== Why is this an issue? include::../rationale.adoc[] include::../impact.adoc[] == How to fix it include::../common/how-to-fix-it/intro.adoc[] === Code examples ==== Noncompliant code example For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute: [source,javascript,diff-id=1,diff-type=noncompliant] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const instance = new ec2.Instance(this, "default-own-security-group",{ instanceType: nanoT2, machineImage: ec2.MachineImage.latestAmazonLinux(), vpc: vpc, instanceName: "test-instance" }) instance.connections.allowFrom( ec2.Peer.anyIpv4(), // Noncompliant ec2.Port.tcp(22), /*description*/ "Allows SSH from all IPv4" ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup] [source,javascript,diff-id=2,diff-type=noncompliant] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const securityGroup = new ec2.SecurityGroup(this, "custom-security-group", { vpc: vpc }) securityGroup.addIngressRule( ec2.Peer.anyIpv4(), // Noncompliant ec2.Port.tcpRange(1, 1024) ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup] [source,javascript,diff-id=3,diff-type=noncompliant] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnSecurityGroup( this, "cfn-based-security-group", { groupDescription: "cfn based security group", groupName: "cfn-based-security-group", vpcId: vpc.vpcId, securityGroupIngress: [ { ipProtocol: "6", cidrIp: "0.0.0.0/0", // Noncompliant fromPort: 22, toPort: 22 } ] } ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress] [source,javascript,diff-id=4,diff-type=noncompliant] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnSecurityGroupIngress( // Noncompliant this, "ingress-all-ip-tcp-ssh", { ipProtocol: "tcp", cidrIp: "0.0.0.0/0", fromPort: 22, toPort: 22, groupId: securityGroup.attrGroupId }) ---- ==== Compliant solution For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute: [source,javascript,diff-id=1,diff-type=compliant] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const instance = new ec2.Instance(this, "default-own-security-group",{ instanceType: nanoT2, machineImage: ec2.MachineImage.latestAmazonLinux(), vpc: vpc, instanceName: "test-instance" }) instance.connections.allowFrom( ec2.Peer.ipv4("192.0.2.0/24"), ec2.Port.tcp(22), /*description*/ "Allows SSH from a trusted range" ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup] [source,javascript,diff-id=2,diff-type=compliant] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const securityGroup3 = new ec2.SecurityGroup(this, "custom-security-group", { vpc: vpc }) securityGroup3.addIngressRule( ec2.Peer.anyIpv4(), ec2.Port.tcpRange(1024, 1048) ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup] [source,javascript,diff-id=3,diff-type=compliant] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnSecurityGroup( this, "cfn-based-security-group", { groupDescription: "cfn based security group", groupName: "cfn-based-security-group", vpcId: vpc.vpcId, securityGroupIngress: [ { ipProtocol: "6", cidrIp: "192.0.2.0/24", fromPort: 22, toPort: 22 } ] } ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress] [source,javascript,diff-id=4,diff-type=compliant] ---- new ec2.CfnSecurityGroupIngress( this, "ingress-all-ipv4-tcp-http", { ipProtocol: "6", cidrIp: "0.0.0.0/0", fromPort: 80, toPort: 80, groupId: securityGroup.attrGroupId } ) ---- == Resources include::../common/resources/docs.adoc[] include::../common/resources/articles.adoc[] include::../common/resources/presentations.adoc[] include::../common/resources/standards.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) == Message When a call to `allowFromAnyIpv4` or `allowDefaultPortFromAnyIpv4` is identified: * Change this method for `allowFrom` and set `other` to a subset of trusted IP addresses In any other case, when a dangerous peer definition is identified: * Change this IP range to a subset of trusted IP addresses. == Highlighting When a call to `allowFromAnyIpv4` or `allowDefaultPortFromAnyIpv4` is identified: * Highlight the method name In any other case, when a dangerous peer definition is identified: * Highlight the peer definition attribute, e.g. `cidrIp` for `IngressProperty`, `peer` parameter for `addIngressRule` calls, `other` for `allowFrom` calls, etc. ''' endif::env-github,rspecator-view[]