Automatic information enumeration - Open ports - Aws

Need

Restrict open ports to only necessary and authorized services

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of aws_security_group for managing security groups in AWS

Description

Non compliant code

resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

The above Terraform code creates a security group that allows inbound traffic from any IP address (0.0.0.0/0) to all TCP ports (0 to 65535). This is a security risk because it exposes every service running on the instances associated with this security group to the public internet.

An attacker can easily scan these ports to discover running services and exploit known vulnerabilities in them. This is an example of an automatic information enumeration vulnerability, where open ports are scanned to gather information about the services that are available.

The egress block is also configured to allow all outbound traffic from the instances, which could potentially be exploited by an attacker who gains access to the instance to exfiltrate data or launch attacks on other systems.

This configuration should be replaced with a more restrictive one, allowing only necessary ports and IP ranges to reduce the potential attack surface.

Steps

  • Review the security requirements for the application and determine the necessary inbound and outbound traffic.
  • Modify the 'aws_security_group' resource configuration to restrict the inbound traffic to only the required ports and sources.
  • Update the 'from_port' and 'to_port' values in the 'ingress' block to specify the specific port range needed for the application.
  • Set the 'cidr_blocks' value in the 'ingress' block to limit the source IP addresses or ranges that are allowed to access the ports.
  • Update the 'egress' block to restrict outbound traffic as per the application requirements.
  • Test the updated security group configuration to ensure that only the necessary ports are open and accessible.
  • Monitor and regularly review the security group configuration to identify and address any potential vulnerabilities.

Compliant code

resource "aws_security_group" "allow_specific" {
  name        = "allow_specific"
  description = "Allow specific inbound traffic"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

The updated code modifies the aws_security_group resource to restrict the inbound traffic to only the necessary ports and sources.

In the ingress block, the from_port and to_port values have been updated to 22, the standard port for SSH. This means that only TCP traffic on port 22 will be allowed to enter.

The cidr_blocks value has been set to 203.0.113.0/24, which restricts the source IP addresses that are allowed to access the port to this specific range.

The egress block remains the same, allowing all outbound traffic. However, this should be updated as per your application requirements to restrict outbound traffic to only necessary ports and destinations.

Remember to test the updated security group configuration to ensure that only the necessary ports are open and accessible. Also, monitor and regularly review the security group configuration to identify and address any potential vulnerabilities.
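The "Test" and "Monitor" steps above, and the note that the egress block still allows all outbound traffic, can be automated with a small audit. The following script is an added example and is not part of the original page or any Fluid Attacks tooling. It evaluates security group rules in the shape returned by the EC2 DescribeSecurityGroups API (IpPermissions and IpPermissionsEgress), so it runs offline on the two constructed samples below, which mirror the page's allow_all and allow_specific resources, and can also be fed real output. The sensitive-port list and the /16 threshold for "a specific source range" are assumptions that a team should adjust to its own requirements.

```python
"""Audit AWS security group rules for over-exposed ingress and egress.

Added example (not the page's or any project's own code). Input is the
DescribeSecurityGroups shape: a group dict with IpPermissions (ingress)
and IpPermissionsEgress (egress) lists.
"""
import ipaddress

# Assumption: ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
# Assumption: anything wider than a /16 is not a "specific" source range.
MIN_PREFIX_LEN = 16
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def port_span(rule):
    """Return (from_port, to_port); protocol "-1" means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def rule_cidrs(rule):
    """Yield every IPv4 and IPv6 CIDR the rule applies to."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def audit_rule(rule, direction):
    """Return (severity, message) findings for one ingress or egress rule."""
    findings = []
    lo, hi = port_span(rule)
    for cidr in rule_cidrs(rule):
        net = ipaddress.ip_network(cidr, strict=False)
        world = net.prefixlen == 0           # 0.0.0.0/0 or ::/0
        broad = net.prefixlen < MIN_PREFIX_LEN
        if direction == "ingress":
            if world and hi - lo == 65535:
                findings.append(("high", f"ingress: all ports open to {cidr}"))
            elif world and any(lo <= p <= hi for p in SENSITIVE_PORTS):
                findings.append(("high", f"ingress: sensitive port(s) {lo}-{hi} open to {cidr}"))
            elif world:
                findings.append(("medium", f"ingress: ports {lo}-{hi} open to {cidr}"))
            elif broad:
                findings.append(("low", f"ingress: ports {lo}-{hi} open to broad range {cidr}"))
        elif world:
            # Unrestricted egress: flagged so it is reviewed, as the page recommends.
            findings.append(("low", f"egress: ports {lo}-{hi} allowed to {cidr}"))
    return findings


def audit_security_group(sg):
    """Audit one group and return every finding, ingress first."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        findings.extend(audit_rule(rule, "ingress"))
    for rule in sg.get("IpPermissionsEgress", []):
        findings.extend(audit_rule(rule, "egress"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when the group is clean."""
    if not findings:
        return None
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


# Constructed samples mirroring the page's non-compliant and compliant resources.
ALLOW_ALL = {
    "GroupName": "allow_all",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
ALLOW_SPECIFIC = {
    "GroupName": "allow_specific",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

if __name__ == "__main__":
    for sg in (ALLOW_ALL, ALLOW_SPECIFIC):
        findings = audit_security_group(sg)
        print(f"{sg['GroupName']}: worst={worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Against the samples, allow_all is rated high (all TCP ports open to 0.0.0.0/0) and allow_specific only carries the low egress finding, which matches the page's own remark that the egress block still needs tightening. To run the same check on a live account, pass each element of `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `audit_security_group`; scheduling that in CI or a periodic job covers the "monitor and regularly review" step.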
