Terraform Security Group Unrestricted Ports
Description
Detects AWS Security Groups and Security Group Rules that have overly permissive port configurations allowing unrestricted network access. This represents a security risk as it could expose cloud resources to unauthorized access from the internet.
Detection Strategy
• Identifies Terraform resources of type 'aws_security_group' or 'aws_security_group_rule'
• Checks if security group rules allow unrestricted access (0.0.0.0/0 or ::/0) to any ports
• Examines ingress and egress rules for overly permissive port ranges
• Reports a vulnerability when a security group allows unrestricted access to sensitive ports from any source IP
Vulnerable code example
resource "aws_security_group" "vulnerable" {
  name   = "allow_all"
  vpc_id = "vpc-123"
  ingress {
    from_port   = 0             # Vulnerable: allows all ports
    to_port     = 65535         # Vulnerable: allows all ports
    protocol    = "-1"          # Vulnerable: allows all protocols
    cidr_blocks = ["0.0.0.0/0"] # Vulnerable: reachable from any source IP
  }
}
✅ Secure code example
resource "aws_security_group" "secure" {
  name        = "allow_specific" # More descriptive name reflecting limited access
  vpc_id      = "vpc-123"
  description = "Allow specific TLS inbound traffic"
  ingress {
    from_port = 443   # Restrict to HTTPS port only
    to_port   = 443   # Only allow the specific required port
    protocol  = "tcp" # TLS runs over TCP; no "-1" wildcard
    # cidr_blocks not shown in this excerpt; list only the sources that need access
  }
}
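The detection strategy above, worked through as an added example (not Fluid Attacks' own checker): a small scanner that parses inline ingress/egress blocks of aws_security_group resources in HCL text, keeps only rules whose source is 0.0.0.0/0 or ::/0, and flags those that open every protocol, the full port range, or a port from a sensitive-ports list. The sensitive-ports list and the sample HCL are this example's own assumptions, modelled on the page's two snippets; standalone aws_security_group_rule resources are not parsed here.

```python
import re

SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433}  # assumption: this example's own list
UNRESTRICTED = {"0.0.0.0/0", "::/0"}
_HEADER = re.compile(r'resource\s+"aws_security_group"\s+"([^"]+)"\s*\{')
_RULE = re.compile(r'\b(ingress|egress)\s*\{(.*?)\n\s*\}', re.S)
_ATTR = re.compile(r'^\s*(\w+)\s*=\s*([^#\n]+)', re.M)  # key = value, comment dropped

def check_hcl(text):
    """Return (resource, direction, from_port, to_port, protocol, cidr) for each risky rule."""
    findings = []
    parts = _HEADER.split(text)  # [prefix, name1, body1, name2, body2, ...]
    for name, body in zip(parts[1::2], parts[2::2]):
        for direction, rule in _RULE.findall(body):
            a = {k: v.strip() for k, v in _ATTR.findall(rule)}
            cidrs = re.findall(r'"([^"]+)"', a.get("cidr_blocks", "") + a.get("ipv6_cidr_blocks", ""))
            open_cidrs = [c for c in cidrs if c in UNRESTRICTED]  # world-reachable sources only
            proto = a.get("protocol", "tcp").strip('"')
            lo, hi = int(a.get("from_port", 0)), int(a.get("to_port", 0))
            risky = proto == "-1" or (lo, hi) == (0, 65535) or any(lo <= p <= hi for p in SENSITIVE_PORTS)
            if risky:
                findings.extend((name, direction, lo, hi, proto, c) for c in open_cidrs)
    return findings

# Constructed sample modelled on the page's two examples (not the page's own text).
SAMPLE = '''
resource "aws_security_group" "vulnerable" {
  ingress {
    from_port   = 0       # all ports
    to_port     = 65535
    protocol    = "-1"    # all protocols
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "secure" {
  ingress {
    from_port   = 443     # public HTTPS: not flagged
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 22      # SSH only from a private range: not flagged
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}
'''
```

Calling `check_hcl(SAMPLE)` yields exactly one finding, for the "vulnerable" group's ingress rule; the 443 rule passes because the port is not in the sensitive list, and the SSH rule passes because its source is not unrestricted.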