org.sonar.l10n.javascript.rules.javascript.S6329.html
Enabling public network access to cloud resources can affect an organization's ability to protect its data or internal operations from data theft or disruption.
Depending on the component, inbound access from the Internet can be enabled via:
- a boolean value that explicitly allows access to the public network.
- the assignment of a public IP address.
- database firewall rules that allow public IP ranges.
A decision to allow public access may be made for various reasons, such as quick maintenance or saving time, or it may happen by accident.
This decision increases the likelihood of attacks on the organization, such as:
- data breaches.
- intrusions into the infrastructure that persist and allow ongoing theft from it.
- various kinds of malicious traffic, such as DDoS attacks.
Ask Yourself Whether
This cloud resource:
- should be publicly accessible to any Internet user.
- requires inbound traffic from the Internet to function properly.
There is a risk if you answered no to any of those questions.
Recommended Secure Coding Practices
Avoid publishing cloud services on the Internet unless they are intended to be publicly accessible, such as customer portals or e-commerce sites.
Use private networks (and associated private IP addresses) and VPC peering or other secure communication tunnels to communicate with other cloud components.
The goal is to prevent the component from accepting traffic that arrives via the public IP address. If the cloud resource does not support the absence of a public IP address, assign a public IP address to it, but do not create listeners bound to that public IP address.
Sensitive Code Example
For aws-cdk-lib.aws_ec2.Instance and similar constructs:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

// nanoT2 (an ec2.InstanceType) and vpc (an ec2.IVpc) are assumed to be defined earlier in the stack
new ec2.Instance(this, "example", {
  instanceType: nanoT2,
  machineImage: ec2.MachineImage.latestAmazonLinux(),
  vpc: vpc,
  vpcSubnets: {subnetType: ec2.SubnetType.PUBLIC} // Sensitive
})
For aws-cdk-lib.aws_ec2.CfnInstance:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

// vpc (an ec2.IVpc) is assumed to be defined earlier in the stack
new ec2.CfnInstance(this, "example", {
  instanceType: "t2.micro",
  imageId: "ami-0ea0f26a6d50850c5",
  networkInterfaces: [
    {
      deviceIndex: "0",
      associatePublicIpAddress: true, // Sensitive
      deleteOnTermination: true,
      subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PUBLIC}).subnetIds[0]
    }
  ]
})
For aws-cdk-lib.aws_dms.CfnReplicationInstance:
import {aws_dms as dms} from 'aws-cdk-lib'

// vpc (an ec2.IVpc) and subnetGroup (a dms.CfnReplicationSubnetGroup) are assumed to be defined earlier in the stack
new dms.CfnReplicationInstance(this, "example", {
  replicationInstanceClass: "dms.t2.micro",
  allocatedStorage: 5,
  publiclyAccessible: true, // Sensitive
  replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,
  vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]
})
For aws-cdk-lib.aws_rds.CfnDBInstance:
import {aws_ec2 as ec2, aws_rds as rds} from 'aws-cdk-lib'

// vpc (an ec2.IVpc) and sg (an ec2.ISecurityGroup) are assumed to be defined earlier in the stack
const rdsSubnetGroupPublic = new rds.CfnDBSubnetGroup(this, "publicSubnet", {
  dbSubnetGroupDescription: "Subnets",
  dbSubnetGroupName: "publicSn",
  subnetIds: vpc.selectSubnets({
    subnetType: ec2.SubnetType.PUBLIC
  }).subnetIds
})

new rds.CfnDBInstance(this, "example", {
  engine: "postgres",
  masterUsername: "foobar",
  masterUserPassword: "12345678",
  dbInstanceClass: "db.r5.large",
  allocatedStorage: "200",
  iops: 1000,
  dbSubnetGroupName: rdsSubnetGroupPublic.ref,
  publiclyAccessible: true, // Sensitive
  vpcSecurityGroups: [sg.securityGroupId]
})
Compliant Solution
For aws-cdk-lib.aws_ec2.Instance and similar constructs:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

// nanoT2 (an ec2.InstanceType) and vpc (an ec2.IVpc) are assumed to be defined earlier in the stack
new ec2.Instance(this, "example", {
  instanceType: nanoT2,
  machineImage: ec2.MachineImage.latestAmazonLinux(),
  vpc: vpc,
  vpcSubnets: {subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}
})
For aws-cdk-lib.aws_ec2.CfnInstance:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

// vpc (an ec2.IVpc) is assumed to be defined earlier in the stack
new ec2.CfnInstance(this, "example", {
  instanceType: "t2.micro",
  imageId: "ami-0ea0f26a6d50850c5",
  networkInterfaces: [
    {
      deviceIndex: "0",
      associatePublicIpAddress: false,
      deleteOnTermination: true,
      subnetId: vpc.selectSubnets({subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS}).subnetIds[0]
    }
  ]
})
For aws-cdk-lib.aws_dms.CfnReplicationInstance:
import {aws_dms as dms} from 'aws-cdk-lib'

// vpc (an ec2.IVpc) and subnetGroup (a dms.CfnReplicationSubnetGroup) are assumed to be defined earlier in the stack
new dms.CfnReplicationInstance(this, "example", {
  replicationInstanceClass: "dms.t2.micro",
  allocatedStorage: 5,
  publiclyAccessible: false,
  replicationSubnetGroupIdentifier: subnetGroup.replicationSubnetGroupIdentifier,
  vpcSecurityGroupIds: [vpc.vpcDefaultSecurityGroup]
})
For aws-cdk-lib.aws_rds.CfnDBInstance:
import {aws_ec2 as ec2, aws_rds as rds} from 'aws-cdk-lib'

// vpc (an ec2.IVpc) and sg (an ec2.ISecurityGroup) are assumed to be defined earlier in the stack
// The subnet group needs its own construct id; reusing "example" for both the
// subnet group and the DB instance would be a duplicate-id error in the CDK.
const rdsSubnetGroupPrivate = new rds.CfnDBSubnetGroup(this, "privateSubnet", {
  dbSubnetGroupDescription: "Subnets",
  dbSubnetGroupName: "privateSn",
  subnetIds: vpc.selectSubnets({
    subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS
  }).subnetIds
})

new rds.CfnDBInstance(this, "example", {
  engine: "postgres",
  masterUsername: "foobar",
  masterUserPassword: "12345678",
  dbInstanceClass: "db.r5.large",
  allocatedStorage: "200",
  iops: 1000,
  dbSubnetGroupName: rdsSubnetGroupPrivate.ref,
  publiclyAccessible: false,
  vpcSecurityGroups: [sg.securityGroupId]
})
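The three exposure mechanisms listed at the top of this rule (the explicit boolean, the assigned public IP address, and placement in a public subnet) can be checked a second time after `cdk synth`, on the CloudFormation template the CDK writes to cdk.out/, so that a CI job catches them regardless of which construct produced them. The TypeScript below is an added example written for this page; it is neither SonarSource's rule implementation nor AWS CDK code. It assumes the VPC was created by the CDK Vpc construct, which tags each subnet with aws-cdk:subnet-type (Public, Private or Isolated); the function names findPublicExposure, publicSubnetIds and refTarget, and the sample template, are constructed for the example.

```typescript
// Added example (not from the SonarSource rule page or the CDK): scan a
// synthesized CloudFormation template (cdk.out/<stack>.template.json) for
// the public-exposure settings this rule describes. Sample data is constructed.

type Json = { [key: string]: any };

interface Finding {
  logicalId: string;
  resourceType: string;
  reason: string;
}

// Assumption: the VPC was built by the CDK Vpc construct, which tags each
// subnet it creates with aws-cdk:subnet-type = Public | Private | Isolated.
function publicSubnetIds(template: Json): string[] {
  const resources: Json = template.Resources || {};
  const ids: string[] = [];
  for (const id of Object.keys(resources)) {
    const res: Json = resources[id];
    if (res.Type !== "AWS::EC2::Subnet") continue;
    const tags: Json[] = (res.Properties && res.Properties.Tags) || [];
    if (tags.some(t => t.Key === "aws-cdk:subnet-type" && t.Value === "Public")) {
      ids.push(id);
    }
  }
  return ids;
}

// Resolve a {"Ref": "LogicalId"} value to the logical id, else undefined.
function refTarget(value: any): string | undefined {
  return value && typeof value === "object" && typeof value.Ref === "string"
    ? value.Ref
    : undefined;
}

function findPublicExposure(template: Json): Finding[] {
  const findings: Finding[] = [];
  const publicSubnets = publicSubnetIds(template);
  const resources: Json = template.Resources || {};
  const flag = (logicalId: string, resourceType: string, reason: string) => {
    findings.push({ logicalId, resourceType, reason });
  };

  for (const id of Object.keys(resources)) {
    const res: Json = resources[id];
    const props: Json = res.Properties || {};
    switch (res.Type) {
      case "AWS::EC2::Instance": {
        // Assignment of a public IP address on a network interface.
        const interfaces: Json[] = props.NetworkInterfaces || [];
        for (const ni of interfaces) {
          if (ni.AssociatePublicIpAddress === true) {
            flag(id, res.Type, "NetworkInterfaces[].AssociatePublicIpAddress is true");
          }
        }
        // Placement in a public subnet, whether the subnet is set on the
        // instance (ec2.Instance) or on the interface (CfnInstance).
        const subnetRefs: any[] = [props.SubnetId].concat(interfaces.map(ni => ni.SubnetId));
        for (const ref of subnetRefs) {
          const target = refTarget(ref);
          if (target !== undefined && publicSubnets.indexOf(target) >= 0) {
            flag(id, res.Type, "placed in public subnet " + target);
          }
        }
        break;
      }
      case "AWS::DMS::ReplicationInstance":
      case "AWS::RDS::DBInstance":
        // The boolean that explicitly publishes the endpoint.
        if (props.PubliclyAccessible === true) {
          flag(id, res.Type, "PubliclyAccessible is true");
        }
        break;
    }
  }
  return findings;
}

// Constructed sample template: a public and a private subnet, an instance
// in each, and a database published with PubliclyAccessible.
const sampleTemplate: Json = {
  Resources: {
    PublicSubnet: { Type: "AWS::EC2::Subnet",
      Properties: { Tags: [{ Key: "aws-cdk:subnet-type", Value: "Public" }] } },
    PrivateSubnet: { Type: "AWS::EC2::Subnet",
      Properties: { Tags: [{ Key: "aws-cdk:subnet-type", Value: "Private" }] } },
    WebInstance: { Type: "AWS::EC2::Instance",
      Properties: { NetworkInterfaces: [{ DeviceIndex: "0",
        AssociatePublicIpAddress: true, SubnetId: { Ref: "PublicSubnet" } }] } },
    AppInstance: { Type: "AWS::EC2::Instance",
      Properties: { SubnetId: { Ref: "PrivateSubnet" } } },
    Db: { Type: "AWS::RDS::DBInstance",
      Properties: { Engine: "postgres", PubliclyAccessible: true } },
  },
};

// A CI job would fail the build when this list is not empty.
for (const f of findPublicExposure(sampleTemplate)) {
  console.log(`${f.logicalId} (${f.resourceType}): ${f.reason}`);
}
```

On the sample template the check reports the web instance twice (public IP and public subnet) and the database once, and nothing for the instance in the private subnet, which mirrors the three Sensitive markers in the code above. Subnets imported from outside the CDK (for example via Vpc.fromLookup) carry no aws-cdk:subnet-type tag and would need a route-table check instead.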
See
- AWS Documentation - Amazon EC2 instance IP addressing
- AWS Documentation - Public and private replication instances
- AWS Documentation - VPC Peering
- CWE - CWE-284 - Improper Access Control
- CWE - CWE-668 - Exposure of Resource to Wrong Sphere