Insecure service configuration - AWS
Need
Secure configuration of AWS services
Context
- Usage of Terraform for Infrastructure as Code (IaC)
- Usage of AWS SDK for interacting with Amazon Web Services
Description
Non compliant code
```hcl
provider "aws" {
  region = "us-west-2"
}

# Deliberately insecure: this group opens every port to and from the whole internet.
resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"          # -1 = all protocols; AWS ignores the ports, so every port matches
    cidr_blocks = ["0.0.0.0/0"] # any IPv4 source address
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"] # any IPv4 destination address
  }
}
```
The above Terraform code creates an AWS security group that allows all inbound and outbound traffic. This is a typical example of insecure service configuration in AWS.
The aws_security_group resource block creates a new security group named "allow_all". The ingress block defines its inbound rules. Here protocol is "-1", which stands for all protocols; for that value AWS requires from_port and to_port to be 0 and ignores them, so the rule admits traffic on every port, and cidr_blocks of 0.0.0.0/0 admits it from any IPv4 source address.
The egress block defines the outbound rules the same way: any protocol, any port, to any destination address.
This configuration is highly insecure because every instance or network interface attached to the group is reachable from the public internet on every port. Any service that happens to listen there (SSH, databases, admin consoles, debug ports) can be found by routine scanners and attacked directly. The unrestricted egress rule also gives a compromised instance an unhindered path for data exfiltration and command-and-control traffic. Note that 0.0.0.0/0 covers only IPv4; the IPv6 equivalent is ipv6_cidr_blocks = ["::/0"], and any review of security groups has to look for both.
Steps
- Restrict inbound traffic to the specific source addresses or ranges that need access, and to the specific port and protocol each service actually listens on.
- Restrict outbound traffic to the specific destination addresses, ports and protocols the workload needs (AWS adds an allow-all egress rule to every new group; Terraform removes it when it manages the group, so whatever the egress blocks declare is the whole outbound policy).
- Remove the 'allow_all' security group and create separate groups per role (bastion, web tier, database) based on the required access; where the peer is another AWS resource, reference its security group instead of a CIDR.
- Apply the principle of least privilege: every rule in a group should correspond to a documented, required flow, and nothing else.
- Regularly review the rules against current requirements, for example with AWS Config managed rules such as restricted-ssh and by scanning the Terraform for 0.0.0.0/0 and ::/0 before it is applied.
- Security groups produce no logs of their own, so enable VPC Flow Logs on the VPC and alert on accepted connections to unexpected ports or from unexpected sources.
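The review step can be automated with the AWS SDK. The following Python script is an added example and not code from the original page: it runs this page's check over the structure returned by boto3's ec2 describe_security_groups call, reports every rule whose source or destination is 0.0.0.0/0 or ::/0 with a severity, and builds the parameters for the revoke call that removes a flagged rule. SAMPLE_GROUPS and its group ids are constructed placeholders so the script runs offline; audit_live() is the only part that contacts AWS and assumes boto3, credentials and ec2:DescribeSecurityGroups permission.

```python
"""Audit AWS security groups for rules equivalent to the non compliant
Terraform above (every port open to 0.0.0.0/0 or ::/0).

Added example, not code from the original page. It works on the structure
returned by boto3's ec2.describe_security_groups(); SAMPLE_GROUPS is
constructed by hand with placeholder ids so the audit runs offline, and only
audit_live() talks to AWS (it needs boto3 and credentials).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}  # SSH and RDP: never expose these to the whole internet

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
SAMPLE_GROUPS = [
    {   # the "allow_all" group from the non compliant code
        "GroupId": "sg-0123456789abcdef0", "GroupName": "allow_all",
        # IpProtocol "-1" means every protocol; the API then omits FromPort/ToPort
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # the "specific_access" group from the compliant code
        "GroupId": "sg-0fedcba9876543210", "GroupName": "specific_access",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
        "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
    },
    {   # a public web tier: 443 open to everyone is usually intended, but still gets reported
        "GroupId": "sg-0a1b2c3d4e5f60718", "GroupName": "web",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
        "IpPermissionsEgress": [],
    },
]


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    direction: str                 # "ingress" or "egress"
    protocol: str                  # "-1" (all), "tcp", "udp", "icmp", ...
    ports: tuple[int, int] | None  # (from, to); None means every port
    cidr: str
    severity: str                  # "high", "medium" or "low"


def _unrestricted(cidr: str) -> bool:
    """True only for 0.0.0.0/0 and ::/0, the prefixes that match every address."""
    return ip_network(cidr, strict=False).prefixlen == 0


def _severity(direction: str, protocol: str, ports: tuple[int, int] | None) -> str:
    if direction == "ingress":
        if ports is None:
            return "high"
        # for tcp/udp the range is ports (for icmp it is a type/code), so check admin ports there
        if protocol in ("tcp", "udp") and any(ports[0] <= p <= ports[1] for p in ADMIN_PORTS):
            return "high"
        return "low"
    # unrestricted egress on every port is an open exfiltration / command-and-control path
    return "medium" if ports is None else "low"


def find_open_rules(groups: list[dict]) -> list[Finding]:
    """Return one Finding per (rule, CIDR) pair whose CIDR is 0.0.0.0/0 or ::/0."""
    findings: list[Finding] = []
    for sg in groups:
        for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm["IpProtocol"]
                ports = None if proto == "-1" or "FromPort" not in perm else (perm["FromPort"], perm["ToPort"])
                cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                for cidr in cidrs:
                    if _unrestricted(cidr):
                        findings.append(Finding(sg["GroupId"], sg["GroupName"], direction, proto,
                                                ports, cidr, _severity(direction, proto, ports)))
    return findings


def revoke_params(f: Finding) -> dict:
    """Keyword arguments for ec2.revoke_security_group_ingress / _egress that remove exactly this rule."""
    perm: dict = {"IpProtocol": f.protocol}
    if f.ports is not None:
        perm["FromPort"], perm["ToPort"] = f.ports
    if ":" in f.cidr:
        perm["Ipv6Ranges"] = [{"CidrIpv6": f.cidr}]
    else:
        perm["IpRanges"] = [{"CidrIp": f.cidr}]
    return {"GroupId": f.group_id, "IpPermissions": [perm]}


def audit_live(region: str) -> list[Finding]:
    """The same audit against a real account (needs boto3 and ec2:DescribeSecurityGroups)."""
    import boto3  # imported lazily so the offline sample runs without it installed
    ec2 = boto3.client("ec2", region_name=region)
    pages = ec2.get_paginator("describe_security_groups").paginate()
    return find_open_rules([sg for page in pages for sg in page["SecurityGroups"]])


if __name__ == "__main__":
    for f in find_open_rules(SAMPLE_GROUPS):
        ports = "all" if f.ports is None else f"{f.ports[0]}-{f.ports[1]}"
        print(f"[{f.severity}] {f.group_name} {f.direction} {f.protocol}/{ports} {f.cidr}")
```

Run as a script it prints the four findings from the sample: the allow_all group scores high on ingress and medium on egress, the web group scores low for 443 on both 0.0.0.0/0 and ::/0, and specific_access produces nothing. The IPv6 handling matters in practice because a scan that only greps for 0.0.0.0/0 misses groups that are wide open over IPv6; revoke_params deliberately reproduces the exact rule (protocol, ports, one CIDR) because the revoke API only removes rules that match in full.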
Compliant code
```hcl
provider "aws" {
  region = "us-west-2"
}

# Only the flows that are actually required, to and from a named range.
# 203.0.113.0/24 is a documentation range (RFC 5737) standing in for the real
# administrative network; replace it with your own ranges.
resource "aws_security_group" "specific_access" {
  name        = "specific_access"
  description = "Allow specific inbound and outbound traffic"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # SSH only from the admin range
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # HTTP only to the same range
  }
}
```
The above code is a secure configuration of the same AWS service using Terraform. The aws_security_group resource creates a security group that allows only specific inbound and outbound traffic.
In the ingress block, from_port and to_port are both set to 22, the port for SSH, protocol is set to "tcp", and cidr_blocks is set to "203.0.113.0/24". Only addresses in the range 203.0.113.0 to 203.0.113.255 can open SSH connections to instances in the group, and no other port is reachable from anywhere.
In the egress block, from_port and to_port are both set to 80, the port for HTTP, protocol is set to "tcp", and cidr_blocks is the same range, so instances in the group can only send outbound traffic on port 80 to that range. AWS attaches an allow-all egress rule to every new security group; Terraform removes it when it manages the group, so the egress blocks declared here are the complete outbound policy. Because this one permits nothing but HTTP to one range, the instances cannot resolve DNS, fetch OS updates or reach AWS service endpoints until matching rules (or VPC endpoints) are added deliberately; that is the intended behaviour of an allow-list, not an oversight to be fixed with 0.0.0.0/0.
203.0.113.0/24 is a documentation range reserved by RFC 5737 and stands in for the real administrative network. Where the peer is another AWS resource, reference its security group through security_groups instead of a CIDR, so the rule follows the resource rather than an address that may change.
This configuration implements the principle of least privilege by granting the security group only the flows it needs. It prevents unauthorized access by restricting inbound and outbound traffic to specific addresses, ports and protocols. Regular reviews of the rules (for example with AWS Config managed rules such as restricted-ssh, or by scanning the Terraform for 0.0.0.0/0 and ::/0 before apply) and VPC Flow Logs on the VPC can further enhance the security of the service.