Insecure service configuration - AWS - Aws

Insecure service configuration - AWS - Aws

Need

Secure configuration of AWS services

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services

Description

Non compliant code

        provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
        
        

The above Terraform code is used to create an AWS security group that allows all inbound and outbound traffic. This is a typical example of insecure service configuration in AWS.

The aws_security_group resource block creates a new security group named "allow_all". The ingress block specifies the inbound rules for this security group. In this case, it allows traffic from any IP address (0.0.0.0/0) on any port (from 0 to 0) using any protocol (-1, which stands for all protocols).

Similarly, the egress block specifies the outbound rules for this security group. It allows traffic to any IP address on any port using any protocol.

This configuration is highly insecure because it exposes all the resources associated with this security group to the public internet. Any malicious actor can identify and try to access these resources, exploit vulnerabilities, or launch attacks.

Steps

  • Restrict the inbound traffic to only allow access from specific IP addresses or ranges.
  • Restrict the outbound traffic to only allow access to specific IP addresses or ranges.
  • Remove the 'allow_all' security group and create more specific security groups based on the required access.
  • Implement least privilege principle by granting only the necessary permissions to the security groups.
  • Regularly review and update the security group rules to ensure they align with the current requirements.
  • Enable logging and monitoring for the security groups to detect any unauthorized access attempts.

Compliant code

        provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "specific_access" {
  name        = "specific_access"
  description = "Allow specific inbound and outbound traffic"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }
}
        
        

The above code is a secure configuration of an AWS service using Terraform. The aws_security_group resource is used to create a security group that allows specific inbound and outbound traffic.

In the ingress block, the from_port and to_port are set to 22, which is the port for SSH. The protocol is set to "tcp", and the cidr_blocks is set to "203.0.113.0/24". This means that only the IP addresses within the range 203.0.113.0 to 203.0.113.255 are allowed to access the service via SSH.

Similarly, in the egress block, the from_port and to_port are set to 80, which is the port for HTTP. The protocol is set to "tcp", and the cidr_blocks is set to "203.0.113.0/24". This means that the service is only allowed to send outbound traffic to the IP addresses within the range 203.0.113.0 to 203.0.113.255 via HTTP.

This configuration implements the principle of least privilege by only granting the necessary permissions to the security group. It also helps to prevent unauthorized access by restricting the inbound and outbound traffic to specific IP addresses or ranges. Regular reviews and updates of the security group rules, as well as enabling logging and monitoring, can further enhance the security of the service.

References