CCSS (Common Configuration Scoring System, NIST IR 7502) is the set of measures used to score the severity of a configuration issue; the score determines the severity assigned to this rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging or Network.
Public access to remote server administration ports, such as 22 (SSH) and 3389 (RDP), increases the resource's attack surface and unnecessarily raises the risk of compromise.
Set the ingress.cidr_block attribute to a more restrictive CIDR block, for example 192.16.0.0/24. Use the address range your administrative hosts or bastion actually connect from; the example range is only a placeholder.
Example configuration:
resource "aws_network_acl" "nacl_inline" {
  vpc_id     = aws_vpc.vpc1.id
  subnet_ids = [aws_subnet.subnet2.id]

  # Allow SSH only from the administrative source range, never from 0.0.0.0/0.
  ingress {
    protocol   = "tcp"
    rule_no    = 20
    action     = "allow"
    cidr_block = "192.16.0.0/24"
    from_port  = 22
    to_port    = 22
  }
  # Network ACLs are stateless: SSH replies also need an egress rule for the
  # ephemeral port range (1024-65535) to the same CIDR.
}
Remove any invalid AWS::EC2::NetworkAclEntry associated with the AWS::EC2::NetworkAcl.
An AWS::EC2::NetworkAclEntry is invalid if it contains all of the following:
- 0.0.0.0/0 in the CidrBlock field
- 22 is within the port range defined in PortRange, OR Protocol is set to -1
- allow in the RuleAction field
Check entries with ::/0 in the Ipv6CidrBlock field the same way, since they expose the port to the whole IPv6 internet.
Alternatively, set the Properties.CidrBlock attribute to a more restrictive CIDR block, for example 192.16.0.0/24.
Example configuration:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  ValidVpc03:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: '10.0.0.0/16'
  ValidVpcNacl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref ValidVpc03
  ValidVpcNaclEntry01:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref ValidVpcNacl   # must reference the NetworkAcl, not the VPC
      RuleNumber: 10
      RuleAction: allow
      Protocol: 6                       # 6 = TCP; -1 would match every protocol and port
      CidrBlock: "192.16.0.0/24"        # restrict to the administrative source range
      PortRange:
        From: 22
        To: 22
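The three conditions above are easy to check mechanically before a template is deployed. The following is an added example, not code from the original page or from any scanning tool: a small Python checker that walks the Resources of a CloudFormation template (in its JSON/dict form, so no YAML library is needed) and reports every AWS::EC2::NetworkAclEntry that allows 0.0.0.0/0 to reach an administrative port. It goes slightly beyond the page's rule by also treating 3389 as an administrative port, mirroring the "22 and 3389" wording in the description, and by skipping egress entries on the assumption that an outbound rule does not grant inbound access; both are assumptions, as is the constructed sample template.

```python
"""Added example: find AWS::EC2::NetworkAclEntry resources that allow the
internet (0.0.0.0/0) to reach an administrative port, following the three
conditions on the page. Not part of the original page or of any tool."""
from typing import Any, Dict, List

ANY_IPV4 = "0.0.0.0/0"
# Port 22 is what the page's conditions name; 3389 is added here as an
# assumption, mirroring the "22 and 3389" wording in the rule description.
ADMIN_PORTS = (22, 3389)


def _port_in_range(props: Dict[str, Any], port: int) -> bool:
    """True if `port` falls inside PortRange. An entry without PortRange is
    treated as covering every port (assumption: PortRange is only required
    for TCP/UDP entries)."""
    port_range = props.get("PortRange")
    if not port_range:
        return True
    return int(port_range["From"]) <= port <= int(port_range["To"])


def _is_egress(props: Dict[str, Any]) -> bool:
    """Egress may appear as a bool or as the strings 'true'/'false'."""
    egress = props.get("Egress", False)
    if isinstance(egress, str):
        return egress.strip().lower() == "true"
    return bool(egress)


def is_public_admin_entry(props: Dict[str, Any], ports=ADMIN_PORTS) -> bool:
    """Apply the page's conditions to the Properties of one NetworkAclEntry:
    CidrBlock 0.0.0.0/0, RuleAction allow, and (Protocol -1 or an admin port
    within PortRange). Egress entries are skipped (assumption: an outbound
    rule does not grant inbound access to the port)."""
    if _is_egress(props):
        return False
    if str(props.get("CidrBlock", "")) != ANY_IPV4:
        return False
    if str(props.get("RuleAction", "")).lower() != "allow":
        return False
    if str(props.get("Protocol", "")).strip() == "-1":
        return True  # all protocols and all ports, so port 22 is included
    return any(_port_in_range(props, p) for p in ports)


def find_public_admin_entries(template: Dict[str, Any]) -> List[str]:
    """Return the logical IDs of offending NetworkAclEntry resources, sorted."""
    hits = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::NetworkAclEntry":
            continue
        if is_public_admin_entry(resource.get("Properties", {})):
            hits.append(logical_id)
    return sorted(hits)


def _entry(cidr: str, action: str, protocol: str, frm=None, to=None, egress=False):
    """Helper to build a constructed NetworkAclEntry resource for the sample."""
    props = {"NetworkAclId": {"Ref": "Nacl"}, "RuleNumber": 100,
             "RuleAction": action, "Protocol": protocol, "CidrBlock": cidr,
             "Egress": egress}
    if frm is not None:
        props["PortRange"] = {"From": frm, "To": to}
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": props}


# Constructed sample template (JSON form of a CloudFormation template).
SAMPLE_TEMPLATE = {
    "Resources": {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "Nacl": {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": {"Ref": "Vpc"}}},
        "OpenSshNacl": _entry("0.0.0.0/0", "allow", "6", 22, 22),      # flagged
        "OpenAllNacl": _entry("0.0.0.0/0", "allow", "-1"),             # flagged: -1 covers 22
        "RdpOpen": _entry("0.0.0.0/0", "allow", "6", 3389, 3389),      # flagged (assumed port)
        "RestrictedSsh": _entry("192.16.0.0/24", "allow", "6", 22, 22),  # ok: restricted CIDR
        "DenyAllOpen": _entry("0.0.0.0/0", "deny", "-1"),              # ok: deny, not allow
        "OpenHttp": _entry("0.0.0.0/0", "allow", "6", 80, 80),         # ok: 22 not in range
        "EgressSsh": _entry("0.0.0.0/0", "allow", "6", 22, 22, egress=True),  # ok: outbound
    }
}

if __name__ == "__main__":
    for logical_id in find_public_admin_entries(SAMPLE_TEMPLATE):
        print(f"{logical_id}: allows 0.0.0.0/0 to an administrative port")
```

The same predicate maps directly onto a Terraform aws_network_acl ingress block (cidr_block, action, protocol "-1", from_port/to_port), so one check can serve both template formats if the Terraform plan is exported as JSON first.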