Unrestricted access between network segments - AWS - cloudformation

Need

Enforce restricted access between network segments in AWS

Context

  • Usage of AWS CloudFormation for Infrastructure as Code (IaC)
  • Usage of AWS::EC2::SecurityGroup for managing network access in AWS

Description

Non compliant code

    Resources:
      InsecureSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: "Allow all inbound and outbound traffic"
          SecurityGroupIngress:
            - IpProtocol: "-1"
              FromPort: -1
              ToPort: -1
              CidrIp: "0.0.0.0/0"
          SecurityGroupEgress:
            - IpProtocol: "-1"
              FromPort: -1
              ToPort: -1
              CidrIp: "0.0.0.0/0"

The above CloudFormation code defines an AWS security group that allows unrestricted access to and from all IPv4 addresses (0.0.0.0/0) on all ports (FromPort = -1, ToPort = -1) and for all protocols (IpProtocol = "-1"). This means that any machine, regardless of its location or network, can connect to the resources protected by this security group, and vice versa. It exposes the resources to unwanted traffic and attack attempts from anywhere on the Internet, instead of only from the network segments that actually need to reach them. Note that 0.0.0.0/0 only covers IPv4; the equivalent IPv6 rule uses the CidrIpv6 property with ::/0, and a review should look for both.

The SecurityGroupIngress property defines the inbound rules for connections to the resources, while the SecurityGroupEgress property defines the outbound rules for connections from the resources. The CidrIp attribute specifies the range of IP addresses that can connect to or from the resources. In this case, the range is set to 0.0.0.0/0, which represents all possible IP addresses.

The FromPort and ToPort attributes define the range of ports that can be used for the connections. When both are set to -1, all ports are allowed. The IpProtocol attribute defines the network protocol for the connections; when it is set to "-1", all protocols are allowed and the port range is effectively ignored, so the rule matches every packet.

This configuration is too permissive and goes against the principle of least privilege, which states that a user or system should have the minimum levels of access necessary to perform its function. Therefore, it's recommended to restrict the access to only the necessary IP addresses, ports, and protocols.

Steps

  • Review the current security group configuration.
  • Identify the network segments, ports, IP addresses, network protocols, and administrative services that are required for the application.
  • Update the security group configuration to only allow access from the necessary network segments, ports, IP addresses, network protocols, and administrative services.
  • Remove the 'allow_all' rule that allows unrestricted access.
  • Test the updated security group configuration to ensure it meets the application's requirements.
  • Monitor and regularly review the security group configuration to identify any potential misconfigurations or unauthorized access.

Compliant code

    Resources:
      SecureSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: "Allow only necessary inbound and outbound traffic"
          SecurityGroupIngress:
            - IpProtocol: "<required_protocol>"
              FromPort: <required_from_port>
              ToPort: <required_to_port>
              CidrIp: "<required_inbound_cidr_blocks>"
          SecurityGroupEgress:
            - IpProtocol: "<required_protocol>"
              FromPort: <required_from_port>
              ToPort: <required_to_port>
              CidrIp: "<required_outbound_cidr_blocks>"

The original code had a security group that allowed all inbound and outbound traffic, which is a significant security risk. The updated code restricts access to only the necessary network segments, ports, IP addresses, network protocols, and administrative services.

The SecurityGroupIngress property defines the inbound rules for network traffic. The FromPort and ToPort specify the port range for the rule, the IpProtocol specifies the protocol type for the rule, and the CidrIp specifies the range of source IP addresses for the rule.

Similarly, the SecurityGroupEgress property defines the outbound rules for network traffic. The FromPort and ToPort specify the port range for the rule, the IpProtocol specifies the protocol type for the rule, and the CidrIp specifies the range of destination IP addresses for the rule.

By limiting the access to only what's necessary, we significantly reduce the potential attack surface. It's important to regularly review and update these rules to ensure they meet the application's requirements and to identify any potential misconfigurations or unauthorized access.
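The following script is an added example, not part of the original page or of any AWS tooling. It serves two purposes: it encodes the review check described under "Steps" (find security group rules that are open to all addresses or to all ports and protocols) and it fills the placeholder compliant template above with one concrete, assumed set of values (TCP 443 inbound from 10.0.0.0/16, TCP 5432 outbound to 10.0.20.0/24) to show that such a rule passes the same check. Both templates are embedded as the Python dictionaries that a YAML loader would produce, so the script runs offline without a YAML library; the resource names, CIDR blocks and ports in the hardened template are constructed for illustration.

```python
"""Detect CloudFormation security group rules that grant unrestricted access.

Added example (not the page's own code). Templates are embedded as the
dictionary form a YAML loader would return for the YAML on this page.
"""
import ipaddress

# Constructed: parsed form of the page's non-compliant template.
INSECURE_TEMPLATE = {
    "Resources": {
        "InsecureSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Allow all inbound and outbound traffic",
                "SecurityGroupIngress": [
                    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"}
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"}
                ],
            },
        }
    }
}

# Constructed: one assumed filling of the page's placeholder compliant template.
# The CIDR blocks and ports are illustrative values, not from the original page.
HARDENED_TEMPLATE = {
    "Resources": {
        "SecureSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Allow only necessary inbound and outbound traffic",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"}
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "10.0.20.0/24"}
                ],
            },
        }
    }
}


def is_unrestricted_cidr(cidr):
    """True when the CIDR covers every address of its family (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        # Not a literal CIDR (e.g. an unresolved !Ref): cannot judge it here.
        return False


def is_all_ports(rule):
    """True when the rule matches every port: all-protocols (-1) or a full TCP/UDP range."""
    protocol = str(rule.get("IpProtocol", ""))
    if protocol == "-1":
        return True  # ports are ignored for IpProtocol -1
    if protocol in ("tcp", "udp", "6", "17"):
        return (rule.get("FromPort"), rule.get("ToPort")) == (0, 65535)
    return False


def check_template(template):
    """Return a list of findings for every SecurityGroup rule that is too permissive."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = resource.get("Properties", {})
        for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
            for index, rule in enumerate(props.get(direction, [])):
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                if cidr is None:
                    continue  # rule references another group or prefix list, not a CIDR
                reasons = []
                if is_unrestricted_cidr(cidr):
                    reasons.append("open to all addresses (%s)" % cidr)
                if is_all_ports(rule):
                    reasons.append("all ports and/or protocols")
                if reasons:
                    findings.append(
                        {"resource": name, "direction": direction, "rule": index,
                         "reason": "; ".join(reasons)}
                    )
    return findings


if __name__ == "__main__":
    for label, template in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, check_template(template))
```

The check deliberately stays silent on rules that use SourceSecurityGroupId or a prefix list instead of a CIDR: those are reviewed separately, since referencing another security group is usually the preferred way to express "this segment may talk to that one" inside a VPC. A rule is reported once per direction, with every reason it triggered, so the two entries returned for the insecure template correspond to its ingress and egress rules.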