CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, or Network.
Configuring all VPC default security groups to restrict all inbound traffic encourages least privilege security group development and mindful placement of AWS resources into security groups, which in turn reduces the exposure of those resources.
Remove any invalid ingress block from the aws_security_group or aws_default_security_group.
Ensure that an aws_default_security_group or aws_security_group ingress block does NOT contain the value 0.0.0.0/0 in the cidr_blocks field (or ::/0 in the ipv6_cidr_blocks field for IPv6).
Example configuration:
resource "aws_security_group" "example" {
  ingress {
    # CIDR values are strings in HCL; a private range, never 0.0.0.0/0
    cidr_blocks = ["10.0.0.0/16"]
    from_port   = 5900
    to_port     = 5900
    protocol    = "tcp"
    # other required fields here
  }
}
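The check described above, applied programmatically to the resource list in a `terraform show -json` state output, as an added example that is not part of the original page. The sample resources are constructed, the JSON shape is reduced to the fields the check needs, and the condition is generalised from the literal 0.0.0.0/0 and ::/0 to any CIDR with a /0 prefix (which denotes the same all-addresses range).

```python
import ipaddress
from typing import Iterable

# Constructed stand-in for values.root_module.resources in `terraform show -json`.
SAMPLE_RESOURCES = [
    {"type": "aws_default_security_group", "name": "default", "values": {"ingress": [
        {"from_port": 22, "to_port": 22, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}]}},
    {"type": "aws_security_group", "name": "example", "values": {"ingress": [
        {"from_port": 5900, "to_port": 5900, "protocol": "tcp",
         "cidr_blocks": ["10.0.0.0/16"], "ipv6_cidr_blocks": ["::/0"]}]}},
    {"type": "aws_instance", "name": "web", "values": {}},  # not a security group
]

CHECKED_TYPES = {"aws_security_group", "aws_default_security_group"}


def is_any_network(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 or any other CIDR with a /0 prefix."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a literal CIDR (e.g. an unresolved reference)


def find_open_ingress(resources: Iterable[dict]) -> list[str]:
    """One finding per ingress rule whose IPv4 or IPv6 CIDR list is open to all."""
    findings = []
    for res in resources:
        if res.get("type") not in CHECKED_TYPES:
            continue
        for rule in res.get("values", {}).get("ingress", []):
            # Both address families are checked, as the rule text requires.
            for cidr in list(rule.get("cidr_blocks", [])) + list(rule.get("ipv6_cidr_blocks", [])):
                if is_any_network(cidr):
                    findings.append(
                        f"{res['type']}.{res['name']}: ingress "
                        f"{rule.get('from_port')}-{rule.get('to_port')}/{rule.get('protocol')} "
                        f"open to {cidr}")
    return findings


if __name__ == "__main__":
    for finding in find_open_ingress(SAMPLE_RESOURCES):
        print(finding)
```

Run it against real state with `terraform show -json | python -c '...'` by feeding `values.root_module.resources` (and any child_modules) into `find_open_ingress`.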
Remove any invalid SecurityGroupIngress block from the AWS::EC2::SecurityGroup.
A SecurityGroupIngress block is invalid if it contains the following: DefaultSecurityGroup is referenced in the [GroupId] field.
YAML example configuration:
Vpc01SecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref Vpc01
    GroupDescription: Description
Vpc01ValidIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref Vpc01SecurityGroup   # a dedicated group, not the VPC's DefaultSecurityGroup
    IpProtocol: tcp
    FromPort: 22
    ToPort: 22
    CidrIp: "90.90.90.0/24"
    # other required fields here