org.sonar.l10n.py.rules.python.S6321.html
Why is this an issue?
Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and outbound traffic.
Any firewall rule allowing traffic from all IP addresses (0.0.0.0/0 or ::/0) to the standard network ports on which administration services traditionally listen, such as 22 for SSH or 3389 for RDP, can expose these services to exploits and unauthorized access.
What is the potential impact?
Like any other service, administration services can contain vulnerabilities. Administration services run with elevated privileges and thus a
vulnerability could have a high impact on the system.
Additionally, credentials might be leaked through phishing or similar techniques. Attackers who are able to reach the services could use the
credentials to log in to the system.
How to fix it
It is recommended to restrict access to remote administration services to trusted IP addresses only. In practice, trusted IP addresses are those used by system administrators or those of bastion hosts through which administrators connect.
Code examples
Noncompliant code example
For aws_cdk.aws_ec2.Instance and other constructs that support a connections attribute:

from aws_cdk import aws_ec2 as ec2

# self is the enclosing Stack; vpc (ec2.Vpc) and nano_t2 (ec2.InstanceType) are defined earlier in it.
instance = ec2.Instance(
    self,
    "my_instance",
    instance_type=nano_t2,
    machine_image=ec2.MachineImage.latest_amazon_linux(),
    vpc=vpc
)
instance.connections.allow_from(
    ec2.Peer.any_ipv4(),  # Noncompliant: SSH reachable from every IPv4 address
    ec2.Port.tcp(22),
    description="Allows SSH from all IPv4"
)
instance.connections.allow_from_any_ipv4(  # Noncompliant: RDP reachable from every IPv4 address
    ec2.Port.tcp(3389),
    description="Allows Terminal Server from all IPv4"
)
For aws_cdk.aws_ec2.SecurityGroup

from aws_cdk import aws_ec2 as ec2

# self is the enclosing Stack; vpc (ec2.Vpc) is defined earlier in it.
security_group = ec2.SecurityGroup(
    self,
    "custom-security-group",
    vpc=vpc
)
security_group.add_ingress_rule(
    ec2.Peer.any_ipv4(),  # Noncompliant: the range 1-1024 includes SSH (22)
    ec2.Port.tcp_range(1, 1024)
)
For aws_cdk.aws_ec2.CfnSecurityGroup

from aws_cdk import aws_ec2 as ec2

# self is the enclosing Stack; vpc (ec2.Vpc) is defined earlier in it.
ec2.CfnSecurityGroup(
    self,
    "cfn-based-security-group",
    group_description="cfn based security group",
    group_name="cfn-based-security-group",
    vpc_id=vpc.vpc_id,
    security_group_ingress=[
        ec2.CfnSecurityGroup.IngressProperty(  # Noncompliant: SSH from every IPv4 address (protocol number 6 is TCP)
            ip_protocol="6",
            cidr_ip="0.0.0.0/0",
            from_port=22,
            to_port=22
        ),
        ec2.CfnSecurityGroup.IngressProperty(  # Noncompliant: RDP from every IPv4 address
            ip_protocol="tcp",
            cidr_ip="0.0.0.0/0",
            from_port=3389,
            to_port=3389
        ),
        {  # Noncompliant: every protocol and port from every IPv6 address (a dict is accepted in place of IngressProperty)
            "ipProtocol": "-1",
            "cidrIpv6": "::/0"
        }
    ]
)
For aws_cdk.aws_ec2.CfnSecurityGroupIngress

from aws_cdk import aws_ec2 as ec2

# security_group is the ec2.CfnSecurityGroup defined above; attr_group_id is its GroupId attribute.
ec2.CfnSecurityGroupIngress(  # Noncompliant: SSH from every IPv4 address
    self,
    "ingress-all-ip-tcp-ssh",
    ip_protocol="tcp",
    cidr_ip="0.0.0.0/0",
    from_port=22,
    to_port=22,
    group_id=security_group.attr_group_id
)
ec2.CfnSecurityGroupIngress(  # Noncompliant: every protocol and port from every IPv6 address
    self,
    "ingress-all-ipv6-all-tcp",
    ip_protocol="-1",
    cidr_ipv6="::/0",
    group_id=security_group.attr_group_id
)
Compliant solution
For aws_cdk.aws_ec2.Instance and other constructs that support a connections attribute:

from aws_cdk import aws_ec2 as ec2

# self is the enclosing Stack; vpc (ec2.Vpc) and nano_t2 (ec2.InstanceType) are defined earlier in it.
instance = ec2.Instance(
    self,
    "my_instance",
    instance_type=nano_t2,
    machine_image=ec2.MachineImage.latest_amazon_linux(),
    vpc=vpc
)
# A non-administration port may stay world-reachable; the rule only targets administration ports.
instance.connections.allow_from_any_ipv4(
    ec2.Port.tcp(1234),
    description="Allows 1234 from all IPv4"
)
# SSH is restricted to the administrators' network (192.0.2.0/24 is a documentation range, substitute your own).
instance.connections.allow_from(
    ec2.Peer.ipv4("192.0.2.0/24"),
    ec2.Port.tcp(22),
    description="Allows SSH from the administration network only"
)
For aws_cdk.aws_ec2.SecurityGroup

from aws_cdk import aws_ec2 as ec2

# self is the enclosing Stack; vpc (ec2.Vpc) is defined earlier in it.
security_group = ec2.SecurityGroup(
    self,
    "custom-security-group",
    vpc=vpc
)
security_group.add_ingress_rule(
    ec2.Peer.any_ipv4(),  # Compliant: the range 1024-1048 contains no administration port
    ec2.Port.tcp_range(1024, 1048)
)
For aws_cdk.aws_ec2.CfnSecurityGroup

from aws_cdk import aws_ec2 as ec2

# self is the enclosing Stack; vpc (ec2.Vpc) is defined earlier in it.
ec2.CfnSecurityGroup(
    self,
    "cfn-based-security-group",
    group_description="cfn based security group",
    group_name="cfn-based-security-group",
    vpc_id=vpc.vpc_id,
    security_group_ingress=[
        ec2.CfnSecurityGroup.IngressProperty(  # Compliant: no administration port in 1024-1048
            ip_protocol="tcp",
            cidr_ip="0.0.0.0/0",
            from_port=1024,
            to_port=1048
        ),
        {  # Compliant: SSH only from the administration network
            "ipProtocol": "6",
            "cidrIp": "192.0.2.0/24",
            "fromPort": 22,
            "toPort": 22
        }
    ]
)
For aws_cdk.aws_ec2.CfnSecurityGroupIngress

from aws_cdk import aws_ec2 as ec2

# security_group is the ec2.CfnSecurityGroup defined above; attr_group_id is its GroupId attribute.
ec2.CfnSecurityGroupIngress(  # Compliant: HTTP is not an administration service
    self,
    "ingress-all-ipv4-tcp-http",
    ip_protocol="6",
    cidr_ip="0.0.0.0/0",
    from_port=80,
    to_port=80,
    group_id=security_group.attr_group_id
)
ec2.CfnSecurityGroupIngress(  # Compliant: RDP only from the administration network
    self,
    "ingress-range-tcp-rdp",
    ip_protocol="tcp",
    cidr_ip="192.0.2.0/24",
    from_port=3389,
    to_port=3389,
    group_id=security_group.attr_group_id
)
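The same logic the rule applies to CDK source can be run as a gate on the CloudFormation template that `cdk synth` writes, which also catches rules the CDK check does not see (hand-written templates, escape hatches, rules built from variables). The script below is an added example, not part of this rule description or of the CDK project. It treats a source CIDR with a /0 prefix as world-open, treats protocol "-1" as covering every port and "tcp" or "6" as TCP, and reports any rule whose port range contains 22 or 3389. The port list, the file name in the usage comment, and the embedded sample template are constructed assumptions; the sample mirrors the noncompliant and compliant cases shown above.

```python
"""Flag security-group ingress rules that expose administration ports to the world.

Works on a synthesized CloudFormation template (for example the file that
`cdk synth` writes under cdk.out/), covering both inline SecurityGroupIngress
entries and standalone AWS::EC2::SecurityGroupIngress resources.
"""
import ipaddress
import json
import sys

# Assumed set of remote-administration ports; extend it for your environment.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# CloudFormation spellings for "all protocols" and for TCP (name or IANA number).
ALL_PROTOCOLS = {"-1"}
TCP_PROTOCOLS = {"tcp", "6"}


def world_open_source(rule):
    """Return the CIDR that makes the rule reachable from any address, or None."""
    for key in ("CidrIp", "CidrIpv6"):
        cidr = rule.get(key)
        # Non-string values (Ref/GetAtt) cannot be evaluated statically and are skipped.
        if isinstance(cidr, str) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return cidr
    return None


def exposed_admin_ports(rule):
    """Administration ports covered by the rule's protocol and port range."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto in ALL_PROTOCOLS:
        return sorted(ADMIN_PORTS)  # "-1" means every protocol and every port
    if proto not in TCP_PROTOCOLS:
        return []  # UDP/ICMP rules do not reach the TCP administration services
    from_port = int(rule.get("FromPort", 0))
    to_port = int(rule.get("ToPort", 65535))
    return [p for p in sorted(ADMIN_PORTS) if from_port <= p <= to_port]


def ingress_rules(template):
    """Yield (logical_id, rule) for every ingress rule in a CloudFormation template."""
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        rtype = resource.get("Type")
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, rule
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            yield logical_id, props


def find_exposed_admin_services(template):
    """Return (logical_id, source_cidr, port, service) for each world-open admin port."""
    findings = []
    for logical_id, rule in ingress_rules(template):
        source = world_open_source(rule)
        if source is None:
            continue  # a specific CIDR or a source security group: not flagged
        for port in exposed_admin_ports(rule):
            findings.append((logical_id, source, port, ADMIN_PORTS[port]))
    return findings


# Constructed sample template mirroring the rule's noncompliant and compliant cases.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "OpenSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "constructed example",
        "SecurityGroupIngress": [
          {"IpProtocol": "6", "CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22},
          {"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": 1024, "ToPort": 1048},
          {"IpProtocol": "-1", "CidrIpv6": "::/0"}
        ]
      }
    },
    "RdpFromAdminNet": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "OpenSg"}, "IpProtocol": "tcp",
                     "CidrIp": "192.0.2.0/24", "FromPort": 3389, "ToPort": 3389}
    },
    "RdpFromAnywhere": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "OpenSg"}, "IpProtocol": "tcp",
                     "CidrIp": "0.0.0.0/0", "FromPort": 3000, "ToPort": 4000}
    }
  }
}""")


if __name__ == "__main__":
    # Usage: python check_admin_ingress.py [cdk.out/MyStack.template.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    findings = find_exposed_admin_services(template)
    for logical_id, source, port, service in findings:
        print(f"{logical_id}: {service} (tcp/{port}) open to {source}")
    sys.exit(1 if findings else 0)
```

On the sample template the script reports the inline SSH rule, both administration ports behind the "-1" IPv6 rule, and the standalone 3000-4000 rule that happens to contain 3389, while the 1024-1048 rule and the RDP rule limited to 192.0.2.0/24 pass. The check only recognises a /0 source: two /1 halves, or a source security group that is itself world-open, are just as exposed and would pass, so treat it as a pre-deploy gate rather than a substitute for reviewing effective reachability.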
Resources
Documentation
- AWS Documentation - Security groups for your VPC
- Azure Documentation - Network security groups
- GCP Documentation - Firewalls
Standards