Automatic information enumeration - Aws

Automatic information enumeration - Aws

Need

Prevention of automatic information enumeration

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services

Description

Non compliant code

        provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
        
        

The above code is a Terraform script for AWS that creates a security group allowing all inbound and outbound traffic. This is a potential security vulnerability as it can allow for unauthorized access to the system, leading to automatic information enumeration.

In the aws_security_group resource block, the ingress and egress blocks specify the rules for inbound and outbound traffic respectively. The from_port and to_port are set to 0, and the protocol is set to -1, which means all protocols and ports are allowed. The cidr_blocks is set to 0.0.0.0/0, which means all IP addresses are allowed.

This configuration essentially leaves the system wide open, making it possible for attackers to automatically enumerate system information such as open ports, available services and users personal data. This can lead to various attacks including data breaches, denial of service attacks, and other forms of system compromise.

Steps

  • Implement proper ingress and egress rules in the AWS security group.
  • Restrict the allowed ports and protocols to only those that are necessary for the application.
  • Avoid using '0.0.0.0/0' as the CIDR block for both ingress and egress rules.
  • Regularly review and update the security group rules to ensure they are up to date and aligned with the application's requirements.
  • Consider implementing network access control lists (ACLs) to provide an additional layer of security and control over network traffic.
  • Implement monitoring and logging mechanisms to detect and respond to any unauthorized access attempts or suspicious activities.

Compliant code

        provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "allow_specific" {
  name        = "allow_specific"
  description = "Allow specific inbound and outbound traffic"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }
}
        
        

The updated code now implements a more secure AWS security group configuration. The security group, now named "allow_specific", has been configured to allow specific inbound and outbound traffic instead of all traffic.

In the ingress rule, the from_port and to_port have been set to 22, which is the standard port for SSH. The protocol has been set to "tcp", and the CIDR block has been set to "10.0.0.0/16", which restricts access to the specified IP range.

In the egress rule, the from_port and to_port have been set to 80, which is the standard port for HTTP. The protocol has been set to "tcp", and the CIDR block has been set to "10.0.0.0/16", which restricts outbound access to the specified IP range.

This configuration significantly reduces the risk of automatic information enumeration by limiting the ports, protocols, and IP ranges that can access the system. It is recommended to regularly review and update these rules based on the application's requirements.

Additionally, consider implementing network access control lists (ACLs) for an extra layer of security and control over network traffic. Also, implement monitoring and logging mechanisms to detect and respond to any unauthorized access attempts or suspicious activities.

References