VPC security group rule ingress is not restricted to /32 CIDR block Affecting VPC service in AWS


Severity
low (Snyk CCSS score 0.0 on a 0 to 10 scale)

Severity Framework
Snyk CCSS

Rule category
Network / Access Control

  • Snyk ID SNYK-CC-00747
  • credit Snyk Research Team

Description

Allowing ingress traffic from a CIDR block wider than /32 admits every address in that range rather than a single host, which widens the attack surface for network scanning and unauthorized access. A /32 CIDR identifies exactly one IPv4 source address (the IPv6 equivalent is /128); anything shorter, such as a VPC range like 172.31.0.0/16 or the unrestricted 0.0.0.0/0, should be treated as a finding under this rule.

How to fix?

Set the ingress.cidr_blocks attribute of the aws_security_group resource to a single-host CIDR ([CIDR/32]), or, when rules are managed separately, set the cidr_blocks attribute of the aws_security_group_rule resource to [CIDR/32]. Apply the same restriction to any IPv6 sources in ipv6_cidr_blocks (/128).

Example Configuration

data "aws_vpc" "selected" {
  filter {
    name   = "tag:Name"
    values = ["aws-controltower-VPC"]
  }
}

# Inline rule: the source is a single host (/32), not the whole VPC range.
resource "aws_security_group" "allowed-1" {
  name   = "allow_https"
  vpc_id = data.aws_vpc.selected.id

  ingress {
    description = "HTTPS from a single trusted host"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["172.31.0.0/32"]
  }

  tags = {
    Name = "allow_https"
  }
}

# No inline ingress blocks here: the rule is attached below with a standalone
# aws_security_group_rule. Do not mix inline rules and standalone rule resources
# on the same group; the AWS provider treats the two as conflicting.
resource "aws_security_group" "allowed-2" {
  name   = "allow_ssh"
  vpc_id = data.aws_vpc.selected.id

  tags = {
    Name = "allow_ssh"
  }
}

# Standalone rule: cidr_blocks is again restricted to exactly one host.
resource "aws_security_group_rule" "security_rule" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["172.31.0.0/32"]
  security_group_id = aws_security_group.allowed-2.id
}
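The Terraform above shows the compliant shape; the check itself is just "is every ingress source CIDR a single host?". The following audit script is an added example written for this page, not Snyk's checker or part of the rule. It applies that check to the JSON shape returned by `aws ec2 describe-security-groups` (fields such as `IpPermissions`, `IpRanges[].CidrIp` and `Ipv6Ranges[].CidrIpv6` are the real API names), flagging IPv4 sources wider than /32 and IPv6 sources wider than /128. The embedded sample output, its group IDs and its CIDRs are constructed for the demonstration.

```python
"""Flag AWS security-group ingress rules whose source CIDR is wider than one host.

Hypothetical audit helper written for this page (not Snyk's own checker). It
reads the JSON shape returned by `aws ec2 describe-security-groups` and reports
every ingress permission whose IPv4 source is wider than /32 or whose IPv6
source is wider than /128, i.e. every rule this page's check would flag.
"""
import ipaddress
import json

# Constructed sample: the shape of `aws ec2 describe-security-groups --output json`,
# trimmed to the fields the check needs. Group IDs and CIDRs are made up.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0a1b2c3d4e5f60001",
      "GroupName": "allow_https",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "172.31.0.10/32"}], "Ipv6Ranges": []}
      ]
    },
    {
      "GroupId": "sg-0a1b2c3d4e5f60002",
      "GroupName": "allow_ssh",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "172.31.0.0/16"}, {"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/64"}]}
      ]
    }
  ]
}
""")


def is_single_host(cidr: str) -> bool:
    """True when the CIDR covers exactly one address (/32 for IPv4, /128 for IPv6)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == net.max_prefixlen


def port_range(perm: dict) -> str:
    """Render the permission's port range; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def find_wide_ingress(describe_output: dict) -> list[dict]:
    """Return one finding per ingress source CIDR that is wider than a single host."""
    findings = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_single_host(cidr):
                    continue
                net = ipaddress.ip_network(cidr, strict=False)
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "protocol": perm.get("IpProtocol"),
                    "ports": port_range(perm),
                    "cidr": cidr,
                    # Number of source addresses the rule admits: the reason
                    # this page's rule wants exactly one.
                    "addresses": net.num_addresses,
                })
    return findings


if __name__ == "__main__":
    for f in find_wide_ingress(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['group_id']} ({f['group_name']}): {f['protocol']}/{f['ports']} "
              f"from {f['cidr']} admits {f['addresses']} addresses")
```

Pipe real output into it with `aws ec2 describe-security-groups --output json | python3 audit.py` after replacing the constructed sample with `json.load(sys.stdin)`. The `addresses` field is what makes the finding actionable in review: a /16 admits 65,536 sources and 0.0.0.0/0 admits the whole IPv4 space, while the page's /32 fix admits one.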