Terraform All Ports Open To World
Description
Detects misconfigured AWS security groups in Terraform whose rules allow IP ranges outside the RFC1918 private address space. This can expose AWS resources to unauthorized networks beyond the intended private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
Detection Strategy
• Scans Terraform configuration files for AWS security group and security group rule resources
• Identifies 'aws_security_group', 'aws_security_group_rule', and their ingress/egress rules
• Analyzes the CIDR blocks and IP ranges defined in the security group rules
• Reports a vulnerability when security group rules use IP ranges outside of RFC1918 private address spaces
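As an added example (not the page's or Fluid Attacks' own scanner), a minimal Python check that applies the strategy above to a constructed Terraform snippet: it reads flat aws_security_group_rule blocks, flags every cidr_blocks entry outside RFC1918 space, and records whether the rule also opens all ports (protocol "-1" or 0-65535). The third rule in the sample is an assumption added to show a port-restricted rule with a mixed private/public source list.

```python
import ipaddress
import re
# Constructed sample (not the page's code): the page's two rules plus a port-restricted rule with a public /24
SAMPLE_TF = '''
resource "aws_security_group_rule" "vulnerable" {
  from_port   = 0
  to_port     = 65535
  protocol    = "-1"
  cidr_blocks = ["0.0.0.0/0"]   # any source, any port
}
resource "aws_security_group_rule" "secure" {
  from_port   = 443
  to_port     = 443
  protocol    = "tcp"
  cidr_blocks = ["10.0.0.0/16"]
}
resource "aws_security_group_rule" "office" {
  from_port   = 22
  to_port     = 22
  protocol    = "tcp"
  cidr_blocks = ["192.168.1.0/24", "203.0.113.0/24"]
}
'''

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCK_RE = re.compile(r'resource\s+"aws_security_group_rule"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*(?:#.*)?$', re.M)  # one attribute per line, trailing comment dropped

def parse_rules(text):
    # Minimal reader for flat rule blocks: quoted lists become Python lists, scalars lose their quotes
    rules = []
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for key, raw in ATTR_RE.findall(body):
            attrs[key] = re.findall(r'"([^"]*)"', raw) if raw.startswith("[") else raw.strip('"')
        rules.append((name, attrs))
    return rules

def is_rfc1918(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in RFC1918)

def find_exposed_rules(text):
    # Report every rule with a source CIDR outside RFC1918; note when it also opens all ports
    findings = []
    for name, a in parse_rules(text):
        public = [c for c in a.get("cidr_blocks", []) if not is_rfc1918(c)]
        if public:
            all_ports = a.get("protocol") == "-1" or (a.get("from_port") == "0" and a.get("to_port") == "65535")
            findings.append({"rule": name, "sources": public, "all_ports": all_ports})
    return findings
```

Running find_exposed_rules(SAMPLE_TF) reports "vulnerable" (all ports, 0.0.0.0/0) and "office" (203.0.113.0/24 only) and leaves "secure" unflagged.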
Vulnerable code example
resource "aws_security_group_rule" "vulnerable" {
  security_group_id = "sg-123456"
  type              = "ingress"
  from_port         = 0              # Vulnerable: allows ALL ports (start range)
  to_port           = 65535          # Vulnerable: allows ALL ports (end range)
  protocol          = "-1"           # Vulnerable: allows ALL protocols
  cidr_blocks       = ["0.0.0.0/0"]  # Vulnerable: allows access from ANY IP address
}
✅ Secure code example
resource "aws_security_group_rule" "secure" {
  security_group_id = "sg-123456"
  type              = "ingress"
  from_port         = 443              # Only allow HTTPS port
  to_port           = 443              # Restrict to single required port
  protocol          = "tcp"            # Specify exact protocol needed
  cidr_blocks       = ["10.0.0.0/16"]  # Restrict to internal network range only
}