Why is this an issue?
Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and
outbound traffic.
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services
traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.
Recommended Secure Coding Practices
It’s recommended to restrict access to remote administration services to only trusted IP addresses. In practice, trusted IP addresses are those
held by system administrators or those of bastion-like
servers.
Noncompliant code example
An ingress rule allowing all inbound SSH traffic:
MySecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "noncompliant"
VpcId: !Ref myVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22 # SSH traffic
CidrIp: "0.0.0.0/0" # from all IP addresses is authorized
Compliant solution
An ingress rule allowing inbound SSH traffic from specific IP addresses:
MySecurityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
GroupDescription: "compliant"
VpcId: !Ref myVPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: "1.2.3.0/24"
Resources
