Insecure service configuration - AWS Security Groups - Cloudformation


Need

Secure configuration of AWS security groups


Context

  1. Usage of CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS Security Groups for network access control

Description

Insecure Code Example

Resources:
  InsecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Allow all inbound and outbound traffic"
      SecurityGroupIngress:
        - IpProtocol: "-1"       # -1 = all protocols; FromPort/ToPort are ignored
          FromPort: 0
          ToPort: 0
          CidrIp: "0.0.0.0/0"    # any IPv4 source
      SecurityGroupEgress:
        - IpProtocol: "-1"       # all protocols outbound
          FromPort: 0
          ToPort: 0
          CidrIp: "0.0.0.0/0"    # any IPv4 destination

The above CloudFormation template creates a security group that allows all inbound and outbound traffic. This is a critical security misconfiguration because it exposes associated resources to the public internet without any restrictions. The `SecurityGroupIngress` block allows any IP address (`0.0.0.0/0`) to access any port using any protocol (`-1`, which means all protocols). Similarly, the `SecurityGroupEgress` block allows unrestricted outbound traffic to any destination. This configuration violates the principle of least privilege, increasing the risk of unauthorized access, data breaches, and potential exploitation of vulnerabilities in exposed resources.

Steps

  1. Restrict inbound traffic to only allow access from trusted IP ranges.
  2. Limit outbound traffic to only required destinations.
  3. Avoid using `0.0.0.0/0` for unrestricted access unless absolutely necessary.
  4. Regularly review and update security group rules to align with security policies.
  5. Enable VPC Flow Logs and AWS CloudTrail to monitor access and detect unauthorized traffic.

Secure Code Example

Resources:
  SecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Restricted inbound and outbound traffic"
      SecurityGroupIngress:
        - IpProtocol: "tcp"
          FromPort: 22           # SSH only
          ToPort: 22
          CidrIp: "203.0.113.0/24"   # trusted administrative range only
      SecurityGroupEgress:
        - IpProtocol: "tcp"
          FromPort: 80           # HTTP only
          ToPort: 80
          CidrIp: "203.0.113.0/24"   # required destination only

The above CloudFormation template defines a security group with restricted inbound and outbound access, following security best practices. The `SecurityGroupIngress` block allows SSH (`port 22`) traffic only from a specific IP range (`203.0.113.0/24`), reducing the risk of unauthorized remote access. The `SecurityGroupEgress` block allows outbound traffic only to HTTP (`port 80`) within the same IP range, preventing unnecessary data exposure. This approach follows the principle of least privilege, ensuring that only necessary traffic is permitted while reducing the attack surface.
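As an added example (not part of the original page), the following Python script applies steps 1 to 3 above as a static check: it walks a CloudFormation template's `Resources`, finds `AWS::EC2::SecurityGroup` resources and stand-alone `AWS::EC2::SecurityGroupIngress`/`SecurityGroupEgress` resources, and reports rules that use `IpProtocol: -1`, an any-address CIDR (`0.0.0.0/0` or `::/0`), or a full `0-65535` port range. It assumes the template has already been loaded into a Python dict (for example with `json.load`, or a YAML loader that understands CloudFormation's `!Ref`/`!Sub` tags); the two templates from this page are embedded as constructed sample input, and the function names are the author's own.

```python
"""Static check for over-permissive security group rules in a CloudFormation
template that has already been loaded into a Python dict."""
import ipaddress

# Constructed sample input: the two templates from this page as Python dicts.
INSECURE_TEMPLATE = {
    "Resources": {
        "InsecureSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Allow all inbound and outbound traffic",
                "SecurityGroupIngress": [
                    {"IpProtocol": "-1", "FromPort": 0, "ToPort": 0, "CidrIp": "0.0.0.0/0"},
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "-1", "FromPort": 0, "ToPort": 0, "CidrIp": "0.0.0.0/0"},
                ],
            },
        }
    }
}

SECURE_TEMPLATE = {
    "Resources": {
        "SecureSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Restricted inbound and outbound traffic",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"},
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "203.0.113.0/24"},
                ],
            },
        }
    }
}


def rule_findings(rule, direction):
    """Return a list of reasons why one ingress/egress rule is over-permissive."""
    reasons = []
    proto = str(rule.get("IpProtocol", ""))
    if proto == "-1":
        reasons.append(f"{direction}: all protocols (IpProtocol -1)")
    for key in ("CidrIp", "CidrIpv6"):
        cidr = rule.get(key)
        if cidr is None:
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            reasons.append(f"{direction}: unparseable {key} {cidr!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            reasons.append(f"{direction}: open to any address ({cidr})")
    fp, tp = rule.get("FromPort"), rule.get("ToPort")
    if proto in ("tcp", "udp", "6", "17") and fp is not None and tp is not None:
        if int(fp) <= 0 and int(tp) >= 65535:
            reasons.append(f"{direction}: every port ({fp}-{tp})")
    return reasons


def check_template(template):
    """Walk Resources and return 'ResourceName: reason' strings; empty if clean."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        props = res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for direction, key in (("ingress", "SecurityGroupIngress"),
                                   ("egress", "SecurityGroupEgress")):
                for rule in props.get(key, []):
                    findings += [f"{name}: {r}" for r in rule_findings(rule, direction)]
            if "SecurityGroupEgress" not in props:
                # Without an egress block CloudFormation keeps the default
                # allow-all egress rule, so the group is implicitly open outbound.
                findings.append(f"{name}: egress: no SecurityGroupEgress (default allow-all kept)")
        elif rtype in ("AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"):
            # Stand-alone rule resources carry the same property names at top level.
            direction = "ingress" if rtype.endswith("Ingress") else "egress"
            findings += [f"{name}: {r}" for r in rule_findings(props, direction)]
    return findings


if __name__ == "__main__":
    for label, tpl in (("insecure", INSECURE_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(label, check_template(tpl) or ["no findings"])
```

Run against the page's two templates, the insecure one produces four findings (all protocols and any-address, for both ingress and egress) and the secure one produces none. The check also flags a security group that omits `SecurityGroupEgress` entirely, because in that case CloudFormation keeps the default rule allowing all outbound traffic, which is easy to overlook when reviewing a template that only declares ingress rules.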


References

  • 165 - Insecure service configuration - AWS Security Groups

  • Last updated

    2025/04/03