Json Yaml Unrestricted Cidrs In Security Group
Description
Detects unrestricted CIDR ranges (like 0.0.0.0/0 or ::/0) in AWS CloudFormation security group ingress rules. These overly permissive network access rules can expose AWS resources to access from any IP address, creating potential security vulnerabilities.
Detection Strategy
• Check AWS CloudFormation template files for security group definitions
• Inspect ingress rules within security groups for CIDR IP range specifications
• Flag security group rules that allow inbound access from unrestricted CIDR ranges (0.0.0.0/0 or ::/0)
• Report vulnerability when unrestricted CIDRs are found in ingress rules
Vulnerable code example
Resources:
  mySecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Vulnerable security group
      SecurityGroupIngress:
        - CidrIp: 0.0.0.0/0 # Vulnerable: allows inbound access from any IPv4 address
          FromPort: 22
...
✅ Secure code example
Parameters:
  AllowedIpv4Cidr:
    Type: String
    Description: Allowed IPv4 CIDR range for SSH access
    Default: 10.0.0.0/16 # Restrict to internal network range
  AllowedIpv6Cidr:
    Type: String
    Description: Allowed IPv6 CIDR range
...
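The detection strategy above, carried out in working code as an added example (not Fluid Attacks' own rule implementation): it walks a CloudFormation template in JSON form and flags ingress rules whose CidrIp or CidrIpv6 has prefix length 0, which generalizes the page's two literal values to any spelling of an all-addresses range. The sample template, its resource names, and the handling of standalone AWS::EC2::SecurityGroupIngress resources are constructed assumptions.

```python
import ipaddress
import json

def is_unrestricted(cidr):
    """True when the CIDR has prefix length 0 (0.0.0.0/0, ::/0, or spellings like ::0/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a literal CIDR, e.g. an intrinsic such as {"Ref": ...}

def find_unrestricted_ingress(template):
    """Return (resource, cidr, from_port, to_port) for every ingress rule with an
    unrestricted CidrIp/CidrIpv6, in inline lists and standalone Ingress resources."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # standalone rule attached to a group by GroupId
        else:
            continue
        for rule in rules:
            for key in ("CidrIp", "CidrIpv6"):
                cidr = rule.get(key)
                if isinstance(cidr, str) and is_unrestricted(cidr):
                    findings.append((name, cidr, rule.get("FromPort"), rule.get("ToPort")))
    return findings

# Constructed sample (JSON form of a CloudFormation template): two unrestricted
# rules, one restricted rule, and one whose CIDR is a Ref to a parameter.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "mySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Vulnerable security group",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "::/0"},
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"}]}},
    "sshFromParam": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {"GroupId": {"Ref": "mySecurityGroup"}, "IpProtocol": "tcp",
                     "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AllowedIpv4Cidr"}}}}}""")

if __name__ == "__main__":
    for name, cidr, lo, hi in find_unrestricted_ingress(SAMPLE_TEMPLATE):
        print(f"{name}: unrestricted CIDR {cidr} on ports {lo}-{hi}")
```

A YAML template needs a loader that understands CloudFormation intrinsic tags such as !Ref before the same check can run over the parsed dictionary; a parameter reference is skipped here because it is not a literal CIDR, so its Default value would have to be inspected separately.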