logo

Database

Unrestricted access between network segments - AWS

Need

Enforce restricted access between network segments in AWS

Context

• Usage of Terraform for Infrastructure as Code (IaC)

• Usage of terraform-provider-aws for managing AWS resources with Terraform

Description

1. Non compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "allow_all" {
  name        = "allow_all"
  description = "Allow all inbound traffic"
  ingress {...

The above Terraform code defines an AWS security group that allows unrestricted access to and from all IP addresses (0.0.0.0/0) on all ports (from_port = 0, to_port = 0) and for all protocols (protocol = "-1"). This means that any machine, regardless of its location or network, can connect to the resources protected by this security group, and vice versa. This can lead to a potential security risk as it exposes the resources to unwanted traffic and potential attacks. The `ingress` block defines the inbound rules for connections to the resources, while the `egress` block defines the outbound rules for connections from the resources. The `cidr_blocks` attribute specifies the range of IP addresses that can connect to or from the resources. In this case, the range is set to `0.0.0.0/0`, which represents all possible IP addresses. The `from_port` and `to_port` attributes define the range of ports that can be used for the connections. When both are set to `0`, it means all ports are allowed. The `protocol` attribute defines the network protocol for the connections, and when it is set to `-1`, it means all protocols are allowed. This configuration is too permissive and goes against the principle of least privilege, which states that a user or system should have the minimum levels of access necessary to perform its function. Therefore, it's recommended to restrict the access to only the necessary IP addresses, ports, and protocols.

2. Steps

• Review the current security group configuration.

• Identify the network segments, ports, IP addresses, network protocols, and administrative services that are required for the application.

• Update the security group configuration to only allow access from the necessary network segments, ports, IP addresses, network protocols, and administrative services.

• Remove the 'allow_all' rule that allows unrestricted access.

• Test the updated security group configuration to ensure it meets the application's requirements.

• Monitor and regularly review the security group configuration to identify any potential misconfigurations or unauthorized access.

3. Secure code example

provider "aws" {
  region = "us-west-2"
}

resource "aws_security_group" "restricted_access" {
  name        = "restricted_access"
  description = "Allow only necessary inbound and outbound traffic"
  ingress {...

The original code had a security group that allowed all inbound and outbound traffic, which is a significant security risk. The updated code restricts access to only the necessary network segments, ports, IP addresses, network protocols, and administrative services. The `ingress` block defines the inbound rules for network traffic. The `from_port` and `to_port` specify the port range for the rule, the `protocol` specifies the protocol type for the rule, and the `cidr_blocks` specify the range of source IP addresses for the rule. Similarly, the `egress` block defines the outbound rules for network traffic. The `from_port` and `to_port` specify the port range for the rule, the `protocol` specifies the protocol type for the rule, and the `cidr_blocks` specify the range of destination IP addresses for the rule. By limiting the access to only what's necessary, we significantly reduce the potential attack surface. It's important to regularly review and update these rules to ensure they meet the application's requirements and to identify any potential misconfigurations or unauthorized access.