No Public Ingress Sgr | Vulnerability Database

An ingress security group rule allows traffic from /0.

Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

Impact

Your port exposed to the internet

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Set a more restrictive cidr range

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


AWSTemplateFormatVersion: 2010-09-09
Description: Good example of ingress rule
Resources:
  BadSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Limits security group egress traffic
      SecurityGroupIngress:
      - CidrIp: 127.0.0.1/32
        IpProtocol: "6"

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/

In the left pane, choose Security groups.
Select a security group.
In the bottom section of the page, choose the Inbound Rules tab.
Choose Edit rules.
Identify the rule that allows access through port 3389 and then choose the X to remove it.
Choose Save rules.

Set a more restrictive cidr range

1
2
3
4
5


 resource "aws_security_group_rule" "good_example" {
 	type = "ingress"
 	cidr_blocks = ["10.0.0.0/16"]
 }
 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


resource "aws_security_group_rule" "allow_partner_rsync" {
  type              = "ingress"
  security_group_id = aws_security_group.….id
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks = [
    "1.2.3.4/32",
    "4.5.6.7/32",
  ]
}

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks