CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.
Removing unfettered connectivity to remote console services, such as Remote Desktop Protocol, reduces a server's exposure to risk.
Remove any invalid ingress block from the aws_security_group.
An ingress block is invalid if it contains both of the following:
- 0.0.0.0/0 in the cidr_blocks field
- 3389 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example configuration:
resource "aws_security_group" "example" {
  ingress {
    # CIDR values are strings in HCL, so they must be quoted
    cidr_blocks = ["10.0.0.0/16"]
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    # other required fields here
  }
}
Remove any invalid SecurityGroupIngress block from the AWS::EC2::SecurityGroup.
A SecurityGroupIngress block is invalid if it contains both of the following:
- 0.0.0.0/0 in the CidrIp field
- 3389 is within the port range defined from FromPort to ToPort, OR FromPort and ToPort are both set to 0
JSON example configuration:
{
  "ValidSecurityGroup02": {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
      "GroupDescription": "RDP from the internal network only",
      "SecurityGroupIngress": [
        {
          "CidrIp": "10.0.0.0/16",
          "FromPort": 3389,
          "ToPort": 3389,
          "IpProtocol": "tcp"
        }
      ]
    }
  }
}
YAML example configuration:
ValidSecurityGroup02:
  Type: AWS::EC2::SecurityGroup
  Properties:
    SecurityGroupIngress:
      - CidrIp: '10.0.0.0/16'
        FromPort: 3389
        ToPort: 3389
        IpProtocol: "tcp"
    # other required fields here
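The following checker implements the two rule definitions above (the Terraform ingress rule and the CloudFormation SecurityGroupIngress rule) and runs them over constructed sample input. It is an added example, not the scanner's own code: the Terraform side takes an already-parsed dictionary rather than raw HCL, the sample template and security-group data are constructed here, and treating an entry with no FromPort/ToPort as 0/0 (all ports) is this example's conservative assumption, not something the page states.

```python
"""Checker for the open-RDP ingress rule described on this page.

An ingress entry is flagged when it allows 0.0.0.0/0 AND either 3389 falls
inside [from_port, to_port] or both ports are 0 (all ports).
"""
import json

RDP_PORT = 3389
OPEN_CIDR = "0.0.0.0/0"


def port_range_exposes_rdp(from_port, to_port):
    """True if the range covers 3389, or is 0-0 (every port)."""
    if from_port == 0 and to_port == 0:
        return True
    return from_port <= RDP_PORT <= to_port


def ingress_is_invalid(cidrs, from_port, to_port):
    """The page's rule: open CIDR combined with an RDP-exposing port range."""
    return OPEN_CIDR in cidrs and port_range_exposes_rdp(from_port, to_port)


def check_terraform_security_group(sg):
    """Return the indexes of offending ingress blocks.

    `sg` is an already-parsed aws_security_group body (assumed shape:
    {"ingress": [{"cidr_blocks": [...], "from_port": n, "to_port": n}, ...]}).
    """
    findings = []
    for index, rule in enumerate(sg.get("ingress", [])):
        if ingress_is_invalid(rule.get("cidr_blocks", []),
                              int(rule.get("from_port", 0)),
                              int(rule.get("to_port", 0))):
            findings.append(index)
    return findings


def check_cloudformation_template(template):
    """Return (resource name, ingress index) pairs for offending entries."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        ingress = resource.get("Properties", {}).get("SecurityGroupIngress", [])
        for index, rule in enumerate(ingress):
            cidrs = [rule["CidrIp"]] if "CidrIp" in rule else []
            # Absent ports are treated as 0/0, i.e. all ports; this
            # conservative default is an assumption of this example.
            from_port = int(rule.get("FromPort", 0))
            to_port = int(rule.get("ToPort", 0))
            if ingress_is_invalid(cidrs, from_port, to_port):
                findings.append((name, index))
    return findings


def check_cloudformation_json(text):
    """Parse a JSON template string and check it."""
    return check_cloudformation_template(json.loads(text))


# Constructed sample input: parsed Terraform ingress blocks.
SAMPLE_TF_SG = {
    "ingress": [
        {"cidr_blocks": ["10.0.0.0/16"], "from_port": 3389, "to_port": 3389},  # private only
        {"cidr_blocks": ["0.0.0.0/0"], "from_port": 3000, "to_port": 4000},    # 3389 in range
        {"cidr_blocks": ["0.0.0.0/0"], "from_port": 0, "to_port": 0},          # all ports
        {"cidr_blocks": ["0.0.0.0/0"], "from_port": 443, "to_port": 443},      # not RDP
    ]
}

# Constructed sample input: a CloudFormation template as a JSON string.
SAMPLE_CFN_TEMPLATE = json.dumps({
    "Resources": {
        "ValidSecurityGroup02": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "RDP from the internal network only",
                "SecurityGroupIngress": [
                    {"CidrIp": "10.0.0.0/16", "FromPort": 3389,
                     "ToPort": 3389, "IpProtocol": "tcp"}
                ]
            }
        },
        "OpenRdpGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "RDP open to the world (constructed bad example)",
                "SecurityGroupIngress": [
                    {"CidrIp": "0.0.0.0/0", "FromPort": 3389,
                     "ToPort": 3389, "IpProtocol": "tcp"}
                ]
            }
        },
        "LogBucket": {"Type": "AWS::S3::Bucket"},  # ignored: not a security group
    }
})


def main():
    print("Terraform findings (ingress indexes):",
          check_terraform_security_group(SAMPLE_TF_SG))
    print("CloudFormation findings (resource, index):",
          check_cloudformation_json(SAMPLE_CFN_TEMPLATE))


if __name__ == "__main__":
    main()
```

Running the script reports ingress blocks 1 and 2 of the Terraform sample (a range that contains 3389, and the 0/0 all-ports range) and entry 0 of `OpenRdpGroup` in the template; the page's own valid examples and the open-but-not-RDP 443 rule are not flagged, which matches the rule text exactly.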