-facing", - "Type": "gateway", - "Subnets": "MySubnet" - }, - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer" + "GroupDescription": "Security group for IPv4 and IPv6 ingress rules", + "VpcId": { "Ref": "MyVPC" } + } }, - "InstancesSecGroup": { - "Type": "AWS::EC2::SecurityGroup", + "IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, - "CidrIp": "127.0.0.1/32" - }, - { - "ToPort": 636, - "CidrIp": "127.0.0.1/0", - "IpProtocol": "tcp", - "FromPort": 636 - } - ], - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22 - } - ] + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "17", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "10.0.0.0/0" } }, - "EC2Instance01": { - "Type": "AWS::EC2::Instance", + "IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "InstanceType": "t3.2xlarge", - "SecurityGroups": [ - "InstancesSecGroup" - ], - "KeyName": "my-rsa-key", - "ImageId": "ami-79fd7eee" + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + 
"CidrIp": "192.168.0.0/0" } }, - "EC2Instance02": { - "Type": "AWS::EC2::Instance", + "IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "InstanceType": "t3.2xlarge", - "SecurityGroups": [ - "InstancesSecGroup" - ], - "KeyName": "my-rsa-key", - "ImageId": "ami-79fd7eee" + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "172.16.0.0/0" } }, - "GatewayLoadBalancerTargetGroup": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "IPv4Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "TargetGroupAttributes": [ - { - "Key": "deregistration_delay.timeout_seconds", - "Value": "60" - } - ], - "Targets": [ - { - "Id": "EC2Instance01", - "Port": 443 - }, - { - "Id": "EC2Instance02", - "Port": 443 - } - ], - "Tags": [ - { - "Key": "Name", - "Value": "t10-networklb-target" - } - ], - "Name": "t10-networklb-target", - "Port": 443, - "Protocol": "TCP", - "VpcId": "t10-vpc-id" + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 138, + "ToPort": 138, + "CidrIp": "172.16.0.0/0" } }, - "GatewayLoadBalancerListener": { - "Type": "AWS::ElasticLoadBalancingV2::Listener", + "IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "DefaultActions": [ - { - "Type": "forward", - "TargetGroupArn": "GatewayLoadBalancerTargetGroup" - } - ], - "LoadBalancerArn": "GatewayLoadBalancer", - "Port": 443, - "Protocol": "TCP" + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "6", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd00::/0" + } + }, + "IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd12:3456:789a::1/0" + } + }, + "IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": 
"DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "fd00:abcd:1234::42/0" + } + }, + "IPv6Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "DualStackSecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 138, + "ToPort": 138, + "CidrIpv6": "fd00:abcd:1234::42/0" } - } - }, - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", - "Parameters": { - "MySubnet": { - "Description": "My subnet", - "Type": "List\u003cString\u003e" } } } ```
-
Positive test num. 8 - json file +
Positive test num. 7 - json file -```json hl_lines="97" +```json hl_lines="45 39" { - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", - "Parameters": { - "MySubnet": { - "Description": "My subnet", - "Type": "List\u003cString\u003e" + "Resources": { + "GatewayLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "Instances": [ + { + "Ref": "EC2Instance01" + } + ] + } + }, + "EC2Instance01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + { + "Ref": "InstancesSecGroup" + } + ], + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee" + } + }, + "InstancesSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http and ssh", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "127.0.0.1/32" + }, + { + "IpProtocol": "tcp", + "FromPort": 636, + "ToPort": 636, + "CidrIp": "127.0.0.1/0" + }, + { + "IpProtocol": "udp", + "FromPort": 1000, + "ToPort": 5000, + "CidrIpv6": "fd00:abcd:1234::/0" + } + ] + } + } } - }, - "Resources": { - "EC2Instance02": { - "Type": "AWS::EC2::Instance", - "Properties": { - "KeyName": "my-rsa-key", - "ImageId": "ami-79fd7eee", - "InstanceType": "t3.2xlarge", - "SecurityGroups": [ - "ELBInstanceSecGroup" - ] - } - }, - "NetworkLoadBalancerTargetGroup": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", - "Properties": { - "Targets": [ - { - "Id": "EC2Instance01", - "Port": 443 - }, - { - "Id": "EC2Instance02", - "Port": 443 - } - ], - "Tags": [ - { - "Key": "Name", - "Value": "t10-networklb-target" - } - ], - "Name": "t10-networklb-target", - "Port": 443, - "Protocol": "TCP", - "VpcId": "t10-vpc-id", - "TargetGroupAttributes": [ - { - "Key": "deregistration_delay.timeout_seconds", - "Value": "60" - } - ] - } - }, - "NetworkLoadBalancerListener": { - "Type": "AWS::ElasticLoadBalancingV2::Listener", - "Properties": { - "Port": 443, - 
"Protocol": "TCP", - "DefaultActions": [ - { - "Type": "forward", - "TargetGroupArn": "NetworkLoadBalancerTargetGroup" - } - ], - "LoadBalancerArn": "NetworkLoadBalancer" - } - }, - "NetworkLoadBalancerListenerCert": { - "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate", - "Properties": { - "Certificates": [ - { - "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...." - } - ], - "ListenerArn": "NetworkLoadBalancerListener" - } - }, - "NetworkLoadBalancer": { - "Properties": { - "Tags": [ - { - "Value": "t10-networklb", - "Key": "Name" - } - ], - "Name": "t10-networkloadbalancer", - "Scheme": "internet-facing", - "Subnets": "MySubnet", - "Type": "network" - }, - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer" - }, - "ELBInstanceSecGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", - "SecurityGroupIngress": [ - { - "CidrIp": "127.0.0.1/32", - "IpProtocol": "tcp", - "FromPort": 81, - "ToPort": 80 - }, - { - "FromPort": 27017, - "ToPort": 27018, - "CidrIp": "127.0.0.1/0", - "IpProtocol": "tcp" - } - ], - "SecurityGroupEgress": [ - { - "FromPort": 22, - "ToPort": 22, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp" - } - ] - } - }, - "EC2Instance01": { - "Type": "AWS::EC2::Instance", - "Properties": { - "InstanceType": "t3.2xlarge", - "SecurityGroups": [ - "ELBInstanceSecGroup" - ], - "KeyName": "my-rsa-key", - "ImageId": "ami-79fd7eee" - } - } - } } +``` +
+
Positive test num. 8 - json file +```json hl_lines="64 34 40 46 52 22 58 28" +{ + "Resources": { + "LoadBalancer01": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "DualStackSecurityGroup" + } + ] + } + }, + "DualStackSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for IPv4 and IPv6 ingress rules", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "17", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "10.0.0.0/0" + }, + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "192.168.0.0/0" + }, + { + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "172.16.0.0/0" + }, + { + "IpProtocol": "udp", + "FromPort": 138, + "ToPort": 138, + "CidrIp": "172.16.0.0/0" + }, + { + "IpProtocol": "6", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd00::/0" + }, + { + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd12:3456:789a::1/0" + }, + { + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "fd00:abcd:1234::42/0" + }, + { + "IpProtocol": "udp", + "FromPort": 138, + "ToPort": 138, + "CidrIpv6": "fd00:abcd:1234::42/0" + } + ] + } + } + } +} ```
#### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" -AWSTemplateFormatVersion: 2010-09-09 +# Test classic load balancing - LoadBalancer security groups with inline ingresses Resources: - MyLoadBalancer: - Type: AWS::ElasticLoadBalancing::LoadBalancer - Properties: - AvailabilityZones: - - "us-east-2a" - CrossZone: true - Scheme: internet-facing - Listeners: - - InstancePort: '80' - InstanceProtocol: HTTP - LoadBalancerPort: '443' - Protocol: HTTPS - PolicyNames: - - My-SSLNegotiation-Policy - SSLCertificateId: arn:aws:iam::123456789012:server-certificate/my-server-certificate - HealthCheck: - Target: HTTP:80/ - HealthyThreshold: '2' - UnhealthyThreshold: '3' - Interval: '10' - Timeout: '5' - SecurityGroups: - [ !Ref LBNegativeSecGroup01 ] - Policies: - - PolicyName: My-SSLNegotiation-Policy - PolicyType: SSLNegotiationPolicyType - Attributes: - - Name: Reference-Security-Policy - Value: ELBSecurityPolicy-TLS-1-2-2017-01 - LBNegativeSecGroup01: + LoadBalancer01: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - !Ref Negative1IPv4_1 + - !Ref Negative1IPv4_2 + - !Ref Negative1ArrayTestIPv4 + - !Ref Negative1IPv6_1 + - !Ref Negative1IPv6_2 + - !Ref Negative1ArrayTestIPv6 + +# Ipv4 Rules + Negative1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow http and ssh - VpcId: my-vpc - SecurityGroupIngress: - - IpProtocol: tcp + GroupDescription: "Incorrect protocol: ICMP" + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "icmp" FromPort: 22 ToPort: 22 - CidrIp: 127.0.0.1/32 - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 127.0.0.1/32 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 0.0.0.0/0 + CidrIp: "10.0.0.0/0" + + Negative1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Unknown port: port 5000" + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "6" + FromPort: 5000 + ToPort: 5000 
+ CidrIp: "192.168.0.0/0" + + Negative1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Mixed incorrect CIDRs and protocols" + VpcId: !Ref MyVPC + SecurityGroupIngress: + # incorrect cidr (not exposed) + - IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIp: "8.8.0.0/16" + # all fields "incorrect" + - IpProtocol: "icmp" + FromPort: 5000 + ToPort: 5000 + CidrIp: "10.68.0.0/14" + +# IPv6 Rules + Positive1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Incorrect protocol: ICMPV6" + SecurityGroupIngress: + - IpProtocol: "58" # protocol number 58 is "icmpv6" = incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + Positive1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Unknown port: port 5000" + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 5000 # unknown port + ToPort: 5000 + CidrIpv6: "fd12:3456:789a::1/0" + + Positive1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Mixed incorrect CIDR and 'All incorrect'" + SecurityGroupIngress: + - IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "2400:cb00::/32" # incorrect cidr (not exposed) + - IpProtocol: "58" # all fields "incorrect" + FromPort: 110 + ToPort: 110 + CidrIpv6: "fd00:abcd:1234::42/0" ``` -```yaml title="Negative test num. 2 - yaml file" -AWSTemplateFormatVersion: 2010-09-09 -Parameters: - MySubnets: - Description: "My subnet" - Type: List +```json title="Negative test num. 
2 - json file" +{ + "Resources": { + "LoadBalancer01": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "MainSecurityGroup" + } + ] + } + }, + "MainSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group containing all negative/positive tests (standalone ingress)", + "VpcId": { + "Ref": "MyVPC" + } + } + }, + "Negative1IPv4_1_Ingress": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "MainSecurityGroup" + }, + "IpProtocol": "icmp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "10.0.0.0/0" + } + }, + "Negative1IPv4_2_Ingress": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "MainSecurityGroup" + }, + "IpProtocol": "6", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "192.168.0.0/0" + } + }, + "Negative1ArrayTestIPv4_Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "MainSecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative1ArrayTestIPv4_Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "MainSecurityGroup" + }, + "IpProtocol": "icmp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "10.68.0.0/14" + } + }, + "Positive1IPv6_1_Ingress": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "MainSecurityGroup" + }, + "IpProtocol": "58", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd00::/0" + } + }, + "Positive1IPv6_2_Ingress": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "MainSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "fd12:3456:789a::1/0" + } + }, + "Positive1ArrayTestIPv6_Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": 
"MainSecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "2400:cb00::/32" + } + }, + "Positive1ArrayTestIPv6_Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "MainSecurityGroup" + }, + "IpProtocol": "58", + "FromPort": 110, + "ToPort": 110, + "CidrIpv6": "fd00:abcd:1234::42/0" + } + } + } +} +``` +```yaml title="Negative test num. 3 - yaml file" +# Test classic load balancing - LoadBalancer security groups with stand alone ingresses Resources: - ApplicationLoadBalancer: + LoadBalancer01: Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: - Name: ip-target-alb - Subnets: !Ref MySubnets SecurityGroups: - - !Ref ALBNegativeSecGroup - Tags: - - Key: Name - Value: ip-target-alb - ALBNegativeSecGroup: + - !Ref Negative2SecurityGroup + + Negative2SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow http and ssh - VpcId: my-vpc - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 127.0.0.1/32 - - IpProtocol: tcp - FromPort: 77 - ToPort: 77 - CidrIp: 127.0.0.1/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 0.0.0.0/0 - HTTPALBListener: - Type: AWS::ElasticLoadBalancingV2::Listener + GroupDescription: "Security group for negative test cases" + VpcId: !Ref MyVPC + +# IPv4 Rules + Negative2IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress Properties: - LoadBalancerArn: !Ref ApplicationLoadBalancer - Port: 80 - Protocol: HTTP - DefaultActions: - - Type: forward - TargetGroupArn: !Ref IPTargetGroup - IPTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "icmp" # incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIp: "10.0.0.0/0" + + Negative2IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress Properties: - VpcId: my-vpc - Port: 80 - Protocol: HTTP - TargetType: ip - Matcher: - HttpCode: '200' - 
HealthCheckIntervalSeconds: 10 - HealthCheckPath: /health/check - HealthCheckProtocol: HTTP - HealthCheckTimeoutSeconds: 5 - HealthyThresholdCount: 2 - UnhealthyThresholdCount: 2 - TestListenerRule1: - Type: "AWS::ElasticLoadBalancingV2::ListenerRule" + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 5000 # unknown port + ToPort: 5000 + CidrIp: "192.168.0.0/0" + + Negative2IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress Properties: - Priority: 1 - ListenerArn: !Ref HTTPALBListener - Conditions: - - Field: "host-header" - Values: - - "test1.checkmarx.com" - Actions: - - Type: "forward" - TargetGroupArn: !Ref IPTargetGroup - Order: 1 - ForwardConfig: - TargetGroups: - - TargetGroupArn: !Ref IPTargetGroup - Weight: 1 - TargetGroupStickinessConfig: - Enabled: false + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIp: "8.8.0.0/16" # incorrect cidr (not exposed) + + Negative2IPv4Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup # all fields "incorrect" + IpProtocol: "icmp" + FromPort: 5000 + ToPort: 5000 + CidrIp: "8.8.0.0/16" + +# IPv6 Rules + Negative2IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "58" # protocol number 58 is "icmpv6" = incorrect protocol + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + Negative2IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 5000 # unknown port + ToPort: 5000 + CidrIpv6: "fd12:3456:789a::1/0" + + Negative2IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "2400:cb00::/32" # incorrect cidr (not exposed) + + Negative2IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup # all fields 
"incorrect" + IpProtocol: "58" # ICMPv6 + FromPort: 5000 + ToPort: 5000 + CidrIpv6: "2400:cb00::/32" ``` -```yaml title="Negative test num. 3 - yaml file" -AWSTemplateFormatVersion: 2010-09-09 -Parameters: - MySubnet: - Description: "My subnet" - Type: List +
Negative test num. 4 - yaml file + +```yaml +# Test for classic load balancing referencing "AWS::EC2::Instance" Resources: - NetworkLoadBalancer: - Type: AWS::ElasticLoadBalancingV2::LoadBalancer + GatewayLoadBalancer: + Type: AWS::ElasticLoadBalancing::LoadBalancer Properties: - Name: t10-networkloadbalancer - Scheme: internet-facing - Subnets: !Ref MySubnet - Type: network - Tags: - - Key: Name - Value: t10-networklb - InstancesNegativeSecGroup: + Instances: + - !Ref EC2Instance01 + + EC2Instance01: + Type: AWS::EC2::Instance + Properties: + InstanceType: t3.2xlarge + SecurityGroups: + - !Ref InstancesSecGroup + KeyName: my-rsa-key + ImageId: ami-79fd7eee + + InstancesSecGroup: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow http and ssh - VpcId: my-vpc - SecurityGroupIngress: + GroupDescription: Security group for test cases + VpcId: my-vpc + SecurityGroupIngress: + - IpProtocol: tcp - FromPort: 22 - ToPort: 22 + FromPort: 8000 + ToPort: 8000 CidrIp: 127.0.0.1/32 - - IpProtocol: tcp - FromPort: 77 - ToPort: 77 - CidrIp: 127.0.0.1/0 - SecurityGroupEgress: - - IpProtocol: tcp + + - IpProtocol: "icmp" # protocolo inválido FromPort: 22 ToPort: 22 - CidrIp: 0.0.0.0/0 - EC2Instance01: - Type: AWS::EC2::Instance + CidrIp: "10.0.0.0/0" # termina em /0 + + - IpProtocol: "50" # protocolo inválido (ESP) + FromPort: 443 + ToPort: 443 + CidrIp: "192.168.0.0/0" # termina em /0 + +``` +
+
Negative test num. 5 - yaml file + +```yaml +Resources: + LoadBalancer01: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer Properties: - InstanceType: t3.2xlarge - SecurityGroups: [!Ref 'InstancesNegativeSecGroup'] - KeyName: my-rsa-key - ImageId: ami-79fd7eee - EC2Instance02: - Type: AWS::EC2::Instance + SecurityGroups: + - !Ref SGCase1 + - !Ref SGCase2 + - !Ref SGCase3 + - !Ref SGCase4 + - !Ref SGCase5 + - !Ref SGCase6 + + SGCase2: + Type: AWS::EC2::SecurityGroup Properties: - InstanceType: t3.2xlarge - SecurityGroups: [!Ref 'InstancesNegativeSecGroup'] - KeyName: my-rsa-key - ImageId: ami-79fd7eee - NetworkLoadBalancerTargetGroup: - Type: AWS::ElasticLoadBalancingV2::TargetGroup + GroupDescription: "IPv4 Case 2 - /0 without insecure ports" + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 5000 + ToPort: 5000 + CidrIp: "192.168.0.0/0" + + SGCase3: + Type: AWS::EC2::SecurityGroup Properties: - Name: t10-networklb-target - Port: 443 - Protocol: TCP - VpcId: t10-vpc-id - TargetGroupAttributes: - - Key: deregistration_delay.timeout_seconds - Value: 60 - Targets: - - Id: !Ref EC2Instance01 - Port: 443 - - Id: !Ref EC2Instance02 - Port: 443 - Tags: - - Key: Name - Value: t10-networklb-target - NetworkLoadBalancerListener: - Type: AWS::ElasticLoadBalancingV2::Listener + GroupDescription: "IPv4 Case 3 - insecure ports in range, invalid protocol" + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "icmp" # not -1,6,TCP,UDP,17 + FromPort: 20 + ToPort: 5000 # insecure ports in this range + CidrIp: "8.8.0.0/16" + + SGCase5: + Type: AWS::EC2::SecurityGroup Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref NetworkLoadBalancerTargetGroup - LoadBalancerArn: !Ref NetworkLoadBalancer - Port: 443 - Protocol: TCP - NetworkLoadBalancerListenerCert: - Type: AWS::ElasticLoadBalancingV2::ListenerCertificate + GroupDescription: "IPv6 Case 2 - /0 without insecure ports" + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: 
"tcp" + FromPort: 5000 + ToPort: 5000 + CidrIpv6: "fd12:3456:789a::1/0" + + SGCase6: + Type: AWS::EC2::SecurityGroup Properties: - Certificates: - - CertificateArn: arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456.... - ListenerArn: !Ref NetworkLoadBalancerListener + GroupDescription: "IPv6 Case 3 - insecure ports in range, invalid protocol" + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "58" # ICMPv6, not in allowed list + FromPort: 20 + ToPort: 5000 + CidrIpv6: "2400:cb00::/32" ``` -
Negative test num. 4 - json file +
+
Negative test num. 6 - yaml file + +```yaml +Resources: + LoadBalancer01: + Type: AWS::ElasticLoadBalancing::LoadBalancer + Properties: + SecurityGroups: + - !Ref MainSecurityGroup + + MainSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group containing all negative/positive tests (standalone ingress)" + VpcId: !Ref MyVPC + + Negative1IPv4_1_Ingress: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "icmp" + FromPort: 22 + ToPort: 22 + CidrIp: "10.0.0.0/0" + + + Negative1IPv4_2_Ingress: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "6" + FromPort: 5000 + ToPort: 5000 + CidrIp: "192.168.0.0/0" + + + Negative1ArrayTestIPv4_Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIp: "8.8.0.0/16" # incorrect cidr (not exposed) + + + Negative1ArrayTestIPv4_Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "icmp" + FromPort: 5000 + ToPort: 5000 + CidrIp: "10.68.0.0/14" # all fields incorrect + + Positive1IPv6_1_Ingress: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "58" # ICMPv6 + FromPort: 22 + ToPort: 22 + CidrIpv6: "fd00::/0" + + + Positive1IPv6_2_Ingress: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "tcp" + FromPort: 5000 + ToPort: 5000 + CidrIpv6: "fd12:3456:789a::1/0" + + + Positive1ArrayTestIPv6_Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "udp" + FromPort: 137 + ToPort: 137 + CidrIpv6: "2400:cb00::/32" # incorrect cidr (not exposed) + + + Positive1ArrayTestIPv6_Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref MainSecurityGroup + IpProtocol: "58" # all fields 
incorrect + FromPort: 110 + ToPort: 110 + CidrIpv6: "fd00:abcd:1234::42/0" + +``` +
+
Negative test num. 7 - json file ```json { - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { - "MyLoadBalancer": { + "LoadBalancer01": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": { - "HealthCheck": { - "UnhealthyThreshold": "3", - "Interval": "10", - "Timeout": "5", - "Target": "HTTP:80/", - "HealthyThreshold": "2" - }, "SecurityGroups": [ - "LBNegativeSecGroup01" - ], - "Policies": [ - { - "PolicyType": "SSLNegotiationPolicyType", - "Attributes": [ - { - "Name": "Reference-Security-Policy", - "Value": "ELBSecurityPolicy-TLS-1-2-2017-01" - } - ], - "PolicyName": "My-SSLNegotiation-Policy" - } - ], - "AvailabilityZones": [ - "us-east-2a" - ], - "CrossZone": true, - "Scheme": "internet-facing", - "Listeners": [ - { - "LoadBalancerPort": "443", - "Protocol": "HTTPS", - "PolicyNames": [ - "My-SSLNegotiation-Policy" - ], - "SSLCertificateId": "arn:aws:iam::123456789012:server-certificate/my-server-certificate", - "InstancePort": "80", - "InstanceProtocol": "HTTP" - } + { "Ref": "Negative1IPv4_1" }, + { "Ref": "Negative1IPv4_2" }, + { "Ref": "Negative1ArrayTestIPv4" }, + { "Ref": "Negative1IPv6_1" }, + { "Ref": "Negative1IPv6_2" }, + { "Ref": "Negative1ArrayTestIPv6" } ] } }, - "LBNegativeSecGroup01": { + "Negative1IPv4_1": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", + "GroupDescription": "Incorrect protocol: ICMP", + "VpcId": { "Ref": "MyVPC" }, "SecurityGroupIngress": [ { - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22, - "CidrIp": "127.0.0.1/32" - }, - { - "IpProtocol": "tcp", + "IpProtocol": "icmp", "FromPort": 22, "ToPort": 22, - "CidrIp": "127.0.0.1/32" - } - ], - "SecurityGroupEgress": [ - { - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22, - "CidrIp": "0.0.0.0/0" + "CidrIp": "10.0.0.0/0" } ] - }, - "Type": "AWS::EC2::SecurityGroup" - } - } -} - -``` -
-
Negative test num. 5 - json file - -```json -{ - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", - "Parameters": { - "MySubnets": { - "Description": "My subnet", - "Type": "List\u003cString\u003e" - } - }, - "Resources": { - "IPTargetGroup": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", - "Properties": { - "VpcId": "my-vpc", - "Protocol": "HTTP", - "HealthCheckIntervalSeconds": 10, - "UnhealthyThresholdCount": 2, - "Port": 80, - "TargetType": "ip", - "Matcher": { - "HttpCode": "200" - }, - "HealthCheckPath": "/health/check", - "HealthCheckProtocol": "HTTP", - "HealthCheckTimeoutSeconds": 5, - "HealthyThresholdCount": 2 } }, - "TestListenerRule1": { + "Negative1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "Priority": 1, - "ListenerArn": "HTTPALBListener", - "Conditions": [ - { - "Field": "host-header", - "Values": [ - "test1.checkmarx.com" - ] - } - ], - "Actions": [ + "GroupDescription": "Unknown port: port 5000", + "VpcId": { "Ref": "MyVPC" }, + "SecurityGroupIngress": [ { - "TargetGroupArn": "IPTargetGroup", - "Order": 1, - "ForwardConfig": { - "TargetGroups": [ - { - "TargetGroupArn": "IPTargetGroup", - "Weight": 1 - } - ], - "TargetGroupStickinessConfig": { - "Enabled": false - } - }, - "Type": "forward" + "IpProtocol": "6", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "192.168.0.0/0" } ] - }, - "Type": "AWS::ElasticLoadBalancingV2::ListenerRule" + } }, - "ApplicationLoadBalancer": { - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Negative1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "Name": "ip-target-alb", - "Subnets": "MySubnets", - "SecurityGroups": [ - "ALBNegativeSecGroup" - ], - "Tags": [ + "GroupDescription": "Mixed incorrect CIDRs and protocols", + "VpcId": { "Ref": "MyVPC" }, + "SecurityGroupIngress": [ { - "Key": "Name", - "Value": "ip-target-alb" + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "8.8.0.0/16" + }, + { + "IpProtocol": "icmp", + 
"FromPort": 5000, + "ToPort": 5000, + "CidrIp": "10.68.0.0/14" } ] } }, - "ALBNegativeSecGroup": { + "Positive1IPv6_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", + "GroupDescription": "Incorrect protocol: ICMPV6", "SecurityGroupIngress": [ { - "IpProtocol": "tcp", + "IpProtocol": "58", "FromPort": 22, "ToPort": 22, - "CidrIp": "127.0.0.1/32" - }, - { - "IpProtocol": "tcp", - "FromPort": 77, - "ToPort": 77, - "CidrIp": "127.0.0.1/0" + "CidrIpv6": "fd00::/0" } - ], - "SecurityGroupEgress": [ + ] + } + }, + "Positive1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Unknown port: port 5000", + "SecurityGroupIngress": [ { - "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22 + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "fd12:3456:789a::1/0" } ] } }, - "HTTPALBListener": { - "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Positive1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "LoadBalancerArn": "ApplicationLoadBalancer", - "Port": 80, - "Protocol": "HTTP", - "DefaultActions": [ + "GroupDescription": "Mixed incorrect CIDR and 'All incorrect'", + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "2400:cb00::/32" + }, { - "Type": "forward", - "TargetGroupArn": "IPTargetGroup" + "IpProtocol": "58", + "FromPort": 110, + "ToPort": 110, + "CidrIpv6": "fd00:abcd:1234::42/0" } ] } @@ -1254,138 +1310,104 @@ Resources: ```
-
Negative test num. 6 - json file +
Negative test num. 8 - json file ```json { - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", - "Parameters": { - "MySubnet": { - "Type": "List\u003cString\u003e", - "Description": "My subnet" - } - }, "Resources": { - "InstancesNegativeSecGroup": { - "Type": "AWS::EC2::SecurityGroup", + "LoadBalancer01": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": { - "GroupDescription": "Allow http and ssh", - "VpcId": "my-vpc", - "SecurityGroupIngress": [ - { - "CidrIp": "127.0.0.1/32", - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22 - }, - { - "IpProtocol": "tcp", - "FromPort": 77, - "ToPort": 77, - "CidrIp": "127.0.0.1/0" - } - ], - "SecurityGroupEgress": [ - { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22 - } + "SecurityGroups": [ + { "Ref": "Negative2SecurityGroup" } ] } }, - "EC2Instance01": { - "Type": "AWS::EC2::Instance", + "Negative2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "InstanceType": "t3.2xlarge", - "SecurityGroups": [ - "InstancesNegativeSecGroup" - ], - "KeyName": "my-rsa-key", - "ImageId": "ami-79fd7eee" + "GroupDescription": "Security group for negative test cases", + "VpcId": { "Ref": "MyVPC" } } }, - "EC2Instance02": { - "Type": "AWS::EC2::Instance", + "Negative2IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "InstanceType": "t3.2xlarge", - "SecurityGroups": [ - "InstancesNegativeSecGroup" - ], - "KeyName": "my-rsa-key", - "ImageId": "ami-79fd7eee" + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "icmp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "10.0.0.0/0" } }, - "NetworkLoadBalancerTargetGroup": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "Negative2IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "Name": "t10-networklb-target", - "Port": 443, - "Protocol": "TCP", - "VpcId": "t10-vpc-id", - "TargetGroupAttributes": [ - { - "Value": 60, - "Key": 
"deregistration_delay.timeout_seconds" - } - ], - "Targets": [ - { - "Id": "EC2Instance01", - "Port": 443 - }, - { - "Id": "EC2Instance02", - "Port": 443 - } - ], - "Tags": [ - { - "Key": "Name", - "Value": "t10-networklb-target" - } - ] + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "192.168.0.0/0" } }, - "NetworkLoadBalancerListener": { - "Type": "AWS::ElasticLoadBalancingV2::Listener", + "Negative2IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "DefaultActions": [ - { - "Type": "forward", - "TargetGroupArn": "NetworkLoadBalancerTargetGroup" - } - ], - "LoadBalancerArn": "NetworkLoadBalancer", - "Port": 443, - "Protocol": "TCP" + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIp": "8.8.0.0/16" } }, - "NetworkLoadBalancerListenerCert": { - "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate", + "Negative2IPv4Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "Certificates": [ - { - "CertificateArn": "arn:aws:acm:eu-west-1:xxxaccountxxx:certificate/123456...." 
- } - ], - "ListenerArn": "NetworkLoadBalancerListener" + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "icmp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "8.8.0.0/16" } }, - "NetworkLoadBalancer": { - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Negative2IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "Name": "t10-networkloadbalancer", - "Scheme": "internet-facing", - "Subnets": "MySubnet", - "Type": "network", - "Tags": [ - { - "Key": "Name", - "Value": "t10-networklb" - } - ] + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "58", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "fd00::/0" + } + }, + "Negative2IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "fd12:3456:789a::1/0" + } + }, + "Negative2IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 137, + "ToPort": 137, + "CidrIpv6": "2400:cb00::/32" + } + }, + "Negative2IPv6Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "58", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "2400:cb00::/32" } } } @@ -1393,4 +1415,165 @@ Resources: ```
+
Negative test num. 9 - json file + +```json +{ + "Resources": { + "GatewayLoadBalancer": { + "Type": "AWS::ElasticLoadBalancing::LoadBalancer", + "Properties": { + "Instances": [ + { + "Ref": "EC2Instance01" + } + ] + } + }, + "EC2Instance01": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.2xlarge", + "SecurityGroups": [ + { + "Ref": "InstancesSecGroup" + } + ], + "KeyName": "my-rsa-key", + "ImageId": "ami-79fd7eee" + } + }, + "InstancesSecGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for test cases", + "VpcId": "my-vpc", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 8000, + "ToPort": 8000, + "CidrIp": "127.0.0.1/32" + }, + { + "IpProtocol": "icmp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "10.0.0.0/0" + }, + { + "IpProtocol": "50", + "FromPort": 443, + "ToPort": 443, + "CidrIp": "192.168.0.0/0" + } + ] + } + } + } +} +``` +
+
Negative test num. 10 - json file + +```json +{ + "Resources": { + "LoadBalancer01": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "SGCase1" + }, + { + "Ref": "SGCase2" + }, + { + "Ref": "SGCase3" + }, + { + "Ref": "SGCase4" + }, + { + "Ref": "SGCase5" + }, + { + "Ref": "SGCase6" + } + ] + } + }, + "SGCase2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "IPv4 Case 2 - /0 without insecure ports", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "192.168.0.0/0" + } + ] + } + }, + "SGCase3": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "IPv4 Case 3 - insecure ports in range, invalid protocol", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "icmp", + "FromPort": 20, + "ToPort": 5000, + "CidrIp": "8.8.0.0/16" + } + ] + } + }, + "SGCase5": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "IPv6 Case 2 - /0 without insecure ports", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "fd12:3456:789a::1/0" + } + ] + } + }, + "SGCase6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "IPv6 Case 3 - insecure ports in range, invalid protocol", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "58", + "FromPort": 20, + "ToPort": 5000, + "CidrIpv6": "2400:cb00::/32" + } + ] + } + } + } +} +``` +
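Review bot: `LoadBalancer01` in Negative test num. 10 lists `SGCase1` and `SGCase4` under `SecurityGroups`, but only `SGCase2`, `SGCase3`, `SGCase5` and `SGCase6` are defined under `Resources`, so the sample is not a deployable template and a reader cannot tell whether the two missing cases were dropped on purpose. Either add the two groups or remove the two `Ref`s; if a dangling reference is itself the behaviour under test, say so in a `GroupDescription` the way the other cases do. The `/0` CIDRs with non-zero network bits (`192.168.0.0/0`, `10.0.0.0/0`, `fd12:3456:789a::1/0`) are only non-canonical spellings of the whole address space; the descriptions already say `/0`, but someone skimming the values could mistake them for private ranges, so a one-line note in the sample heading that these are deliberately non-canonical would help.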
diff --git a/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md b/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md index ad3821653d1..9333a78071b 100644 --- a/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md +++ b/docs/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2.md 
@@ -30,40 +30,163 @@ AWS Security Group should not have an unknown port exposed to the entire Interne ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="65 10 45 14 49 21 56 30" Resources: - InstanceSecurityGroup: +# IPv4 Rules + Positive1IPv4: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Expose unknown port to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 23 - ToPort: 25 + - IpProtocol: "tcp" + FromPort: 1000 + ToPort: 2000 CidrIp: 0.0.0.0/0 + - IpProtocol: "-1" # "-1" opens all ports + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + + IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1IPv4 + IpProtocol: "udp" + FromPort: 1000 + ToPort: 2000 + CidrIp: "0.0.0.0/0" + + IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1IPv4 + IpProtocol: "-1" + FromPort: 22 + ToPort: 22 + CidrIp: "0.0.0.0/0" + +# IPv6 Rules + Positive1IPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Expose unknown port to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 1000 + ToPort: 2000 + CidrIpv6: "::/0" + - IpProtocol: "-1" # "-1" opens all ports + FromPort: 22 + ToPort: 22 + CidrIpv6: "::/0" + + IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1IPv6 + IpProtocol: "udp" + FromPort: 1000 + ToPort: 2000 + CidrIpv6: "::/0" + + IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1IPv6 + IpProtocol: "-1" + FromPort: 22 + ToPort: 22 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" ``` -```json title="Positive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 
2 - json file" hl_lines="67 36 10 77 16 51 57 26" { "Resources": { - "InstanceSecurityGroup": { + "Positive1IPv4": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Expose unknown port to client host", - "VpcId": { - "Ref": "myVPC" - }, + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", - "FromPort": 110, - "ToPort": 119, + "FromPort": 1000, + "ToPort": 2000, + "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "-1", + "FromPort": 22, + "ToPort": 22, "CidrIp": "0.0.0.0/0" } ] } + }, + "IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Positive1IPv4" }, + "IpProtocol": "udp", + "FromPort": 1000, + "ToPort": 2000, + "CidrIp": "0.0.0.0/0" + } + }, + "IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Positive1IPv4" }, + "IpProtocol": "-1", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + }, + "Positive1IPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Expose unknown port to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 1000, + "ToPort": 2000, + "CidrIpv6": "::/0" + }, + { + "IpProtocol": "-1", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "::/0" + } + ] + } + }, + "IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Positive1IPv6" }, + "IpProtocol": "udp", + "FromPort": 1000, + "ToPort": 2000, + "CidrIpv6": "::/0" + } + }, + "IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Positive1IPv6" }, + "IpProtocol": "-1", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } } } } 
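Review bot: `hl_lines="65 10 45 14 49 21 56 30"` on Positive test num. 1 and `hl_lines="67 36 10 77 16 51 57 26"` on Positive test num. 2 list the flagged lines out of order; sort them ascending so a reviewer can map each highlight to a rule without re-counting the file.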
@@ -74,41 +197,283 @@ Resources: #### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" Resources: - InstanceSecurityGroup: +# IPv4 Rules + Negative1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Expose known ports to client host + GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 20 - ToPort: 23 + - IpProtocol: "udp" + FromPort: 22 # no "unknown" port + ToPort: 22 CidrIp: 0.0.0.0/0 + Negative1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 6000 + CidrIp: 192.0.0.0/16 # CidrIP is not 0:0:0:0/0 + - IpProtocol: udp # both fields "incorrect" + FromPort: 22 + ToPort: 22 + CidrIp: 192.120.0.0/16 + +# IPv6 Rules + Negative1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "udp" + FromPort: 3389 # no "unknown" port + ToPort: 3389 + CidrIpv6: "::/0" + + Negative1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 6000 + CidrIpv6: "2400:cb00::/32" # CidrIPv6 is not ::/0 + - IpProtocol: "udp" # both fields "incorrect" + FromPort: 3389 + ToPort: 3389 + CidrIpv6: "2400:cb00::/32" ``` -```json title="Negative test num. 2 - json file" +```yaml title="Negative test num. 
2 - yaml file" +Resources: + + Negative2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for negative test cases" + VpcId: !Ref MyVPC + +# IPv4 Rules + Negative2IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" + FromPort: 22 # no "unknown" port + ToPort: 22 + CidrIp: "0.0.0.0/0" + + Negative2IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 0 + ToPort: 6000 + CidrIp: "192.0.0.0/16" # CidrIP is not 0:0:0:0/0 + + Negative2IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # both fields "incorrect" + FromPort: 22 + ToPort: 22 + CidrIp: "192.120.0.0/16" + +# IPv6 Rules + Negative2IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" + FromPort: 3389 # no "unknown" port + ToPort: 3389 + CidrIpv6: "::/0" + + Negative2IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 0 + ToPort: 6000 + CidrIpv6: "2400:cb00::/32" # CidrIPv6 is not ::/0 + + Negative2IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # both fields "incorrect" + FromPort: 3389 + ToPort: 3389 + CidrIpv6: "2400:cb00::/32" +``` +```json title="Negative test num. 
3 - json file" { "Resources": { - "InstanceSecurityGroup": { + "Negative1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Expose known port to client host", - "VpcId": { - "Ref": "myVPC" - }, + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, "CidrIp": "0.0.0.0/0" } ] } + }, + "Negative1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 6000, + "CidrIp": "192.0.0.0/16" + }, + { + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "192.120.0.0/16" + } + ] + } + }, + "Negative1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIpv6": "::/0" + } + ] + } + }, + "Negative1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 6000, + "CidrIpv6": "2400:cb00::/32" + }, + { + "IpProtocol": "udp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIpv6": "2400:cb00::/32" + } + ] + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "Negative2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for negative test cases", + "VpcId": { "Ref": "MyVPC" } + } + }, + "Negative2IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative2IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 6000, + "CidrIp": "192.0.0.0/16" + } + }, + "Negative2IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "192.120.0.0/16" + } + }, + "Negative2IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIpv6": "::/0" + } + }, + "Negative2IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 6000, + "CidrIpv6": "2400:cb00::/32" + } + }, + "Negative2IPv6Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative2SecurityGroup" }, + "IpProtocol": "udp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIpv6": "2400:cb00::/32" + } } } } ``` +
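Review bot: the inline comment `# CidrIP is not 0:0:0:0/0` (on `Negative1ArrayTestIPv4` and again on `Negative2IPv4Ingress2`) misspells the IPv4 wildcard; it should read `0.0.0.0/0` (the IPv6 comments correctly say `::/0`). `GroupDescription: Allow http to client host` is also used on groups whose only rules are udp/22 and udp/3389, so the description contradicts the rule; something like `Allow a known port to client host` would match the `# no "unknown" port` comment. Two smaller points: Negative test num. 2 jumps from `Negative2IPv6Ingress1` to `Negative2IPv6Ingress3`, and Negative test num. 3 has a stray blank line before its closing fence.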
diff --git a/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md b/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md index 117119496cd..3f29731df88 100644 --- a/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md +++ b/docs/queries/cloudformation-queries/aws/9564406d-e761-4e61-b8d7-5926e3ab8e79.md 
@@ -30,193 +30,210 @@ The IP address in a DB Security Group should not be '0.0.0.0/0' (IPv4) or '::/0' ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="6" +```yaml title="Positive test num. 1 - yaml file" hl_lines="32 36 8 20 52 61" Resources: - DBEC2SecurityGroup: + # Legacy RDS DBSecurityGroup with inline ingress + DbSecurityByEC2SecurityGroupInline_pos1: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy inline ingress" + DBSecurityGroupIngress: + - CIDRIP: 0.0.0.0/0 + + # Legacy RDS DBSecurityGroup with standalone ingress + DbSecurityByEC2SecurityGroupStandalone_pos1: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy standalone ingress" + + DbSecurityIngressRule_pos1: + Type: AWS::RDS::DBSecurityGroupIngress + Properties: + DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_pos1 + CIDRIP: 0.0.0.0/0 + + # EC2 Security Group with inline IPv4 and IPv6 rules + DBEC2SecurityGroupInline_pos1: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Open database for access + GroupDescription: "Inline IPv4 and IPv6 ingress" + VpcId: !Ref VPC SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - DBInstance: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: ::/0 + + # EC2 Security Group with standalone ingress rules + DBEC2SecurityGroupStandalone_pos1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Standalone IPv4 and IPv6 ingress" + VpcId: !Ref VPC + + DBEC2SecurityGroupIngress_pos1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_pos1 + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + + DBEC2SecurityGroupIngressIPv6_pos1: + Type: 
AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_pos1 + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + # Public RDS Instance referencing all security groups + DBInstance_pos1: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: true - DBName: - Ref: DBName + DBName: !Ref DBName Engine: MySQL - MultiAZ: - Ref: MultiAZDatabase - MasterUsername: - Ref: DBUser - DBInstanceClass: - Ref: DBClass - AllocatedStorage: - Ref: DBAllocatedStorage - MasterUserPassword: - Ref: DBPassword + DBSecurityGroups: + - !Ref DbSecurityByEC2SecurityGroupInline_pos1 + - !Ref DbSecurityByEC2SecurityGroupStandalone_pos1 VPCSecurityGroups: - - !GetAtt DBEC2SecurityGroup.GroupId + - !Ref DBEC2SecurityGroupInline_pos1 + - !Ref DBEC2SecurityGroupStandalone_pos1 ``` -```yaml title="Positive test num. 2 - yaml file" hl_lines="19" +```yaml title="Positive test num. 2 - yaml file" hl_lines="8" Resources: - DBinstance2: - Type: AWS::RDS::DBInstance - Properties: - PubliclyAccessible: true - DBSecurityGroups: - - - Ref: "DbSecurityByEC2SecurityGroup" - AllocatedStorage: "5" - DBInstanceClass: "db.t3.small" - Engine: "MySQL" - MasterUsername: "YourName" - MasterUserPassword: "YourPassword" - DeletionPolicy: "Snapshot" - DbSecurityByEC2SecurityGroup: - Type: AWS::RDS::DBSecurityGroup + DbSecurityByEC2SecurityGroup_pos2: + Type: AWS::RDS::DBSecurityGroup #legacy-inline Properties: GroupDescription: "Ingress for Amazon EC2 security group" DBSecurityGroupIngress: - CIDRIP: 0.0.0.0/0 - -``` -```yaml title="Positive test num. 
3 - yaml file" hl_lines="6" -Resources: - DBEC2SecurityGroup2: - Type: AWS::EC2::SecurityGroup - Properties: - GroupDescription: Open database for access - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIpv6: ::/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - DBInstance3: + DBInstance: Type: AWS::RDS::DBInstance - Properties: - PubliclyAccessible: true + Properties: # Assumes public since "DBSubnetGroupName" is not set DBName: Ref: DBName Engine: MySQL - MultiAZ: - Ref: MultiAZDatabase - MasterUsername: - Ref: DBUser - DBInstanceClass: - Ref: DBClass - AllocatedStorage: - Ref: DBAllocatedStorage - MasterUserPassword: - Ref: DBPassword - VPCSecurityGroups: - - !GetAtt DBEC2SecurityGroup2.GroupId + DBSecurityGroups: + - !Ref DbSecurityByEC2SecurityGroup_pos2 ``` -
Positive test num. 4 - json file - -```json hl_lines="6" +```json title="Positive test num. 3 - json file" hl_lines="70 9 41 47 82 26" { "Resources": { - "DBEC2SecurityGroup": { + "DbSecurityByEC2SecurityGroupInline_pos3": { + "Type": "AWS::RDS::DBSecurityGroup", "Properties": { - "GroupDescription": "Open database for access", + "GroupDescription": "Legacy inline ingress", + "DBSecurityGroupIngress": [ + { + "CIDRIP": "0.0.0.0/0" + } + ] + } + }, + "DbSecurityByEC2SecurityGroupStandalone_pos3": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Legacy standalone ingress" + } + }, + "DbSecurityIngressRule_pos3": { + "Type": "AWS::RDS::DBSecurityGroupIngress", + "Properties": { + "DBSecurityGroupName": { + "Ref": "DbSecurityByEC2SecurityGroupStandalone_pos3" + }, + "CIDRIP": "0.0.0.0/0" + } + }, + "DBEC2SecurityGroupInline_pos3": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Inline IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" - } - ], - "SecurityGroupEgress": [ + }, { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, - "CidrIp": "0.0.0.0/0" + "CidrIpv6": "::/0" } ] - }, - "Type": "AWS::EC2::SecurityGroup" + } }, - "DBInstance": { - "Type": "AWS::RDS::DBInstance", + "DBEC2SecurityGroupStandalone_pos3": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "PubliclyAccessible": true, - "Engine": "MySQL", - "MasterUsername": { - "Ref": "DBUser" - }, - "VPCSecurityGroups": [ - "DBEC2SecurityGroup.GroupId" - ], - "DBName": { - "Ref": "DBName" - }, - "MultiAZ": { - "Ref": "MultiAZDatabase" - }, - "DBInstanceClass": { - "Ref": "DBClass" + "GroupDescription": "Standalone IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + } + } + }, + "DBEC2SecurityGroupIngress_pos3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_pos3" }, 
- "AllocatedStorage": { - "Ref": "DBAllocatedStorage" + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "DBEC2SecurityGroupIngressIPv6_pos3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_pos3" }, - "MasterUserPassword": { - "Ref": "DBPassword" - } + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" } - } - } -} - -``` -
-
Positive test num. 5 - json file - -```json hl_lines="24" -{ - "Resources": { - "DBinstance2": { + }, + "DBInstance_pos3": { "Type": "AWS::RDS::DBInstance", "Properties": { "PubliclyAccessible": true, + "DBName": { + "Ref": "DBName" + }, + "Engine": "MySQL", "DBSecurityGroups": [ { - "Ref": "DbSecurityByEC2SecurityGroup" + "Ref": "DbSecurityByEC2SecurityGroupInline_pos3" + }, + { + "Ref": "DbSecurityByEC2SecurityGroupStandalone_pos3" } ], - "AllocatedStorage": "5", - "DBInstanceClass": "db.t3.small", - "Engine": "MySQL", - "MasterUsername": "YourName", - "MasterUserPassword": "YourPassword" - }, - "DeletionPolicy": "Snapshot" - }, - "DbSecurityByEC2SecurityGroup": { - "Type": "AWS::RDS::DBSecurityGroup", - "Properties": { - "GroupDescription": "Ingress for Amazon EC2 security group", - "DBSecurityGroupIngress": [ + "VPCSecurityGroups": [ { - "CIDRIP": "0.0.0.0/0" + "Ref": "DBEC2SecurityGroupInline_pos3" + }, + { + "Ref": "DBEC2SecurityGroupStandalone_pos3" } ] } @@ -225,104 +242,61 @@ Resources: } ``` -
-
Positive test num. 6 - json file +
Positive test num. 4 - json file -```json hl_lines="15" +```json hl_lines="9" { "Resources": { - "DBEC2SecurityGroup2": { - "Type": "AWS::EC2::SecurityGroup", + "DbSecurityByEC2SecurityGroup_pos4": { + "Type": "AWS::RDS::DBSecurityGroup", "Properties": { - "SecurityGroupEgress": [ - { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, - "CidrIp": "0.0.0.0/0" - } - ], - "GroupDescription": "Open database for access", - "SecurityGroupIngress": [ + "GroupDescription": "Ingress for Amazon EC2 security group", + "DBSecurityGroupIngress": [ { - "CidrIpv6": "::/0", - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80 + "CIDRIP": "0.0.0.0/0" } ] } }, - "DBInstance3": { + "DBInstance": { + "Type": "AWS::RDS::DBInstance", "Properties": { - "Engine": "MySQL", - "AllocatedStorage": { - "Ref": "DBAllocatedStorage" - }, - "MasterUserPassword": { - "Ref": "DBPassword" - }, - "VPCSecurityGroups": [ - "DBEC2SecurityGroup2.GroupId" - ], - "PubliclyAccessible": true, "DBName": { "Ref": "DBName" }, - "MultiAZ": { - "Ref": "MultiAZDatabase" - }, - "MasterUsername": { - "Ref": "DBUser" - }, - "DBInstanceClass": { - "Ref": "DBClass" - } - }, - "Type": "AWS::RDS::DBInstance" + "Engine": "MySQL", + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroup_pos4" + } + ] + } } } } ```
-
Positive test num. 7 - yaml file +
Positive test num. 5 - yaml file -```yaml hl_lines="6" +```yaml hl_lines="8" Resources: - DBEC2SecurityGroup: - Type: AWS::EC2::SecurityGroup + DbSecurityByEC2SecurityGroup_pos5: + Type: AWS::RDS::DBSecurityGroup #legacy-inline Properties: - GroupDescription: Open database for access - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 + GroupDescription: "Ingress for Amazon EC2 security group" + DBSecurityGroupIngress: + - + CIDRIP: 0.0.0.0/0 DBInstance: Type: AWS::RDS::DBInstance Properties: - PubliclyAccessible: "true" + PubliclyAccessible: "true" #quoted string support test DBName: Ref: DBName Engine: MySQL - MultiAZ: - Ref: MultiAZDatabase - MasterUsername: - Ref: DBUser - DBInstanceClass: - Ref: DBClass - AllocatedStorage: - Ref: DBAllocatedStorage - MasterUserPassword: - Ref: DBPassword - VPCSecurityGroups: - - !GetAtt DBEC2SecurityGroup.GroupId + DBSecurityGroups: + - !Ref DbSecurityByEC2SecurityGroup_pos5 ```
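Review bot: Positive test num. 2 (yaml) and Positive test num. 4 (json) both drop `PubliclyAccessible` and rely on the comment `# Assumes public since "DBSubnetGroupName" is not set` to explain why they are still flagged; that is a query assumption rather than something a reader can verify from the template, and the JSON sample cannot carry the comment at all. State the rule once in the page description (an instance with neither `PubliclyAccessible` nor `DBSubnetGroupName` set is treated as public) and reword the YAML comment to point at it, so both samples are explained the same way.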
@@ -330,84 +304,304 @@ Resources: #### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" -#this code is a correct code for which the query should not find any result Resources: - DBEC2SecurityGroup: + # This sample does not flag because the cidr ips are not 0.0.0.0/0 or ::/0 + # Legacy RDS DBSecurityGroup with inline ingress + DbSecurityByEC2SecurityGroupInline_neg1: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy inline ingress" + DBSecurityGroupIngress: + - CIDRIP: 1.2.3.4/24 + + # Legacy RDS DBSecurityGroup with standalone ingress + DbSecurityByEC2SecurityGroupStandalone_neg1: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy standalone ingress" + + DbSecurityIngressRule_neg1: + Type: AWS::RDS::DBSecurityGroupIngress + Properties: + DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_neg1 + CIDRIP: 1.2.3.4/24 + + # EC2 Security Group with inline IPv4 and IPv6 rules + DBEC2SecurityGroupInline_neg1: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Open database for access + GroupDescription: "Inline IPv4 and IPv6 ingress" + VpcId: !Ref VPC SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 1.2.3.4/24 - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - DBInstance: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 1.2.3.4/24 + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 + + # EC2 Security Group with standalone ingress rules + DBEC2SecurityGroupStandalone_neg1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Standalone IPv4 and IPv6 ingress" + VpcId: !Ref VPC + + DBEC2SecurityGroupIngress_neg1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_neg1 + 
IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 1.2.3.4/24 + + DBEC2SecurityGroupIngressIPv6_neg1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_neg1 + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 + + # RDS Instance referencing all security groups + DBInstance_neg1: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: true - DBName: - Ref: DBName + DBName: !Ref DBName Engine: MySQL - MultiAZ: - Ref: MultiAZDatabase - MasterUsername: - Ref: DBUser - DBInstanceClass: - Ref: DBClass - AllocatedStorage: - Ref: DBAllocatedStorage - MasterUserPassword: - Ref: DBPassword + DBSecurityGroups: + - !Ref DbSecurityByEC2SecurityGroupInline_neg1 + - !Ref DbSecurityByEC2SecurityGroupStandalone_neg1 VPCSecurityGroups: - - !GetAtt DBEC2SecurityGroup.GroupId - + - !Ref DBEC2SecurityGroupInline_neg1 + - !Ref DBEC2SecurityGroupStandalone_neg1 ``` ```yaml title="Negative test num. 2 - yaml file" Resources: - DBinstance: + # This sample does not flag because "PubliclyAccessible" is set to false + # Legacy RDS DBSecurityGroup with inline ingress + DbSecurityByEC2SecurityGroupInline_neg2: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy inline ingress" + DBSecurityGroupIngress: + - CIDRIP: 0.0.0.0/0 + + # Legacy RDS DBSecurityGroup with standalone ingress + DbSecurityByEC2SecurityGroupStandalone_neg2: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy standalone ingress" + + DbSecurityIngressRule_neg2: + Type: AWS::RDS::DBSecurityGroupIngress + Properties: + DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_neg2 + CIDRIP: 0.0.0.0/0 + + # EC2 Security Group with inline IPv4 and IPv6 rules + DBEC2SecurityGroupInline_neg2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Inline IPv4 and IPv6 ingress" + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + 
CidrIp: 0.0.0.0/0 + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: ::/0 + + # EC2 Security Group with standalone ingress rules + DBEC2SecurityGroupStandalone_neg2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Standalone IPv4 and IPv6 ingress" + VpcId: !Ref VPC + + DBEC2SecurityGroupIngress_neg2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_neg2 + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + + DBEC2SecurityGroupIngressIPv6_neg2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_neg2 + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + # RDS Instance referencing all security groups + DBInstance_neg2: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: false #set to false + DBName: !Ref DBName + Engine: MySQL + DBSecurityGroups: + - !Ref DbSecurityByEC2SecurityGroupInline_neg2 + - !Ref DbSecurityByEC2SecurityGroupStandalone_neg2 + VPCSecurityGroups: + - !Ref DBEC2SecurityGroupInline_neg2 + - !Ref DBEC2SecurityGroupStandalone_neg2 + +``` +```yaml title="Negative test num. 
3 - yaml file" +Resources: + # This sample is near identical to Positive1 except that the "!Ref" on the DBInstance are incorrect + DbSecurityByEC2SecurityGroupInline_neg3: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy inline ingress" + DBSecurityGroupIngress: + - CIDRIP: 0.0.0.0/0 + + DbSecurityByEC2SecurityGroupStandalone_neg3: + Type: AWS::RDS::DBSecurityGroup + Properties: + GroupDescription: "Legacy standalone ingress" + + DbSecurityIngressRule: + Type: AWS::RDS::DBSecurityGroupIngress + Properties: + DBSecurityGroupName: !Ref DbSecurityByEC2SecurityGroupStandalone_neg3 + CIDRIP: 0.0.0.0/0 + + DBEC2SecurityGroupInline_neg3: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Inline IPv4 and IPv6 ingress" + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + - IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: ::/0 + + DBEC2SecurityGroupStandalone_neg3: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Standalone IPv4 and IPv6 ingress" + VpcId: !Ref VPC + + DBEC2SecurityGroupIngress_neg3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_neg3 + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + + DBEC2SecurityGroupIngressIPv6_neg3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DBEC2SecurityGroupStandalone_neg3 + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + DBInstance_neg3: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: true + DBName: !Ref DBName + Engine: MySQL DBSecurityGroups: - - - Ref: "DbSecurityByEC2SecurityGroup" - AllocatedStorage: "5" - DBInstanceClass: "db.t3.small" - Engine: "MySQL" - MasterUsername: "YourName" - MasterUserPassword: "YourPassword" - DeletionPolicy: "Snapshot" - DbSecurityByEC2SecurityGroup: - Type: AWS::RDS::DBSecurityGroup + - !Ref invalid_reference_1_neg3 
+ - !Ref invalid_reference_2_neg3 + VPCSecurityGroups: + - !Ref invalid_reference_3_neg3 + - !Ref invalid_reference_4_neg3 + +``` +
Negative test num. 4 - yaml file + +```yaml +Resources: + DbSecurityByEC2SecurityGroup_neg4: + Type: AWS::RDS::DBSecurityGroup #legacy-inline Properties: GroupDescription: "Ingress for Amazon EC2 security group" DBSecurityGroupIngress: - - CIDRIP: 1.2.3.4/24 + CIDRIP: 0.0.0.0/0 + DBInstance: + Type: AWS::RDS::DBInstance + Properties: # Assumes it is not public since "DBSubnetGroupName" is set + DBName: + Ref: DBName + Engine: MySQL + DBSubnetGroupName: !Ref MyDBSubnetGroup + DBSecurityGroups: + - !Ref DbSecurityByEC2SecurityGroup_neg4 ``` -```json title="Negative test num. 3 - json file" +
+
Negative test num. 5 - json file + +```json { "Resources": { - "DBEC2SecurityGroup": { + "DbSecurityByEC2SecurityGroupInline_neg5": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Legacy inline ingress", + "DBSecurityGroupIngress": [ + { + "CIDRIP": "1.2.3.4/24" + } + ] + } + }, + "DbSecurityByEC2SecurityGroupStandalone_neg5": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Legacy standalone ingress" + } + }, + "DbSecurityIngressRule_neg5": { + "Type": "AWS::RDS::DBSecurityGroupIngress", + "Properties": { + "DBSecurityGroupName": { + "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg5" + }, + "CIDRIP": "1.2.3.4/24" + } + }, + "DBEC2SecurityGroupInline_neg5": { "Type": "AWS::EC2::SecurityGroup", "Properties": { + "GroupDescription": "Inline IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + }, "SecurityGroupIngress": [ { - "CidrIp": "1.2.3.4/24", "IpProtocol": "tcp", "FromPort": 80, - "ToPort": 80 + "ToPort": 80, + "CidrIp": "1.2.3.4/24" }, { "IpProtocol": "tcp", 
@@ -415,43 +609,183 @@ Resources: "ToPort": 80, "CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" } + ] + } + }, + "DBEC2SecurityGroupStandalone_neg5": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Standalone IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + } + } + }, + "DBEC2SecurityGroupIngress_neg5": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_neg5" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "1.2.3.4/24" + } + }, + "DBEC2SecurityGroupIngressIPv6_neg5": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_neg5" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" + } + }, + "DBInstance_neg5": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "PubliclyAccessible": true, + "DBName": { + "Ref": "DBName" + }, + "Engine": "MySQL", + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroupInline_neg5" + }, + { + "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg5" + } ], - "SecurityGroupEgress": [ + "VPCSecurityGroups": [ + { + "Ref": "DBEC2SecurityGroupInline_neg5" + }, + { + "Ref": "DBEC2SecurityGroupStandalone_neg5" + } + ] + } + } + } +} + +``` +
+
Negative test num. 6 - json file + +```json +{ + "Resources": { + "DbSecurityByEC2SecurityGroupInline_neg6": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Legacy inline ingress", + "DBSecurityGroupIngress": [ + { + "CIDRIP": "0.0.0.0/0" + } + ] + } + }, + "DbSecurityByEC2SecurityGroupStandalone_neg6": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Legacy standalone ingress" + } + }, + "DbSecurityIngressRule_neg6": { + "Type": "AWS::RDS::DBSecurityGroupIngress", + "Properties": { + "DBSecurityGroupName": { + "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg6" + }, + "CIDRIP": "0.0.0.0/0" + } + }, + "DBEC2SecurityGroupInline_neg6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Inline IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "::/0" } - ], - "GroupDescription": "Open database for access" + ] } }, - "DBInstance": { + "DBEC2SecurityGroupStandalone_neg6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Standalone IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + } + } + }, + "DBEC2SecurityGroupIngress_neg6": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_neg6" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "DBEC2SecurityGroupIngressIPv6_neg6": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_neg6" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "DBInstance_neg6": { "Type": "AWS::RDS::DBInstance", "Properties": { - "PubliclyAccessible": true, + "PubliclyAccessible": 
false, "DBName": { "Ref": "DBName" }, - "MultiAZ": { - "Ref": "MultiAZDatabase" - }, - "MasterUsername": { - "Ref": "DBUser" - }, - "AllocatedStorage": { - "Ref": "DBAllocatedStorage" - }, "Engine": "MySQL", - "DBInstanceClass": { - "Ref": "DBClass" - }, - "MasterUserPassword": { - "Ref": "DBPassword" - }, + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroupInline_neg6" + }, + { + "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg6" + } + ], "VPCSecurityGroups": [ - "DBEC2SecurityGroup.GroupId" + { + "Ref": "DBEC2SecurityGroupInline_neg6" + }, + { + "Ref": "DBEC2SecurityGroupStandalone_neg6" + } ] } } @@ -459,35 +793,156 @@ Resources: } ``` -
Negative test num. 4 - json file +
+
Negative test num. 7 - json file ```json { "Resources": { - "DBinstance": { + "DbSecurityByEC2SecurityGroupInline_neg7": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Legacy inline ingress", + "DBSecurityGroupIngress": [ + { + "CIDRIP": "0.0.0.0/0" + } + ] + } + }, + "DbSecurityByEC2SecurityGroupStandalone_neg7": { + "Type": "AWS::RDS::DBSecurityGroup", + "Properties": { + "GroupDescription": "Legacy standalone ingress" + } + }, + "DbSecurityIngressRule_neg7": { + "Type": "AWS::RDS::DBSecurityGroupIngress", + "Properties": { + "DBSecurityGroupName": { + "Ref": "DbSecurityByEC2SecurityGroupStandalone_neg7" + }, + "CIDRIP": "0.0.0.0/0" + } + }, + "DBEC2SecurityGroupInline_neg7": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Inline IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "::/0" + } + ] + } + }, + "DBEC2SecurityGroupStandalone_neg7": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Standalone IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + } + } + }, + "DBEC2SecurityGroupIngress_neg7": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_neg7" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "DBEC2SecurityGroupIngressIPv6_neg7": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone_neg7" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "DBInstance": { "Type": "AWS::RDS::DBInstance", "Properties": { - "AllocatedStorage": "5", - "DBInstanceClass": "db.t3.small", - "Engine": "MySQL", - "MasterUsername": 
"YourName", - "MasterUserPassword": "YourPassword", "PubliclyAccessible": true, + "DBName": { + "Ref": "DBName" + }, + "Engine": "MySQL", "DBSecurityGroups": [ { - "Ref": "DbSecurityByEC2SecurityGroup" + "Ref": "invalid_reference_1_neg7" + }, + { + "Ref": "invalid_reference_2_neg7" + } + ], + "VPCSecurityGroups": [ + { + "Ref": "invalid_reference_3_neg7" + }, + { + "Ref": "invalid_reference_4_neg7" } ] - }, - "DeletionPolicy": "Snapshot" - }, - "DbSecurityByEC2SecurityGroup": { + } + } + } +} + +``` +
+
Negative test num. 8 - json file + +```json +{ + "Resources": { + "DbSecurityByEC2SecurityGroup_neg8": { "Type": "AWS::RDS::DBSecurityGroup", "Properties": { "GroupDescription": "Ingress for Amazon EC2 security group", "DBSecurityGroupIngress": [ { - "CIDRIP": "1.2.3.4/24" + "CIDRIP": "0.0.0.0/0" + } + ] + } + }, + "DBInstance": { + "Type": "AWS::RDS::DBInstance", + "Properties": { + "DBName": { + "Ref": "DBName" + }, + "Engine": "MySQL", + "DBSubnetGroupName": [ + { + "Ref": "MyDBSubnetGroup" + } + ], + "DBSecurityGroups": [ + { + "Ref": "DbSecurityByEC2SecurityGroup_neg8" } ] } @@ -497,49 +952,26 @@ Resources: ```
-
Negative test num. 5 - yaml file +
Negative test num. 9 - yaml file ```yaml -#this code is a correct code for which the query should not find any result Resources: - DBEC2SecurityGroup: - Type: AWS::EC2::SecurityGroup + DbSecurityByEC2SecurityGroup_neg9: + Type: AWS::RDS::DBSecurityGroup #legacy-inline Properties: - GroupDescription: Open database for access - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 1.2.3.4/24 - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIpv6: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - DBInstance: + GroupDescription: "Ingress for Amazon EC2 security group" + DBSecurityGroupIngress: + - + CIDRIP: 0.0.0.0/0 + DBInstance_neg5: Type: AWS::RDS::DBInstance Properties: - PubliclyAccessible: "true" + PubliclyAccessible: "false" #quoted string support test DBName: Ref: DBName Engine: MySQL - MultiAZ: - Ref: MultiAZDatabase - MasterUsername: - Ref: DBUser - DBInstanceClass: - Ref: DBClass - AllocatedStorage: - Ref: DBAllocatedStorage - MasterUserPassword: - Ref: DBPassword - VPCSecurityGroups: - - !GetAtt DBEC2SecurityGroup.GroupId - + DBSecurityGroups: + - !Ref DbSecurityByEC2SecurityGroup_neg9 ```
diff --git a/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md b/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md index d9f37ca1df6..b5710d99470 100644 --- a/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md +++ b/docs/queries/cloudformation-queries/aws/adcd0082-e90b-4b63-862b-21899f6e6a48.md @@ -25,74 +25,169 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_with_meta_ip) ### Description -Security Groups allows 0.0.0.0/0 for all ports and protocols.
+Security Groups with exposed address should not open to all ports.
[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="19" +```yaml title="Positive test num. 1 - yaml file" hl_lines="36 72 12 16 48 52 26 62" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' +## Protocol set to "-1" (all ports open regardless of range set) + Positive1_security_group_1: + Type: 'AWS::EC2::SecurityGroup' Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - KeyName: mykey - ImageId: '' - InstanceSecurityGroup: - Type: AWS::EC2::SecurityGroup + GroupDescription: Open security group + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 + CidrIp: 0.0.0.0/0 + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 + CidrIpv6: ::/0 + + # Standalone IPv4 ingress rule + Positive1_ingress_ipv4_1: + Type: AWS::EC2::SecurityGroupIngress Properties: - GroupDescription: Allow http to client host - VpcId: - Ref: myVPC - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 0 + GroupId: !Ref Positive1_security_group_1 + IpProtocol: "-1" + FromPort: 3000 + ToPort: 3000 + CidrIp: 0.0.0.0/0 + + # Standalone IPv6 ingress rule + Positive1_ingress_ipv6_1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1_security_group_1 + IpProtocol: "-1" + FromPort: 3000 + ToPort: 3000 + CidrIpv6: ::/0 + +## Any protocol with ports 0-65535 (all) open + Positive1_security_group_2: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Open security group + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 ToPort: 65535 CidrIp: 0.0.0.0/0 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 + - IpProtocol: "udp" + FromPort: 0 + ToPort: 65535 + CidrIpv6: ::/0 + + # Standalone IPv4 ingress rule + Positive1_ingress_ipv4_2: + Type: 
AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1_security_group_2 + IpProtocol: "udp" + FromPort: 0 + ToPort: 65535 + CidrIp: 0.0.0.0/0 + + # Standalone IPv6 ingress rule + Positive1_ingress_ipv6_2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1_security_group_2 + IpProtocol: "tcp" + FromPort: 0 + ToPort: 65535 + CidrIpv6: ::/0 ``` -```json title="Positive test num. 2 - json file" hl_lines="24" +```json title="Positive test num. 2 - json file" hl_lines="72 41 13 82 19 54 60 31" { "Resources": { - "Ec2Instance": { + "Positive1_security_group_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Open security group", + "VpcId": { "Ref": "MyVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, + "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive1_ingress_ipv4_1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Positive1_security_group_1" }, + "IpProtocol": "-1", + "FromPort": 3000, + "ToPort": 3000, + "CidrIp": "0.0.0.0/0" + } + }, + "Positive1_ingress_ipv6_1": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "SecurityGroups": [ - "InstanceSecurityGroup" - ], - "KeyName": "mykey", - "ImageId": "" - }, - "Type": "AWS::EC2::Instance" + "GroupId": { "Ref": "Positive1_security_group_1" }, + "IpProtocol": "-1", + "FromPort": 3000, + "ToPort": 3000, + "CidrIpv6": "::/0" + } }, - "InstanceSecurityGroup": { + "Positive1_security_group_2": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http to client host", - "VpcId": { - "Ref": "myVPC" - }, + "GroupDescription": "Open security group", + "VpcId": { "Ref": "MyVPC" }, "SecurityGroupIngress": [ { + "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp" - } - ], - 
"SecurityGroupEgress": [ - { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "::/0" } ] } + }, + "Positive1_ingress_ipv4_2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Positive1_security_group_2" }, + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 65535, + "CidrIp": "0.0.0.0/0" + } + }, + "Positive1_ingress_ipv6_2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Positive1_security_group_2" }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "::/0" + } } } } 
@@ -103,67 +198,160 @@ Resources: #### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' +# Ipv4 Samples + Negative1_security_group_ipv4: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Open security group + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 2000 # not opening all ports + ToPort: 2000 + CidrIp: 0.0.0.0/0 + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 + CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0 + + # Standalone IPv4 ingress rules + Negative1_ingress_ipv4_1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative1_security_group_ipv4 + IpProtocol: "tcp" + FromPort: 3000 # not opening all ports + ToPort: 3000 + CidrIp: 0.0.0.0/0 + + Negative1_ingress_ipv4_2: + Type: AWS::EC2::SecurityGroupIngress Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - KeyName: mykey - ImageId: '' - InstanceSecurityGroup: - Type: AWS::EC2::SecurityGroup + GroupId: !Ref Negative1_security_group_ipv4 + IpProtocol: "tcp" + FromPort: 0 + ToPort: 65535 + CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0 + +# Ipv6 Samples + Negative1_security_group_ipv6: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Open security group + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 2000 # not opening all ports + ToPort: 2000 + CidrIpv6: ::/0 + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 2000 + CidrIpv6: 2001:0db8::/32 # cidr is not ::/0 + + # Standalone IPv6 ingress rules + Negative1_ingress_ipv6_1: + Type: AWS::EC2::SecurityGroupIngress Properties: - GroupDescription: Allow http to client host - VpcId: - Ref: myVPC - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/32 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/33 + GroupId: !Ref Negative1_security_group_ipv6 + 
IpProtocol: "tcp" + FromPort: 4000 # not opening all ports + ToPort: 4000 + CidrIpv6: ::/0 + + Negative1_ingress_ipv6_2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative1_security_group_ipv6 + IpProtocol: "udp" + FromPort: 0 + ToPort: 65535 + CidrIpv6: 2001:0db8::/32 # cidr is not ::/0 ``` ```json title="Negative test num. 2 - json file" { "Resources": { - "Ec2Instance": { - "Properties": { - "SecurityGroups": [ - "InstanceSecurityGroup" - ], - "KeyName": "mykey", - "ImageId": "" - }, - "Type": "AWS::EC2::Instance" - }, - "InstanceSecurityGroup": { + "Negative1_security_group_ipv4": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow http to client host", - "VpcId": { - "Ref": "myVPC" - }, + "GroupDescription": "Open security group", + "VpcId": { "Ref": "MyVPC" }, "SecurityGroupIngress": [ { - "ToPort": 80, - "CidrIp": "127.0.0.1/32", "IpProtocol": "tcp", - "FromPort": 80 + "FromPort": 2000, + "ToPort": 2000, + "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, + "CidrIp": "192.162.0.0/16" } - ], - "SecurityGroupEgress": [ + ] + } + }, + "Negative1_ingress_ipv4_1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative1_security_group_ipv4" }, + "IpProtocol": "tcp", + "FromPort": 3000, + "ToPort": 3000, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative1_ingress_ipv4_2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative1_security_group_ipv4" }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "CidrIp": "192.162.0.0/16" + } + }, + "Negative1_security_group_ipv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Open security group", + "VpcId": { "Ref": "MyVPC" }, + "SecurityGroupIngress": [ { "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, - "CidrIp": "127.0.0.1/33" + "FromPort": 2000, + "ToPort": 2000, + "CidrIpv6": "::/0" + }, + { + 
"IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 2000, + "CidrIpv6": "2001:0db8::/32" } ] } + }, + "Negative1_ingress_ipv6_1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative1_security_group_ipv6" }, + "IpProtocol": "tcp", + "FromPort": 4000, + "ToPort": 4000, + "CidrIpv6": "::/0" + } + }, + "Negative1_ingress_ipv6_2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { "Ref": "Negative1_security_group_ipv6" }, + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "2001:0db8::/32" + } } } } diff --git a/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md b/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md index f435ea70a5c..b0b0331cf76 100644 --- a/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md +++ b/docs/queries/cloudformation-queries/aws/c9846969-d066-431f-9b34-8c4abafe422a.md @@ -20,7 +20,7 @@ hide: - **Platform:** CloudFormation - **Severity:** High - **Category:** Networking and Firewall -- **CWE:** 668 +- **CWE:** 1188 - **Risk score:** 7.7 - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/remote_desktop_port_open_to_internet) @@ -30,31 +30,154 @@ The Remote Desktop port is open to the internet in a Security Group
### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="8" +```yaml title="Positive test num. 1 - yaml file" hl_lines="38 10 79 51 22 63" Resources: - InstanceSecurityGroup: +# IPv4 Rules + Positive1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow rdp to client host + GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp + - IpProtocol: "tcp" FromPort: 3389 ToPort: 3389 CidrIp: 0.0.0.0/0 + Positive1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIp: 0.0.0.0/0 + + Positive1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 1000 + ToPort: 4000 + CidrIp: 192.0.0.0/16 + - IpProtocol: "6" + FromPort: 2000 + ToPort: 3400 + CidrIp: 0.0.0.0/0 + +# IPv6 Rules + Positive1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 3389 + ToPort: 3389 + CidrIpv6: "::/0" + + Positive1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIpv6: "::/0" + + Positive1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 1000 + ToPort: 4000 + CidrIpv6: "2400:cb00::/32" #should not flag - used to test array index search + - IpProtocol: "6" + FromPort: 2000 + ToPort: 3400 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" ``` -```json title="Positive test num. 
2 - json file" hl_lines="10" +```yaml title="Positive test num. 2 - yaml file" hl_lines="40 12 49 21 31" +Resources: + + DualStackSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for IPv4 and IPv6 ingress rules" + VpcId: !Ref MyVPC + +# IPv4 Rules + IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIp: "0.0.0.0/0" + + IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 3200 + ToPort: 3500 + CidrIp: "0.0.0.0/0" + +# IPv6 Rules + IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 1000 + ToPort: 4000 + CidrIpv6: "::/0" + + IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 3200 + ToPort: 3500 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" +``` +```json title="Positive test num. 3 - json file" hl_lines="97 10 76 46 25 61" { "Resources": { - "InstanceSecurityGroup": { + "Positive1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow rdp to client host", - "VpcId": { - "Ref": "myVPC" - }, + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", 
@@ -64,45 +187,447 @@ Resources: } ] } + }, + "Positive1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Positive1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 1000, + "ToPort": 4000, + "CidrIp": "192.0.0.0/16" + }, + { + "IpProtocol": "6", + "FromPort": 2000, + "ToPort": 3400, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Positive1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 1000, + "ToPort": 4000, + "CidrIpv6": "2400:cb00::/32" + }, + { + "IpProtocol": "6", + "FromPort": 2000, + "ToPort": 3400, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + ] + } } } } ``` +
Positive test num. 4 - json file + +```json hl_lines="38 14 50 26 62" +{ + "Resources": { + "DualStackSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for IPv4 and IPv6 ingress rules", + "VpcId": { + "Ref": "MyVPC" + } + } + }, + "IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIp": "0.0.0.0/0" + } + }, + "IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 3200, + "ToPort": 3500, + "CidrIp": "0.0.0.0/0" + } + }, + "IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 1000, + "ToPort": 4000, + "CidrIpv6": "::/0" + } + }, + "IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 3200, + "ToPort": 3500, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + } + } +} +``` +
#### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" Resources: - InstanceSecurityGroup: +# IPv4 Rules + Negative1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: Allow rdp to client host + GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp + - IpProtocol: "udp" # wrong protocol FromPort: 3389 ToPort: 3389 - CidrIp: 192.168.0.0/16 + CidrIp: 0.0.0.0/0 + + Negative1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 100 + ToPort: 200 # not catching port 3389 + CidrIp: 0.0.0.0/0 + + Negative1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 4000 + CidrIp: 192.0.0.0/16 # CidrIP is not 0:0:0:0/0 + - IpProtocol: udp # all fields "incorrect" + FromPort: 1000 + ToPort: 2000 + CidrIp: 192.120.0.0/16 +# IPv6 Rules + Negative1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "udp" # wrong protocol + FromPort: 3389 + ToPort: 3389 + CidrIpv6: "::/0" + + Negative1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 5000 + ToPort: 5000 # not catching port 80 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + Negative1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 2000 + ToPort: 4000 + CidrIpv6: "2400:cb00::/32" # CidrIPv6 is not ::/0 + - IpProtocol: "udp" # all fields "incorrect" + FromPort: 5000 + ToPort: 
5000 + CidrIpv6: "2400:cb00::/32" +``` +```yaml title="Negative test num. 2 - yaml file" +Resources: + + Negative2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for negative test cases" + VpcId: !Ref MyVPC + +# IPv4 Rules + Negative2IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # incorrect protocol + FromPort: 3389 + ToPort: 3389 + CidrIp: "0.0.0.0/0" + + Negative2IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 100 # not catching port 3389 + ToPort: 200 + CidrIp: "0.0.0.0/0" + + Negative2IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "-1" + FromPort: 2000 + ToPort: 4000 + CidrIp: "8.8.0.0/16" # CidrIP is not 0:0:0:0/0 + + Negative2IPv4Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # all fields "incorrect" + FromPort: 5000 + ToPort: 5000 + CidrIp: "8.8.0.0/16" + +# IPv6 Rules + Negative2IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # incorrect protocol + FromPort: 3389 + ToPort: 3389 + CidrIpv6: "::/0" + + Negative2IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 5000 # not catching port 3389 + ToPort: 5000 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + Negative2IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "-1" + FromPort: 2000 + ToPort: 4000 + CidrIpv6: "2400:cb00::/32" # CidrIPv6 is not ::/0 + + Negative2IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup # all fields "incorrect" + IpProtocol: 
"udp" + FromPort: 5000 + ToPort: 5000 + CidrIpv6: "2400:cb00::/32" ``` -```json title="Negative test num. 2 - json file" +```json title="Negative test num. 3 - json file" { "Resources": { - "InstanceSecurityGroup": { + "Negative1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "GroupDescription": "Allow rdp to client host", - "VpcId": { - "Ref": "myVPC" - }, + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Negative1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 200, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Negative1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 4000, + "CidrIp": "192.0.0.0/16" + }, + { + "IpProtocol": "udp", + "FromPort": 1000, + "ToPort": 2000, + "CidrIp": "192.120.0.0/16" + } + ] + } + }, + "Negative1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", "FromPort": 3389, "ToPort": 3389, - "CidrIp": "192.168.0.0/16" + "CidrIpv6": "::/0" + } + ] + } + }, + "Negative1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + ] + } + }, + "Negative1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + 
"Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 4000, + "CidrIpv6": "2400:cb00::/32" + }, + { + "IpProtocol": "udp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "2400:cb00::/32" } ] } @@ -111,4 +636,119 @@ Resources: } ``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "Negative2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for negative test cases", + "VpcId": { + "Ref": "MyVPC" + } + } + }, + "Negative2IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative2IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 200, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative2IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 2000, + "ToPort": 4000, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv4Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 3389, + "ToPort": 3389, + "CidrIpv6": "::/0" + } + }, + "Negative2IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "Negative2IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 2000, + "ToPort": 4000, + "CidrIpv6": "2400:cb00::/32" + } + }, + "Negative2IPv6Ingress4": { + 
"Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "2400:cb00::/32" + } + } + } +} + +``` +
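Review bot: In the Negative test num. 1 YAML sample, the comment on `Negative1IPv6_2` reads `# not catching port 80`, but this query is about port 3389 and every other comment of that kind in the file (`Negative1IPv4_2`, `Negative2IPv4Ingress2`, `Negative2IPv6Ingress2`) says `# not catching port 3389`; this looks carried over from the HTTP-port query's samples. Suggest `ToPort: 5000 # not catching port 3389`. The same samples also describe the open IPv4 range in comments as `0:0:0:0/0` (`# CidrIP is not 0:0:0:0/0`), which is neither the IPv4 form `0.0.0.0/0` nor the IPv6 form `::/0`; `# CidrIp is not 0.0.0.0/0` would match the property name and the value the query actually checks.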
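Review bot: Negative test num. 4 (JSON) does not mirror the Negative test num. 2 (YAML) it is meant to duplicate: `Negative2IPv4Ingress3` has `"IpProtocol": "tcp"` here but `"-1"` in the YAML, and `Negative2IPv4Ingress4` has `"-1"` here but `"udp"` in the YAML (the YAML comments `# CidrIP is not 0:0:0:0/0` and `# all fields "incorrect"` describe the YAML values). Both variants stay negative because the CIDR is `8.8.0.0/16`, but the JSON no longer exercises the all-protocol (`-1`) rule over a port range that the YAML was written for; suggest aligning the two so the JSON and YAML samples test the same rules. Minor: this fence closes after an extra blank line (`+ +```), which the other samples in this file do not have.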
diff --git a/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md b/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md index cf510537889..f9a5501d3f0 100644 --- a/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md +++ b/docs/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7.md @@ -25,163 +25,350 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/security_groups_with_exhibited_admin_ports) ### Description -Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)
+Security Groups should not have ports 20, 21, 22, 23, 115, 137, 138, 139, 2049 or 3389 open
[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html) ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="15" +```yaml title="Positive test num. 1 - yaml file" hl_lines="8 16 26" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' + Positive1_security_group: + Type: 'AWS::EC2::SecurityGroup' Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - KeyName: mykey - ImageId: '' - InstanceSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupDescription: Allow http to client host - VpcId: - Ref: myVPC - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 20 - ToPort: 20 + GroupDescription: Enable SSH access via port 22 + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 22 + ToPort: 22 CidrIp: 0.0.0.0/0 - SecurityGroupEgress: + + # Standalone IPv4 ingress rule + Positive1_ingress_ipv4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1_security_group + IpProtocol: tcp + FromPort: 0 # exposes 20, 21, 22, 23 + ToPort: 100 + CidrIp: 0.0.0.0/0 + + # Standalone IPv6 ingress rule + Positive1_ingress_ipv6: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive1_security_group + IpProtocol: udp + FromPort: 2000 #exposes 2049 + ToPort: 2060 + CidrIpv6: ::/0 + +``` +```yaml title="Positive test num. 
2 - yaml file" hl_lines="34 8 12 16 24" +Resources: + Positive2_security_group: + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupDescription: Enable SSH access via port 22 + VpcId: !Ref MyVPC + SecurityGroupIngress: - IpProtocol: tcp - FromPort: 80 - ToPort: 80 + FromPort: 0 + ToPort: 100 CidrIp: 0.0.0.0/0 + - IpProtocol: udp + FromPort: 0 + ToPort: 100 + CidrIpv6: ::/0 + - IpProtocol: "-1" + FromPort: 22 + ToPort: 22 + CidrIpv6: ::/0 + + # Standalone IPv4 ingress rule + Positive2_ingress_ipv4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive2_security_group + IpProtocol: "-1" + FromPort: 0 + ToPort: 100 + CidrIp: 0.0.0.0/0 + + # Standalone IPv6 ingress rule + Positive1_ingress_ipv6: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Positive2_security_group + IpProtocol: "-1" + FromPort: 0 + ToPort: 100 + CidrIpv6: ::/0 ``` -```json title="Positive test num. 2 - json file" hl_lines="19" +```json title="Positive test num. 3 - json file" hl_lines="34 12 22" { "Resources": { - "Ec2Instance": { - "Type": "AWS::EC2::Instance", - "Properties": { - "ImageId": "", - "SecurityGroups": [ - "InstanceSecurityGroup" - ], - "KeyName": "mykey" - } - }, - "InstanceSecurityGroup": { + "Positive1_security_group": { "Type": "AWS::EC2::SecurityGroup", "Properties": { + "GroupDescription": "Enable SSH access via port 22", "VpcId": { - "Ref": "myVPC" + "Ref": "MyVPC" }, "SecurityGroupIngress": [ { - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp", - "FromPort": 20, - "ToPort": 20 - } - ], - "SecurityGroupEgress": [ - { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, + "IpProtocol": "-1", + "FromPort": 22, + "ToPort": 22, "CidrIp": "0.0.0.0/0" } - ], - "GroupDescription": "Allow http to client host" + ] + } + }, + "Positive1_ingress_ipv4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Positive1_security_group" + }, + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 100, + "CidrIp": 
"0.0.0.0/0" + } + }, + "Positive1_ingress_ipv6": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Positive1_security_group" + }, + "IpProtocol": "udp", + "FromPort": 2000, + "ToPort": 2060, + "CidrIpv6": "::/0" } } } } ``` +
Positive test num. 4 - json file + +```json hl_lines="34 12 46 18 24" +{ + "Resources": { + "Positive2_security_group": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Enable SSH access via port 22", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 100, + "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 100, + "CidrIpv6": "::/0" + }, + { + "IpProtocol": "-1", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive2_ingress_ipv4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Positive2_security_group" + }, + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 100, + "CidrIp": "0.0.0.0/0" + } + }, + "Positive1_ingress_ipv6": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Positive2_security_group" + }, + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 100, + "CidrIpv6": "::/0" + } + } + } +} +``` +
#### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' + Negative1_security_group: + Type: 'AWS::EC2::SecurityGroup' Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - KeyName: mykey - ImageId: '' - InstanceSecurityGroup: - Type: AWS::EC2::SecurityGroup + GroupDescription: Open security group + VpcId: !Ref MyVPC + SecurityGroupIngress: + - IpProtocol: tcp + FromPort: 5000 # does not expose admin port + ToPort: 5000 + CidrIp: 0.0.0.0/0 + - IpProtocol: "-1" + FromPort: 0 + ToPort: 0 + CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0 + - IpProtocol: udp + FromPort: 0 + ToPort: 20000 + CidrIpv6: 2001:0db8::/32 # cidr is not ::/0 + - IpProtocol: udp + FromPort: 5000 # does not expose admin port + ToPort: 5000 + CidrIpv6: ::/0 + + # Standalone IPv4 ingress rules + Negative1_ingress_ipv4_1: + Type: AWS::EC2::SecurityGroupIngress Properties: - GroupDescription: Allow http to client host - VpcId: - Ref: myVPC - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/32 - SecurityGroupEgress: - - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 127.0.0.1/33 + GroupId: !Ref Negative1_security_group + IpProtocol: tcp + FromPort: 5000 # does not expose admin port + ToPort: 5000 + CidrIp: 0.0.0.0/0 + + Negative1_ingress_ipv4_2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative1_security_group + IpProtocol: "-1" + FromPort: 3000 + ToPort: 3000 + CidrIp: 192.162.0.0/16 # cidr is not 0.0.0.0/0 + + # Standalone IPv6 ingress rules + Negative1_ingress_ipv6_1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative1_security_group + IpProtocol: tcp + FromPort: 5000 # does not expose admin port + ToPort: 5000 + CidrIpv6: ::/0 + + Negative1_ingress_ipv6_2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative1_security_group + IpProtocol: udp + FromPort: 0 + ToPort: 
20000 + CidrIpv6: 2001:0db8::/32 # cidr is not ::/0 + ``` ```json title="Negative test num. 2 - json file" { - "Resources": { - "Ec2Instance": { - "Type": "AWS::EC2::Instance", - "Properties": { - "SecurityGroups": [ - "InstanceSecurityGroup" - ], - "KeyName": "mykey", - "ImageId": "" - } - }, - "InstanceSecurityGroup": { - "Properties": { - "VpcId": { - "Ref": "myVPC" + "Resources": { + "Negative1_security_group": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Open security group", + "VpcId": { + "Ref": "MyVPC" + }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "0.0.0.0/0" + }, + { + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 0, + "CidrIp": "192.162.0.0/16" + }, + { + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 20000, + "CidrIpv6": "2001:0db8::/32" + }, + { + "IpProtocol": "udp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "::/0" + } + ] + } }, - "SecurityGroupIngress": [ - { - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80, - "CidrIp": "127.0.0.1/32" - } - ], - "SecurityGroupEgress": [ - { - "CidrIp": "127.0.0.1/33", - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80 - } - ], - "GroupDescription": "Allow http to client host" - }, - "Type": "AWS::EC2::SecurityGroup" + "Negative1_ingress_ipv4_1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative1_security_group" + }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative1_ingress_ipv4_2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative1_security_group" + }, + "IpProtocol": "-1", + "FromPort": 3000, + "ToPort": 3000, + "CidrIp": "192.162.0.0/16" + } + }, + "Negative1_ingress_ipv6_1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative1_security_group" + }, + "IpProtocol": "tcp", + "FromPort": 5000, + 
"ToPort": 5000, + "CidrIpv6": "::/0" + } + }, + "Negative1_ingress_ipv6_2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative1_security_group" + }, + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 20000, + "CidrIpv6": "2001:0db8::/32" + } + } } - } } - -``` -```yaml title="Negative test num. 3 - yaml file" -AWSTemplateFormatVersion: 2010-09-09 -Resources: - InstanceSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupDescription: Allow http to client host - VpcId: - Ref: myVPC - SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 11.22.33.44/32 ``` diff --git a/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md b/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md index 2ebf73b7c2d..454679695f3 100644 --- a/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md +++ b/docs/queries/cloudformation-queries/aws/dae9c373-8287-462f-8746-6f93dad93610.md @@ -30,7 +30,7 @@ AWS Security Group Egress should have a single port
### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="4 22" +```yaml title="Positive test num. 1 - yaml file" hl_lines="22 15" Resources: InstanceSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -81,7 +81,7 @@ Resources: - TargetSG - GroupId ``` -```json title="Positive test num. 2 - json file" hl_lines="32 5" +```json title="Positive test num. 2 - json file" hl_lines="32 21" { "Resources": { "InstanceSecurityGroup": { diff --git a/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md b/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md index 93de1fef61f..8163fcb1b6a 100644 --- a/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md +++ b/docs/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa.md @@ -30,31 +30,154 @@ The HTTP port is open to the internet in a Security Group
### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="9" +```yaml title="Positive test num. 1 - yaml file" hl_lines="38 10 79 51 22 63" Resources: - InstanceSecurityGroup: +# IPv4 Rules + Positive1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp + - IpProtocol: "tcp" FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 + Positive1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIp: 0.0.0.0/0 + + Positive1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 1000 + CidrIp: 192.0.0.0/16 + - IpProtocol: "6" + FromPort: 0 + ToPort: 100 + CidrIp: 0.0.0.0/0 + +# IPv6 Rules + Positive1IPv6_1: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 80 + ToPort: 80 + CidrIpv6: "::/0" + + Positive1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIpv6: "::/0" + + Positive1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 1000 + CidrIpv6: "2400:cb00::/32" #should not flag - used to test array index search + - IpProtocol: "6" + FromPort: 70 + ToPort: 90 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" +``` +```yaml title="Positive test num. 
2 - yaml file" hl_lines="40 12 49 21 31" +Resources: + + DualStackSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for IPv4 and IPv6 ingress rules" + VpcId: !Ref MyVPC + +# IPv4 Rules + IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIp: "0.0.0.0/0" + + IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 70 + ToPort: 90 + CidrIp: "0.0.0.0/0" + +# IPv6 Rules + IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 80 + ToPort: 80 + CidrIpv6: "::/0" + + IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "tcp" + FromPort: 70 + ToPort: 90 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref DualStackSecurityGroup + IpProtocol: "-1" + FromPort: 10 + ToPort: 10 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" ``` -```json title="Positive test num. 2 - json file" hl_lines="12" +```json title="Positive test num. 3 - json file" hl_lines="97 10 76 46 25 61" { "Resources": { - "InstanceSecurityGroup": { + "Positive1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow http to client host", - "VpcId": { - "Ref": "myVPC" - }, + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", 
@@ -64,66 +187,568 @@ Resources: } ] } + }, + "Positive1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Positive1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 1000, + "CidrIp": "192.0.0.0/16" + }, + { + "IpProtocol": "6", + "FromPort": 0, + "ToPort": 100, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Positive1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIpv6": "::/0" + } + ] + } + }, + "Positive1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 1000, + "CidrIpv6": "2400:cb00::/32" + }, + { + "IpProtocol": "6", + "FromPort": 70, + "ToPort": 90, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + ] + } } } } ``` -```yaml title="Positive test num. 3 - yaml file" hl_lines="9" +
Positive test num. 4 - json file + +```json hl_lines="38 14 50 26 62" +{ + "Resources": { + "DualStackSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for IPv4 and IPv6 ingress rules", + "VpcId": { + "Ref": "MyVPC" + } + } + }, + "IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIp": "0.0.0.0/0" + } + }, + "IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 70, + "ToPort": 90, + "CidrIp": "0.0.0.0/0" + } + }, + "IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIpv6": "::/0" + } + }, + "IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 70, + "ToPort": 90, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "DualStackSecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 10, + "ToPort": 10, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + } + } +} +``` +
+ + +#### Code samples without security vulnerabilities +```yaml title="Negative test num. 1 - yaml file" Resources: - InstanceSecurityGroup: +# IPv4 Rules + Negative1IPv4_1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp - FromPort: 70 - ToPort: 90 + - IpProtocol: "udp" # wrong protocol + FromPort: 80 + ToPort: 80 CidrIp: 0.0.0.0/0 -``` + Negative1IPv4_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 100 + ToPort: 200 # not catching port 80 + CidrIp: 0.0.0.0/0 + Negative1ArrayTestIPv4: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 0 + ToPort: 1000 + CidrIp: 192.0.0.0/16 # CidrIP is not 0:0:0:0/0 + - IpProtocol: "udp" # all fields "incorrect" + FromPort: 1000 + ToPort: 2000 + CidrIp: 192.120.0.0/16 -#### Code samples without security vulnerabilities -```yaml title="Negative test num. 
1 - yaml file" -Resources: - InstanceSecurityGroup: +# IPv6 Rules + Negative1IPv6_1: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Allow http to client host VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: tcp + - IpProtocol: "udp" # wrong protocol FromPort: 80 ToPort: 80 - CidrIp: 192.168.0.0/16 + CidrIpv6: "::/0" + + Negative1IPv6_2: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 5000 + ToPort: 5000 # not catching port 80 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + Negative1ArrayTestIPv6: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Allow http to client host + VpcId: + Ref: myVPC + SecurityGroupIngress: + - IpProtocol: "-1" + FromPort: 0 + ToPort: 1000 + CidrIpv6: "2400:cb00::/32" # CidrIpv6 is not ::/0 + - IpProtocol: "udp" # all fields "incorrect" + FromPort: 1000 + ToPort: 2000 + CidrIpv6: "2400:cb00::/32" ``` -```json title="Negative test num. 2 - json file" +```yaml title="Negative test num. 
2 - yaml file" +Resources: + + Negative2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: "Security group for negative test cases" + VpcId: !Ref MyVPC + +# IPv4 Rules + Negative2IPv4Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # incorrect protocol + FromPort: 80 + ToPort: 80 + CidrIp: "0.0.0.0/0" + + Negative2IPv4Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 100 # not catching port 80 + ToPort: 200 + CidrIp: "0.0.0.0/0" + + Negative2IPv4Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "-1" + FromPort: 0 + ToPort: 100 + CidrIp: "8.8.0.0/16" # CidrIP is not 0:0:0:0/0 + + Negative2IPv4Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # all fields "incorrect" + FromPort: 5000 + ToPort: 5000 + CidrIp: "8.8.0.0/16" + +# IPv6 Rules + Negative2IPv6Ingress1: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "udp" # incorrect protocol + FromPort: 80 + ToPort: 80 + CidrIpv6: "::/0" + + Negative2IPv6Ingress2: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "tcp" + FromPort: 5000 # not catching port 80 + ToPort: 5000 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + Negative2IPv6Ingress3: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup + IpProtocol: "-1" + FromPort: 0 + ToPort: 100 + CidrIpv6: "2400:cb00::/32" # CidrIP is not 0:0:0:0/0 + + Negative2IPv6Ingress4: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref Negative2SecurityGroup # all fields "incorrect" + IpProtocol: "udp" + FromPort: 5000 + ToPort: 5000 + CidrIpv6: "2400:cb00::/32" +``` +```json 
title="Negative test num. 3 - json file" { "Resources": { - "InstanceSecurityGroup": { + "Negative1IPv4_1": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "Allow http to client host", - "VpcId": { - "Ref": "myVPC" - }, + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Negative1IPv4_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, "SecurityGroupIngress": [ { "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 200, + "CidrIp": "0.0.0.0/0" + } + ] + } + }, + "Negative1ArrayTestIPv4": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 1000, + "CidrIp": "192.0.0.0/16" + }, + { + "IpProtocol": "udp", + "FromPort": 1000, + "ToPort": 2000, + "CidrIp": "192.120.0.0/16" + } + ] + } + }, + "Negative1IPv6_1": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "udp", "FromPort": 80, "ToPort": 80, - "CidrIp": "192.168.0.0/16" + "CidrIpv6": "::/0" + } + ] + } + }, + "Negative1IPv6_2": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" } ] } + }, + "Negative1ArrayTestIPv6": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Allow http to client host", + "VpcId": { "Ref": "myVPC" }, + "SecurityGroupIngress": [ + { + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 1000, + "CidrIpv6": 
"2400:cb00::/32" + }, + { + "IpProtocol": "udp", + "FromPort": 1000, + "ToPort": 2000, + "CidrIpv6": "2400:cb00::/32" + } + ] + } + } + } +} + +``` +
Negative test num. 4 - json file + +```json +{ + "Resources": { + "Negative2SecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Security group for negative test cases", + "VpcId": { + "Ref": "MyVPC" + } + } + }, + "Negative2IPv4Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative2IPv4Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 100, + "ToPort": 200, + "CidrIp": "0.0.0.0/0" + } + }, + "Negative2IPv4Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 0, + "ToPort": 100, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv4Ingress4": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIp": "8.8.0.0/16" + } + }, + "Negative2IPv6Ingress1": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "::/0" + } + }, + "Negative2IPv6Ingress2": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "tcp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" + } + }, + "Negative2IPv6Ingress3": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "-1", + "FromPort": 22, + "ToPort": 22, + "CidrIpv6": "2400:cb00::/32" + } + }, + "Negative2IPv6Ingress4": { + "Type": 
"AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "Negative2SecurityGroup" + }, + "IpProtocol": "udp", + "FromPort": 5000, + "ToPort": 5000, + "CidrIpv6": "2400:cb00::/32" + } } } } ``` +
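Review bot: In the "Negative test num. 4" JSON, `Negative2IPv4Ingress3` and `Negative2IPv6Ingress3` combine `"IpProtocol": "-1"` with a `FromPort`/`ToPort` range (0-100 and 22-22). For protocol `-1` (all traffic) EC2 ignores the port range, so these rules actually mean "all ports from 8.8.0.0/16" and "all ports from 2400:cb00::/32", not the narrow ranges the numbers suggest. They remain valid negatives for this query because the source prefix is restricted, but the port fields hide what the case is exercising; drop `FromPort`/`ToPort` on the `-1` rules (as the standalone `IpProtocol: "-1"` rule in the e415f8d3 sample further down does) or add a short comment in the docs saying the case covers "all traffic from a limited CIDR". The remaining cases (single port from `0.0.0.0/0`, `::/0` and the long-form `0000:...:0000/0`) read clearly as "open source but not all ports", which is the other boundary this query needs.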
diff --git a/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md b/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md index 50878414a42..87fa6aa983d 100644 --- a/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md +++ b/docs/queries/cloudformation-queries/aws/e200a6f3-c589-49ec-9143-7421d4a2c845.md @@ -25,7 +25,7 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules) ### Description -An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules
+An AWS Elastic Load Balancer (ELB) shouldn't have security groups without inbound rules
[Documentation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupingress) ### Code samples @@ -65,6 +65,69 @@ Resources: } ``` +```yaml title="Positive test num. 3 - yaml file" hl_lines="5" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithingress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + + sgIngressRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref wrong_ref + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + + MyLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + SecurityGroups: + - !Ref sgwithingress + +``` +
Positive test num. 4 - json file + +```json hl_lines="6" +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "sgwithingress": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Limits security group egress traffic" + } + }, + "sgIngressRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "wrong_ref" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "sgwithingress" + } + ] + } + } + } +} + +``` +
#### Code samples without security vulnerabilities @@ -116,4 +179,67 @@ Resources: } ``` +```yaml title="Negative test num. 3 - yaml file" +AWSTemplateFormatVersion: 2010-09-09 +Resources: + sgwithingress: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + + sgIngressRule: + Type: AWS::EC2::SecurityGroupIngress + Properties: + GroupId: !Ref sgwithingress + IpProtocol: tcp + FromPort: 80 + ToPort: 80 + CidrIp: 0.0.0.0/0 + + MyLoadBalancer: + Type: AWS::ElasticLoadBalancingV2::LoadBalancer + Properties: + SecurityGroups: + - !Ref sgwithingress + +``` +
Negative test num. 4 - json file + +```json +{ + "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", + "Resources": { + "sgwithingress": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "Limits security group egress traffic" + } + }, + "sgIngressRule": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "sgwithingress" + }, + "IpProtocol": "tcp", + "FromPort": 80, + "ToPort": 80, + "CidrIp": "0.0.0.0/0" + } + }, + "MyLoadBalancer": { + "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", + "Properties": { + "SecurityGroups": [ + { + "Ref": "sgwithingress" + } + ] + } + } + } +} + +``` +
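Review bot: Both new JSON samples ("Positive test num. 4" and "Negative test num. 4") carry `"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z"`, which is not a value CloudFormation accepts; the only valid template format version is the string `2010-09-09`. The timestamp comes from the unquoted `AWSTemplateFormatVersion: 2010-09-09` in the YAML samples being parsed as a date when the JSON variant is generated. Quote it in the YAML (`AWSTemplateFormatVersion: '2010-09-09'`, as the removed e415f8d3 samples did) so the generated JSON is deployable as written. Two smaller points: `GroupDescription: Limits security group egress traffic` is misleading on samples whose whole point is inbound rules (something like "Security group without inbound rules" for the positive case and "with an inbound rule" for the negative case would read better), and the deliberate `GroupId: !Ref wrong_ref` in the positive sample deserves a one-line comment saying the dangling reference is what leaves `sgwithingress` with no ingress rule, so readers do not mistake it for a typo. The description fix from "outbound" to "inbound" matches the query name and the linked `SecurityGroupIngress` documentation.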
diff --git a/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md b/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md index 73c895a02ad..cb8ba7e270d 100644 --- a/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md +++ b/docs/queries/cloudformation-queries/aws/e415f8d3-fc2b-4f52-88ab-1129e8c8d3f5.md @@ -25,2259 +25,310 @@ hide: - **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/cloudFormation/aws/fully_open_ingress) ### Description -ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses
+ECS Service's security group should not allow unrestricted access to all ports from all IPv4 or IPv6 addresses
[Documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group) ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="32 24" -AWSTemplateFormatVersion: '2010-09-09' -Parameters: - VpcId: - Type: AWS::EC2::VPC::Id - Description: Select a VPC that allows instances access to the Internet. - SubnetId: - Type: List - Description: Select at two subnets in your selected VPC. +```yaml title="Positive test num. 1 - yaml file" hl_lines="19 37 46 23" Resources: - ECSCluster: - Type: AWS::ECS::Cluster - EcsSecurityGroup: - Type: AWS::EC2::SecurityGroup - Properties: - GroupDescription: ECS Security Group - VpcId: !Ref 'VpcId' - EcsSecurityGroupHTTPinbound02: - Type: AWS::EC2::SecurityGroupIngress - Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 80 - ToPort: 0 - CidrIp: 0.0.0.0/0 - EcsSecurityGroupSSHinbound: - Type: AWS::EC2::SecurityGroupIngress - Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 22 - ToPort: 0 - CidrIp: 0.0.0.0/0 - EcsSecurityGroupALBports: - Type: AWS::EC2::SecurityGroupIngress - Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 31000 - ToPort: 61000 - SourceSecurityGroupId: !Ref 'EcsSecurityGroup' - CloudwatchLogsGroup: - Type: AWS::Logs::LogGroup - Properties: - LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']] - RetentionInDays: 14 - TaskDefinition: - Type: AWS::ECS::TaskDefinition - Properties: - Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]] - ContainerDefinitions: - - Name: simple-app - Cpu: 10 - Essential: true - Image: httpd:2.4 - Memory: 300 - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: !Ref 'CloudwatchLogsGroup' - awslogs-region: !Ref 'AWS::Region' - awslogs-stream-prefix: ecs-demo-app - MountPoints: - - ContainerPath: /usr/local/apache2/htdocs - SourceVolume: my-vol - 
PortMappings: - - ContainerPort: 80 - - Name: busybox - Cpu: 10 - Command: ['/bin/sh -c "while true; do echo '' Amazon ECS - Sample App'' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html - ; sleep 1; done"'] - EntryPoint: [sh, -c] - Essential: false - Image: busybox - Memory: 200 - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: !Ref 'CloudwatchLogsGroup' - awslogs-region: !Ref 'AWS::Region' - awslogs-stream-prefix: ecs-demo-app - VolumesFrom: - - SourceContainer: simple-app - Volumes: - - Name: my-vol - ECSALB: - Type: AWS::ElasticLoadBalancingV2::LoadBalancer - Properties: - Name: ECSALB - Scheme: internet-facing - LoadBalancerAttributes: - - Key: idle_timeout.timeout_seconds - Value: '30' - Subnets: !Ref 'SubnetId' - SecurityGroups: [!Ref 'EcsSecurityGroup'] - ALBListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref 'ECSTG' - LoadBalancerArn: !Ref 'ECSALB' - Port: 80 - Protocol: HTTP - ECSALBListenerRule: - Type: AWS::ElasticLoadBalancingV2::ListenerRule - Properties: - Actions: - - Type: forward - TargetGroupArn: !Ref 'ECSTG' - Conditions: - - Field: path-pattern - Values: [/] - ListenerArn: !Ref 'ALBListener' - Priority: 1 - ECSTG: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - HealthCheckIntervalSeconds: 10 - HealthCheckPath: / - HealthCheckProtocol: HTTP - HealthCheckTimeoutSeconds: 5 - HealthyThresholdCount: 2 - Name: ECSTG - Port: 80 - Protocol: HTTP - UnhealthyThresholdCount: 2 - VpcId: !Ref 'VpcId' - ECSAutoScalingGroup: - Type: AWS::AutoScaling::AutoScalingGroup - Properties: - VPCZoneIdentifier: !Ref 'SubnetId' - LaunchConfigurationName: !Ref 'ContainerInstances' - MinSize: '1' - MaxSize: 4 - DesiredCapacity: 2 - CreationPolicy: - ResourceSignal: - Timeout: PT15M - UpdatePolicy: - AutoScalingReplacingUpdate: - WillReplace: true - ContainerInstances: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - ImageId: 
ami-128731982dhash - SecurityGroups: [!Ref 'EcsSecurityGroup'] - InstanceType: t2.small - IamInstanceProfile: !Ref 'EC2InstanceProfile' - KeyName: my-ssh-key - UserData: - Fn::Base64: !Sub | - #!/bin/bash -xe - echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config - yum install -y aws-cfn-bootstrap - /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region} - service: + Sample_Service: Type: AWS::ECS::Service Properties: Cluster: !Ref 'ECSCluster' - DesiredCount: 1 - LoadBalancers: - - ContainerName: simple-app - ContainerPort: 80 - TargetGroupArn: !Ref 'ECSTG' - Role: !Ref 'ECSServiceRole' - TaskDefinition: !Ref 'TaskDefinition' - ECSServiceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ecs.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets', - 'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', - 'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress'] - Resource: '*' - ServiceScalingTarget: - Type: AWS::ApplicationAutoScaling::ScalableTarget - Properties: - MaxCapacity: 2 - MinCapacity: 1 - ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]] - RoleARN: !GetAtt [AutoscalingRole, Arn] - ScalableDimension: ecs:service:DesiredCount - ServiceNamespace: ecs - ServiceScalingPolicy: - Type: AWS::ApplicationAutoScaling::ScalingPolicy - Properties: - PolicyName: AStepPolicy - PolicyType: StepScaling - ScalingTargetId: !Ref 'ServiceScalingTarget' - StepScalingPolicyConfiguration: - AdjustmentType: PercentChangeInCapacity - Cooldown: 60 - MetricAggregationType: Average - StepAdjustments: - - MetricIntervalLowerBound: 0 - ScalingAdjustment: 
200 - ALB500sAlarmScaleUp: - Type: AWS::CloudWatch::Alarm - Properties: - EvaluationPeriods: 1 - Statistic: Average - Threshold: 10 - AlarmDescription: Alarm if our ALB generates too many HTTP 500s. - Period: 60 - AlarmActions: [!Ref 'ServiceScalingPolicy'] - Namespace: AWS/ApplicationELB - Dimensions: - - Name: LoadBalancer - Value: !GetAtt - - ECSALB - - LoadBalancerFullName - ComparisonOperator: GreaterThanThreshold - MetricName: HTTPCode_ELB_5XX_Count - EC2Role: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ec2.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint', - 'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession', - 'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents'] - Resource: '*' - AutoscalingRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [application-autoscaling.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: service-autoscaling - PolicyDocument: - Statement: - - Effect: Allow - Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm', - 'ecs:DescribeServices', 'ecs:UpdateService'] - Resource: '*' - EC2InstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Path: / - Roles: [!Ref 'EC2Role'] -Outputs: - ecsservice: - Value: !Ref 'service' - ecscluster: - Value: !Ref 'ECSCluster' - ECSALB: - Description: Your ALB DNS URL - Value: !Join ['', [!GetAtt [ECSALB, DNSName]]] - taskdef: - Value: !Ref 'TaskDefinition' - -``` -```yaml title="Positive test num. 
2 - yaml file" hl_lines="24" -AWSTemplateFormatVersion: '2010-09-09' -Parameters: - VpcId: - Type: AWS::EC2::VPC::Id - Description: Select a VPC that allows instances access to the Internet. - SubnetId: - Type: List - Description: Select at two subnets in your selected VPC. -Resources: - ECSCluster: + Sample_Cluster: Type: AWS::ECS::Cluster - EcsSecurityGroup: + + # EC2 Security Group with inline IPv4 and IPv6 rules + DBEC2SecurityGroupInline: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: ECS Security Group - VpcId: !Ref 'VpcId' - EcsSecurityGroupHTTPinbound: - Type: AWS::EC2::SecurityGroupIngress + GroupDescription: "Inline IPv4 and IPv6 ingress" + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 65535 + CidrIp: 0.0.0.0/0 + - IpProtocol: "udp" + FromPort: 0 + ToPort: 65535 + CidrIpv6: ::/0 + + # EC2 Security Group with standalone ingress rules + DBEC2SecurityGroupStandalone: + Type: AWS::EC2::SecurityGroup Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 80 - ToPort: 0 - CidrIp: 0.0.0.0/0 - EcsSecurityGroupSSHinbound: + GroupDescription: "Standalone IPv4 and IPv6 ingress" + VpcId: !Ref VPC + + DBEC2SecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 22 - ToPort: 22 + GroupId: !Ref DBEC2SecurityGroupStandalone + IpProtocol: "-1" CidrIp: 0.0.0.0/0 - EcsSecurityGroupALBports: + + DBEC2SecurityGroupIngressIPv6: Type: AWS::EC2::SecurityGroupIngress Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 31000 - ToPort: 61000 - SourceSecurityGroupId: !Ref 'EcsSecurityGroup' - CloudwatchLogsGroup: - Type: AWS::Logs::LogGroup - Properties: - LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']] - RetentionInDays: 14 - TaskDefinition: - Type: AWS::ECS::TaskDefinition - Properties: - Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]] - ContainerDefinitions: - - Name: 
simple-app - Cpu: 10 - Essential: true - Image: httpd:2.4 - Memory: 300 - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: !Ref 'CloudwatchLogsGroup' - awslogs-region: !Ref 'AWS::Region' - awslogs-stream-prefix: ecs-demo-app - MountPoints: - - ContainerPath: /usr/local/apache2/htdocs - SourceVolume: my-vol - PortMappings: - - ContainerPort: 80 - - Name: busybox - Cpu: 10 - Command: ['/bin/sh -c "while true; do echo '' Amazon ECS - Sample App'' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html - ; sleep 1; done"'] - EntryPoint: [sh, -c] - Essential: false - Image: busybox - Memory: 200 - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: !Ref 'CloudwatchLogsGroup' - awslogs-region: !Ref 'AWS::Region' - awslogs-stream-prefix: ecs-demo-app - VolumesFrom: - - SourceContainer: simple-app - Volumes: - - Name: my-vol - ECSALB: - Type: AWS::ElasticLoadBalancingV2::LoadBalancer - Properties: - Name: ECSALB - Scheme: internet-facing - LoadBalancerAttributes: - - Key: idle_timeout.timeout_seconds - Value: '30' - Subnets: !Ref 'SubnetId' - SecurityGroups: [!Ref 'EcsSecurityGroup'] - ALBListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref 'ECSTG' - LoadBalancerArn: !Ref 'ECSALB' - Port: 80 - Protocol: HTTP - ECSALBListenerRule: - Type: AWS::ElasticLoadBalancingV2::ListenerRule - Properties: - Actions: - - Type: forward - TargetGroupArn: !Ref 'ECSTG' - Conditions: - - Field: path-pattern - Values: [/] - ListenerArn: !Ref 'ALBListener' - Priority: 1 - ECSTG: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - HealthCheckIntervalSeconds: 10 - HealthCheckPath: / - HealthCheckProtocol: HTTP - HealthCheckTimeoutSeconds: 5 - HealthyThresholdCount: 2 - Name: ECSTG - Port: 80 - Protocol: HTTP - UnhealthyThresholdCount: 2 - VpcId: !Ref 'VpcId' - ECSAutoScalingGroup: - Type: AWS::AutoScaling::AutoScalingGroup - Properties: - VPCZoneIdentifier: !Ref 
'SubnetId' - LaunchConfigurationName: !Ref 'ContainerInstances' - MinSize: '1' - MaxSize: 4 - DesiredCapacity: 2 - CreationPolicy: - ResourceSignal: - Timeout: PT15M - UpdatePolicy: - AutoScalingReplacingUpdate: - WillReplace: true - ContainerInstances: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - ImageId: ami-09bee01cc997a78a6 - SecurityGroups: [!Ref 'EcsSecurityGroup'] - InstanceType: t2.small - IamInstanceProfile: !Ref 'EC2InstanceProfile' - KeyName: my-ssh-key - UserData: - Fn::Base64: !Sub | - #!/bin/bash -xe - echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config - yum install -y aws-cfn-bootstrap - /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region} - service: - Type: AWS::ECS::Service - Properties: - Cluster: !Ref 'ECSCluster' - DesiredCount: 1 - LoadBalancers: - - ContainerName: simple-app - ContainerPort: 80 - TargetGroupArn: !Ref 'ECSTG' - Role: !Ref 'ECSServiceRole' - TaskDefinition: !Ref 'TaskDefinition' - ECSServiceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ecs.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets', - 'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', - 'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress'] - Resource: '*' - ServiceScalingTarget: - Type: AWS::ApplicationAutoScaling::ScalableTarget - Properties: - MaxCapacity: 2 - MinCapacity: 1 - ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]] - RoleARN: !GetAtt [AutoscalingRole, Arn] - ScalableDimension: ecs:service:DesiredCount - ServiceNamespace: ecs - ServiceScalingPolicy: - Type: 
AWS::ApplicationAutoScaling::ScalingPolicy - Properties: - PolicyName: AStepPolicy - PolicyType: StepScaling - ScalingTargetId: !Ref 'ServiceScalingTarget' - StepScalingPolicyConfiguration: - AdjustmentType: PercentChangeInCapacity - Cooldown: 60 - MetricAggregationType: Average - StepAdjustments: - - MetricIntervalLowerBound: 0 - ScalingAdjustment: 200 - ALB500sAlarmScaleUp: - Type: AWS::CloudWatch::Alarm - Properties: - EvaluationPeriods: 1 - Statistic: Average - Threshold: 10 - AlarmDescription: Alarm if our ALB generates too many HTTP 500s. - Period: 60 - AlarmActions: [!Ref 'ServiceScalingPolicy'] - Namespace: AWS/ApplicationELB - Dimensions: - - Name: LoadBalancer - Value: !GetAtt - - ECSALB - - LoadBalancerFullName - ComparisonOperator: GreaterThanThreshold - MetricName: HTTPCode_ELB_5XX_Count - EC2Role: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ec2.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint', - 'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession', - 'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents'] - Resource: '*' - AutoscalingRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [application-autoscaling.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: service-autoscaling - PolicyDocument: - Statement: - - Effect: Allow - Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm', - 'ecs:DescribeServices', 'ecs:UpdateService'] - Resource: '*' - EC2InstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Path: / - Roles: [!Ref 'EC2Role'] + GroupId: !Ref DBEC2SecurityGroupStandalone + IpProtocol: "tcp" + FromPort: 
0 + ToPort: 65535 + CidrIpv6: "0000:0000:0000:0000:0000:0000:0000:0000/0" + + # RDS Instance referencing all security groups + DBInstance: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + DBName: !Ref DBName + Engine: MySQL + VPCSecurityGroups: + - !Ref DBEC2SecurityGroupInline + - !Ref DBEC2SecurityGroupStandalone ``` -```json title="Positive test num. 3 - json file" hl_lines="115 326" +```json title="Positive test num. 2 - json file" hl_lines="32 65 26 53" { - "AWSTemplateFormatVersion": "2010-09-09", - "Parameters": { - "VpcId": { - "Type": "AWS::EC2::VPC::Id", - "Description": "Select a VPC that allows instances access to the Internet." - }, - "SubnetId": { - "Type": "List\u003cAWS::EC2::Subnet::Id\u003e", - "Description": "Select at two subnets in your selected VPC." - } - }, "Resources": { - "ECSCluster": { - "Type": "AWS::ECS::Cluster" - }, - "EcsSecurityGroupALBports": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "IpProtocol": "tcp", - "FromPort": 31000, - "ToPort": 61000, - "SourceSecurityGroupId": "EcsSecurityGroup", - "GroupId": "EcsSecurityGroup" - } - }, - "ECSServiceRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ecs.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - }, - "Path": "/", - "Policies": [ - { - "PolicyName": "ecs-service", - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:Describe*", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:RegisterTargets", - "ec2:Describe*", - "ec2:AuthorizeSecurityGroupIngress" - ], - "Resource": "*", - "Effect": "Allow" - } - ] - } - } - ] - } - }, - "AutoscalingRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - 
{ - "Effect": "Allow", - "Principal": { - "Service": [ - "application-autoscaling.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - }, - "Path": "/", - "Policies": [ - { - "PolicyName": "service-autoscaling", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "application-autoscaling:*", - "cloudwatch:DescribeAlarms", - "cloudwatch:PutMetricAlarm", - "ecs:DescribeServices", - "ecs:UpdateService" - ], - "Resource": "*" - } - ] - } - } - ] - } - }, - "EcsSecurityGroupSSHinbound": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "ToPort": 0, - "CidrIp": "0.0.0.0/0", - "GroupId": "EcsSecurityGroup", - "IpProtocol": "tcp", - "FromPort": 22 - } - }, - "ECSALB": { - "Properties": { - "Name": "ECSALB", - "Scheme": "internet-facing", - "LoadBalancerAttributes": [ - { - "Key": "idle_timeout.timeout_seconds", - "Value": "30" - } - ], - "Subnets": "SubnetId", - "SecurityGroups": [ - "EcsSecurityGroup" - ] - }, - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer" - }, - "ECSAutoScalingGroup": { - "Type": "AWS::AutoScaling::AutoScalingGroup", - "Properties": { - "VPCZoneIdentifier": "SubnetId", - "LaunchConfigurationName": "ContainerInstances", - "MinSize": "1", - "MaxSize": 4, - "DesiredCapacity": 2 - }, - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT15M" - } - }, - "UpdatePolicy": { - "AutoScalingReplacingUpdate": { - "WillReplace": true - } - } - }, - "ServiceScalingTarget": { - "Type": "AWS::ApplicationAutoScaling::ScalableTarget", - "Properties": { - "MaxCapacity": 2, - "MinCapacity": 1, - "ResourceId": [ - "", - [ - "service/", - "ECSCluster", - "/", - [ - "service", - "Name" - ] - ] - ], - "RoleARN": [ - "AutoscalingRole", - "Arn" - ], - "ScalableDimension": "ecs:service:DesiredCount", - "ServiceNamespace": "ecs" - } - }, - "ServiceScalingPolicy": { - "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", - "Properties": { - "PolicyType": "StepScaling", - "ScalingTargetId": 
"ServiceScalingTarget", - "StepScalingPolicyConfiguration": { - "StepAdjustments": [ - { - "MetricIntervalLowerBound": 0, - "ScalingAdjustment": 200 - } - ], - "AdjustmentType": "PercentChangeInCapacity", - "Cooldown": 60, - "MetricAggregationType": "Average" - }, - "PolicyName": "AStepPolicy" - } - }, - "EC2Role": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ec2.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - }, - "Path": "/", - "Policies": [ - { - "PolicyName": "ecs-service", - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "ecs:CreateCluster", - "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", - "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": "*", - "Effect": "Allow" - } - ] - } - } - ] - } - }, - "ECSTG": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", - "Properties": { - "HealthCheckIntervalSeconds": 10, - "HealthCheckProtocol": "HTTP", - "HealthCheckTimeoutSeconds": 5, - "Name": "ECSTG", - "Port": 80, - "Protocol": "HTTP", - "HealthCheckPath": "/", - "HealthyThresholdCount": 2, - "UnhealthyThresholdCount": 2, - "VpcId": "VpcId" - } - }, - "service": { + "Sample_Service": { "Type": "AWS::ECS::Service", "Properties": { - "Cluster": "ECSCluster", - "DesiredCount": 1, - "LoadBalancers": [ - { - "ContainerName": "simple-app", - "ContainerPort": 80, - "TargetGroupArn": "ECSTG" - } - ], - "Role": "ECSServiceRole", - "TaskDefinition": "TaskDefinition" + "Cluster": { + "Ref": "ECSCluster" + } } }, - "ALB500sAlarmScaleUp": { - "Properties": { - "Threshold": 10, - "Dimensions": [ - { - "Name": "LoadBalancer", - "Value": [ - "ECSALB", - "LoadBalancerFullName" - ] - } - ], - "ComparisonOperator": "GreaterThanThreshold", - "MetricName": "HTTPCode_ELB_5XX_Count", - "EvaluationPeriods": 1, - 
"AlarmDescription": "Alarm if our ALB generates too many HTTP 500s.", - "Period": 60, - "AlarmActions": [ - "ServiceScalingPolicy" - ], - "Namespace": "AWS/ApplicationELB", - "Statistic": "Average" - }, - "Type": "AWS::CloudWatch::Alarm" - }, - "EC2InstanceProfile": { - "Type": "AWS::IAM::InstanceProfile", - "Properties": { - "Path": "/", - "Roles": [ - "EC2Role" - ] - } + "Sample_Cluster": { + "Type": "AWS::ECS::Cluster" }, - "EcsSecurityGroup": { + "DBEC2SecurityGroupInline": { "Type": "AWS::EC2::SecurityGroup", "Properties": { - "VpcId": "VpcId", - "GroupDescription": "ECS Security Group" - } - }, - "EcsSecurityGroupHTTPinbound02": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": "EcsSecurityGroup", - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 0, - "CidrIp": "0.0.0.0/0" - } - }, - "CloudwatchLogsGroup": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": [ - "-", - [ - "ECSLogGroup", - "AWS::StackName" - ] - ], - "RetentionInDays": 14 - } - }, - "TaskDefinition": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "Family": [ - "", - [ - "AWS::StackName", - "-ecs-demo-app" - ] - ], - "ContainerDefinitions": [ + "GroupDescription": "Inline IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" + }, + "SecurityGroupIngress": [ { - "Name": "simple-app", - "Cpu": 10, - "Essential": true, - "Image": "httpd:2.4", - "Memory": 300, - "LogConfiguration": { - "LogDriver": "awslogs", - "Options": { - "awslogs-group": "CloudwatchLogsGroup", - "awslogs-region": "AWS::Region", - "awslogs-stream-prefix": "ecs-demo-app" - } - }, - "MountPoints": [ - { - "ContainerPath": "/usr/local/apache2/htdocs", - "SourceVolume": "my-vol" - } - ], - "PortMappings": [ - { - "ContainerPort": 80 - } - ] + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 65535, + "CidrIp": "0.0.0.0/0" }, { - "VolumesFrom": [ - { - "SourceContainer": "simple-app" - } - ], - "Name": "busybox", - "Cpu": 10, - "Command": [ - "/bin/sh -c \"while true; do 
echo '\u003chtml\u003e \u003chead\u003e \u003ctitle\u003eAmazon ECS Sample App\u003c/title\u003e\u003c/head\u003e\u003c/html\u003e' \u003e bottom; cat top date bottom \u003e /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" - ], - "Image": "busybox", - "Memory": 200, - "LogConfiguration": { - "LogDriver": "awslogs", - "Options": { - "awslogs-stream-prefix": "ecs-demo-app", - "awslogs-group": "CloudwatchLogsGroup", - "awslogs-region": "AWS::Region" - } - }, - "EntryPoint": [ - "sh", - "-c" - ], - "Essential": false - } - ], - "Volumes": [ - { - "Name": "my-vol" - } - ] - } - }, - "ALBListener": { - "Type": "AWS::ElasticLoadBalancingV2::Listener", - "Properties": { - "LoadBalancerArn": "ECSALB", - "Port": 80, - "Protocol": "HTTP", - "DefaultActions": [ - { - "Type": "forward", - "TargetGroupArn": "ECSTG" + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "::/0" } ] } }, - "ECSALBListenerRule": { - "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", - "Properties": { - "Actions": [ - { - "Type": "forward", - "TargetGroupArn": "ECSTG" - } - ], - "Conditions": [ - { - "Values": [ - "/" - ], - "Field": "path-pattern" - } - ], - "ListenerArn": "ALBListener", - "Priority": 1 - } - }, - "ContainerInstances": { - "Type": "AWS::AutoScaling::LaunchConfiguration", + "DBEC2SecurityGroupStandalone": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "ImageId": "ami-128731982dhash", - "SecurityGroups": [ - "EcsSecurityGroup" - ], - "InstanceType": "t2.small", - "IamInstanceProfile": "EC2InstanceProfile", - "KeyName": "my-ssh-key", - "UserData": { - "Fn::Base64": "#!/bin/bash -xe\necho ECS_CLUSTER=${ECSCluster} \u003e\u003e /etc/ecs/ecs.config\nyum install -y aws-cfn-bootstrap\n/opt/aws/bin/cfn-signal -e $? 
--stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}\n" + "GroupDescription": "Standalone IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" } } - } - }, - "Outputs": { - "ecscluster": { - "Value": "ECSCluster" - }, - "ECSALB": { - "Description": "Your ALB DNS URL", - "Value": [ - "", - [ - [ - "ECSALB", - "DNSName" - ] - ] - ] - }, - "taskdef": { - "Value": "TaskDefinition" - }, - "ecsservice": { - "Value": "service" - } - } -} - -``` -
Positive test num. 4 - json file - -```json hl_lines="268" -{ - "Resources": { - "TaskDefinition": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "Family": [ - "", - [ - "AWS::StackName", - "-ecs-demo-app" - ] - ], - "ContainerDefinitions": [ - { - "Essential": true, - "Image": "httpd:2.4", - "Memory": 300, - "LogConfiguration": { - "LogDriver": "awslogs", - "Options": { - "awslogs-group": "CloudwatchLogsGroup", - "awslogs-region": "AWS::Region", - "awslogs-stream-prefix": "ecs-demo-app" - } - }, - "MountPoints": [ - { - "SourceVolume": "my-vol", - "ContainerPath": "/usr/local/apache2/htdocs" - } - ], - "PortMappings": [ - { - "ContainerPort": 80 - } - ], - "Name": "simple-app", - "Cpu": 10 - }, - { - "EntryPoint": [ - "sh", - "-c" - ], - "Essential": false, - "Memory": 200, - "Command": [ - "/bin/sh -c \"while true; do echo '\u003chtml\u003e \u003chead\u003e \u003ctitle\u003eAmazon ECS Sample App\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003c/body\u003e\u003c/html\u003e' \u003e bottom; cat top date bottom \u003e /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" - ], - "Cpu": 10, - "Image": "busybox", - "LogConfiguration": { - "LogDriver": "awslogs", - "Options": { - "awslogs-stream-prefix": "ecs-demo-app", - "awslogs-group": "CloudwatchLogsGroup", - "awslogs-region": "AWS::Region" - } - }, - "VolumesFrom": [ - { - "SourceContainer": "simple-app" - } - ], - "Name": "busybox" - } - ], - "Volumes": [ - { - "Name": "my-vol" - } - ] - } }, - "ALBListener": { - "Type": "AWS::ElasticLoadBalancingV2::Listener", - "Properties": { - "DefaultActions": [ - { - "Type": "forward", - "TargetGroupArn": "ECSTG" - } - ], - "LoadBalancerArn": "ECSALB", - "Port": 80, - "Protocol": "HTTP" - } - }, - "ECSServiceRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ecs.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - }, - 
"Path": "/", - "Policies": [ - { - "PolicyName": "ecs-service", - "PolicyDocument": { - "Statement": [ - { - "Action": [ - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:Describe*", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:RegisterTargets", - "ec2:Describe*", - "ec2:AuthorizeSecurityGroupIngress" - ], - "Resource": "*", - "Effect": "Allow" - } - ] - } - } - ] - } - }, - "ALB500sAlarmScaleUp": { - "Type": "AWS::CloudWatch::Alarm", - "Properties": { - "Period": 60, - "Dimensions": [ - { - "Name": "LoadBalancer", - "Value": [ - "ECSALB", - "LoadBalancerFullName" - ] - } - ], - "ComparisonOperator": "GreaterThanThreshold", - "AlarmDescription": "Alarm if our ALB generates too many HTTP 500s.", - "Statistic": "Average", - "Threshold": 10, - "AlarmActions": [ - "ServiceScalingPolicy" - ], - "Namespace": "AWS/ApplicationELB", - "MetricName": "HTTPCode_ELB_5XX_Count", - "EvaluationPeriods": 1 - } - }, - "service": { - "Type": "AWS::ECS::Service", - "Properties": { - "TaskDefinition": "TaskDefinition", - "Cluster": "ECSCluster", - "DesiredCount": 1, - "LoadBalancers": [ - { - "ContainerName": "simple-app", - "ContainerPort": 80, - "TargetGroupArn": "ECSTG" - } - ], - "Role": "ECSServiceRole" - } - }, - "EcsSecurityGroupSSHinbound": { + "DBEC2SecurityGroupIngress": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "GroupId": "EcsSecurityGroup", - "IpProtocol": "tcp", - "FromPort": 22, - "ToPort": 22, + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone" + }, + "IpProtocol": "-1", "CidrIp": "0.0.0.0/0" } }, - "EcsSecurityGroupALBports": { + "DBEC2SecurityGroupIngressIPv6": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "FromPort": 31000, - "ToPort": 61000, - "SourceSecurityGroupId": "EcsSecurityGroup", - "GroupId": "EcsSecurityGroup", - "IpProtocol": "tcp" - } - }, - "CloudwatchLogsGroup": { - "Type": "AWS::Logs::LogGroup", - 
"Properties": { - "RetentionInDays": 14, - "LogGroupName": [ - "-", - [ - "ECSLogGroup", - "AWS::StackName" - ] - ] - } - }, - "ECSALB": { - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", - "Properties": { - "Scheme": "internet-facing", - "LoadBalancerAttributes": [ - { - "Key": "idle_timeout.timeout_seconds", - "Value": "30" - } - ], - "Subnets": "SubnetId", - "SecurityGroups": [ - "EcsSecurityGroup" - ], - "Name": "ECSALB" - } - }, - "ECSALBListenerRule": { - "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", - "Properties": { - "Actions": [ - { - "Type": "forward", - "TargetGroupArn": "ECSTG" - } - ], - "Conditions": [ - { - "Field": "path-pattern", - "Values": [ - "/" - ] - } - ], - "ListenerArn": "ALBListener", - "Priority": 1 - } - }, - "ContainerInstances": { - "Type": "AWS::AutoScaling::LaunchConfiguration", - "Properties": { - "IamInstanceProfile": "EC2InstanceProfile", - "KeyName": "my-ssh-key", - "UserData": { - "Fn::Base64": "#!/bin/bash -xe\necho ECS_CLUSTER=${ECSCluster} \u003e\u003e /etc/ecs/ecs.config\nyum install -y aws-cfn-bootstrap\n/opt/aws/bin/cfn-signal -e $? 
--stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}\n" + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone" }, - "ImageId": "ami-09bee01cc997a78a6", - "SecurityGroups": [ - "EcsSecurityGroup" - ], - "InstanceType": "t2.small" - } - }, - "ECSCluster": { - "Type": "AWS::ECS::Cluster" - }, - "EcsSecurityGroupHTTPinbound": { - "Properties": { - "GroupId": "EcsSecurityGroup", "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 0, - "CidrIp": "0.0.0.0/0" - }, - "Type": "AWS::EC2::SecurityGroupIngress" - }, - "ECSTG": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", - "Properties": { - "Name": "ECSTG", - "Port": 80, - "VpcId": "VpcId", - "HealthCheckPath": "/", - "HealthCheckProtocol": "HTTP", - "HealthyThresholdCount": 2, - "Protocol": "HTTP", - "UnhealthyThresholdCount": 2, - "HealthCheckIntervalSeconds": 10, - "HealthCheckTimeoutSeconds": 5 + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "0000:0000:0000:0000:0000:0000:0000:0000/0" } }, - "ServiceScalingTarget": { - "Type": "AWS::ApplicationAutoScaling::ScalableTarget", + "DBInstance": { + "Type": "AWS::RDS::DBInstance", "Properties": { - "MaxCapacity": 2, - "MinCapacity": 1, - "ResourceId": [ - "", - [ - "service/", - "ECSCluster", - "/", - [ - "service", - "Name" - ] - ] - ], - "RoleARN": [ - "AutoscalingRole", - "Arn" - ], - "ScalableDimension": "ecs:service:DesiredCount", - "ServiceNamespace": "ecs" - } - }, - "AutoscalingRole": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "application-autoscaling.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] + "PubliclyAccessible": true, + "DBName": { + "Ref": "DBName" }, - "Path": "/", - "Policies": [ + "Engine": "MySQL", + "VPCSecurityGroups": [ { - "PolicyName": "service-autoscaling", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "application-autoscaling:*", - 
"cloudwatch:DescribeAlarms", - "cloudwatch:PutMetricAlarm", - "ecs:DescribeServices", - "ecs:UpdateService" - ], - "Resource": "*" - } - ] - } - } - ] - } - }, - "EcsSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "ECS Security Group", - "VpcId": "VpcId" - } - }, - "ECSAutoScalingGroup": { - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT15M" - } - }, - "UpdatePolicy": { - "AutoScalingReplacingUpdate": { - "WillReplace": true - } - }, - "Type": "AWS::AutoScaling::AutoScalingGroup", - "Properties": { - "VPCZoneIdentifier": "SubnetId", - "LaunchConfigurationName": "ContainerInstances", - "MinSize": "1", - "MaxSize": 4, - "DesiredCapacity": 2 - } - }, - "ServiceScalingPolicy": { - "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", - "Properties": { - "PolicyName": "AStepPolicy", - "PolicyType": "StepScaling", - "ScalingTargetId": "ServiceScalingTarget", - "StepScalingPolicyConfiguration": { - "AdjustmentType": "PercentChangeInCapacity", - "Cooldown": 60, - "MetricAggregationType": "Average", - "StepAdjustments": [ - { - "MetricIntervalLowerBound": 0, - "ScalingAdjustment": 200 - } - ] - } - } - }, - "EC2Role": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Principal": { - "Service": [ - "ec2.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ], - "Effect": "Allow" - } - ] - }, - "Path": "/", - "Policies": [ + "Ref": "DBEC2SecurityGroupInline" + }, { - "PolicyName": "ecs-service", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ecs:CreateCluster", - "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", - "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - "Resource": "*" - } - ] - } + "Ref": "DBEC2SecurityGroupStandalone" } ] } - }, - "EC2InstanceProfile": { - "Properties": { - "Path": "/", - "Roles": [ - 
"EC2Role" - ] - }, - "Type": "AWS::IAM::InstanceProfile" - } - }, - "AWSTemplateFormatVersion": "2010-09-09", - "Parameters": { - "VpcId": { - "Type": "AWS::EC2::VPC::Id", - "Description": "Select a VPC that allows instances access to the Internet." - }, - "SubnetId": { - "Type": "List\u003cAWS::EC2::Subnet::Id\u003e", - "Description": "Select at two subnets in your selected VPC." } } } ``` -
#### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" -AWSTemplateFormatVersion: '2010-09-09' -Parameters: - VpcId: - Type: AWS::EC2::VPC::Id - Description: Select a VPC that allows instances access to the Internet. - SubnetId: - Type: List - Description: Select at two subnets in your selected VPC. Resources: - ECSCluster: + Sample_Service: + Type: AWS::ECS::Service + Properties: + Cluster: !Ref 'ECSCluster' + Sample_Cluster: Type: AWS::ECS::Cluster - EcsSecurityGroup: + + # EC2 Security Group with inline IPv4 and IPv6 rules + DBEC2SecurityGroupInline: Type: AWS::EC2::SecurityGroup Properties: - GroupDescription: ECS Security Group - VpcId: !Ref 'VpcId' - EcsSecurityGroupHTTPinbound: - Type: AWS::EC2::SecurityGroupIngress + GroupDescription: "Inline IPv4 and IPv6 ingress" + VpcId: !Ref VPC + SecurityGroupIngress: + - IpProtocol: "tcp" + FromPort: 0 + ToPort: 65534 #does not expose all ports + CidrIp: 0.0.0.0/0 + - IpProtocol: "udp" + FromPort: 0 + ToPort: 65535 + CidrIpv6: 2607:f0d0:1002:51::4/56 #cidr not exposed + + # EC2 Security Group with standalone ingress rules + DBEC2SecurityGroupStandalone: + Type: AWS::EC2::SecurityGroup Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 80 - ToPort: 80 - CidrIp: 0.0.0.0/0 - EcsSecurityGroupSSHinbound: + GroupDescription: "Standalone IPv4 and IPv6 ingress" + VpcId: !Ref VPC + + DBEC2SecurityGroupIngress: Type: AWS::EC2::SecurityGroupIngress Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 22 - ToPort: 22 - CidrIp: 0.0.0.0/0 - EcsSecurityGroupALBports: + GroupId: !Ref DBEC2SecurityGroupStandalone + IpProtocol: "-1" + CidrIp: 192.162.0.0/16 #cidr not exposed + + DBEC2SecurityGroupIngressIPv6: Type: AWS::EC2::SecurityGroupIngress Properties: - GroupId: !Ref 'EcsSecurityGroup' - IpProtocol: tcp - FromPort: 31000 - ToPort: 61000 - SourceSecurityGroupId: !Ref 'EcsSecurityGroup' - CloudwatchLogsGroup: - Type: AWS::Logs::LogGroup - 
Properties: - LogGroupName: !Join ['-', [ECSLogGroup, !Ref 'AWS::StackName']] - RetentionInDays: 14 - TaskDefinition: - Type: AWS::ECS::TaskDefinition - Properties: - Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]] - ContainerDefinitions: - - Name: simple-app - Cpu: 10 - Essential: true - Image: httpd:2.4 - Memory: 300 - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: !Ref 'CloudwatchLogsGroup' - awslogs-region: !Ref 'AWS::Region' - awslogs-stream-prefix: ecs-demo-app - MountPoints: - - ContainerPath: /usr/local/apache2/htdocs - SourceVolume: my-vol - PortMappings: - - ContainerPort: 80 - - Name: busybox - Cpu: 10 - Command: ['/bin/sh -c "while true; do echo '' Amazon ECS - Sample App'' > bottom; cat top date bottom > /usr/local/apache2/htdocs/index.html - ; sleep 1; done"'] - EntryPoint: [sh, -c] - Essential: false - Image: busybox - Memory: 200 - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: !Ref 'CloudwatchLogsGroup' - awslogs-region: !Ref 'AWS::Region' - awslogs-stream-prefix: ecs-demo-app - VolumesFrom: - - SourceContainer: simple-app - Volumes: - - Name: my-vol - ECSALB: - Type: AWS::ElasticLoadBalancingV2::LoadBalancer - Properties: - Name: ECSALB - Scheme: internet-facing - LoadBalancerAttributes: - - Key: idle_timeout.timeout_seconds - Value: '30' - Subnets: !Ref 'SubnetId' - SecurityGroups: [!Ref 'EcsSecurityGroup'] - ALBListener: - Type: AWS::ElasticLoadBalancingV2::Listener - Properties: - DefaultActions: - - Type: forward - TargetGroupArn: !Ref 'ECSTG' - LoadBalancerArn: !Ref 'ECSALB' - Port: 80 - Protocol: HTTP - ECSALBListenerRule: - Type: AWS::ElasticLoadBalancingV2::ListenerRule - Properties: - Actions: - - Type: forward - TargetGroupArn: !Ref 'ECSTG' - Conditions: - - Field: path-pattern - Values: [/] - ListenerArn: !Ref 'ALBListener' - Priority: 1 - ECSTG: - Type: AWS::ElasticLoadBalancingV2::TargetGroup - Properties: - HealthCheckIntervalSeconds: 10 - HealthCheckPath: / - HealthCheckProtocol: 
HTTP - HealthCheckTimeoutSeconds: 5 - HealthyThresholdCount: 2 - Name: ECSTG - Port: 80 - Protocol: HTTP - UnhealthyThresholdCount: 2 - VpcId: !Ref 'VpcId' - ECSAutoScalingGroup: - Type: AWS::AutoScaling::AutoScalingGroup - Properties: - VPCZoneIdentifier: !Ref 'SubnetId' - LaunchConfigurationName: !Ref 'ContainerInstances' - MinSize: '1' - MaxSize: 4 - DesiredCapacity: 2 - CreationPolicy: - ResourceSignal: - Timeout: PT15M - UpdatePolicy: - AutoScalingReplacingUpdate: - WillReplace: true - ContainerInstances: - Type: AWS::AutoScaling::LaunchConfiguration - Properties: - ImageId: ami-09bee01cc997a78a6 - SecurityGroups: [!Ref 'EcsSecurityGroup'] - InstanceType: t2.small - IamInstanceProfile: !Ref 'EC2InstanceProfile' - KeyName: my-ssh-key - UserData: - Fn::Base64: !Sub | - #!/bin/bash -xe - echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config - yum install -y aws-cfn-bootstrap - /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region} - service: - Type: AWS::ECS::Service - Properties: - Cluster: !Ref 'ECSCluster' - DesiredCount: 1 - LoadBalancers: - - ContainerName: simple-app - ContainerPort: 80 - TargetGroupArn: !Ref 'ECSTG' - Role: !Ref 'ECSServiceRole' - TaskDefinition: !Ref 'taskdefinition' - ECSServiceRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ecs.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: ['elasticloadbalancing:DeregisterInstancesFromLoadBalancer', 'elasticloadbalancing:DeregisterTargets', - 'elasticloadbalancing:Describe*', 'elasticloadbalancing:RegisterInstancesWithLoadBalancer', - 'elasticloadbalancing:RegisterTargets', 'ec2:Describe*', 'ec2:AuthorizeSecurityGroupIngress'] - Resource: '*' - ServiceScalingTarget: - Type: AWS::ApplicationAutoScaling::ScalableTarget - Properties: - MaxCapacity: 2 - MinCapacity: 1 - 
ResourceId: !Join ['', [service/, !Ref 'ECSCluster', /, !GetAtt [service, Name]]] - RoleARN: !GetAtt [AutoscalingRole, Arn] - ScalableDimension: ecs:service:DesiredCount - ServiceNamespace: ecs - ServiceScalingPolicy: - Type: AWS::ApplicationAutoScaling::ScalingPolicy - Properties: - PolicyName: AStepPolicy - PolicyType: StepScaling - ScalingTargetId: !Ref 'ServiceScalingTarget' - StepScalingPolicyConfiguration: - AdjustmentType: PercentChangeInCapacity - Cooldown: 60 - MetricAggregationType: Average - StepAdjustments: - - MetricIntervalLowerBound: 0 - ScalingAdjustment: 200 - ALB500sAlarmScaleUp: - Type: AWS::CloudWatch::Alarm - Properties: - EvaluationPeriods: 1 - Statistic: Average - Threshold: 10 - AlarmDescription: Alarm if our ALB generates too many HTTP 500s. - Period: 60 - AlarmActions: [!Ref 'ServiceScalingPolicy'] - Namespace: AWS/ApplicationELB - Dimensions: - - Name: LoadBalancer - Value: !GetAtt - - ECSALB - - LoadBalancerFullName - ComparisonOperator: GreaterThanThreshold - MetricName: HTTPCode_ELB_5XX_Count - EC2Role: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [ec2.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: ecs-service - PolicyDocument: - Statement: - - Effect: Allow - Action: ['ecs:CreateCluster', 'ecs:DeregisterContainerInstance', 'ecs:DiscoverPollEndpoint', - 'ecs:Poll', 'ecs:RegisterContainerInstance', 'ecs:StartTelemetrySession', - 'ecs:Submit*', 'logs:CreateLogStream', 'logs:PutLogEvents'] - Resource: '*' - AutoscalingRole: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Statement: - - Effect: Allow - Principal: - Service: [application-autoscaling.amazonaws.com] - Action: ['sts:AssumeRole'] - Path: / - Policies: - - PolicyName: service-autoscaling - PolicyDocument: - Statement: - - Effect: Allow - Action: ['application-autoscaling:*', 'cloudwatch:DescribeAlarms', 'cloudwatch:PutMetricAlarm', - 
'ecs:DescribeServices', 'ecs:UpdateService'] - Resource: '*' - EC2InstanceProfile: - Type: AWS::IAM::InstanceProfile - Properties: - Path: / - Roles: [!Ref 'EC2Role'] + GroupId: !Ref DBEC2SecurityGroupStandalone + IpProtocol: "tcp" + FromPort: 0 + ToPort: 34000 #does not expose all ports + CidrIpv6: ::/0 + + # RDS Instance referencing all security groups + DBInstance: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: true + DBName: !Ref DBName + Engine: MySQL + VPCSecurityGroups: + - !Ref DBEC2SecurityGroupInline + - !Ref DBEC2SecurityGroupStandalone + ``` ```json title="Negative test num. 2 - json file" { - "AWSTemplateFormatVersion": "2010-09-09", - "Parameters": { - "VpcId": { - "Type": "AWS::EC2::VPC::Id", - "Description": "Select a VPC that allows instances access to the Internet." - }, - "SubnetId": { - "Description": "Select at two subnets in your selected VPC.", - "Type": "List\u003cAWS::EC2::Subnet::Id\u003e" - } - }, "Resources": { - "EcsSecurityGroupHTTPinbound": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "CidrIp": "0.0.0.0/0", - "GroupId": "EcsSecurityGroup", - "IpProtocol": "tcp", - "FromPort": 80, - "ToPort": 80 - } - }, - "EcsSecurityGroupALBports": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "GroupId": "EcsSecurityGroup", - "IpProtocol": "tcp", - "FromPort": 31000, - "ToPort": 61000, - "SourceSecurityGroupId": "EcsSecurityGroup" - } - }, - "CloudwatchLogsGroup": { - "Type": "AWS::Logs::LogGroup", - "Properties": { - "LogGroupName": [ - "-", - [ - "ECSLogGroup", - "AWS::StackName" - ] - ], - "RetentionInDays": 14 - } - }, - "ALBListener": { - "Type": "AWS::ElasticLoadBalancingV2::Listener", - "Properties": { - "DefaultActions": [ - { - "Type": "forward", - "TargetGroupArn": "ECSTG" - } - ], - "LoadBalancerArn": "ECSALB", - "Port": 80, - "Protocol": "HTTP" - } - }, - "ECSALBListenerRule": { - "Type": "AWS::ElasticLoadBalancingV2::ListenerRule", - "Properties": { - "Actions": [ - { - 
"TargetGroupArn": "ECSTG", - "Type": "forward" - } - ], - "Conditions": [ - { - "Field": "path-pattern", - "Values": [ - "/" - ] - } - ], - "ListenerArn": "ALBListener", - "Priority": 1 - } - }, - "ALB500sAlarmScaleUp": { - "Properties": { - "Dimensions": [ - { - "Name": "LoadBalancer", - "Value": [ - "ECSALB", - "LoadBalancerFullName" - ] - } - ], - "ComparisonOperator": "GreaterThanThreshold", - "MetricName": "HTTPCode_ELB_5XX_Count", - "Statistic": "Average", - "Threshold": 10, - "AlarmDescription": "Alarm if our ALB generates too many HTTP 500s.", - "Period": 60, - "EvaluationPeriods": 1, - "AlarmActions": [ - "ServiceScalingPolicy" - ], - "Namespace": "AWS/ApplicationELB" - }, - "Type": "AWS::CloudWatch::Alarm" - }, - "AutoscalingRole": { - "Type": "AWS::IAM::Role", + "Sample_Service": { + "Type": "AWS::ECS::Service", "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "application-autoscaling.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] - }, - "Path": "/", - "Policies": [ - { - "PolicyName": "service-autoscaling", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "application-autoscaling:*", - "cloudwatch:DescribeAlarms", - "cloudwatch:PutMetricAlarm", - "ecs:DescribeServices", - "ecs:UpdateService" - ], - "Resource": "*" - } - ] - } - } - ] + "Cluster": { + "Ref": "ECSCluster" + } } }, - "ECSCluster": { + "Sample_Cluster": { "Type": "AWS::ECS::Cluster" }, - "ECSServiceRole": { - "Type": "AWS::IAM::Role", + "DBEC2SecurityGroupInline": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ecs.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] + "GroupDescription": "Inline IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" }, - "Path": "/", - "Policies": [ + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", 
+ "FromPort": 0, + "ToPort": 65534, + "CidrIp": "0.0.0.0/0" + }, { - "PolicyName": "ecs-service", - "PolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:Describe*", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:RegisterTargets", - "ec2:Describe*", - "ec2:AuthorizeSecurityGroupIngress" - ], - "Resource": "*" - } - ] - } + "IpProtocol": "udp", + "FromPort": 0, + "ToPort": 65535, + "CidrIpv6": "2607:f0d0:1002:51::4/56" } ] } }, - "ServiceScalingPolicy": { - "Type": "AWS::ApplicationAutoScaling::ScalingPolicy", - "Properties": { - "PolicyName": "AStepPolicy", - "PolicyType": "StepScaling", - "ScalingTargetId": "ServiceScalingTarget", - "StepScalingPolicyConfiguration": { - "Cooldown": 60, - "MetricAggregationType": "Average", - "StepAdjustments": [ - { - "MetricIntervalLowerBound": 0, - "ScalingAdjustment": 200 - } - ], - "AdjustmentType": "PercentChangeInCapacity" - } - } - }, - "EC2InstanceProfile": { - "Type": "AWS::IAM::InstanceProfile", - "Properties": { - "Path": "/", - "Roles": [ - "EC2Role" - ] - } - }, - "ECSAutoScalingGroup": { - "Type": "AWS::AutoScaling::AutoScalingGroup", + "DBEC2SecurityGroupStandalone": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "VPCZoneIdentifier": "SubnetId", - "LaunchConfigurationName": "ContainerInstances", - "MinSize": "1", - "MaxSize": 4, - "DesiredCapacity": 2 - }, - "CreationPolicy": { - "ResourceSignal": { - "Timeout": "PT15M" - } - }, - "UpdatePolicy": { - "AutoScalingReplacingUpdate": { - "WillReplace": true + "GroupDescription": "Standalone IPv4 and IPv6 ingress", + "VpcId": { + "Ref": "VPC" } } }, - "ECSALB": { - "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", - "Properties": { - "Scheme": "internet-facing", - "LoadBalancerAttributes": [ - { - "Key": "idle_timeout.timeout_seconds", - "Value": "30" - } - ], - "Subnets": 
"SubnetId", - "SecurityGroups": [ - "EcsSecurityGroup" - ], - "Name": "ECSALB" - } - }, - "ECSTG": { - "Type": "AWS::ElasticLoadBalancingV2::TargetGroup", + "DBEC2SecurityGroupIngress": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "Name": "ECSTG", - "Protocol": "HTTP", - "HealthCheckPath": "/", - "HealthCheckTimeoutSeconds": 5, - "HealthyThresholdCount": 2, - "UnhealthyThresholdCount": 2, - "VpcId": "VpcId", - "HealthCheckIntervalSeconds": 10, - "HealthCheckProtocol": "HTTP", - "Port": 80 + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone" + }, + "IpProtocol": "-1", + "CidrIp": "192.162.0.0/16" } }, - "EC2Role": { - "Type": "AWS::IAM::Role", + "DBEC2SecurityGroupIngressIPv6": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "AssumeRolePolicyDocument": { - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ec2.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] + "GroupId": { + "Ref": "DBEC2SecurityGroupStandalone" }, - "Path": "/", - "Policies": [ - { - "PolicyName": "ecs-service", - "PolicyDocument": { - "Statement": [ - { - "Resource": "*", - "Effect": "Allow", - "Action": [ - "ecs:CreateCluster", - "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", - "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", - "logs:CreateLogStream", - "logs:PutLogEvents" - ] - } - ] - } - } - ] + "IpProtocol": "tcp", + "FromPort": 0, + "ToPort": 34000, + "CidrIpv6": "::/0" } }, - "TaskDefinition": { + "DBInstance": { + "Type": "AWS::RDS::DBInstance", "Properties": { - "Volumes": [ - { - "Name": "my-vol" - } - ], - "Family": [ - "", - [ - "AWS::StackName", - "-ecs-demo-app" - ] - ], - "ContainerDefinitions": [ + "PubliclyAccessible": true, + "DBName": { + "Ref": "DBName" + }, + "Engine": "MySQL", + "VPCSecurityGroups": [ { - "Image": "httpd:2.4", - "Memory": 300, - "LogConfiguration": { - "LogDriver": "awslogs", - "Options": { - "awslogs-group": 
"CloudwatchLogsGroup", - "awslogs-region": "AWS::Region", - "awslogs-stream-prefix": "ecs-demo-app" - } - }, - "MountPoints": [ - { - "ContainerPath": "/usr/local/apache2/htdocs", - "SourceVolume": "my-vol" - } - ], - "PortMappings": [ - { - "ContainerPort": 80 - } - ], - "Name": "simple-app", - "Cpu": 10, - "Essential": true + "Ref": "DBEC2SecurityGroupInline" }, { - "VolumesFrom": [ - { - "SourceContainer": "simple-app" - } - ], - "Cpu": 10, - "EntryPoint": [ - "sh", - "-c" - ], - "Essential": false, - "Image": "busybox", - "Memory": 200, - "LogConfiguration": { - "LogDriver": "awslogs", - "Options": { - "awslogs-stream-prefix": "ecs-demo-app", - "awslogs-group": "CloudwatchLogsGroup", - "awslogs-region": "AWS::Region" - } - }, - "Name": "busybox", - "Command": [ - "/bin/sh -c \"while true; do echo '\u003chtml\u003e \u003chead\u003e \u003ctitle\u003eAmazon ECS Sample App\u003c/title\u003e\u003c/head\u003e\u003cbody\u003e\u003c/body\u003e\u003c/html\u003e' \u003e bottom; cat top date bottom \u003e /usr/local/apache2/htdocs/index.html ; sleep 1; done\"" - ] + "Ref": "DBEC2SecurityGroupStandalone" } ] - }, - "Type": "AWS::ECS::TaskDefinition" - }, - "EcsSecurityGroupSSHinbound": { - "Type": "AWS::EC2::SecurityGroupIngress", - "Properties": { - "ToPort": 22, - "CidrIp": "0.0.0.0/0", - "GroupId": "EcsSecurityGroup", - "IpProtocol": "tcp", - "FromPort": 22 - } - }, - "ContainerInstances": { - "Type": "AWS::AutoScaling::LaunchConfiguration", - "Properties": { - "ImageId": "ami-09bee01cc997a78a6", - "SecurityGroups": [ - "EcsSecurityGroup" - ], - "InstanceType": "t2.small", - "IamInstanceProfile": "EC2InstanceProfile", - "KeyName": "my-ssh-key", - "UserData": { - "Fn::Base64": "#!/bin/bash -xe\necho ECS_CLUSTER=${ECSCluster} \u003e\u003e /etc/ecs/ecs.config\nyum install -y aws-cfn-bootstrap\n/opt/aws/bin/cfn-signal -e $? 
--stack ${AWS::StackName} --resource ECSAutoScalingGroup --region ${AWS::Region}\n" - } - } - }, - "service": { - "Type": "AWS::ECS::Service", - "Properties": { - "Cluster": "ECSCluster", - "DesiredCount": 1, - "LoadBalancers": [ - { - "ContainerPort": 80, - "TargetGroupArn": "ECSTG", - "ContainerName": "simple-app" - } - ], - "Role": "ECSServiceRole", - "TaskDefinition": "taskdefinition" - } - }, - "ServiceScalingTarget": { - "Properties": { - "MinCapacity": 1, - "ResourceId": [ - "", - [ - "service/", - "ECSCluster", - "/", - [ - "service", - "Name" - ] - ] - ], - "RoleARN": [ - "AutoscalingRole", - "Arn" - ], - "ScalableDimension": "ecs:service:DesiredCount", - "ServiceNamespace": "ecs", - "MaxCapacity": 2 - }, - "Type": "AWS::ApplicationAutoScaling::ScalableTarget" - }, - "EcsSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", - "Properties": { - "GroupDescription": "ECS Security Group", - "VpcId": "VpcId" } } } diff --git a/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md b/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md index 13fb51bf07d..e12ea6602f6 100644 --- a/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md +++ b/docs/queries/cloudformation-queries/aws/ea33fcf7-394b-4d11-a228-985c5d08f205.md 
@@ -30,21 +30,9 @@ Check if default security group does not restrict all inbound and outbound traff ### Code samples #### Code samples with security vulnerabilities -```yaml title="Positive test num. 1 - yaml file" hl_lines="16" -Parameters: - KeyName: - Description: The EC2 Key Pair to allow SSH access to the instance - Type: 'AWS::EC2::KeyPair::KeyName' +```yaml title="Positive test num. 1 - yaml file" hl_lines="4 15" Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' - Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - - MyExistingSecurityGroup - KeyName: !Ref KeyName - ImageId: ami-7a11e213 - InstanceSecurityGroup: + InstanceSecurityGroup_ingress: # inline ingress Type: 'AWS::EC2::SecurityGroup' Properties: GroupName: default 
@@ -54,33 +42,51 @@ Resources: FromPort: '22' ToPort: '22' CidrIp: 0.0.0.0/0 + + InstanceSecurityGroup_egress: # inline egress + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupName: default + GroupDescription: Enable SSH access via port 22 SecurityGroupEgress: - IpProtocol: tcp FromPort: '22' ToPort: '22' CidrIp: 0.0.0.0/0 + +``` +```yaml title="Positive test num. 2 - yaml file" hl_lines="11 20" +Resources: + InstanceSecurityGroup_default: # ref + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupName: default + GroupDescription: Enable SSH access via port 22 + + InstanceSecurityGroupIngress: + Type: 'AWS::EC2::SecurityGroupIngress' # standalone ingress + Properties: + GroupId: !Ref InstanceSecurityGroup_default # ref + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + + InstanceSecurityGroupEgress: + Type: 'AWS::EC2::SecurityGroupEgress' # standalone egress + Properties: + GroupId: !Ref InstanceSecurityGroup_default # ref + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + ``` -```json title="Positive test num. 2 - json file" hl_lines="21" +```json title="Positive test num. 3 - json file" hl_lines="20 5" { - "Parameters": { - "KeyName": { - "Description": "The EC2 Key Pair to allow SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" - } - }, "Resources": { - "Ec2Instance": { - "Type": "AWS::EC2::Instance", - "Properties": { - "SecurityGroups": [ - "InstanceSecurityGroup", - "MyExistingSecurityGroup" - ], - "KeyName": "KeyName", - "ImageId": "ami-7a11e213" - } - }, - "InstanceSecurityGroup": { + "InstanceSecurityGroup_ingress": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupName": "default", "GroupDescription": "Enable SSH access via port 22", 
@@ -91,74 +97,185 @@ Resources: "ToPort": "22", "CidrIp": "0.0.0.0/0" } - ], + ] + } + }, + "InstanceSecurityGroup_egress": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupName": "default", + "GroupDescription": "Enable SSH access via port 22", "SecurityGroupEgress": [ { + "IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", - "CidrIp": "0.0.0.0/0", - "IpProtocol": "tcp" + "CidrIp": "0.0.0.0/0" } ] - }, - "Type": "AWS::EC2::SecurityGroup" + } + } + } +} +``` +
Positive test num. 4 - json file + +```json hl_lines="25 13" +{ + "Resources": { + "InstanceSecurityGroup_default": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupName": "default", + "GroupDescription": "Enable SSH access via port 22" + } + }, + "InstanceSecurityGroupIngress": { + "Type": "AWS::EC2::SecurityGroupIngress", + "Properties": { + "GroupId": { + "Ref": "InstanceSecurityGroup_default" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + }, + "InstanceSecurityGroupEgress": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "InstanceSecurityGroup_default" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } } } } ``` +
#### Code samples without security vulnerabilities ```yaml title="Negative test num. 1 - yaml file" -Parameters: - KeyName: - Description: The EC2 Key Pair to allow SSH access to the instance - Type: 'AWS::EC2::KeyPair::KeyName' Resources: - Ec2Instance: - Type: 'AWS::EC2::Instance' - Properties: - SecurityGroups: - - !Ref InstanceSecurityGroup - - MyExistingSecurityGroup - KeyName: !Ref KeyName - ImageId: ami-7a11e213 InstanceSecurityGroup: Type: 'AWS::EC2::SecurityGroup' Properties: GroupName: default GroupDescription: Enable SSH access via port 22 ``` -```json title="Negative test num. 2 - json file" +```yaml title="Negative test num. 2 - yaml file" +Resources: + InstanceSecurityGroup_not_named_default: # def + Type: 'AWS::EC2::SecurityGroup' + Properties: + GroupName: not_default # name is not "default" + GroupDescription: Enable SSH access via port 22 + SecurityGroupIngress: # inline ingress + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 + SecurityGroupEgress: # inline egress + - IpProtocol: tcp + FromPort: '22' + ToPort: '22' + CidrIp: 0.0.0.0/0 + + InstanceSecurityGroupIngress: + Type: 'AWS::EC2::SecurityGroupIngress' # standalone ingress + Properties: + GroupId: !Ref InstanceSecurityGroup_not_named_default # def + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + + InstanceSecurityGroupEgress: + Type: 'AWS::EC2::SecurityGroupEgress' # standalone egress + Properties: + GroupId: !Ref InstanceSecurityGroup_not_named_default # def + IpProtocol: tcp + FromPort: 22 + ToPort: 22 + CidrIp: 0.0.0.0/0 + +``` +```json title="Negative test num. 3 - json file" { - "Parameters": { - "KeyName": { - "Description": "The EC2 Key Pair to allow SSH access to the instance", - "Type": "AWS::EC2::KeyPair::KeyName" + "Resources": { + "InstanceSecurityGroup": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupName": "default", + "GroupDescription": "Enable SSH access via port 22" + } } - }, + } +} + +``` +
Negative test num. 4 - json file + +```json +{ "Resources": { - "Ec2Instance": { - "Type": "AWS::EC2::Instance", + "InstanceSecurityGroup_not_named_default": { + "Type": "AWS::EC2::SecurityGroup", "Properties": { - "SecurityGroups": [ - "InstanceSecurityGroup", - "MyExistingSecurityGroup" + "GroupName": "not_default", + "GroupDescription": "Enable SSH access via port 22", + "SecurityGroupIngress": [ + { + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0" + } ], - "KeyName": "KeyName", - "ImageId": "ami-7a11e213" + "SecurityGroupEgress": [ + { + "IpProtocol": "tcp", + "FromPort": "22", + "ToPort": "22", + "CidrIp": "0.0.0.0/0" + } + ] } }, - "InstanceSecurityGroup": { - "Type": "AWS::EC2::SecurityGroup", + "InstanceSecurityGroupIngress": { + "Type": "AWS::EC2::SecurityGroupIngress", "Properties": { - "GroupName": "default", - "GroupDescription": "Enable SSH access via port 22" + "GroupId": { + "Ref": "InstanceSecurityGroup_not_named_default" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" + } + }, + "InstanceSecurityGroupEgress": { + "Type": "AWS::EC2::SecurityGroupEgress", + "Properties": { + "GroupId": { + "Ref": "InstanceSecurityGroup_not_named_default" + }, + "IpProtocol": "tcp", + "FromPort": 22, + "ToPort": 22, + "CidrIp": "0.0.0.0/0" } } } } ``` +
diff --git a/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md b/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md index c3246e5b03f..ec9866ca94b 100644 --- a/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md +++ b/docs/queries/cloudformation-queries/aws/ee464fc2-54a6-4e22-b10a-c6dcd2474d0c.md @@ -39,19 +39,19 @@ Resources: VpcId: Ref: myVPC SecurityGroupIngress: - - IpProtocol: -1 + - IpProtocol: "-1" FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 SecurityGroupEgress: - - IpProtocol: -1 + - IpProtocol: "-1" FromPort: 80 ToPort: 80 CidrIp: 0.0.0.0/0 OutboundRule: Type: AWS::EC2::SecurityGroupEgress Properties: - IpProtocol: -1 + IpProtocol: "-1" FromPort: 0 ToPort: 65535 DestinationSecurityGroupId: @@ -65,7 +65,7 @@ Resources: InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: - IpProtocol: -1 + IpProtocol: "-1" FromPort: 0 ToPort: 65535 SourceSecurityGroupId: @@ -90,7 +90,7 @@ Resources: "SecurityGroupIngress": [ { "CidrIp": "0.0.0.0/0", - "IpProtocol": -1, + "IpProtocol": "-1", "FromPort": 80, "ToPort": 80 } @@ -98,7 +98,7 @@ Resources: "SecurityGroupEgress": [ { "CidrIp": "0.0.0.0/0", - "IpProtocol": -1, + "IpProtocol": "-1", "FromPort": 80, "ToPort": 80 } @@ -120,7 +120,7 @@ Resources: "GroupId" ] }, - "IpProtocol": -1, + "IpProtocol": "-1", "FromPort": 0, "ToPort": 65535 } @@ -133,7 +133,7 @@ Resources: "GroupId" ] }, - "IpProtocol": -1, + "IpProtocol": "-1", "FromPort": 0, "ToPort": 65535, "SourceSecurityGroupId": { diff --git a/docs/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md b/docs/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md index b12d155cfbb..41b9c6b1278 100644 --- a/docs/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md +++ b/docs/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71.md @@ -3285,7 +3285,45 @@ output clientName string = clientModule.outputs.clientName ```
-
Negative test num. 56 - json file +
Negative test num. 56 - tf file + +```tf +resource "aws_secretsmanager_secret_version" "secret_version" { + for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled } + + secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes + secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password.client_password[each.key].result }) +} + +resource "aws_secretsmanager_secret_version" "secret_version_2" { + for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled } + + secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes + secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password[each.key].client_password.result }) +} + +resource "aws_secretsmanager_secret_version" "secret_version_3" { + for_each = { for k, v in var.clients.scram : k => v if var.enabled && var.client_sasl_scram_enabled } + + secret_id = aws_secretsmanager_secret.client_secret[each.key].id # use of indexes + secret_string = jsonencode({ "username" : join("_", [var.product, each.key, var.environment == "dev" ? var.environment : var.stack]), "password" : random_password["index"].client_password.result }) +} + +resource "aws_msk_scram_secret_association" "msk_secret_association" { + count = var.enabled && var.client_sasl_scram_enabled ? 1 : 0 + cluster_arn = aws_msk_cluster.kafka[0].arn + secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : secret.arn] # short reference +} + +resource "aws_msk_scram_secret_association" "msk_secret_association_2" { + count = var.enabled && var.client_sasl_scram_enabled ? 
1 : 0 + cluster_arn = aws_msk_cluster.kafka[0].arn + secret_arn_list = [for secret in aws_secretsmanager_secret.client_secret : null] # short reference +} + +``` +
+
Negative test num. 57 - json file ```json { @@ -3305,7 +3343,7 @@ output clientName string = clientModule.outputs.clientName ```
-
Negative test num. 57 - tf file +
Negative test num. 58 - tf file ```tf resource "google_container_cluster" "primary3" { @@ -3330,7 +3368,7 @@ resource "google_container_cluster" "primary3" { ```
-
Negative test num. 58 - tf file +
Negative test num. 59 - tf file ```tf resource "google_container_cluster" "primary5" { @@ -3355,7 +3393,7 @@ resource "google_container_cluster" "primary5" { ```
-
Negative test num. 59 - tf file +
Negative test num. 60 - tf file ```tf resource "google_secret_manager_secret" "secret-basic" { diff --git a/docs/queries/terraform-queries.md b/docs/queries/terraform-queries.md index 9bc42855edf..46b19a22d49 100644 --- a/docs/queries/terraform-queries.md +++ b/docs/queries/terraform-queries.md @@ -472,17 +472,20 @@ Below are listed queries related to Terraform AZURE: |Beta - Storage Account With Cross Tenant Replication Enabled
50e0a9e3-7360-483c-9873-ba1ea1a7faf8|Medium|Access Control|Query details
Documentation
| |Beta - Storage Account With Shared Access Key
45f3e879-f8a7-4102-a3fa-46da5a849870|Medium|Access Control|Query details
Documentation
| |Beta - Use Of User Access Administrator Role Is Not Restricted
41d7989b-3be2-4081-8c79-cf903dd174c5|Medium|Access Control|Query details
Documentation
| +|Beta - VM Without Admin SSH Public Key Set
a5cfef8f-910e-4fd6-8155-f381b236a492|Medium|Access Control|Query details
Documentation
| |Function App Authentication Disabled
e65a0733-94a0-4826-82f4-df529f4c593f|Medium|Access Control|Query details
Documentation
| |Role Assignment Not Limit Guest User Permissions
8e75e431-449f-49e9-b56a-c8f1378025cf|Medium|Access Control|Query details
Documentation
| |Role Definition Allows Custom Role Creation
3fa5900f-9aac-4982-96b2-a6143d9c99fb|Medium|Access Control|Query details
Documentation
| |Storage Share Allows All ACL Permissions
5ed0a5f3-6b81-4a6c-a7d1-0f1d8d9ae806|Medium|Access Control|Query details
Documentation
| |Storage Table Allows All ACL Permissions
3ac3e75c-6374-4a32-8ba0-6ed69bda404e|Medium|Access Control|Query details
Documentation
| |Azure Instance Using Basic Authentication
dafe30ec-325d-4516-85d1-e8e6776f012c|Medium|Best Practices|Query details
Documentation
| +|Beta - VM With Automatic Updates Disabled
187e6d39-5e1e-4afa-9c0a-b79632eef346|Medium|Best Practices|Query details
Documentation
| |Key Vault Secrets Content Type Undefined
f8e08a38-fc6e-4915-abbe-a7aadf1d59ef|Medium|Best Practices|Query details
Documentation
| |MSSQL Server Database With Alerts Disabled
25cd1853-7e80-4106-9ac3-03f8636c25be|Medium|Best Practices|Query details
Documentation
| |Security Contact Email
34664094-59e0-4524-b69f-deaa1a68cce3|Medium|Best Practices|Query details
Documentation
| |App Service Not Using Latest TLS Encryption Version
b7b9d1c7-2d3b-49b4-b867-ebbe68d0b643|Medium|Encryption|Query details
Documentation
| |Beta - Databricks Workspace Without CMK
416ac446-9a2e-4f6d-84d2-82add788c7da|Medium|Encryption|Query details
Documentation
| +|Beta - Disk Encryption On Managed Disk Disabled
68403c84-8497-449b-9946-ae848765813f|Medium|Encryption|Query details
Documentation
| |Encryption On Managed Disk Disabled
a99130ab-4c0e-43aa-97f8-78d4fcb30024|Medium|Encryption|Query details
Documentation
| |Function App Not Using Latest TLS Encryption Version
45fc717a-bd86-415c-bdd8-677901be1aa6|Medium|Encryption|Query details
Documentation
| |MySQL SSL Connection Disabled
73e42469-3a86-4f39-ad78-098f325b4e9f|Medium|Encryption|Query details
Documentation
| @@ -505,6 +508,7 @@ Below are listed queries related to Terraform AZURE: |Small Flow Logs Retention Period
7750fcca-dd03-4d38-b663-4b70289bcfd4|Medium|Insecure Configurations|Query details
Documentation
| |VM Not Attached To Network
bbf6b3df-4b65-4f87-82cc-da9f30f8c033|Medium|Insecure Configurations|Query details
Documentation
| |Web App Accepting Traffic Other Than HTTPS
11e9a948-c6c3-4a0f-8dcf-b5cf1763cdbe|Medium|Insecure Configurations|Query details
Documentation
| +|Beta - VM With Extension Operations Enabled
59528fe9-0c8e-4153-8016-445911a2d933|Medium|Insecure Defaults|Query details
Documentation
| |Azure Cognitive Search Public Network Access Enabled
4a9e0f00-0765-4f72-a0d4-d31110b78279|Medium|Networking and Firewall|Query details
Documentation
| |Beta - Databricks Workspace Using Default Virtual Network
05d6b52e-11ca-453d-bb3a-21c7c853ee92|Medium|Networking and Firewall|Query details
Documentation
| |Firewall Rule Allows Too Many Hosts To Access Redis Cache
a829b715-cf75-4e92-b645-54c9b739edfb|Medium|Networking and Firewall|Query details
Documentation
| @@ -525,7 +529,7 @@ Below are listed queries related to Terraform AZURE: |Beta - Activity Log Alert For Delete Security Solution Not Configured
b97a1065-a86b-442f-86c4-f95afd9b3ac6|Medium|Observability|Query details
Documentation
| |Beta - Activity Log Alert For Delete SQL Server Firewall Rule Not Configured
8ce5c61f-5cd1-41bc-b7d9-b26b18efd505|Medium|Observability|Query details
Documentation
| |Beta - Activity Log Alert For Service Health Not Configured
f677bd92-3922-4e75-8f0c-2c0f8fbc9609|Medium|Observability|Query details
Documentation
| -|Beta - Databricks Diagnostic Logging Unconfigured
0bd3630a-2ae9-4522-9d66-04049654b1df|Medium|Observability|Query details
Documentation
| +|Beta - Databricks Diagnostic Logging Not Configured
0bd3630a-2ae9-4522-9d66-04049654b1df|Medium|Observability|Query details
Documentation
| |Beta - Diagnostic Settings Without Appropriate Logging
21fa1872-47b3-46ec-9775-f41e85d80cb4|Medium|Observability|Query details
Documentation
| |Beta - Resource Without Diagnostic Settings
50f32d3c-096e-406a-bb26-71b3c91c11c0|Medium|Observability|Query details
Documentation
| |Beta - Service Without Resource Logging
8a0628ed-6256-4a24-a1ab-54696fb69197|Medium|Observability|Query details
Documentation
| @@ -556,10 +560,13 @@ Below are listed queries related to Terraform AZURE: |SQL Server Predictable Admin Account Name
2ab6de9a-0136-415c-be92-79d2e4fd750f|Low|Best Practices|Query details
Documentation
| |Cosmos DB Account Without Tags
56dad03e-e94f-4dd6-93a4-c253a03ff7a0|Low|Build Process|Query details
Documentation
| |AKS Disk Encryption Set ID Undefined
b17d8bb8-4c08-4785-867e-cb9e62a622aa|Low|Encryption|Query details
Documentation
| +|Beta - Key Vault Without HSM Protection
fbb8e5e0-6dea-41d3-8739-4f2405b0e22a|Low|Encryption|Query details
Documentation
| +|Beta - VM Without Encryption At Host
30c7c2f1-c048-49ba-81a4-ae465bbb3335|Low|Encryption|Query details
Documentation
| |PostgreSQL Server Infrastructure Encryption Disabled
6425c98b-ca4e-41fe-896a-c78772c131f8|Low|Encryption|Query details
Documentation
| |AKS Network Policy Misconfigured
f5342045-b935-402d-adf1-8dbbd09c0eef|Low|Insecure Configurations|Query details
Documentation
| |Dashboard Is Enabled
61c3cb8b-0715-47e4-b788-86dde40dd2db|Low|Insecure Configurations|Query details
Documentation
| |Azure Front Door WAF Disabled
835a4f2f-df43-437d-9943-545ccfc55961|Low|Networking and Firewall|Query details
Documentation
| +|Beta - Container Instances Not Using Private Virtual Networks
71884fcb-ae03-41c8-87b9-22c90353f256|Low|Networking and Firewall|Query details
Documentation
| |Sensitive Port Is Exposed To Wide Private Network
c6c7b33d-d7f6-4ab8-8c82-ca0431ecdb7e|Low|Networking and Firewall|Query details
Documentation
| |Small Activity Log Retention Period
2b856bf9-8e8c-4005-875f-303a8cba3918|Low|Observability|Query details
Documentation
| |Small MSSQL Audit Retention Period
9c301481-e6ec-44f7-8a49-8ec63e2969ea|Low|Observability|Query details
Documentation
| diff --git a/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md b/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md index eb055511a4e..b4ecafb714a 100644 --- a/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md +++ b/docs/queries/terraform-queries/aws/151187cb-0efc-481c-babd-ad24e3c9bc22.md @@ -480,7 +480,7 @@ resource "aws_security_group_rule" "negative3-3" { type = "ingress" from_port = 3200 to_port = 3400 - protocol = "-1" + protocol = "-1" ipv6_cidr_blocks = ["2001:db8:abcd:0012::/64"] security_group_id = aws_security_group.ec2.id description = "allows RDP from Internet (IPv6)" @@ -500,7 +500,7 @@ resource "aws_security_group_rule" "negative3-5" { type = "ingress" from_port = 2000 to_port = 2500 - protocol = "tcp" + protocol = "tcp" ipv6_cidr_blocks = ["::/0"] security_group_id = aws_security_group.ec2.id description = "allows RDP from Internet (IPv6)" @@ -516,15 +516,16 @@ resource "aws_security_group_rule" "negative3-6" { description = "allows RDP from Internet (IPv4)" } -resource "aws_security_group_rule" "negative3-6" { +resource "aws_security_group_rule" "negative3-7" { type = "ingress" from_port = 3389 to_port = 3389 - protocol = "udp" + protocol = "udp" ipv6_cidr_blocks = ["::/0"] security_group_id = aws_security_group.ec2.id description = "allows RDP from Internet (IPv6)" } + ```
Negative test num. 4 - tf file diff --git a/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md index 4164237e581..e3d510d52ed 100644 --- a/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md +++ b/docs/queries/terraform-queries/aws/4849211b-ac39-479e-ae78-5694d506cb24.md @@ -506,6 +506,36 @@ module "fake" {
Negative test num. 5 - tf file +```tf +resource "aws_security_group" "MSK-SG" { + count = var.enabled ? 1 : 0 + + name = local.msk_cluster_name + description = join(" ", [local.msk_cluster_name, "SG"]) + vpc_id = module.data_infra_lookups[0].vpc_id + + tags = merge( + module.tags[0].map, + { Name = local.msk_cluster_name } + ) +} + +resource "aws_security_group_rule" "inbound_to_communicate_with_prometheus" { + count = var.enabled ? 1 : 0 + + description = "Rule which allows prometheus to connect to kafka" + type = "ingress" + from_port = 11001 + to_port = 11002 + protocol = "tcp" + cidr_blocks = flatten([module.tf-common-network-blocks[0].office_ip_cidrs, module.data_infra_lookups[0].all_vpc_cidrs]) + security_group_id = aws_security_group.MSK-SG[0].id +} + +``` +
+
Negative test num. 6 - tf file + ```tf resource "aws_security_group" "allow_tls" { name = "allow_tls" @@ -545,7 +575,7 @@ module "security_groups_test" { ```
-
Negative test num. 6 - tf file +
Negative test num. 7 - tf file ```tf # given: @@ -592,7 +622,7 @@ resource "aws_instance" "negative3" { ```
-
Negative test num. 7 - tf file +
Negative test num. 8 - tf file ```tf terraform { @@ -698,7 +728,7 @@ resource "aws_instance" "cowrie_server" { ```
-
Negative test num. 8 - tf file +
Negative test num. 9 - tf file ```tf # given: @@ -746,7 +776,7 @@ resource "aws_eks_cluster" "negative3" { ```
-
Negative test num. 9 - tf file +
Negative test num. 10 - tf file ```tf resource "aws_security_group" "example" { @@ -774,7 +804,7 @@ resource "aws_elasticache_replication_group" "redis" { } ```
-
Negative test num. 10 - tf file +
Negative test num. 11 - tf file ```tf resource "aws_security_group" "test" { @@ -789,7 +819,7 @@ module "fake" { ```
-
Negative test num. 11 - tf file +
Negative test num. 12 - tf file ```tf resource "aws_security_group" "allow_tls" { @@ -829,7 +859,7 @@ resource "aws_lb" "test" { ```
-
Negative test num. 12 - tf file +
Negative test num. 13 - tf file ```tf resource "aws_security_group" "allow_tls" { diff --git a/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md b/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md index d6537bd3d83..93c82684160 100644 --- a/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md +++ b/docs/queries/terraform-queries/aws/54c417bf-c762-48b9-9d31-b3d87047e3f0.md @@ -530,7 +530,7 @@ resource "aws_security_group_rule" "negative3-6" { description = "Remote desktop open private" } -resource "aws_security_group_rule" "negative3-6" { +resource "aws_security_group_rule" "negative3-7" { type = "ingress" from_port = 2383 to_port = 2383 @@ -539,6 +539,7 @@ resource "aws_security_group_rule" "negative3-6" { security_group_id = aws_security_group.negative.id description = "Remote desktop open private" } + ```
Negative test num. 4 - tf file diff --git a/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md b/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md index 11c81a49bf4..4122cb1f41e 100644 --- a/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md +++ b/docs/queries/terraform-queries/aws/ffac8a12-322e-42c1-b9b9-81ff85c39ef7.md @@ -374,7 +374,7 @@ resource "aws_security_group" "negative1-5" { } } -resource "aws_security_group" "negative1-5" { +resource "aws_security_group" "negative1-6" { name = "allow_tls" description = "sample" @@ -394,6 +394,7 @@ resource "aws_security_group" "negative1-5" { ipv6_cidr_blocks = ["fd00::/8", "::/0"] } } + ``` ```tf title="Negative test num. 2 - tf file" resource "aws_security_group" "ec2" { diff --git a/docs/queries/terraform-queries/azure/0bd3630a-2ae9-4522-9d66-04049654b1df.md b/docs/queries/terraform-queries/azure/0bd3630a-2ae9-4522-9d66-04049654b1df.md index b106c93342e..122631867d3 100644 --- a/docs/queries/terraform-queries/azure/0bd3630a-2ae9-4522-9d66-04049654b1df.md +++ b/docs/queries/terraform-queries/azure/0bd3630a-2ae9-4522-9d66-04049654b1df.md @@ -1,5 +1,5 @@ --- -title: Beta - Databricks Diagnostic Logging Unconfigured +title: Beta - Databricks Diagnostic Logging Not Configured hide: toc: true navigation: true 
@@ -16,13 +16,13 @@ hide: - **Query id:** 0bd3630a-2ae9-4522-9d66-04049654b1df -- **Query name:** Beta - Databricks Diagnostic Logging Unconfigured +- **Query name:** Beta - Databricks Diagnostic Logging Not Configured - **Platform:** Terraform - **Severity:** Medium - **Category:** Observability - **CWE:** 778 - **Risk score:** 3.0 -- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/databricks_diagnostic_logging_unconfigured) +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured) ### Description Ensure that logging for Azure Databricks is 'Enabled' for categories: 'accounts','Filesystem','clusters','notebook' and 'jobs', with one or more of the following destinations: 'Azure Log Analytics workspace', 'Azure Storage Account', 'Azure Event Hubs'
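Review bot: the rename from "Unconfigured" to "Not Configured" also rewrites the GitHub URL to `assets/queries/terraform/azure/databricks_diagnostic_logging_not_configured`; make sure the query directory is renamed in the same change, otherwise the Documentation link 404s. The query id 0bd3630a stays the same, so existing suppressions and baselines keyed on the id keep working; mentioning that in the commit message would save a question later.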
diff --git a/docs/queries/terraform-queries/azure/187e6d39-5e1e-4afa-9c0a-b79632eef346.md b/docs/queries/terraform-queries/azure/187e6d39-5e1e-4afa-9c0a-b79632eef346.md new file mode 100644 index 00000000000..9a9137dbdc4 --- /dev/null +++ b/docs/queries/terraform-queries/azure/187e6d39-5e1e-4afa-9c0a-b79632eef346.md @@ -0,0 +1,142 @@ +--- +title: Beta - VM With Automatic Updates Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 187e6d39-5e1e-4afa-9c0a-b79632eef346 +- **Query name:** Beta - VM With Automatic Updates Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Best Practices +- **CWE:** 1329 +- **Risk score:** 3.0 +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/vm_with_automatic_updates_disabled) + +### Description +Windows based VMs should enabled automatic updates
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/4.50.0/docs/resources/windows_virtual_machine.html#automatic_updates_enabled-3) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="24 11 37" +resource "azurerm_windows_virtual_machine" "positive1" { + name = "positive1-machine" + resource_group_name = azurerm_resource_group.positive1.name + location = azurerm_resource_group.positive1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1.id, + ] + + enable_automatic_updates = false +} + +resource "azurerm_windows_virtual_machine" "positive2" { + name = "positive2-machine" + resource_group_name = azurerm_resource_group.positive2.name + location = azurerm_resource_group.positive2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive2.id, + ] + + automatic_updates_enabled = false +} + + +resource "azurerm_windows_virtual_machine_scale_set" "positive3" { + name = "positive3-vmss" + resource_group_name = azurerm_resource_group.positive3.name + location = azurerm_resource_group.positive3.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + computer_name_prefix = "vm-" + + enable_automatic_updates = false +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_windows_virtual_machine" "negative1" { + name = "negative1-machine" + resource_group_name = azurerm_resource_group.negative1.name + location = azurerm_resource_group.negative1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative1.id, + ] + + enable_automatic_updates = true +} + +resource "azurerm_windows_virtual_machine" "negative2" { + name = "negative2-machine" + resource_group_name = azurerm_resource_group.negative2.name + location = azurerm_resource_group.negative2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative2.id, + ] + + automatic_updates_enabled = true # newer field +} + +resource "azurerm_windows_virtual_machine_scale_set" "negative3" { + name = "negative3-vmss" + resource_group_name = azurerm_resource_group.negative3.name + location = azurerm_resource_group.negative3.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + computer_name_prefix = "vm-" + + enable_automatic_updates = true +} + +resource "azurerm_windows_virtual_machine" "negative4" { + name = "negative4-machine" + resource_group_name = azurerm_resource_group.negative4.name + location = azurerm_resource_group.negative4.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative4.id, + ] + + # missing "enable_automatic_updates" and "automatic_updates_enabled" - defaults to true +} + +resource "azurerm_windows_virtual_machine_scale_set" "negative5" { + name = "negative5-vmss" + resource_group_name = azurerm_resource_group.negative5.name + location = azurerm_resource_group.negative5.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + computer_name_prefix = "vm-" + + # missing "enable_automatic_updates" - defaults to true +} + +``` + 
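Review bot: the description reads "Windows based VMs should enabled automatic updates"; it should be "Windows-based VMs should enable automatic updates". The Documentation link pins azurerm 4.50.0 while the other new Azure pages in this change link to `latest`; pick one convention. The negative tests (negative4, negative5) document that omitting both `enable_automatic_updates` and `automatic_updates_enabled` defaults to true, so the query only fires on an explicit `false`; a sentence saying so in the description would stop users from expecting a finding on VMs that never set the attribute.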
diff --git a/docs/queries/terraform-queries/azure/30c7c2f1-c048-49ba-81a4-ae465bbb3335.md b/docs/queries/terraform-queries/azure/30c7c2f1-c048-49ba-81a4-ae465bbb3335.md new file mode 100644 index 00000000000..161fc966b12 --- /dev/null +++ b/docs/queries/terraform-queries/azure/30c7c2f1-c048-49ba-81a4-ae465bbb3335.md @@ -0,0 +1,198 @@ +--- +title: Beta - VM Without Encryption At Host +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 30c7c2f1-c048-49ba-81a4-ae465bbb3335 +- **Query name:** Beta - VM Without Encryption At Host +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Encryption +- **CWE:** 326 +- **Risk score:** 1.0 +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/vm_without_encryption_at_host) + +### Description +VM resources should enable encryption at host for improved data security
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/windows_virtual_machine.html#encryption_at_host_enabled-1) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="24 1" +resource "azurerm_linux_virtual_machine" "positive1_1" { + name = "positive1_1-machine" + resource_group_name = azurerm_resource_group.positive1_1.name + location = azurerm_resource_group.positive1_1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1_1.id, + ] + + # missing "encryption_at_host_enabled" +} + +resource "azurerm_linux_virtual_machine" "positive1_2" { + name = "positive1_2-machine" + resource_group_name = azurerm_resource_group.positive1_2.name + location = azurerm_resource_group.positive1_2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1_2.id, + ] + + encryption_at_host_enabled = false # set to false +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="1 20" +resource "azurerm_linux_virtual_machine_scale_set" "positive2_1" { + name = "positive2_1-vmss" + resource_group_name = azurerm_resource_group.positive2_1.name + location = azurerm_resource_group.positive2_1.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + # missing "encryption_at_host_enabled" +} + +resource "azurerm_linux_virtual_machine_scale_set" "positive2_2" { + name = "positive2_2-vmss" + resource_group_name = azurerm_resource_group.positive2_2.name + location = azurerm_resource_group.positive2_2.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + encryption_at_host_enabled = false # set to false +} + +``` +```tf title="Positive test num. 
3 - tf file" hl_lines="1 22" +resource "azurerm_windows_virtual_machine" "positive3_1" { + name = "positive3_1-machine" + resource_group_name = azurerm_resource_group.positive3_1.name + location = azurerm_resource_group.positive3_1.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.positive3_1.id, + ] + + # missing "encryption_at_host_enabled" +} + +resource "azurerm_windows_virtual_machine" "positive3_2" { + name = "positive3_2-machine" + resource_group_name = azurerm_resource_group.positive3_2.name + location = azurerm_resource_group.positive3_2.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.positive3_2.id, + ] + + encryption_at_host_enabled = false # set to false +} + +``` +
Positive test num. 4 - tf file + +```tf hl_lines="1 20" +resource "azurerm_windows_virtual_machine_scale_set" "positive4_1" { + name = "positive4_1-vmss" + resource_group_name = azurerm_resource_group.positive4_1.name + location = azurerm_resource_group.positive4_1.location + sku = "Standard_F2" + computer_name_prefix = "vm-" + + # missing "encryption_at_host_enabled" +} + +resource "azurerm_windows_virtual_machine_scale_set" "positive4_2" { + name = "positive4_2-machine" + resource_group_name = azurerm_resource_group.positive4_2.name + location = azurerm_resource_group.positive4_2.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.positive4_2.id, + ] + + encryption_at_host_enabled = false # set to false +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_linux_virtual_machine" "negative1" { + name = "negative1-machine" + resource_group_name = azurerm_resource_group.negative1.name + location = azurerm_resource_group.negative1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative1.id, + ] + + encryption_at_host_enabled = true +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_linux_virtual_machine_scale_set" "negative2" { + name = "negative2-vmss" + resource_group_name = azurerm_resource_group.negative2.name + location = azurerm_resource_group.negative2.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + encryption_at_host_enabled = true +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "azurerm_windows_virtual_machine" "negative3" { + name = "negative3-machine" + resource_group_name = azurerm_resource_group.negative3.name + location = azurerm_resource_group.negative3.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.negative3.id, + ] + + encryption_at_host_enabled = true +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "azurerm_windows_virtual_machine_scale_set" "negative4" { + name = "negative4-vmss" + resource_group_name = azurerm_resource_group.negative4.name + location = azurerm_resource_group.negative4.location + sku = "Standard_F2" + computer_name_prefix = "vm-" + + encryption_at_host_enabled = true +} + +``` +
+ diff --git a/docs/queries/terraform-queries/azure/59528fe9-0c8e-4153-8016-445911a2d933.md b/docs/queries/terraform-queries/azure/59528fe9-0c8e-4153-8016-445911a2d933.md new file mode 100644 index 00000000000..327c65990d0 --- /dev/null +++ b/docs/queries/terraform-queries/azure/59528fe9-0c8e-4153-8016-445911a2d933.md @@ -0,0 +1,198 @@ +--- +title: Beta - VM With Extension Operations Enabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 59528fe9-0c8e-4153-8016-445911a2d933 +- **Query name:** Beta - VM With Extension Operations Enabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Insecure Defaults +- **CWE:** 250 +- **Risk score:** 3.0 +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/vm_with_extension_operations_enabled) + +### Description +Virtual machine resources should disable extension_operations since they can provide administrative privileges to processes
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#allow_extension_operations-1) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="24 1" +resource "azurerm_linux_virtual_machine" "positive1_1" { + name = "positive1_1-machine" + resource_group_name = azurerm_resource_group.positive1_1.name + location = azurerm_resource_group.positive1_1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1_1.id, + ] + + # missing "allow_extension_operations" +} + +resource "azurerm_linux_virtual_machine" "positive1_2" { + name = "positive1_2-machine" + resource_group_name = azurerm_resource_group.positive1_2.name + location = azurerm_resource_group.positive1_2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1_2.id, + ] + + allow_extension_operations = true # set to true +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="1 20" +resource "azurerm_linux_virtual_machine_scale_set" "positive2_1" { + name = "positive2_1-vmss" + resource_group_name = azurerm_resource_group.positive2_1.name + location = azurerm_resource_group.positive2_1.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + # missing "extension_operations_enabled" +} + +resource "azurerm_linux_virtual_machine_scale_set" "positive2_2" { + name = "positive2_2-vmss" + resource_group_name = azurerm_resource_group.positive2_2.name + location = azurerm_resource_group.positive2_2.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + extension_operations_enabled = true # set to true +} + +``` +```tf title="Positive test num. 
3 - tf file" hl_lines="1 22" +resource "azurerm_windows_virtual_machine" "positive3_1" { + name = "positive3_1-machine" + resource_group_name = azurerm_resource_group.positive3_1.name + location = azurerm_resource_group.positive3_1.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.positive3_1.id, + ] + + # missing "allow_extension_operations" +} + +resource "azurerm_windows_virtual_machine" "positive3_2" { + name = "positive3_2-machine" + resource_group_name = azurerm_resource_group.positive3_2.name + location = azurerm_resource_group.positive3_2.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.positive3_2.id, + ] + + allow_extension_operations = true # set to true +} + +``` +
Positive test num. 4 - tf file + +```tf hl_lines="1 20" +resource "azurerm_windows_virtual_machine_scale_set" "positive4_1" { + name = "positive4_1-vmss" + resource_group_name = azurerm_resource_group.positive4_1.name + location = azurerm_resource_group.positive4_1.location + sku = "Standard_F2" + computer_name_prefix = "vm-" + + # missing "extension_operations_enabled" +} + +resource "azurerm_windows_virtual_machine_scale_set" "positive4_2" { + name = "positive4_2-machine" + resource_group_name = azurerm_resource_group.positive4_2.name + location = azurerm_resource_group.positive4_2.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.positive4_2.id, + ] + + extension_operations_enabled = true # set to true +} + +``` +
+ + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_linux_virtual_machine" "negative1" { + name = "negative1-machine" + resource_group_name = azurerm_resource_group.negative1.name + location = azurerm_resource_group.negative1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative1.id, + ] + + allow_extension_operations = false +} + +``` +```tf title="Negative test num. 2 - tf file" +resource "azurerm_linux_virtual_machine_scale_set" "negative2" { + name = "negative2-vmss" + resource_group_name = azurerm_resource_group.negative2.name + location = azurerm_resource_group.negative2.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + extension_operations_enabled = false +} + +``` +```tf title="Negative test num. 3 - tf file" +resource "azurerm_windows_virtual_machine" "negative3" { + name = "negative3-machine" + resource_group_name = azurerm_resource_group.negative3.name + location = azurerm_resource_group.negative3.location + size = "Standard_F2" + network_interface_ids = [ + azurerm_network_interface.negative3.id, + ] + + allow_extension_operations = false +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "azurerm_windows_virtual_machine_scale_set" "negative4" { + name = "negative4-vmss" + resource_group_name = azurerm_resource_group.negative4.name + location = azurerm_resource_group.negative4.location + sku = "Standard_F2" + computer_name_prefix = "vm-" + + extension_operations_enabled = false +} + +``` +
+ diff --git a/docs/queries/terraform-queries/azure/68403c84-8497-449b-9946-ae848765813f.md b/docs/queries/terraform-queries/azure/68403c84-8497-449b-9946-ae848765813f.md new file mode 100644 index 00000000000..86016b23274 --- /dev/null +++ b/docs/queries/terraform-queries/azure/68403c84-8497-449b-9946-ae848765813f.md @@ -0,0 +1,73 @@ +--- +title: Beta - Disk Encryption On Managed Disk Disabled +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 68403c84-8497-449b-9946-ae848765813f +- **Query name:** Beta - Disk Encryption On Managed Disk Disabled +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Encryption +- **CWE:** 922 +- **Risk score:** 3.0 +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/disk_encryption_on_managed_disk_disabled) + +### Description +Using disk encryption on managed disks data improves confidentiality, compliance, and control over encryption keys, ensuring sensitive information at rest is protected against unauthorized access
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk#disk_encryption_set_id-1) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="1" +resource "azurerm_managed_disk" "positive1" { + name = "secure-vm-disk" + location = azurerm_resource_group.positive1.location + resource_group_name = azurerm_resource_group.positive1.name + storage_account_type = "Premium_LRS" + create_option = "Empty" + disk_size_gb = 128 + + # missing "secure_vm_disk_encryption_set_id" and "disk_encryption_set_id" +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_managed_disk" "negative1" { + name = "standard-disk" + location = azurerm_resource_group.negative1.location + resource_group_name = azurerm_resource_group.negative1.name + storage_account_type = "Premium_LRS" + create_option = "Empty" + disk_size_gb = 128 + + disk_encryption_set_id = azurerm_disk_encryption_set.negative1.id +} + +resource "azurerm_managed_disk" "negative2" { + name = "secure-vm-disk" + location = azurerm_resource_group.negative2.location + resource_group_name = azurerm_resource_group.negative2.name + storage_account_type = "Premium_LRS" + create_option = "Empty" + disk_size_gb = 128 + + secure_vm_disk_encryption_set_id = azurerm_disk_encryption_set.secure_vm.id +} + +``` + diff --git a/docs/queries/terraform-queries/azure/71884fcb-ae03-41c8-87b9-22c90353f256.md b/docs/queries/terraform-queries/azure/71884fcb-ae03-41c8-87b9-22c90353f256.md new file mode 100644 index 00000000000..1f128aa8044 --- /dev/null +++ b/docs/queries/terraform-queries/azure/71884fcb-ae03-41c8-87b9-22c90353f256.md 
@@ -0,0 +1,108 @@ +--- +title: Beta - Container Instances Not Using Private Virtual Networks +hide: + toc: true + navigation: true +--- + + + +- **Query id:** 71884fcb-ae03-41c8-87b9-22c90353f256 +- **Query name:** Beta - Container Instances Not Using Private Virtual Networks +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Networking and Firewall +- **CWE:** 306 +- **Risk score:** 1.0 +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/container_instances_not_using_private_virtual_networks) + +### Description +Ensuring container instances use private vNets reduces public exposure and limits potential security risks.
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/4.54.0/docs/resources/container_group) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="1" +resource "azurerm_container_group" "positive1" { + name = "cg-positive1" + location = "westeurope" + resource_group_name = "rg-test" + os_type = "Linux" + + container { + name = "app" + image = "nginx" + cpu = 1 + memory = 1 + } +} + +``` +```tf title="Positive test num. 2 - tf file" hl_lines="7" +resource "azurerm_container_group" "positive2" { + name = "cg-positive2" + location = "westeurope" + resource_group_name = "rg-test" + os_type = "Linux" + + ip_address_type = "Public" + + container { + name = "app" + image = "nginx" + cpu = 1 + memory = 1 + } +} + +``` +```tf title="Positive test num. 3 - tf file" hl_lines="7" +resource "azurerm_container_group" "positive3" { + name = "cg-positive3" + location = "westeurope" + resource_group_name = "rg-test" + os_type = "Linux" + + ip_address_type = "None" + + container { + name = "app" + image = "nginx" + cpu = 1 + memory = 1 + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_container_group" "negative" { + name = "cg-negative" + location = "westeurope" + resource_group_name = "rg-test" + os_type = "Linux" + + ip_address_type = "Private" + + subnet_ids=[module.subnets["snet_aci"].id] + + container { + name = "app" + image = "nginx" + cpu = 1 + memory = 1 + } +} + +``` + diff --git a/docs/queries/terraform-queries/azure/a5cfef8f-910e-4fd6-8155-f381b236a492.md b/docs/queries/terraform-queries/azure/a5cfef8f-910e-4fd6-8155-f381b236a492.md new file mode 100644 index 00000000000..6c45f262792 --- /dev/null +++ b/docs/queries/terraform-queries/azure/a5cfef8f-910e-4fd6-8155-f381b236a492.md 
@@ -0,0 +1,355 @@ +--- +title: Beta - VM Without Admin SSH Public Key Set +hide: + toc: true + navigation: true +--- + + + +- **Query id:** a5cfef8f-910e-4fd6-8155-f381b236a492 +- **Query name:** Beta - VM Without Admin SSH Public Key Set +- **Platform:** Terraform +- **Severity:** Medium +- **Category:** Access Control +- **CWE:** 521 +- **Risk score:** 3.0 +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/vm_without_admin_ssh_public_key_set) + +### Description +All linux based virtual machines should set SSH keys for enchanced security
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#public_key-1) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="24 1 40 45" +resource "azurerm_linux_virtual_machine" "positive1_1" { + name = "positive1_1-machine" + resource_group_name = azurerm_resource_group.positive1_1.name + location = azurerm_resource_group.positive1_1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1_1.id, + ] + + # missing "admin_ssh_key" +} + +resource "azurerm_linux_virtual_machine" "positive1_2" { + name = "positive1_2-machine" + resource_group_name = azurerm_resource_group.positive1_2.name + location = azurerm_resource_group.positive1_2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1_2.id, + ] + + admin_ssh_key { # single ssh key + username = "adminuser" + # missing "public_key" (tecnically required) + } +} + +resource "azurerm_linux_virtual_machine" "positive1_3" { + name = "positive1_3-machine" + resource_group_name = azurerm_resource_group.positive1_3.name + location = azurerm_resource_group.positive1_3.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive1_3.id, + ] + + admin_ssh_key { # ssh key array + username = "adminuser_1" + # missing "public_key" (tecnically required) + } + + admin_ssh_key { + username = "adminuser_2" + # missing "public_key" (tecnically required) + } +} + +``` +```tf title="Positive test num. 
2 - tf file" hl_lines="24 1 40 45" +resource "azurerm_linux_virtual_machine_scale_set" "positive2_1" { + name = "positive2_1-machine" + resource_group_name = azurerm_resource_group.positive2_1.name + location = azurerm_resource_group.positive2_1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive2_1.id, + ] + + # missing "admin_ssh_key" +} + +resource "azurerm_linux_virtual_machine_scale_set" "positive2_2" { + name = "positive2_2-machine" + resource_group_name = azurerm_resource_group.positive2_2.name + location = azurerm_resource_group.positive2_2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive2_2.id, + ] + + admin_ssh_key { # single ssh key + username = "adminuser" + # missing "public_key" (tecnically required) + } +} + +resource "azurerm_linux_virtual_machine_scale_set" "positive2_3" { + name = "positive2_3-machine" + resource_group_name = azurerm_resource_group.positive2_3.name + location = azurerm_resource_group.positive2_3.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.positive2_3.id, + ] + + admin_ssh_key { # ssh key array + username = "adminuser_1" + # missing "public_key" (tecnically required) + } + + admin_ssh_key { + username = "adminuser_2" + # missing "public_key" (tecnically required) + } +} + +``` +```json title="Positive test num. 
3 - json file" hl_lines="20" + +{ + "format_version": "1.2", + "terraform_version": "1.11.2", + "planned_values": { + "root_module": { + "child_modules": [ + { + "address": "module.example_module", + "resources": [ + { + "address": "module.example_module.azurerm_linux_virtual_machine.example_vm[0]", + "mode": "managed", + "type": "azurerm_linux_virtual_machine", + "name": "example_vm", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "schema_version": 0, + "values": { + "admin_ssh_key": [], + "name": "example-vm", + "location": "westeurope", + "resource_group_name": "example-rg", + "size": "Standard_D2s_v5", + "admin_username": "localadm", + "disable_password_authentication": false, + "provision_vm_agent": true, + "allow_extension_operations": true, + "priority": "Regular", + "identity": [ + { + "type": "SystemAssigned", + "identity_ids": null + } + ], + "os_disk": [ + { + "name": "example-vm-osdisk", + "caching": "ReadWrite", + "storage_account_type": "StandardSSD_LRS", + "write_accelerator_enabled": false + } + ], + "source_image_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/galleries/exampleGallery/images/RHEL8_Mutable/versions/latest", + "tags": { + "environment": "test", + "project": "sample" + }, + "zone": "1" + }, + "sensitive_values": { + "admin_password": true + } + } + ] + } + ] + } + }, + "resource_changes": [ + { + "address": "module.example_module.azurerm_linux_virtual_machine.example_vm[0]", + "module_address": "module.example_module", + "mode": "managed", + "type": "azurerm_linux_virtual_machine", + "name": "example_vm", + "index": 0, + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "change": { + "actions": ["create"], + "before": null, + "after": { + "name": "example-vm", + "location": "westeurope", + "resource_group_name": "example-rg", + "size": "Standard_D2s_v5", + "admin_username": "localadm", + "disable_password_authentication": false, 
+ "provision_vm_agent": true, + "allow_extension_operations": true, + "identity": [ + { + "type": "SystemAssigned", + "identity_ids": null + } + ], + "os_disk": [ + { + "name": "example-vm-osdisk", + "caching": "ReadWrite", + "storage_account_type": "StandardSSD_LRS" + } + ], + "source_image_id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Compute/galleries/exampleGallery/images/RHEL8_Mutable/versions/latest", + "tags": { + "environment": "test", + "project": "sample" + }, + "zone": "1" + }, + "after_unknown": { + "id": true, + "private_ip_address": true, + "public_ip_address": true, + "virtual_machine_id": true + } + } + } + ], + "configuration": { + "provider_config": { + "azurerm": { + "name": "azurerm", + "full_name": "registry.terraform.io/hashicorp/azurerm", + "version_constraint": "~> 4.8", + "expressions": { + "features": [ + { + "key_vault": [ + { + "purge_soft_delete_on_destroy": { "constant_value": false }, + "purge_soft_deleted_keys_on_destroy": { "constant_value": false }, + "recover_soft_deleted_key_vaults": { "constant_value": true }, + "recover_soft_deleted_keys": { "constant_value": true } + } + ] + } + ], + "resource_provider_registrations": { "constant_value": "none" } + } + } + } + } +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 
1 - tf file" +resource "azurerm_linux_virtual_machine" "negative1_1" { + name = "negative1_1-machine" + resource_group_name = azurerm_resource_group.negative1_1.name + location = azurerm_resource_group.negative1_1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative1_1.id, + ] + + admin_ssh_key { # single ssh key + username = "adminuser" + public_key = file("~/.ssh/id_rsa.pub") + } +} + +resource "azurerm_linux_virtual_machine" "negative1_2" { + name = "negative1_2-machine" + resource_group_name = azurerm_resource_group.negative1_2.name + location = azurerm_resource_group.negative1_2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative1_2.id, + ] + + admin_ssh_key { # ssh key array + username = "adminuser_1" + public_key = file("~/.ssh/id_rsa.pub") + } + + admin_ssh_key { + username = "adminuser_2" + public_key = file("~/.ssh/id_rsa.pub") + } +} + +``` +```tf title="Negative test num. 
2 - tf file" +resource "azurerm_linux_virtual_machine_scale_set" "negative2_1" { + name = "negative2_1-machine" + resource_group_name = azurerm_resource_group.negative2_1.name + location = azurerm_resource_group.negative2_1.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative2_1.id, + ] + + admin_ssh_key { # single ssh key + username = "adminuser" + public_key = file("~/.ssh/id_rsa.pub") + } +} + +resource "azurerm_linux_virtual_machine_scale_set" "negative2_2" { + name = "negative2_2-machine" + resource_group_name = azurerm_resource_group.negative2_2.name + location = azurerm_resource_group.negative2_2.location + size = "Standard_F2" + admin_username = "adminuser" + network_interface_ids = [ + azurerm_network_interface.negative2_2.id, + ] + + admin_ssh_key { # ssh key array + username = "adminuser_1" + public_key = file("~/.ssh/id_rsa.pub") + } + + admin_ssh_key { + username = "adminuser_2" + public_key = file("~/.ssh/id_rsa.pub") + } +} + +``` + diff --git a/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md b/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md index 4c32d6c6735..98f15f9f4de 100644 --- a/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md +++ b/docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md @@ -30,7 +30,7 @@ Ensure that the encryption is active on the disk
### Code samples #### Code samples with security vulnerabilities -```tf title="Positive test num. 1 - tf file" hl_lines="10 18" +```tf title="Positive test num. 1 - tf file" hl_lines="33 10 44 14" resource "azurerm_managed_disk" "positive1" { name = "acctestmd" location = "West US 2" @@ -39,12 +39,8 @@ resource "azurerm_managed_disk" "positive1" { create_option = "Empty" disk_size_gb = "1" - encryption_settings = { - enabled = false - } - - tags = { - environment = "staging" + encryption_settings { + enabled = false # legacy } } @@ -55,12 +51,32 @@ resource "azurerm_managed_disk" "positive2" { storage_account_type = "Standard_LRS" create_option = "Empty" disk_size_gb = "1" - - tags = { - environment = "staging" - } + # missing "encryption_settings" +} + +resource "azurerm_managed_disk" "positive3" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + encryption_settings {} +} + +resource "azurerm_managed_disk" "positive4" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + encryption_settings = [] # simulates "tfplan" } + ``` 
@@ -74,13 +90,66 @@ resource "azurerm_managed_disk" "negative1" { storage_account_type = "Standard_LRS" create_option = "Empty" disk_size_gb = "1" - - encryption_settings = { - enabled = true + + encryption_settings { + enabled = true # legacy + } +} + +resource "azurerm_managed_disk" "negative2" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + encryption_settings { + + disk_encryption_key { + secret_url = "sample_url" + source_vault_id = "sample_id" + } + + key_encryption_key { + secret_url = "sample_url" + source_vault_id = "sample_id" + } + + } +} + +resource "azurerm_managed_disk" "negative3" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + encryption_settings { + disk_encryption_key { + secret_url = "sample_url" + source_vault_id = "sample_id" + } } - tags = { - environment = "staging" +} + +resource "azurerm_managed_disk" "negative4" { + name = "acctestmd" + location = "West US 2" + resource_group_name = azurerm_resource_group.example.name + storage_account_type = "Standard_LRS" + create_option = "Empty" + disk_size_gb = "1" + + encryption_settings { + key_encryption_key { + secret_url = "sample_url" + source_vault_id = "sample_id" + } } } + ``` diff --git a/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md b/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md index d58edd56d00..f3ec605609e 100644 --- a/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md +++ b/docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md @@ -156,7 +156,7 @@ resource "azurerm_mariadb_firewall_rule" "mariadb_fw3" { ```
Positive test num. 4 - tf file -```tf hl_lines="25 42 33" +```tf hl_lines="24 41 32" resource "azurerm_resource_group" "psql_rg" { name = "example-postgres-rg" location = "West US" @@ -167,7 +167,6 @@ resource "azurerm_postgresql_server" "psql_server" { location = azurerm_resource_group.psql_rg.location resource_group_name = azurerm_resource_group.psql_rg.name administrator_login = "psqladmin" - administrator_login_password = "MyS3cureP4ss!" sku_name = "B_Gen5_2" storage_mb = 5120 version = "11" @@ -201,6 +200,7 @@ resource "azurerm_postgresql_firewall_rule" "psql_fw3" { start_ip_address = "0.0.0.0" end_ip_address = "0.0.0.0" } + ```
Positive test num. 5 - tf file diff --git a/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md b/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md index 3348932ee8f..85cd0ad51d1 100644 --- a/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md +++ b/docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md @@ -30,7 +30,7 @@ Azure Instances should use SSH Key instead of basic authentication
### Code samples #### Code samples with security vulnerabilities -```tf title="Positive test num. 1 - tf file" hl_lines="1" +```tf title="Positive test num. 1 - tf file" hl_lines="9" resource "azurerm_virtual_machine" "positive1" { name = "${var.prefix}-vm" location = azurerm_resource_group.main.location @@ -44,52 +44,140 @@ resource "azurerm_virtual_machine" "positive1" { } ``` -```tf title="Positive test num. 2 - tf file" hl_lines="1" -resource "azurerm_linux_virtual_machine" "positive1" { +```tf title="Positive test num. 2 - tf file" hl_lines="8" +resource "azurerm_linux_virtual_machine" "positive2" { name = "${var.prefix}-vm" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name network_interface_ids = [] vm_size = "Standard_DS1_v2" + disable_password_authentication = false } ``` +```tf title="Positive test num. 3 - tf file" hl_lines="9" +resource "azurerm_linux_virtual_machine_scale_set" "positive3" { + name = "positive3-vmss" + resource_group_name = azurerm_resource_group.positive3.name + location = azurerm_resource_group.positive3.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + disable_password_authentication = false +} + +``` +
Positive test num. 4 - tf file + +```tf hl_lines="7" +resource "azurerm_virtual_machine_scale_set" "positive4" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + + os_profile_linux_config { + disable_password_authentication = false + } +} + +``` +
#### Code samples without security vulnerabilities ```tf title="Negative test num. 1 - tf file" -resource "azurerm_linux_virtual_machine" "negative1" { +resource "azurerm_virtual_machine" "negative1_1" { name = "${var.prefix}-vm" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name network_interface_ids = [azurerm_network_interface.main.id] vm_size = "Standard_DS1_v2" - admin_ssh_key { - username = "adminuser" - public_key = file("~/.ssh/id_rsa.pub") + os_profile_linux_config { + disable_password_authentication = true } } +resource "azurerm_virtual_machine" "negative1_2" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [azurerm_network_interface.main.id] + vm_size = "Standard_DS1_v2" + + # missing "os_profile_linux_config" - means it is not a linux vm +} + ``` ```tf title="Negative test num. 2 - tf file" -resource "azurerm_virtual_machine" "negative1" { +resource "azurerm_linux_virtual_machine" "negative2_1" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + network_interface_ids = [azurerm_network_interface.main.id] + vm_size = "Standard_DS1_v2" + + # missing "disable_password_authentication" - defaults to true +} + +resource "azurerm_linux_virtual_machine" "negative2_2" { name = "${var.prefix}-vm" location = azurerm_resource_group.main.location resource_group_name = azurerm_resource_group.main.name network_interface_ids = [azurerm_network_interface.main.id] vm_size = "Standard_DS1_v2" + disable_password_authentication = true +} + +``` +```tf title="Negative test num. 
3 - tf file" +resource "azurerm_linux_virtual_machine_scale_set" "negative3_1" { + name = "negative3_1-vmss" + resource_group_name = azurerm_resource_group.negative3_1.name + location = azurerm_resource_group.negative3_1.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + # missing "disable_password_authentication" - defaults to true +} + +resource "azurerm_linux_virtual_machine_scale_set" "negative3_2" { + name = "negative3_2-vmss" + resource_group_name = azurerm_resource_group.negative3_2.name + location = azurerm_resource_group.negative3_2.location + sku = "Standard_F2" + instances = 1 + admin_username = "adminuser" + + disable_password_authentication = true +} + +``` +
Negative test num. 4 - tf file + +```tf +resource "azurerm_virtual_machine_scale_set" "negative4_1" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + os_profile_linux_config { disable_password_authentication = true } +} - admin_ssh_key { - username = "adminuser" - public_key = file("~/.ssh/id_rsa.pub") - } +resource "azurerm_virtual_machine_scale_set" "negative4_2" { + name = "${var.prefix}-vm" + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + + # missing "os_profile_linux_config" - means it is not a linux vm } ``` +
diff --git a/docs/queries/terraform-queries/azure/fbb8e5e0-6dea-41d3-8739-4f2405b0e22a.md b/docs/queries/terraform-queries/azure/fbb8e5e0-6dea-41d3-8739-4f2405b0e22a.md new file mode 100644 index 00000000000..6c04d7db60f --- /dev/null +++ b/docs/queries/terraform-queries/azure/fbb8e5e0-6dea-41d3-8739-4f2405b0e22a.md @@ -0,0 +1,68 @@ +--- +title: Beta - Key Vault Without HSM Protection +hide: + toc: true + navigation: true +--- + + + +- **Query id:** fbb8e5e0-6dea-41d3-8739-4f2405b0e22a +- **Query name:** Beta - Key Vault Without HSM Protection +- **Platform:** Terraform +- **Severity:** Low +- **Category:** Encryption +- **CWE:** 326 +- **Risk score:** 1.0 +- **URL:** [Github](https://github.com/Checkmarx/kics/tree/master/assets/queries/terraform/azure/key_vault_without_hsm_protection) + +### Description +Key Vaults should set key type to one that uses HSM for added security
+[Documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#key_type-1) + +### Code samples +#### Code samples with security vulnerabilities +```tf title="Positive test num. 1 - tf file" hl_lines="11 4" +resource "azurerm_key_vault_key" "positive1" { + name = "positive1-certificate" + key_vault_id = azurerm_key_vault.example.id + key_type = "RSA" + key_size = 2048 +} + +resource "azurerm_key_vault_key" "positive2" { + name = "positive2-certificate" + key_vault_id = azurerm_key_vault.example.id + key_type = "EC" + key_size = 2048 +} + +``` + + +#### Code samples without security vulnerabilities +```tf title="Negative test num. 1 - tf file" +resource "azurerm_key_vault_key" "negative1" { + name = "negative1-certificate" + key_vault_id = azurerm_key_vault.example.id + key_type = "RSA-HSM" + key_size = 2048 +} + +resource "azurerm_key_vault_key" "negative2" { + name = "negative2-certificate" + key_vault_id = azurerm_key_vault.example.id + key_type = "EC-HSM" + key_size = 2048 +} + +``` +
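Review bot: in docs/queries/terraform-queries/azure/59528fe9-0c8e-4153-8016-445911a2d933.md, Positive test num. 4, `positive4_2` is declared as `azurerm_windows_virtual_machine_scale_set` but carries `name = "positive4_2-machine"`, `size = "Standard_F2"` and `network_interface_ids`, which are `azurerm_windows_virtual_machine` arguments; `positive4_1` in the same block correctly uses the scale-set arguments `sku` and `computer_name_prefix`. Make `positive4_2` mirror `positive4_1` with `extension_operations_enabled = true` added so the sample is a valid scale set. The description should also state that the argument name differs by resource (`allow_extension_operations` on the VM resources, `extension_operations_enabled` on the scale sets) and that omitting it is a finding because the provider default is `true`; it is also missing its trailing period.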
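Review bot: the title and description in docs/queries/terraform-queries/azure/68403c84-8497-449b-9946-ae848765813f.md overstate what the samples check. Azure managed disks are always encrypted at rest with platform-managed keys; what `positive1` lacks is `disk_encryption_set_id` or `secure_vm_disk_encryption_set_id`, that is, a customer-managed (or confidential-VM) disk encryption set. Reword the description to say the query enforces a disk encryption set, so users are not told their disks are unencrypted, and mention that `secure_vm_disk_encryption_set_id` applies only to confidential VM disks, since the negative sample presents it as an interchangeable alternative. The sentence "Using disk encryption on managed disks data improves ..." also reads awkwardly ("on managed disks data") and lacks its trailing period.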
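Review bot: Positive test num. 3 in docs/queries/terraform-queries/azure/71884fcb-ae03-41c8-87b9-22c90353f256.md flags `ip_address_type = "None"`, but a container group with no IP address is not publicly exposed, so the description's rationale ("reduces public exposure") does not cover that case; either explain in the description why `None` is a finding (for example that the query requires an explicit `Private` address type with `subnet_ids`) or move that sample to the negative set. Two smaller points: the Documentation link pins provider version 4.54.0 while the other new pages link to `latest`, and `subnet_ids=[module.subnets["snet_aci"].id]` in the negative sample should be written `subnet_ids = [...]` like the rest of the samples (`terraform fmt`).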
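Review bot: in docs/queries/terraform-queries/azure/a5cfef8f-910e-4fd6-8155-f381b236a492.md the scale-set samples (Positive test num. 2 and Negative test num. 2) declare `azurerm_linux_virtual_machine_scale_set` but use the VM arguments `size` and `network_interface_ids` and name the resources `*-machine`; that resource takes `sku` and `instances`, as the scale-set samples in 59528fe9-0c8e-4153-8016-445911a2d933.md already do. Also fix the typos "enchanced" in the description (capitalise "Linux" and add the trailing period) and "tecnically" in the six `# missing "public_key"` comments. Since `public_key` is a required argument of `admin_ssh_key`, the tf positives `positive1_2`, `positive1_3`, `positive2_2` and `positive2_3` would not pass `terraform validate`; the JSON plan sample with `"admin_ssh_key": []` is the realistic case, and a sentence in the description saying the query also covers scanned plans would help.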
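Review bot: in the first hunk of docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md, `positive4` uses `encryption_settings = [] # simulates "tfplan"`; `encryption_settings` is a block, so attribute syntax is not valid HCL for this resource and the sample will not pass `terraform validate`. If the intent is to exercise the plan-JSON path where blocks appear as lists, add a JSON plan positive sample as a5cfef8f-910e-4fd6-8155-f381b236a492.md does in its Positive test num. 3, rather than invalid HCL. The `# legacy` comment on `enabled = false` should also say which provider versions still accept `enabled`, since the block-presence form is what the negative samples rely on.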
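Review bot: in the second hunk of docs/queries/terraform-queries/azure/a99130ab-4c0e-43aa-97f8-78d4fcb30024.md, `negative3` and `negative4` each set only one of `disk_encryption_key` / `key_encryption_key`; if the query treats either reference as sufficient, the description ("Ensure that the encryption is active on the disk") should state that an `encryption_settings` block containing either key reference counts as enabled, otherwise one of the two belongs in the positive set. Minor: `negative2` has stray blank lines directly inside `encryption_settings {` that the other samples do not have; run the samples through `terraform fmt`.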
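Review bot: the `hl_lines` renumbering from `25 42 33` to `24 41 32` in docs/queries/terraform-queries/azure/d7ba74da-2da0-4d4b-83c8-2fd72a3f6c28.md matches the single `administrator_login_password` line removed above them, and dropping that hardcoded password from the sample is the right call. Across this PR the `hl_lines` values are unsorted (`24 1`, `33 10 44 14`, `11 4`); sorting them ascending would make future renumbering like this one easier to check.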
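Review bot: in the second hunk of docs/queries/terraform-queries/azure/dafe30ec-325d-4516-85d1-e8e6776f012c.md, `negative2_1` and `negative2_2` are `azurerm_linux_virtual_machine` resources but set `vm_size = "Standard_DS1_v2"`; that resource's argument is `size`, while `vm_size` belongs to `azurerm_virtual_machine` as used in `negative1_1`. The renamed `positive2` has the same mismatch and is touched by this hunk, so fix it there too. The `# missing "disable_password_authentication" - defaults to true` comments are correct for both `azurerm_linux_virtual_machine` and `azurerm_linux_virtual_machine_scale_set`; that default is worth stating in the description, since the negative cases depend on it and the older `azurerm_virtual_machine` / `azurerm_virtual_machine_scale_set` resources only carry it inside `os_profile_linux_config`.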
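Review bot: in docs/queries/terraform-queries/azure/fbb8e5e0-6dea-41d3-8739-4f2405b0e22a.md, `positive2` (`key_type = "EC"`) and `negative2` (`key_type = "EC-HSM"`) set `key_size = 2048`; for EC keys `azurerm_key_vault_key` takes `curve` (for example `"P-256"`) and `key_size` applies only to RSA keys, so use `curve` in those two samples. The description says "Key Vaults should set key type", but the resource is the key, not the vault; reword to "Key Vault keys should use an HSM-backed key type (RSA-HSM or EC-HSM)" and mention that HSM-backed keys require the vault's `sku_name` to be `premium`, which users will hit when applying the negative sample. The `-certificate` suffix in the key names is also misleading for key resources.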