Severity Framework
CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Snyk CCSS
Rule category
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Network/ Access Control
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
- Snyk IDSNYK-CC-00747
- creditSnyk Research Team
Description
Allowing ingress traffic from CIDR blocks larger than /32 exposes the network to a wider range of IP addresses, increasing the risk of network scanning and unauthorized access.
How to fix?
Set the ingress.cidr_blocks attribute in aws_security_group resource to [CIDR/32],Set the cidr_blocks attribute in aws_security_group_rule resource to [CIDR/32].
Example configuration:
data "aws_vpc" "selected" {
filter {
name = "tag:Name"
values = ["aws-controltower-VPC"]
}
}
resource "aws_security_group" "allowed-1" {
name = "allow_https"
vpc_id = data.aws_vpc.selected.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["172.31.0.0/32"]
}
tags = {
Name = "allow_https"
}
}
resource "aws_security_group" "allowed-2" {
name = "allow_ssh"
vpc_id = data.aws_vpc.selected.id
tags = {
Name = "allow_ssh"
}
}
resource "aws_security_group_rule" "security_rule" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["172.31.0.0/32"]
security_group_id = aws_security_group.allowed-2.id
}