Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and
outbound traffic.
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services
traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.
It’s recommended to restrict access to remote administration services to only trusted IP addresses. In practice, trusted IP addresses are those held by system administrators or those of bastion-like servers.
For aws-cdk-lib.aws_ec2.Instance and other constructs
that support a connections attribute:
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const instance = new ec2.Instance(this, "default-own-security-group",{
instanceType: nanoT2,
machineImage: ec2.MachineImage.latestAmazonLinux(),
vpc: vpc,
instanceName: "test-instance"
})
instance.connections.allowFrom(
ec2.Peer.anyIpv4(), // Noncompliant
ec2.Port.tcp(22),
/*description*/ "Allows SSH from all IPv4"
)
For aws-cdk-lib.aws_ec2.SecurityGroup
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const securityGroup = new ec2.SecurityGroup(this, "custom-security-group", {
vpc: vpc
})
securityGroup.addIngressRule(
ec2.Peer.anyIpv4(), // Noncompliant
ec2.Port.tcpRange(1, 1024)
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroup
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnSecurityGroup(
this,
"cfn-based-security-group", {
groupDescription: "cfn based security group",
groupName: "cfn-based-security-group",
vpcId: vpc.vpcId,
securityGroupIngress: [
{
ipProtocol: "6",
cidrIp: "0.0.0.0/0", // Noncompliant
fromPort: 22,
toPort: 22
}
]
}
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnSecurityGroupIngress( // Noncompliant
this,
"ingress-all-ip-tcp-ssh", {
ipProtocol: "tcp",
cidrIp: "0.0.0.0/0",
fromPort: 22,
toPort: 22,
groupId: securityGroup.attrGroupId
})
For aws-cdk-lib.aws_ec2.Instance and other constructs
that support a connections attribute:
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const instance = new ec2.Instance(this, "default-own-security-group",{
instanceType: nanoT2,
machineImage: ec2.MachineImage.latestAmazonLinux(),
vpc: vpc,
instanceName: "test-instance"
})
instance.connections.allowFrom(
ec2.Peer.ipv4("192.0.2.0/24"),
ec2.Port.tcp(22),
/*description*/ "Allows SSH from a trusted range"
)
For aws-cdk-lib.aws_ec2.SecurityGroup
import {aws_ec2 as ec2} from 'aws-cdk-lib'
const securityGroup3 = new ec2.SecurityGroup(this, "custom-security-group", {
vpc: vpc
})
securityGroup3.addIngressRule(
ec2.Peer.anyIpv4(),
ec2.Port.tcpRange(1024, 1048)
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroup
import {aws_ec2 as ec2} from 'aws-cdk-lib'
new ec2.CfnSecurityGroup(
this,
"cfn-based-security-group", {
groupDescription: "cfn based security group",
groupName: "cfn-based-security-group",
vpcId: vpc.vpcId,
securityGroupIngress: [
{
ipProtocol: "6",
cidrIp: "192.0.2.0/24", // Compliant
fromPort: 22,
toPort: 22
}
]
}
)
For aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress
new ec2.CfnSecurityGroupIngress(
this,
"ingress-all-ipv4-tcp-http", {
ipProtocol: "6",
cidrIp: "0.0.0.0/0",
fromPort: 80,
toPort: 80,
groupId: securityGroup.attrGroupId
}
)