org.sonar.l10n.javascript.rules.javascript.S6321.html
Why is this an issue?
Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and outbound traffic.
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.
What is the potential impact?
Like any other service, administration services can contain vulnerabilities. Administration services run with elevated privileges and thus a vulnerability could have a high impact on the system.
Additionally, credentials might be leaked through phishing or similar techniques. Attackers who are able to reach the services could use the credentials to log in to the system.
How to fix it
It is recommended to restrict access to remote administration services to only trusted IP addresses. In practice, trusted IP addresses are those held by system administrators or those of bastion-like servers.
Code examples
Noncompliant code example
For aws-cdk-lib.aws_ec2.Instance and other constructs that support a connections attribute:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

// nanoT2 and vpc are defined elsewhere in the stack
const instance = new ec2.Instance(this, "default-own-security-group", {
  instanceType: nanoT2,
  machineImage: ec2.MachineImage.latestAmazonLinux(),
  vpc: vpc,
  instanceName: "test-instance"
})
instance.connections.allowFrom(
  ec2.Peer.anyIpv4(), // Noncompliant
  ec2.Port.tcp(22),
  /*description*/ "Allows SSH from all IPv4"
)
For aws-cdk-lib.aws_ec2.SecurityGroup:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

const securityGroup = new ec2.SecurityGroup(this, "custom-security-group", {
  vpc: vpc
})
securityGroup.addIngressRule(
  ec2.Peer.anyIpv4(), // Noncompliant: the range 1-1024 includes port 22
  ec2.Port.tcpRange(1, 1024)
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroup:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnSecurityGroup(
  this,
  "cfn-based-security-group", {
    groupDescription: "cfn based security group",
    groupName: "cfn-based-security-group",
    vpcId: vpc.vpcId,
    securityGroupIngress: [
      {
        ipProtocol: "6", // IANA protocol number for TCP
        cidrIp: "0.0.0.0/0", // Noncompliant
        fromPort: 22,
        toPort: 22
      }
    ]
  }
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnSecurityGroupIngress( // Noncompliant
  this,
  "ingress-all-ip-tcp-ssh", {
    ipProtocol: "tcp",
    cidrIp: "0.0.0.0/0",
    fromPort: 22,
    toPort: 22,
    groupId: securityGroup.attrGroupId
  }
)
Compliant solution
For aws-cdk-lib.aws_ec2.Instance and other constructs that support a connections attribute:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

// nanoT2 and vpc are defined elsewhere in the stack
const instance = new ec2.Instance(this, "default-own-security-group", {
  instanceType: nanoT2,
  machineImage: ec2.MachineImage.latestAmazonLinux(),
  vpc: vpc,
  instanceName: "test-instance"
})
instance.connections.allowFrom(
  ec2.Peer.ipv4("192.0.2.0/24"), // Compliant: only a trusted range
  ec2.Port.tcp(22),
  /*description*/ "Allows SSH from a trusted range"
)
For aws-cdk-lib.aws_ec2.SecurityGroup:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

const securityGroup3 = new ec2.SecurityGroup(this, "custom-security-group", {
  vpc: vpc
})
securityGroup3.addIngressRule(
  ec2.Peer.anyIpv4(), // Compliant: the range does not cover an administration port
  ec2.Port.tcpRange(1024, 1048)
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroup:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnSecurityGroup(
  this,
  "cfn-based-security-group", {
    groupDescription: "cfn based security group",
    groupName: "cfn-based-security-group",
    vpcId: vpc.vpcId,
    securityGroupIngress: [
      {
        ipProtocol: "6", // IANA protocol number for TCP
        cidrIp: "192.0.2.0/24", // Compliant: only a trusted range
        fromPort: 22,
        toPort: 22
      }
    ]
  }
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress:
import {aws_ec2 as ec2} from 'aws-cdk-lib'

new ec2.CfnSecurityGroupIngress( // Compliant: port 80 is not an administration port
  this,
  "ingress-all-ipv4-tcp-http", {
    ipProtocol: "6",
    cidrIp: "0.0.0.0/0",
    fromPort: 80,
    toPort: 80,
    groupId: securityGroup.attrGroupId
  }
)
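A defender-side check, added here and not part of the Sonar rule or of aws-cdk-lib: it walks the CloudFormation template that cdk synth emits for the constructs above and reports ingress rules that admit any source address (0.0.0.0/0 or ::/0) on an administration port, including rules whose port range merely covers such a port and "-1" rules that allow all protocols. The administration-port list and the sample template are assumptions constructed for this example.

```typescript
// Ports treated as administration ports (assumption for this example:
// 22 is named on the page, 3389/RDP is added as another common one).
const ADMIN_PORTS = [22, 3389];

interface Ingress {
  IpProtocol: string;      // "tcp", "6" (IANA number for TCP) or "-1" (all)
  CidrIp?: string;
  CidrIpv6?: string;
  FromPort?: number;
  ToPort?: number;
}

interface Template {
  Resources: Record<string, { Type: string; Properties: any }>;
}

function isOpenToWorld(r: Ingress): boolean {
  return r.CidrIp === "0.0.0.0/0" || r.CidrIpv6 === "::/0";
}

function coversAdminPort(r: Ingress): boolean {
  if (r.IpProtocol === "-1") return true;                 // all protocols, all ports
  if (!["tcp", "6"].includes(r.IpProtocol)) return false; // only TCP matters here
  const from = r.FromPort ?? 0, to = r.ToPort ?? 65535;   // missing bounds = whole range
  return ADMIN_PORTS.some((p) => p >= from && p <= to);
}

// Returns the logical IDs of resources carrying an offending ingress rule.
function findExposedAdminPorts(t: Template): string[] {
  const hits: string[] = [];
  for (const [id, res] of Object.entries(t.Resources)) {
    const rules: Ingress[] =
      res.Type === "AWS::EC2::SecurityGroup" ? res.Properties.SecurityGroupIngress ?? []
      : res.Type === "AWS::EC2::SecurityGroupIngress" ? [res.Properties]
      : [];
    if (rules.some((r) => isOpenToWorld(r) && coversAdminPort(r))) hits.push(id);
  }
  return hits;
}

// Constructed template fragment mirroring the page's four cases.
const sampleTemplate: Template = { Resources: {
  SshFromAnywhere: { Type: "AWS::EC2::SecurityGroupIngress",
    Properties: { IpProtocol: "tcp", CidrIp: "0.0.0.0/0", FromPort: 22, ToPort: 22, GroupId: "sg-placeholder" } },
  LowPortsFromAnywhere: { Type: "AWS::EC2::SecurityGroup",
    Properties: { GroupDescription: "sg", SecurityGroupIngress: [{ IpProtocol: "6", CidrIp: "0.0.0.0/0", FromPort: 1, ToPort: 1024 }] } },
  SshFromTrusted: { Type: "AWS::EC2::SecurityGroup",
    Properties: { GroupDescription: "sg", SecurityGroupIngress: [{ IpProtocol: "6", CidrIp: "192.0.2.0/24", FromPort: 22, ToPort: 22 }] } },
  HttpFromAnywhere: { Type: "AWS::EC2::SecurityGroupIngress",
    Properties: { IpProtocol: "6", CidrIp: "0.0.0.0/0", FromPort: 80, ToPort: 80, GroupId: "sg-placeholder" } },
} };
```

Run it against the JSON under cdk.out after cdk synth to catch the same misconfigurations before deployment, independently of the static analyzer.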
Resources
Documentation
- AWS Documentation - Security groups for your VPC
- Azure Documentation - Network security groups
- GCP Documentation - Firewalls
Standards