
Fix check for public addresses #100

Closed

Conversation

kidbomb

@kidbomb kidbomb commented Mar 19, 2024

According to the check documentation:

Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible

However, the check fails even if you try to set the cidr_blocks parameter to a more restrictive range, such as:

resource "aws_security_group_rule" "another_good_example" {
  type = "ingress"
  cidr_blocks = ["1.2.3.4/24"]
}

Running trivy config . with the configuration above yields:

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════════════════════════════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────────────────────────────────────────────────────────────────
 main.tf:3
   via main.tf:1-4 (aws_security_group_rule.another_good_example)
────────────────────────────────────────────────────────────────────────────────────────────────────
   1    resource "aws_security_group_rule" "another_good_example" {
   2     type = "ingress"
   3 [   cidr_blocks = ["1.2.3.4/24"]
   4    }

@kidbomb kidbomb requested a review from simar7 as a code owner March 19, 2024 22:33
@CLAassistant

CLAassistant commented Mar 19, 2024

CLA assistant check
All committers have signed the CLA.

@nikpivkin
Contributor

@simar7 We check the CIDR for publicity in many checks. Should we fix them?

@simar7
Member

simar7 commented Mar 26, 2024

@simar7 We check the CIDR for publicity in many checks. Should we fix them?

Can you give an example and the proposed improvement?

@nikpivkin
Contributor

@simar7 I mean this PR makes an improvement only for one check, but we have many similar checks related to CIDR.

@nikpivkin
Contributor

@simar7 I can fix the rest of the checks in a separate PR.

@nikpivkin
Contributor

@kidbomb Thanks for the PR! We are bringing AVD-AWS-0107 and AVD-AWS-0105 checks in line with AWS CIS Benchmarks, so our changes will fix this.

@nikpivkin nikpivkin closed this Sep 20, 2024
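The thread above turns on two different meanings of "public": the original check treats any range outside the private/loopback/link-local space as public (so 1.2.3.4/24 is flagged), while the CIS-aligned version only cares about an unrestricted 0.0.0.0/0 or ::/0. The Go program below is an added example, not trivy's or defsec's own code, and it reconstructs both rules side by side. The list of private prefixes, the function names and the sample cidr_blocks are assumptions made for the example; the first entry is the CIDR from the PR description.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Constructed sample input: the cidr_blocks entry from the PR description plus
// a few extra ranges chosen to show where the two interpretations disagree.
var sampleCIDRBlocks = []string{
	"1.2.3.4/24",     // the PR's "another_good_example"
	"0.0.0.0/0",      // unrestricted IPv4
	"::/0",           // unrestricted IPv6
	"10.0.0.0/8",     // RFC 1918, private
	"203.0.113.0/24", // public documentation range (TEST-NET-3)
}

// privatePrefixes is an assumed list of ranges a "not public" classification
// would skip. It reconstructs the pre-fix behaviour described in the thread
// and is not trivy's own table.
var privatePrefixes = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"),
	netip.MustParsePrefix("fc00::/7"),
	netip.MustParsePrefix("fe80::/10"),
	netip.MustParsePrefix("::1/128"),
}

// IsPublicCIDR reports whether the block is NOT entirely contained in one of
// the private ranges. This is the broad rule that flags 1.2.3.4/24 even
// though that range is far narrower than 0.0.0.0/0.
func IsPublicCIDR(s string) (bool, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return false, err
	}
	// 1.2.3.4/24 has host bits set; canonicalise to 1.2.3.0/24 before comparing.
	p = p.Masked()
	for _, priv := range privatePrefixes {
		// Contains is false across address families, so IPv4 and IPv6 never mix.
		if priv.Contains(p.Addr()) && priv.Bits() <= p.Bits() {
			return false, nil // block sits entirely inside a private range
		}
	}
	return true, nil
}

// IsUnrestrictedCIDR reports whether the block is the whole address space
// (0.0.0.0/0 or ::/0), which is the only case a CIS-style rule flags.
func IsUnrestrictedCIDR(s string) (bool, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return false, err
	}
	return p.Bits() == 0, nil
}

// Finding records how each rule judges one cidr_blocks entry.
type Finding struct {
	CIDR         string
	Public       bool // broad rule would flag this entry
	Unrestricted bool // CIS-style rule would flag this entry
}

// EvaluateIngress applies both rules to an ingress rule's cidr_blocks.
// An unparsable entry is an error rather than a silent "restricted" pass.
func EvaluateIngress(cidrBlocks []string) ([]Finding, error) {
	out := make([]Finding, 0, len(cidrBlocks))
	for _, c := range cidrBlocks {
		pub, err := IsPublicCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("cidr_blocks entry %q: %w", c, err)
		}
		unr, _ := IsUnrestrictedCIDR(c) // already known to parse
		out = append(out, Finding{CIDR: c, Public: pub, Unrestricted: unr})
	}
	return out, nil
}

func main() {
	findings, err := EvaluateIngress(sampleCIDRBlocks)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s public=%-5v unrestricted=%v\n", f.CIDR, f.Public, f.Unrestricted)
	}
}
```

Running it shows the disagreement the PR reports: 1.2.3.4/24 and 203.0.113.0/24 are "public" under the broad rule but not "unrestricted", while 0.0.0.0/0 and ::/0 are flagged by both. Note that the broad rule is not wrong as a hardening heuristic, it is simply a different and stricter policy than the check's own description promises.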