Terraform Unrestricted Ip Protocols
Description
Detects AWS security group configurations that allow unrestricted IP protocols (-1 or all) in ingress/egress rules. Such configurations can expose EC2 instances to all network protocol types, potentially allowing malicious traffic and attacks.
Detection Strategy
• Identifies AWS security group resources by checking for 'aws_security_group' or 'aws_security_group_rule' resource types
• Examines the ingress and egress rules within security groups for protocol specifications
• Reports a vulnerability when a security group rule allows all protocols (-1) or has no protocol restriction specified
• Focuses on Terraform AWS provider resources in Infrastructure as Code files
Vulnerable code example
resource "aws_security_group" "example" {
name = "example"
vpc_id = "vpc-123"
egress {
from_port = 443
to_port = 443
protocol = "-1" # Vulnerable: protocol "-1" allows ALL protocols, too permissive...✅ Secure code example
resource "aws_security_group" "example" {
name = "example"
description = "Allow specific HTTPS egress traffic" # Added description
vpc_id = "vpc-123"
egress {
from_port = 443
to_port = 443...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.