AWS WorkSpaces access is not restricted to trusted IP addresses Affecting WorkSpaces service in AWS


Severity: medium
Severity framework: Snyk CCSS
Rule category: Network / Access Control

Frameworks
  • Snyk ID: SNYK-CC-00767
  • Credit: Snyk Research Team

Description

Allowing unrestricted access to AWS WorkSpaces can expose the service to unauthorized access and potential breaches. Restricting access to trusted IP ranges reduces the risk of such security incidents by ensuring that only known and vetted IP addresses can connect to the WorkSpaces environment, thereby enforcing a more secure access control policy.

How to fix?

Set the ip_group_ids attribute of the aws_workspaces_directory resource to one or more valid aws_workspaces_ip_group IDs, so that only the CIDR ranges listed in those groups can connect.

Example configuration:


resource "aws_workspaces_ip_group" "snyk-767-ip" {
  name = "snyk-767-ip-group"
  rules {
    source      = "10.2.0.0/24"
    description = "NY"
  }
  rules {
    source      = "172.16.9.0/32"
    description = "LA"
  }
}

resource "aws_workspaces_directory" "allowed" {
  directory_id = aws_directory_service_directory.snyk-767-dir.id
  ip_group_ids = [aws_workspaces_ip_group.snyk-767-ip.id]
}
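A check for the condition this rule describes, added here as an example that is not part of Snyk's rule or tooling: it takes data in the shape of the WorkSpaces DescribeWorkspaceDirectories and DescribeIpGroups API responses (a constructed sample is embedded) and flags directories with no IP group attached, and, going one step beyond the rule, directories whose attached group contains a 0.0.0.0/0 rule that admits any source address.

```python
"""Flag AWS WorkSpaces directories with no trusted-IP restriction (SNYK-CC-00767 check)."""
import ipaddress

# Constructed sample data in the shape of the WorkSpaces API responses
# (describe_workspace_directories -> "Directories", describe_ip_groups -> "Result").
SAMPLE_DIRECTORIES = [
    {"DirectoryId": "d-0000000001", "DirectoryName": "corp-ny", "ipGroupIds": ["wsipg-aaaaaaaaa"]},
    {"DirectoryId": "d-0000000002", "DirectoryName": "lab-open", "ipGroupIds": []},
    {"DirectoryId": "d-0000000003", "DirectoryName": "anywhere", "ipGroupIds": ["wsipg-bbbbbbbbb"]},
]
SAMPLE_IP_GROUPS = [
    {"groupId": "wsipg-aaaaaaaaa", "groupName": "snyk-767-ip-group",
     "userRules": [{"ipRule": "10.2.0.0/24", "ruleDesc": "NY"},
                   {"ipRule": "172.16.9.0/32", "ruleDesc": "LA"}]},
    {"groupId": "wsipg-bbbbbbbbb", "groupName": "allow-all",
     "userRules": [{"ipRule": "0.0.0.0/0", "ruleDesc": "everyone"}]},
]


def is_unrestricted_rule(cidr: str) -> bool:
    """True when a rule admits every address (a /0 prefix), which is no restriction at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_unrestricted_directories(directories, ip_groups):
    """Return {directory_id: reason} for directories that fail the trusted-IP check.

    A directory fails when it has no IP access control group attached (the
    condition SNYK-CC-00767 reports) or, as an extra check, when any attached
    group contains a rule such as 0.0.0.0/0 that admits any source address.
    """
    groups_by_id = {g["groupId"]: g for g in ip_groups}
    findings = {}
    for d in directories:
        group_ids = d.get("ipGroupIds") or []
        if not group_ids:
            findings[d["DirectoryId"]] = "no ip_group_ids attached"
            continue
        open_rules = [
            r["ipRule"]
            for gid in group_ids
            for r in groups_by_id.get(gid, {}).get("userRules", [])
            if is_unrestricted_rule(r["ipRule"])
        ]
        if open_rules:
            findings[d["DirectoryId"]] = f"IP group allows any source: {', '.join(open_rules)}"
    return findings


if __name__ == "__main__":
    for directory_id, reason in find_unrestricted_directories(SAMPLE_DIRECTORIES, SAMPLE_IP_GROUPS).items():
        print(f"{directory_id}: {reason}")
```

Against a live account the same function takes `describe_workspace_directories()["Directories"]` and `describe_ip_groups()["Result"]` from the boto3 WorkSpaces client.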