Unrestricted access between network segments - AWS
Need
Enforce restricted access between network segments in AWS
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of terraform-provider-aws for managing AWS resources with Terraform
Description
Non-compliant code
provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
The above Terraform code defines an AWS security group that allows unrestricted access to and from all IP addresses (0.0.0.0/0) on all ports (from_port = 0, to_port = 0) and for all protocols (protocol = "-1"). This means that any machine, regardless of its location or network, can connect to the resources protected by this security group, and vice versa. This exposes the resources to unwanted traffic and potential attacks.
The ingress block defines the inbound rules for connections to the resources, while the egress block defines the outbound rules for connections from the resources. The cidr_blocks attribute specifies the range of IP addresses that can connect to or from the resources. In this case, the range is set to 0.0.0.0/0, which represents all possible IPv4 addresses.
The from_port and to_port attributes define the range of ports that can be used for the connections. When both are set to 0 together with protocol "-1", all ports are allowed. The protocol attribute defines the network protocol for the connections, and when it is set to -1, all protocols are allowed.
This configuration is too permissive and goes against the principle of least privilege, which states that a user or system should have the minimum levels of access necessary to perform its function. Therefore, it's recommended to restrict the access to only the necessary IP addresses, ports, and protocols.
Steps
- Review the current security group configuration.
- Identify the network segments, ports, IP addresses, network protocols, and administrative services that are required for the application.
- Update the security group configuration to only allow access from the necessary network segments, ports, IP addresses, network protocols, and administrative services.
- Remove the 'allow_all' rule that allows unrestricted access.
- Test the updated security group configuration to ensure it meets the application's requirements.
- Monitor and regularly review the security group configuration to identify any potential misconfigurations or unauthorized access.
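The review and monitoring steps above can be automated against the JSON that `terraform show -json <planfile>` emits. The script below is an added example, not code from the original page or from the terraform-provider-aws project. It assumes the `planned_values.root_module` layout of that JSON, walks every aws_security_group (including those in child modules), and reports rules whose CIDR is effectively "everywhere" and whose port/protocol scope is unbounded. The sample plan embedded in it is constructed for the example; the /8 threshold in is_wide_open is a policy choice of this example, not an AWS rule.

```python
"""Flag overly permissive AWS security group rules in a Terraform plan.

Added example (not from the original page). Assumes the JSON layout of
`terraform show -json tfplan`: planned_values -> root_module -> resources,
with optional nested child_modules.
"""
import ipaddress
import json
import sys

# Constructed sample plan: a trimmed `terraform show -json` output with one
# wide-open security group and one scoped to a single port and prefix.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        {
            "address": "aws_security_group.allow_all",
            "type": "aws_security_group",
            "values": {
                "name": "allow_all",
                "ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                             "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}],
                "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                            "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": ["::/0"]}],
            },
        },
        {
            "address": "aws_security_group.restricted_access",
            "type": "aws_security_group",
            "values": {
                "name": "restricted_access",
                "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                             "cidr_blocks": ["10.20.0.0/16"], "ipv6_cidr_blocks": []}],
                "egress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp",
                            "cidr_blocks": ["10.30.1.0/24"], "ipv6_cidr_blocks": []}],
            },
        },
    ]}},
})

# Policy choice of this example: a prefix this short (or shorter) is treated
# as "effectively everywhere", not only the literal 0.0.0.0/0 and ::/0.
MAX_OPEN_PREFIXLEN = 8


def is_wide_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any prefix no longer than the threshold."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen <= MAX_OPEN_PREFIXLEN


def rule_findings(direction: str, rule: dict) -> list:
    """Describe the problems in one ingress/egress block (empty list if none)."""
    cidrs = list(rule.get("cidr_blocks") or []) + list(rule.get("ipv6_cidr_blocks") or [])
    open_cidrs = [c for c in cidrs if is_wide_open(c)]
    if not open_cidrs:
        return []
    all_protocols = str(rule.get("protocol")) == "-1"          # -1 implies every port too
    full_range = rule.get("from_port") == 0 and rule.get("to_port") == 65535
    where = ", ".join(open_cidrs)
    if all_protocols or full_range:
        return [f"{direction}: all ports and protocols open to {where}"]
    return [f"{direction}: {rule.get('from_port')}-{rule.get('to_port')}/"
            f"{rule.get('protocol')} open to {where}"]


def iter_resources(module: dict):
    """Yield resources of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def audit_plan(plan_json: str) -> dict:
    """Map each offending security group address to its list of findings."""
    plan = json.loads(plan_json)
    report = {}
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_security_group":
            continue
        values = res.get("values") or {}
        findings = []
        for direction in ("ingress", "egress"):
            for rule in values.get(direction) or []:
                findings.extend(rule_findings(direction, rule))
        if findings:
            report[res["address"]] = findings
    return report


if __name__ == "__main__":
    # Usage: python sg_audit.py plan.json   (falls back to the constructed sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, problems in audit_plan(source).items():
        print(address)
        for problem in problems:
            print("  -", problem)
```

Run it in CI right after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`; a non-empty report is the signal to stop the pipeline before the group is applied. The checker reports the egress side as well because the page's non-compliant group opens both directions.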
Compliant code
provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "restricted_access" {
  name        = "restricted_access"
  description = "Allow only necessary inbound and outbound traffic"

  ingress {
    from_port   = <required_from_port>
    to_port     = <required_to_port>
    protocol    = "<required_protocol>"
    cidr_blocks = ["<required_inbound_cidr_blocks>"]
  }

  egress {
    from_port   = <required_from_port>
    to_port     = <required_to_port>
    protocol    = "<required_protocol>"
    cidr_blocks = ["<required_outbound_cidr_blocks>"]
  }
}
The original code had a security group that allowed all inbound and outbound traffic, which is a significant security risk. The updated code restricts access to only the necessary network segments, ports, IP addresses, network protocols, and administrative services.
The ingress block defines the inbound rules for network traffic. The from_port and to_port attributes specify the port range for the rule, the protocol attribute specifies the protocol type for the rule, and the cidr_blocks attribute specifies the range of source IP addresses for the rule.
Similarly, the egress block defines the outbound rules for network traffic. The from_port and to_port attributes specify the port range for the rule, the protocol attribute specifies the protocol type for the rule, and the cidr_blocks attribute specifies the range of destination IP addresses for the rule.
By limiting the access to only what's necessary, we significantly reduce the potential attack surface. It's important to regularly review and update these rules to ensure they meet the application's requirements and to identify any potential misconfigurations or unauthorized access.