EC2 security group has unrestricted traffic access

ID: aws_ec2_group_unrestricted_traffic

Severity: critical

Vendor: AWS

Resource: Network

Tags: reachable

Description

EC2 security group has unrestricted traffic access. Unrestricted access can increase opportunities for malicious activities.

To fix it, configure source ranges other than cidr_ip=0.0.0.0/0 or cidr_ipv6=::/0, and restrict the port range to the minimum the service needs: do not use from_port=0 together with to_port=65535, and do not use from_port=-1 or to_port=-1.

Learn more about this topic at AWS CIDR subnet reservation.
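The conditions above can be checked mechanically before a playbook is applied. The following is an added example, not the check's own implementation: it walks a parsed playbook, finds amazon.aws.ec2_security_group tasks (the legacy short name ec2_group is also accepted), and flags any rule that combines an any-source CIDR (0.0.0.0/0 or ::/0) with an unrestricted port range (from_port=0 and to_port=65535, or -1 on either end). Treating the check as the combination of the two conditions is an assumption made here; the two playbooks from this page are embedded as already-parsed dicts (constructed sample input) so the script runs offline without PyYAML.

```python
"""Added example: flag amazon.aws.ec2_security_group rules that combine an
any-source CIDR with an unrestricted port range, as the description defines it."""
import ipaddress


def cidr_is_open(cidr):
    """True when the CIDR covers every address of its family (0.0.0.0/0 or ::/0)."""
    try:
        network = ipaddress.ip_network(str(cidr), strict=False)
    except ValueError:
        return False  # malformed values are left to the module's own validation
    return network.prefixlen == 0


def _as_int(value):
    """Ports may arrive as ints or as strings from YAML; None if absent or not numeric."""
    if value is None:
        return None
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def ports_are_unrestricted(rule):
    """Port conditions from the description: -1 on either end, or the full 0-65535 range."""
    from_port = _as_int(rule.get("from_port"))
    to_port = _as_int(rule.get("to_port"))
    if from_port == -1 or to_port == -1:
        return True
    return from_port == 0 and to_port == 65535


def rule_sources(rule):
    """All source CIDRs on a rule; the module accepts a single string or a list per key."""
    sources = []
    for key in ("cidr_ip", "cidr_ipv6"):
        value = rule.get(key)
        if value is None:
            continue
        sources.extend(value if isinstance(value, list) else [value])
    return sources


def rule_is_unrestricted(rule):
    """Assumption: the check fires on the combination of any-source CIDR AND open ports,
    which is exactly what differs between the vulnerable and the fixed playbook."""
    if not any(cidr_is_open(src) for src in rule_sources(rule)):
        return False
    return ports_are_unrestricted(rule)


def find_unrestricted_rules(playbook):
    """Walk a parsed playbook (list of plays); return (task name, rule index) per flagged rule."""
    findings = []
    for play in playbook:
        for task in play.get("tasks", []) or []:
            # accept the FQCN and the legacy short name of the module
            params = task.get("amazon.aws.ec2_security_group") or task.get("ec2_group") or {}
            for index, rule in enumerate(params.get("rules", []) or []):
                if rule_is_unrestricted(rule):
                    findings.append((task.get("name", "<unnamed task>"), index))
    return findings


# Constructed sample input: the two playbooks from this page, already parsed into dicts
# (a real scanner would obtain these from yaml.safe_load on the playbook file).
VULNERABLE_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{
        "name": "example using ICMP types and codes",
        "amazon.aws.ec2_security_group": {
            "name": "sg-example", "description": "sg for ICMP",
            "rules": [{"proto": "icmp", "icmp_type": 3, "icmp_code": 1,
                       "cidr_ip": "0.0.0.0/0", "from_port": -1}],
        },
    }],
}]

FIXED_PLAYBOOK = [{
    "name": "Example playbook",
    "hosts": "localhost",
    "tasks": [{
        "name": "example using ICMP types and codes",
        "amazon.aws.ec2_security_group": {
            "name": "sg-example", "description": "sg for ICMP",
            "rules": [{"proto": "icmp", "icmp_type": 3, "icmp_code": 1,
                       "cidr_ip": "172.16.0.0/12", "from_port": 80, "to_port": 80}],
        },
    }],
}]

if __name__ == "__main__":
    for label, playbook in (("vulnerable", VULNERABLE_PLAYBOOK), ("fixed", FIXED_PLAYBOOK)):
        print(label, find_unrestricted_rules(playbook))
```

Running the script reports the vulnerable playbook's single rule and nothing for the fixed one. Because prefix length is taken from ipaddress rather than a string compare, spellings such as 10.0.0.0/0 (which normalises to 0.0.0.0/0) are caught as well.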

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example using ICMP types and codes
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg for ICMP
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: icmp
            icmp_type: 3
            icmp_code: 1
            cidr_ip: 0.0.0.0/0   # any IPv4 source: unrestricted
            from_port: -1        # -1 means no port restriction

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: example using ICMP types and codes
      amazon.aws.ec2_security_group:
        name: "{{ name }}"
        description: sg for ICMP
        vpc_id: vpc-xxxxxxxx
        profile: "{{ aws_profile }}"
        region: us-east-1
        rules:
          - proto: icmp
            icmp_type: 3
            icmp_code: 1
            cidr_ip: 172.16.0.0/12   # specific source range instead of 0.0.0.0/0
            from_port: 80            # explicit, minimal port range
            to_port: 80