VPC default security group allows unrestricted ingress traffic Affecting VPC service in AWS


Severity: medium
Severity framework: Snyk CCSS
Rule category: Network / Best Practices

  • Frameworks: CIS-AWS, CIS-Controls, CSA-CCM, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
  • Snyk ID: SNYK-CC-00024
  • Credit: Snyk Research Team

Description

Configuring all VPC default security groups to restrict all inbound traffic encourages least privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.

How to fix?

Remove any ingress block that opens the group to the whole internet from the aws_security_group or aws_default_security_group resource.

Ensure that no aws_default_security_group or aws_security_group ingress block contains the value 0.0.0.0/0 in the cidr_blocks field (or ::/0 in the ipv6_cidr_blocks field for IPv6).

Example Configuration (Terraform)

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = ["10.0.0.0/16"]   # scoped to the VPC range, not 0.0.0.0/0
    from_port   = 5900
    to_port     = 5900
    protocol    = "tcp"
    # other required fields here
  }
}