VPC security group rule permits ingress from '0.0.0.0/0' to port 5800 (Virtual Network Computing) and is not attached to an ELB Affecting VPC service in AWS


Severity: medium
Severity framework: Snyk CCSS
Rule category: Network / Ports

Frameworks: CIS-Controls, CIS-Google, CSA-CCM, HIPAA, ISO-27001, NIST-800-53, PCI-DSS, SOC-2
Snyk ID: SNYK-CC-00211
Credit: Snyk Research Team

Description

AWS recommends that no security group allow unrestricted ingress (0.0.0.0/0) to port 5800 (VNC) unless the traffic arrives through an AWS Elastic Load Balancer. Removing unfettered connectivity to remote console services reduces a server's exposure to risk.

How to fix?

Either set the security group's ingress.cidr_blocks attribute to a more restrictive CIDR block (only the address ranges that actually need remote console access), or attach the security group to an aws_elb resource through the ELB's security_groups attribute.

Example Configuration

# This group still opens TCP 5800 to 0.0.0.0/0, but it passes the rule because
# it is attached to the aws_elb resource declared below.
resource "aws_security_group" "ingress-5800-valid-elb-group" {
  name        = "ingress-5800-valid-elb-group"
  description = "Ingress 5800 Test"

  ingress {
    from_port   = 5800
    to_port     = 5800
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_elb" "ingress-5800-elb" {
  name = "ingress-5800-elb"
  # Attaching the security group here is what exempts it from this rule.
  security_groups = [aws_security_group.ingress-5800-valid-elb-group.id]
  # aws_default_subnet.default is assumed to be declared elsewhere in the configuration.
  subnets = [aws_default_subnet.default.id]

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400
}
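The following is an added example, not part of this page and not Snyk's rule engine: a simplified re-implementation of the check in Python, run over constructed resources that mirror the Terraform attributes above. It models security groups and ELBs as plain dataclasses keyed by Terraform address (an assumption; the real ELB references the group by id), and it goes slightly beyond the rule text by also treating an IPv6 ::/0 ingress and a protocol "-1" (all traffic) rule as unrestricted, since both admit the same world-wide access to port 5800.

```python
"""Simplified re-implementation of the "ingress 5800 from 0.0.0.0/0 without ELB" rule.

Added example: this is not Snyk's engine. Resources are represented as plain
dataclasses; a real run would feed it resources parsed from HCL or from a
`terraform show -json` plan (the `after` values of each resource change).
"""
from dataclasses import dataclass, field

VNC_PORT = 5800
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


@dataclass
class IngressRule:
    from_port: int
    to_port: int
    protocol: str                          # "tcp", "udp" or "-1" (all traffic)
    cidr_blocks: list = field(default_factory=list)
    ipv6_cidr_blocks: list = field(default_factory=list)

    def covers_port(self, port: int) -> bool:
        # protocol "-1" admits every port; Terraform then sets from/to to 0,
        # so the numeric range check alone would miss it.
        if self.protocol == "-1":
            return True
        return self.from_port <= port <= self.to_port

    def open_to_world(self) -> bool:
        return ANY_IPV4 in self.cidr_blocks or ANY_IPV6 in self.ipv6_cidr_blocks


@dataclass
class SecurityGroup:
    address: str                           # Terraform address (assumed key), e.g. aws_security_group.x
    ingress: list                          # list of IngressRule


@dataclass
class Elb:
    address: str
    security_groups: list                  # addresses of attached security groups


def find_violations(groups, elbs, port=VNC_PORT):
    """Return addresses of groups that admit the world on `port` and are not attached to any ELB."""
    attached = {sg for elb in elbs for sg in elb.security_groups}
    return [
        g.address
        for g in groups
        if g.address not in attached
        and any(r.covers_port(port) and r.open_to_world() for r in g.ingress)
    ]


# Constructed sample resources (not from any real account).
SAMPLE_GROUPS = [
    # The page's own example: open on 5800 but attached to an ELB, so exempt.
    SecurityGroup("aws_security_group.ingress-5800-valid-elb-group",
                  [IngressRule(5800, 5800, "tcp", [ANY_IPV4])]),
    # Same rule with no ELB attachment: a finding.
    SecurityGroup("aws_security_group.vnc-open",
                  [IngressRule(5800, 5800, "tcp", [ANY_IPV4])]),
    # A wide range that happens to include 5800: also a finding.
    SecurityGroup("aws_security_group.vnc-range",
                  [IngressRule(5000, 6000, "tcp", [ANY_IPV4])]),
    # Restricted to a documentation prefix: the remediation in "How to fix?".
    SecurityGroup("aws_security_group.vnc-office",
                  [IngressRule(5800, 5800, "tcp", ["203.0.113.0/24"])]),
    # All traffic from any IPv6 source: unrestricted, so a finding.
    SecurityGroup("aws_security_group.all-traffic-v6",
                  [IngressRule(0, 0, "-1", [], [ANY_IPV6])]),
]
SAMPLE_ELBS = [
    Elb("aws_elb.ingress-5800-elb", ["aws_security_group.ingress-5800-valid-elb-group"]),
]


def demo():
    return find_violations(SAMPLE_GROUPS, SAMPLE_ELBS)


if __name__ == "__main__":
    for address in demo():
        print(f"SNYK-CC-00211: {address} allows 0.0.0.0/0 (or ::/0) on port {VNC_PORT} and is not attached to an ELB")
```

The exemption is deliberately an exact attachment check: a group is only cleared if some aws_elb lists it in security_groups, which matches the remediation text rather than, say, any load balancer type.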