Automatic information enumeration
Need
Prevention of automatic information enumeration
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of AWS SDK for interacting with Amazon Web Services
Description
Non-compliant code
provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
The above code is a Terraform script for AWS that creates a security group allowing all inbound and outbound traffic. This is a security weakness because it can allow unauthorized access to the system, leading to automatic information enumeration.
In the aws_security_group resource block, the ingress and egress blocks specify the rules for inbound and outbound traffic respectively. The from_port and to_port are set to 0 and the protocol is set to -1, which means all protocols and ports are allowed. The cidr_blocks is set to 0.0.0.0/0, which means all IP addresses are allowed.
This configuration leaves the system wide open, making it possible for attackers to automatically enumerate system information such as open ports, available services and users' personal data. This can lead to various attacks including data breaches, denial of service attacks, and other forms of system compromise.
Steps
- Implement proper ingress and egress rules in the AWS security group.
- Restrict the allowed ports and protocols to only those that are necessary for the application.
- Avoid using '0.0.0.0/0' as the CIDR block for both ingress and egress rules.
- Regularly review and update the security group rules to ensure they are up to date and aligned with the application's requirements.
- Consider implementing network access control lists (ACLs) to provide an additional layer of security and control over network traffic.
- Implement monitoring and logging mechanisms to detect and respond to any unauthorized access attempts or suspicious activities.
Compliant code
provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "allow_specific" {
  name        = "allow_specific"
  description = "Allow specific inbound and outbound traffic"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }
}
The updated code now implements a more secure AWS security group configuration. The security group, now named "allow_specific", has been configured to allow specific inbound and outbound traffic instead of all traffic.
In the ingress rule, the from_port and to_port have been set to 22, which is the standard port for SSH. The protocol has been set to "tcp", and the CIDR block has been set to "10.0.0.0/16", which restricts access to the specified IP range.
In the egress rule, the from_port and to_port have been set to 80, which is the standard port for HTTP. The protocol has been set to "tcp", and the CIDR block has been set to "10.0.0.0/16", which restricts outbound access to the specified IP range.
This configuration significantly reduces the risk of automatic information enumeration by limiting the ports, protocols, and IP ranges that can access the system. It is recommended to regularly review and update these rules based on the application's requirements.
Additionally, consider implementing network access control lists (ACLs) for an extra layer of security and control over network traffic. Also, implement monitoring and logging mechanisms to detect and respond to any unauthorized access attempts or suspicious activities.
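The review step in the list above ("regularly review and update the security group rules") is easiest to keep up when it is automated. The following Python script is an added example, not code from the original page: it audits security group rules in the shape returned by boto3's ec2.describe_security_groups() and flags the patterns this page describes, namely all protocols and ports (protocol "-1"), and any rule whose CIDR is 0.0.0.0/0 or ::/0. The two sample groups are constructed to mirror the page's non-compliant "allow_all" and compliant "allow_specific" Terraform blocks, so the script runs offline with no AWS credentials; the severity labels are an assumption of this example, not an AWS or Terraform convention.

```python
"""Audit AWS security group rules for enumeration-friendly exposure.

Added example (not code from the original page). Input dictionaries follow
the shape of boto3's ec2.describe_security_groups() response: each group has
"IpPermissions" (ingress) and "IpPermissionsEgress" (egress) lists whose
entries carry IpProtocol, FromPort/ToPort and IpRanges[].CidrIp. The sample
groups below are constructed to mirror the page's Terraform blocks.
"""
import ipaddress


def is_anywhere(cidr: str) -> bool:
    """A 0-length prefix (0.0.0.0/0 or ::/0) matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def describe_ports(rule: dict) -> str:
    """Human-readable protocol/port summary for one rule."""
    if rule.get("IpProtocol") == "-1":
        return "all protocols and ports"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    ports = f"port {lo}" if lo == hi else f"ports {lo}-{hi}"
    return f"{rule['IpProtocol']}/{ports}"


def rule_findings(group: str, direction: str, rule: dict) -> list:
    """Return (severity, group, direction, message) tuples for one rule.

    Severity scale is an assumption of this example:
      critical - all protocols/ports exposed to the whole Internet
      high     - a specific port exposed to the whole Internet
      medium   - all protocols/ports allowed, but only for a bounded CIDR
    """
    findings = []
    all_traffic = rule.get("IpProtocol") == "-1"
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        summary = describe_ports(rule)
        if is_anywhere(cidr) and all_traffic:
            findings.append(("critical", group, direction, f"{summary} open to {cidr}"))
        elif is_anywhere(cidr):
            findings.append(("high", group, direction, f"{summary} open to {cidr}"))
        elif all_traffic:
            findings.append(("medium", group, direction, f"{summary} allowed for {cidr}"))
    return findings


def audit_security_group(sg: dict) -> list:
    """Collect findings across a group's ingress and egress rules."""
    name = sg.get("GroupName") or sg.get("GroupId", "<unnamed>")
    findings = []
    for rule in sg.get("IpPermissions", []):
        findings += rule_findings(name, "ingress", rule)
    for rule in sg.get("IpPermissionsEgress", []):
        findings += rule_findings(name, "egress", rule)
    return findings


# Constructed sample: the page's non-compliant "allow_all" group. The EC2 API
# represents protocol "-1" without FromPort/ToPort (Terraform's 0 / 0).
ALLOW_ALL = {
    "GroupName": "allow_all",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

# Constructed sample: the page's compliant "allow_specific" group.
ALLOW_SPECIFIC = {
    "GroupName": "allow_specific",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
}

if __name__ == "__main__":
    for sg in (ALLOW_ALL, ALLOW_SPECIFIC):
        results = audit_security_group(sg)
        print(f"{sg['GroupName']}: {len(results)} finding(s)")
        for severity, _, direction, msg in results:
            print(f"  [{severity}] {direction}: {msg}")
```

Against live infrastructure, feed each element of boto3's `ec2.describe_security_groups()["SecurityGroups"]` to audit_security_group() instead of the constructed samples; "allow_all" produces a critical finding for both directions, while "allow_specific" produces none. Treat a "high" finding on a single port the same way the Steps above treat 0.0.0.0/0: narrow the CIDR rather than relying on the port restriction alone.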