logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

Insecure protocol allowed in security group - Cloudformation

Need

Detection and prevention of insecure communication protocols

Context

  1. Usage of AWS CloudFormation (IaC) to define infrastructure
  2. Definition of EC2 Security Groups using AWS::EC2::SecurityGroup
  3. Evaluation of ingress rules that permit communication over insecure channels

Description

Insecure Code Example

Resources:
  InsecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow insecure Telnet access
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 23
          ToPort: 23
          CidrIp: 0.0.0.0/0

The CloudFormation resource below defines a security group that allows inbound traffic over TCP port 23 (Telnet). This is an example of insecure communication because Telnet transmits data—including authentication credentials—in plain text over the network. Insecure channels refer to network protocols that do not provide encryption for data in transit, such as HTTP, FTP, Telnet, and others. When these protocols are allowed, attackers can intercept and read sensitive data using tools like packet sniffers. This type of misconfiguration can enable Man-in-The-Middle (MITM) attacks, session hijacking, and credential theft, especially when access is allowed from any IP address (0.0.0.0/0).

Steps

  1. Identify all network-access rules defined in CloudFormation templates (e.g., in security groups, NACLs, or load balancers).
  2. Detect the use of insecure protocols such as Telnet (23), HTTP (80), FTP (21), etc.
  3. Replace insecure protocols with encrypted alternatives (e.g., HTTPS, SFTP, SSH).
  4. Restrict access using specific CIDR blocks instead of allowing traffic from all IPs (0.0.0.0/0).
  5. Document and justify any exception where insecure protocols are used, and apply compensating controls (e.g., VPN tunneling).

Secure Code Example

Resources:
  SecureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow secure access via HTTPS
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 203.0.113.0/24

The secure version avoids exposing the application to insecure communication protocols. It replaces Telnet with secure alternatives like SSH (port 22) or uses HTTPS (port 443) instead of HTTP. Additionally, it restricts access to known IP ranges to reduce the attack surface. Ensuring the use of encrypted channels (e.g., TLS/SSL-based protocols) protects data integrity and confidentiality during transmission and is a fundamental security practice.

References

  • 332 - Insecure protocol allowed in security group

    • Last updated

    2025/04/04