Terraform Security Group Open Cidrs
Description
Detects AWS security groups and security group rules that allow unrestricted network access through overly permissive CIDR ranges (like 0.0.0.0/0). This poses a security risk by potentially exposing AWS resources to access from any IP address on the internet.
Detection Strategy
• Identifies Terraform resources of type 'aws_security_group' or 'aws_security_group_rule'
• Examines the ingress and egress rules defined in these security group resources
• Checks if any rules use overly permissive CIDR ranges that allow unrestricted access
• Reports a vulnerability if security group rules allow access from unrestricted IP ranges
Vulnerable code example
resource "aws_security_group" "example" {
name = "allow_all"
vpc_id = "vpc-12345"
ingress {
from_port = 443
to_port = 443
protocol = "tcp"...✅ Secure code example
resource "aws_security_group" "example" {
name = "allow_specific" # More descriptive name
description = "Allow specific HTTPS inbound traffic"
vpc_id = "vpc-12345"
ingress {
from_port = 443
to_port = 443...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.