No Public Ingress Sgr | Vulnerability Database

An ingress security group rule allows traffic from /0.

Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

Impact

Your port exposed to the internet

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Set a more restrictive cidr range

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


AWSTemplateFormatVersion: 2010-09-09
Description: Good example of ingress rule
Resources:
  BadSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
      SecurityGroupIngress:
      - CidrIp: 127.0.0.1/32
        IpProtocol: "6"

Set a more restrictive cidr range

1
2
3
4
5


 resource "aws_security_group_rule" "good_example" {
 	type = "ingress"
 	cidr_blocks = ["10.0.0.0/16"]
 }
 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


resource "aws_security_group_rule" "allow_partner_rsync" {
  type              = "ingress"
  security_group_id = aws_security_group.….id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks = [
    "1.2.3.4/32",
    "4.5.6.7/32",
  ]
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks