2021-09-13 14:01:24 +02:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
== Sensitive Code Example
|
2021-09-13 14:01:24 +02:00
|
|
|
|
2022-03-03 09:41:02 +01:00
|
|
|
For AWS:
|
|
|
|
|
|
|
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "aws_instance" "example" {
|
|
|
|
|
associate_public_ip_address = true # Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "aws_dms_replication_instance" "example" {
|
|
|
|
|
publicly_accessible = true # Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
For Azure:
|
2021-09-13 14:01:24 +02:00
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,terraform]
|
2021-09-13 14:01:24 +02:00
|
|
|
----
|
2022-02-07 11:00:36 +01:00
|
|
|
resource "azurerm_postgresql_server" "example" {
|
|
|
|
|
public_network_access_enabled = true # Sensitive
|
2021-09-13 14:01:24 +02:00
|
|
|
}
|
2022-02-07 11:00:36 +01:00
|
|
|
----
|
2022-03-03 09:41:02 +01:00
|
|
|
|
|
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "azurerm_postgresql_server" "example" {
|
|
|
|
|
public_network_access_enabled = true # Sensitive
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "azurerm_kubernetes_cluster" "production" {
|
|
|
|
|
api_server_authorized_ip_ranges = ["176.0.0.0/4"] # Sensitive
|
|
|
|
|
default_node_pool {
|
|
|
|
|
enable_node_public_ip = true # Sensitive
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
2021-09-13 14:01:24 +02:00
|
|
|
|
2022-03-03 09:41:02 +01:00
|
|
|
For GCP:
|
|
|
|
|
|
|
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "google_compute_instance" "example" {
|
|
|
|
|
network_interface {
|
|
|
|
|
network = "default"
|
|
|
|
|
|
|
|
|
|
access_config { # Sensitive
|
|
|
|
|
# Ephemeral public IP
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
For AWS:
|
2022-03-03 09:41:02 +01:00
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "aws_instance" "example" {
|
2022-03-03 09:41:02 +01:00
|
|
|
associate_public_ip_address = false
|
2022-02-07 11:00:36 +01:00
|
|
|
}
|
|
|
|
|
----
|
2022-03-03 09:41:02 +01:00
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "aws_dms_replication_instance" "example" {
|
2022-03-03 09:41:02 +01:00
|
|
|
publicly_accessible = false
|
2021-09-13 14:01:24 +02:00
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
For Azure:
|
2021-09-13 14:01:24 +02:00
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,terraform]
|
2021-09-13 14:01:24 +02:00
|
|
|
----
|
2022-02-07 11:00:36 +01:00
|
|
|
resource "azurerm_postgresql_server" "example" {
|
|
|
|
|
public_network_access_enabled = false
|
|
|
|
|
}
|
|
|
|
|
----
|
2022-03-03 09:41:02 +01:00
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
[source,terraform]
|
|
|
|
|
----
|
|
|
|
|
resource "azurerm_kubernetes_cluster" "production" {
|
|
|
|
|
api_server_authorized_ip_ranges = ["192.168.0.0/16"]
|
|
|
|
|
default_node_pool {
|
|
|
|
|
enable_node_public_ip = false
|
|
|
|
|
}
|
2021-09-13 14:01:24 +02:00
|
|
|
}
|
2022-02-07 11:00:36 +01:00
|
|
|
----
|
2021-09-13 14:01:24 +02:00
|
|
|
|
2022-03-03 09:41:02 +01:00
|
|
|
For GCP:
|
|
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
[source,terraform]
|
|
|
|
|
----
|
2022-03-03 09:41:02 +01:00
|
|
|
resource "google_compute_instance" "example" {
|
|
|
|
|
network_interface {
|
2023-07-19 15:26:54 +02:00
|
|
|
network = google_compute_network.vpc_network_example.name
|
2022-03-03 09:41:02 +01:00
|
|
|
}
|
2021-09-13 14:01:24 +02:00
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
2023-07-19 15:26:54 +02:00
|
|
|
Note that setting `network="default"` in the network interface block leads to
|
|
|
|
|
other security problems such as removal of logging, Cloud VPN/VPC network
|
|
|
|
|
peering, and the addition of insecure firewall rules. +
|
|
|
|
|
A safer alternative includes creating a specific VPC or subnetwork and enforce
|
|
|
|
|
security measures.
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
include::../see.adoc[]
|
2022-02-07 11:00:36 +01:00
|
|
|
|
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
2023-05-25 14:18:12 +02:00
|
|
|
=== Message
|
|
|
|
|
|
|
|
|
|
* Omitting "{parameter}" allows network access from the Internet. Make sure it is safe here.
|
|
|
|
|
* Make sure allowing public network access is safe here.
|
|
|
|
|
|
|
|
|
|
* For the application_gateway and network_interface resources:
|
|
|
|
|
** Make sure it is safe to use this public IP address.
|
|
|
|
|
* For the kubernetes_cluster {api_server_authorized_ip_ranges} parameter and all firewall_rule resources:
|
|
|
|
|
** Make sure that allowing public IP addresses is safe here.
|
|
|
|
|
|
2022-02-07 11:00:36 +01:00
|
|
|
|
|
|
|
|
=== Highlighting
|
|
|
|
|
|
|
|
|
|
* If {parameter} is missing, highlight the resource.
|
|
|
|
|
* If the assignment is non-compliant, highlight the entire assignment
|
|
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|
