Secure configuration of AWS security groups
The following CloudFormation template creates a security group that allows
all inbound and outbound traffic. This is a critical misconfiguration: every
resource the group is attached to is reachable from the entire internet on
every port and every protocol.

Resources:
  InsecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow all inbound and outbound traffic"
      SecurityGroupIngress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 0
          CidrIp: "0.0.0.0/0"
      SecurityGroupEgress:
        - IpProtocol: "-1"
          FromPort: 0
          ToPort: 0
          CidrIp: "0.0.0.0/0"

The SecurityGroupIngress block allows any source address (0.0.0.0/0) to reach
any port using any protocol. IpProtocol "-1" means all protocols, and when it
is used AWS allows traffic on all ports regardless of the port range given, so
the FromPort: 0 / ToPort: 0 values above do not narrow the rule at all.
Similarly, the SecurityGroupEgress block allows unrestricted outbound traffic
to any destination. That egress rule is identical to the default outbound rule
AWS attaches to a security group that declares no SecurityGroupEgress, so it
is the ingress rule that makes this group dangerous.

This configuration violates the principle of least privilege. Whatever the
group is attached to (an EC2 instance, an RDS database, a load balancer, a
Lambda function in a VPC) is exposed to internet-wide port scanning, to
brute-force attacks against management services such as SSH and RDP, and to
direct exploitation of any vulnerable service that happens to be listening.
The open egress rule additionally lets a compromised host reach any external
destination, for example to exfiltrate data or contact a command-and-control
server.
The following CloudFormation template defines a security group with
restricted inbound and outbound access.

Resources:
  SecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Restricted inbound and outbound traffic"
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 22
          ToPort: 22
          CidrIp: "203.0.113.0/24"
      SecurityGroupEgress:
        - IpProtocol: "tcp"
          FromPort: 80
          ToPort: 80
          CidrIp: "203.0.113.0/24"

The SecurityGroupIngress block allows SSH (TCP port 22) only from one
administrative address range (203.0.113.0/24, which is the RFC 5737
documentation range and stands in for your own source addresses). The SSH
service is no longer reachable from the public internet, which removes it
from internet-wide scanning and limits who can even attempt to authenticate.
The SecurityGroupEgress block allows outbound traffic only to HTTP (TCP port
80) within the same range, so a compromised host cannot freely reach
arbitrary destinations. Security groups are stateful, so replies to the
permitted inbound SSH sessions are allowed without any additional egress
rule.

Two caveats apply when adapting this template. First, declaring any
SecurityGroupEgress rule replaces the default allow-all outbound rule, so the
egress list must contain everything the workload legitimately needs (DNS, or
TCP 443 to package repositories and AWS service endpoints, for example);
otherwise the instance cannot patch itself or call other AWS services.
Second, where the permitted source lives inside your VPC, reference its
security group with SourceSecurityGroupId rather than a CIDR, so the rule
keeps following the resource when its addresses change.

This approach follows the principle of least privilege: only the traffic the
workload actually requires is permitted, which reduces the attack surface.
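To turn the two rules discussed above (no ingress open to 0.0.0.0/0 on all protocols or on sensitive ports; be aware of allow-all egress, declared or defaulted) into a repeatable check, the following Python script walks a CloudFormation template and reports offending security groups. It is an added example and not code from the original page. The templates are embedded as Python dicts, which is the structure CloudFormation's YAML or JSON parses to, so the script runs offline without a YAML library; the SENSITIVE_PORTS table and the severity labels are assumptions chosen for this example and should be tuned to your environment.

```python
"""Static check for over-permissive AWS::EC2::SecurityGroup resources in a
CloudFormation template. Added example, not part of the original page."""
import ipaddress
from typing import Dict, List, Tuple

# Management and database ports whose exposure to the internet is flagged
# as HIGH. This list is an assumption for the example; extend it as needed.
SENSITIVE_PORTS: Dict[int, str] = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
    6379: "Redis", 27017: "MongoDB",
}

Finding = Tuple[str, str, str]  # (logical resource id, severity, message)


def _is_open_cidr(rule: dict) -> bool:
    """True if the rule's CidrIp/CidrIpv6 covers the whole internet (/0)."""
    for key in ("CidrIp", "CidrIpv6"):
        cidr = rule.get(key)
        if cidr is None:
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return False  # malformed CIDR; CloudFormation itself rejects it
        if net.prefixlen == 0:
            return True
    return False


def _port_range(rule: dict) -> Tuple[int, int]:
    """Ports a rule covers. With IpProtocol -1 AWS allows every port,
    whatever FromPort/ToPort say, so report the full range."""
    if str(rule.get("IpProtocol")) == "-1":
        return (0, 65535)
    lo = int(rule.get("FromPort", 0))
    hi = int(rule.get("ToPort", lo))
    return (lo, hi)


def check_security_groups(template: dict) -> List[Finding]:
    """Return findings for every security group in a parsed template."""
    findings: List[Finding] = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        props = res.get("Properties", {})

        for rule in props.get("SecurityGroupIngress", []):
            if not _is_open_cidr(rule):
                continue
            proto = str(rule.get("IpProtocol"))
            lo, hi = _port_range(rule)
            if proto == "-1":
                findings.append((logical_id, "CRITICAL",
                                 "ingress: all protocols and ports open to the internet"))
                continue
            exposed = [f"{p}/{n}" for p, n in sorted(SENSITIVE_PORTS.items()) if lo <= p <= hi]
            if exposed:
                findings.append((logical_id, "HIGH",
                                 f"ingress: {', '.join(exposed)} open to the internet"))
            else:
                findings.append((logical_id, "MEDIUM",
                                 f"ingress: {proto} {lo}-{hi} open to the internet"))

        egress = props.get("SecurityGroupEgress")
        if egress is None:
            # No egress declared: AWS adds its default allow-all outbound rule.
            findings.append((logical_id, "LOW",
                             "egress: none declared, AWS default allow-all applies"))
        else:
            for rule in egress:
                if _is_open_cidr(rule) and str(rule.get("IpProtocol")) == "-1":
                    findings.append((logical_id, "LOW",
                                     "egress: all protocols and ports allowed to any destination"))
    return findings


# Constructed inputs mirroring the page's two templates, plus a third case
# (SSH open to the world, no egress declared) to show the other severities.
INSECURE_TEMPLATE = {"Resources": {"InsecureSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Allow all inbound and outbound traffic",
        "SecurityGroupIngress": [{"IpProtocol": "-1", "FromPort": 0, "ToPort": 0, "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "FromPort": 0, "ToPort": 0, "CidrIp": "0.0.0.0/0"}]}}}}

SECURE_TEMPLATE = {"Resources": {"SecureSecurityGroup": {
    "Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Restricted inbound and outbound traffic",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "203.0.113.0/24"}]}}}}

SSH_OPEN_TEMPLATE = {"Resources": {"SshOpenToWorld": {
    "Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "SSH from anywhere, default egress",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}}}

if __name__ == "__main__":
    for name, tpl in [("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE), ("ssh-open", SSH_OPEN_TEMPLATE)]:
        print(f"== {name} ==")
        for rid, sev, msg in check_security_groups(tpl) or [("-", "OK", "no findings")]:
            print(f"{sev:8} {rid}: {msg}")
```

Run as a pre-deploy gate, the insecure template yields a CRITICAL ingress finding plus a LOW egress finding, the secure one yields nothing, and the SSH case shows how a single open port is still reported as HIGH even though the protocol is restricted. The egress checks are deliberately LOW severity: open egress is the AWS default and is rarely the root cause of a compromise, but it is what turns a compromise into exfiltration, so it is worth surfacing.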