Json Yaml All Protocols Allowed
Description
Detects when AWS Security Group rules in CloudFormation templates are configured to allow all IP protocols (-1 or all). This creates an overly permissive security posture that allows any type of traffic, which violates security best practices and the principle of least privilege.
Detection Strategy
• Inspects Security Group ingress and egress rules in CloudFormation templates
• Identifies rules where IpProtocol is set to '-1' or configured to allow all protocols
• Reports a security issue when unrestricted protocol access is found in either ingress or egress rules
• Checks both ingress (inbound) and egress (outbound) rules for comprehensive analysis
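The detection strategy above, as an added example that is not Fluid Attacks' own scanner code: it walks the Resources of a parsed CloudFormation template (a JSON template here; a YAML template loaded into the same dict shape works identically), checks inline SecurityGroupIngress/SecurityGroupEgress rules and the standalone AWS::EC2::SecurityGroupIngress/Egress resource types, and flags any rule whose IpProtocol is -1 (as integer or string) or 'all'. The sample template and its logical IDs are constructed for the example.

```python
import json

# Constructed sample template (not from the original page): an all-protocol
# ingress rule, a restricted tcp/22 rule, and a standalone all-protocol egress.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "unsafeSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "allows all protocols",
      "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": "10.0.0.0/16"}]}},
    "secureSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "tcp/22 from one host",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                "CidrIp": "10.0.0.5/32"}]}},
    "openEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
      "GroupId": "sg-PLACEHOLDER", "IpProtocol": -1, "CidrIp": "0.0.0.0/0"}}
  }
}""")

# Inline rule lists inside AWS::EC2::SecurityGroup, and the standalone rule
# resource types, mapped to the direction reported in a finding.
INLINE_RULE_LISTS = {"SecurityGroupIngress": "ingress", "SecurityGroupEgress": "egress"}
STANDALONE_RULES = {"AWS::EC2::SecurityGroupIngress": "ingress",
                    "AWS::EC2::SecurityGroupEgress": "egress"}


def allows_all_protocols(rule):
    """True when IpProtocol is -1 (CloudFormation accepts int or string) or 'all'."""
    proto = rule.get("IpProtocol")
    return proto is not None and str(proto).strip().lower() in ("-1", "all")


def find_all_protocol_rules(template):
    """Return (logical_id, direction) for every rule that allows all IP protocols."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for key, direction in INLINE_RULE_LISTS.items():
                for rule in props.get(key, []):
                    if allows_all_protocols(rule):
                        findings.append((logical_id, direction))
        elif rtype in STANDALONE_RULES and allows_all_protocols(props):
            findings.append((logical_id, STANDALONE_RULES[rtype]))
    return findings


if __name__ == "__main__":
    for logical_id, direction in find_all_protocol_rules(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {direction} rule allows all IP protocols")
```

The restricted tcp/22 group produces no finding; both the inline "-1" ingress rule and the standalone integer -1 egress resource are reported.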
Vulnerable code example
Resources:
  unsafeSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Insecure security group with overly permissive rules
      SecurityGroupIngress:
        - CidrIp: 34.229.161.227/16 # Overly broad CIDR range
          FromPort: 22
          ...
✅ Secure code example
Resources:
  secureSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Secure security group with restricted rules
      SecurityGroupIngress:
        - CidrIp: 34.229.161.227/32 # Restricted to single IP instead of /16
          FromPort: 22
          ...