logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure service configuration - Security Groups - Cloudformation

Need

Secure configuration of EC2 Security Groups

Context

  1. Usage of AWS CloudFormation for Infrastructure as Code (IaC)
  2. Usage of AWS native services to manage EC2 resources

Description

Insecure Code Example

Resources:
  InsecureEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      # No security group is defined

In the above CloudFormation template, an AWS EC2 instance is being created without any security group associated with it. This is a major security vulnerability as it means that the instance is not protected by any firewall rules, allowing unrestricted access from the internet. A Security Group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you must associate it with at least one security group. If no security group is explicitly defined, the default security group is used, which might have permissive rules. In the provided code, there are no input/output rules defined for the EC2 instance, which could allow unauthorized access depending on the default group's configuration. This is a serious security concern and should be addressed immediately.

Steps

  1. Identify the required inbound and outbound traffic for the EC2 instance.
  2. Create a new security group or use an existing one that meets the requirements.
  3. Define the inbound and outbound rules for the security group to allow the necessary traffic.
  4. Reference the security group in the EC2 instance's `SecurityGroupIds` property in the CloudFormation template.

Secure Code Example

Resources:
  SecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security Group with restricted access"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      SecurityGroupEgress:
        - IpProtocol: -1
          FromPort: 0
          ToPort: 0
          CidrIp: 0.0.0.0/0

  SecureEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0c94855ba95c574c8
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref SecureSecurityGroup

The above CloudFormation template creates a security group named "SecureSecurityGroup" with an inbound rule that allows TCP traffic on port 22 (SSH) from any IP address (0.0.0.0/0), and an outbound rule that allows all traffic. The EC2 instance is then updated to associate this security group using the `SecurityGroupIds` property. This ensures that the instance is protected by defined network rules, reducing the risk of unauthorized access.

References

  • 177 - Insecure service configuration - Security Groups

    • Last updated

    2025/04/03