Create rule S6329: Assigning public IP address to an AWS resource is security-sensitive (#202)
parent ff4ca58e61
commit ab591b6b58
8
rules/S6329/ask-yourself.adoc
Normal file
@ -0,0 +1,8 @@
== Ask Yourself Whether

The instance launched in the VPC:

* doesn't need to communicate with the Internet.
* is not a public service.

There is a risk if you answered yes to any of those questions.
2
rules/S6329/cloudformation/metadata.json
Normal file
@ -0,0 +1,2 @@
{
}
45
rules/S6329/cloudformation/rule.adoc
Normal file
@ -0,0 +1,45 @@
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Noncompliant Code Example

DMS and EC2 instances have a public IP address assigned to them:

----
DMSInstance:
Type: AWS::DMS::ReplicationInstance
Properties:
PubliclyAccessible: true # sensitive, by default it's also set to true


EC2Instance:
Type: AWS::EC2::Instance
Properties:
NetworkInterfaces:
- AssociatePublicIpAddress: true # sensitive, by default it's also set to true
DeviceIndex: "0"
----

== Compliant Solution

DMS and EC2 instances doesn't have a public IP address:

----
DMSInstance:
Type: AWS::DMS::ReplicationInstance
Properties:
PubliclyAccessible: false


EC2Instance:
Type: AWS::EC2::Instance
Properties:
NetworkInterfaces:
- AssociatePublicIpAddress: false
DeviceIndex: "0"
----

include::../see.adoc[]
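Review bot: the `# sensitive, by default it's also set to true` comment on `AssociatePublicIpAddress` is only accurate for instances launched into a default subnet; for a network interface created at launch, CloudFormation otherwise leaves the public IPv4 assignment to the subnet's auto-assign setting, so consider rewording it to "by default it follows the subnet setting" or dropping the default claim for EC2 (the same comment on the DMS `PubliclyAccessible` property is fine, AWS documents its default as true). Minor: the Compliant Solution lead-in "DMS and EC2 instances doesn't have a public IP address" should read "don't have".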
2
rules/S6329/description.adoc
Normal file
@ -0,0 +1,2 @@
AWS resources that are launched into a VPC, such as EC2 or DMS instances, can have a private and public IP addresses. A public IP address allows the corresponding instance to send and receive Internet traffic through the Internet Gateway and therefore exposing it to potential malicious traffic like DDoS attacks.
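Review bot: grammar in the single sentence of this file: "can have a private and public IP addresses" should be "can have both a private and a public IP address", and "and therefore exposing it to potential malicious traffic" does not attach to the main clause; suggest "..., which exposes it to potentially malicious traffic such as DDoS attacks".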

39
rules/S6329/metadata.json
Normal file
@ -0,0 +1,39 @@
{
"title": "Assigning public IP address to an AWS resource is security-sensitive",
"type": "SECURITY_HOTSPOT",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
"cwe",
"owasp-a5"
],
"extra": {
"coveredLanguages": [

],
"replacementRules": [

]
},
"defaultSeverity": "Blocker",
"ruleSpecification": "RSPEC-6329",
"sqKey": "S6329",
"scope": "Main",
"securityStandards": {
"CWE": [
284
],
"OWASP": [
"A5"
],
"CIS": [
"3.3"
]
},
"defaultQualityProfiles": [
"Sonar way"
]
}
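Review bot: `coveredLanguages` is an empty array although this same commit adds cloudformation/ and terraform/ variants of the rule; if that field is maintained by hand rather than generated by tooling, it should list both. Also, `securityStandards.CIS` references "3.3" while see.adoc carries no CIS link, so either add the corresponding reference there or drop the CIS entry here to keep the two files consistent.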
4
rules/S6329/recommended.adoc
Normal file
@ -0,0 +1,4 @@
== Recommended Secure Coding Practices

It's recommended to avoid exposing instances on the Internet by assigning to them a public IP address, unless the instance is running a service designed to be publicly accessible, such as customer portals or e-commerce websites. To communicate with instances in another VPC, consider using https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html[VPC peering].
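Review bot: "by assigning to them a public IP address" reads awkwardly; suggest "by assigning them a public IP address". The paragraph also only covers the VPC-to-VPC case (VPC peering), while ask-yourself.adoc separates instances that need no Internet access from instances that are not public services; a sentence on how an instance can still reach the Internet for outbound traffic without a public IP (for example through a NAT gateway) would close that gap.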

6
rules/S6329/see.adoc
Normal file
@ -0,0 +1,6 @@
== See

* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html[AWS Documentation] - Amazon EC2 instance IP addressing
* https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html[AWS Documentation] - Public and private replication instances
* https://cwe.mitre.org/data/definitions/284.html[MITRE, CWE-284] - Improper Access Control
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
2
rules/S6329/terraform/metadata.json
Normal file
@ -0,0 +1,2 @@
{
}
35
rules/S6329/terraform/rule.adoc
Normal file
@ -0,0 +1,35 @@
include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Noncompliant Code Example

DMS and EC2 instances have a public IP address assigned to them:

----
resource "aws_instance" "noncompliantec2" {
associate_public_ip_address = true # Sensitive, by default it's also set to true
}

resource "aws_dms_replication_instance" "noncompliantdms" {
publicly_accessible = true # Sensitive, by default it's also set to true
}
----

== Compliant Solution

DMS and EC2 instances doesn't have a public IP address:

----
resource "aws_instance" "compliantec2" {
associate_public_ip_address = false
}

resource "aws_dms_replication_instance" "compliantdms" {
publicly_accessible = false
}
----

include::../see.adoc[]
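Review bot: the two "by default it's also set to true" comments need checking against the Terraform AWS provider rather than the AWS API: `associate_public_ip_address` on `aws_instance` has no provider default and follows the subnet's map-public-IP setting, and the provider documentation for `aws_dms_replication_instance` lists `publicly_accessible` with a default of false, which would make the DMS comment wrong here even though it holds for the CloudFormation variant. Minor: the Compliant Solution lead-in "instances doesn't have" should read "don't have".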