CCSS (Common Configuration Scoring System) is the set of measures used to determine the severity of each rule.
Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging or Network.
AWS recommends that no security group allows unrestricted ingress access to port 5800, unless it is from an AWS Elastic Load Balancer. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.
Set the security group's ingress.cidr_blocks attribute to a more restrictive CIDR block, or attach the security group to an aws_elb using the ELB's security_groups attribute.
Example configuration (the security group is left open on port 5800 but is attached to an aws_elb, which is the second remediation path above):

  resource "aws_security_group" "ingress-5800-valid-elb-group" {
    name        = "ingress-5800-valid-elb-group"
    description = "Ingress 5800 Test"

    ingress {
      from_port   = 5800
      to_port     = 5800
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  resource "aws_elb" "ingress-5800-elb" {
    name            = "ingress-5800-elb"
    # Attaching the group to the ELB is what satisfies the rule.
    security_groups = [aws_security_group.ingress-5800-valid-elb-group.id]
    subnets         = [aws_default_subnet.default.id]

    listener {
      instance_port     = 8000
      instance_protocol = "http"
      lb_port           = 80
      lb_protocol       = "http"
    }

    cross_zone_load_balancing   = true
    idle_timeout                = 400
    connection_draining         = true
    connection_draining_timeout = 400
  }
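The rule above can be expressed as a small static check over the planned resources. The following is an added example, not the scanner's own rule engine: it walks a list of Terraform resources shaped like the entries under planned_values.root_module.resources in terraform's plan JSON, flags any aws_security_group whose ingress admits port 5800 over TCP (or all protocols) from a /0 CIDR, and exempts groups that some aws_elb lists in security_groups. The sample resources are constructed for the example, and to keep it runnable offline the ELB's security_groups hold security-group resource addresses rather than the runtime IDs a real plan would carry; the helper names (rule_covers_port, rule_is_unrestricted, find_violations) are this example's own.

```python
"""Added example: a checker for 'no unrestricted ingress to port 5800 unless attached to an ELB'.

Input shape (assumed, simplified from terraform plan JSON): a list of dicts with
"address", "type" and "values". For offline resolution, an aws_elb's
"security_groups" here contains security-group addresses such as
"aws_security_group.foo" instead of runtime IDs.
"""
import ipaddress

VNC_PORT = 5800  # the port this rule concerns


def rule_covers_port(rule, port):
    """True if the ingress rule's protocol and port range include TCP `port`."""
    proto = str(rule.get("protocol", "")).lower()
    if proto in ("-1", "all"):
        return True  # all protocols and all ports
    if proto != "tcp":
        return False
    return int(rule.get("from_port", 0)) <= port <= int(rule.get("to_port", 0))


def rule_is_unrestricted(rule):
    """True if any IPv4 or IPv6 CIDR on the rule has prefix length 0 (the whole address space)."""
    cidrs = list(rule.get("cidr_blocks") or []) + list(rule.get("ipv6_cidr_blocks") or [])
    for cidr in cidrs:
        try:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # malformed CIDR is a different finding, ignored here
    return False


def elb_attached_groups(resources):
    """Collect every security group referenced by an aws_elb's security_groups."""
    attached = set()
    for res in resources:
        if res.get("type") == "aws_elb":
            attached.update(res.get("values", {}).get("security_groups") or [])
    return attached


def find_violations(resources, port=VNC_PORT):
    """Return addresses of security groups that expose `port` to the world without an ELB."""
    attached = elb_attached_groups(resources)
    violations = []
    for res in resources:
        if res.get("type") != "aws_security_group":
            continue
        if res["address"] in attached:
            continue  # remediation path: the group is attached to an aws_elb
        for rule in res.get("values", {}).get("ingress") or []:
            if rule_covers_port(rule, port) and rule_is_unrestricted(rule):
                violations.append(res["address"])
                break  # one offending rule is enough to flag the group
    return violations


def _sg(name, **ingress):
    """Build a constructed single-rule security-group resource."""
    return {"address": f"aws_security_group.{name}", "type": "aws_security_group",
            "values": {"name": name, "ingress": [ingress]}}


# Constructed sample resources, mirroring the page's example plus a few variants.
SAMPLE_RESOURCES = [
    _sg("ingress-5800-valid-elb-group", from_port=5800, to_port=5800, protocol="tcp",
        cidr_blocks=["0.0.0.0/0"]),
    {"address": "aws_elb.ingress-5800-elb", "type": "aws_elb",
     "values": {"security_groups": ["aws_security_group.ingress-5800-valid-elb-group"]}},
    # Same open rule, but no ELB attaches the group: violation.
    _sg("vnc-open", from_port=5800, to_port=5800, protocol="tcp", cidr_blocks=["0.0.0.0/0"]),
    # Restricted to a private range: compliant.
    _sg("vnc-internal", from_port=5800, to_port=5800, protocol="tcp", cidr_blocks=["10.0.0.0/8"]),
    # A wide port range that happens to include 5800, open over IPv6: violation.
    _sg("wide-range-v6", from_port=5000, to_port=6000, protocol="tcp", ipv6_cidr_blocks=["::/0"]),
    # Protocol -1 covers every port: violation.
    _sg("all-protocols", from_port=0, to_port=0, protocol="-1", cidr_blocks=["0.0.0.0/0"]),
]

if __name__ == "__main__":
    for address in find_violations(SAMPLE_RESOURCES):
        print(f"VIOLATION: {address} allows unrestricted ingress to port {VNC_PORT}")
```

The range and protocol handling matters in practice: a rule `from_port = 5000, to_port = 6000` or `protocol = "-1"` exposes port 5800 just as surely as an exact match, and a check that only compares `from_port == 5800` would miss both.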