include::../description.adoc[] include::../ask-yourself.adoc[] include::../recommended.adoc[] == Sensitive Code Example For AWS: [source,terraform] ---- resource "aws_instance" "example" { associate_public_ip_address = true # Sensitive } ---- [source,terraform] ---- resource "aws_dms_replication_instance" "example" { publicly_accessible = true # Sensitive } ---- For Azure: [source,terraform] ---- resource "azurerm_postgresql_server" "example" { public_network_access_enabled = true # Sensitive } ---- [source,terraform] ---- resource "azurerm_postgresql_server" "example" { public_network_access_enabled = true # Sensitive } ---- [source,terraform] ---- resource "azurerm_kubernetes_cluster" "production" { api_server_authorized_ip_ranges = ["176.0.0.0/4"] # Sensitive default_node_pool { enable_node_public_ip = true # Sensitive } } ---- For GCP: [source,terraform] ---- resource "google_compute_instance" "example" { network_interface { network = "default" access_config { # Sensitive # Ephemeral public IP } } ---- == Compliant Solution For AWS: [source,terraform] ---- resource "aws_instance" "example" { associate_public_ip_address = false } ---- [source,terraform] ---- resource "aws_dms_replication_instance" "example" { publicly_accessible = false } ---- For Azure: [source,terraform] ---- resource "azurerm_postgresql_server" "example" { public_network_access_enabled = false } ---- [source,terraform] ---- resource "azurerm_kubernetes_cluster" "production" { api_server_authorized_ip_ranges = ["192.168.0.0/16"] default_node_pool { enable_node_public_ip = false } } ---- For GCP: [source,terraform] ---- resource "google_compute_instance" "example" { network_interface { network = google_compute_network.vpc_network_example.name } } ---- Note that setting `network="default"` in the network interface block leads to other security problems such as removal of logging, Cloud VPN/VPC network peering, and the addition of insecure firewall rules. + A safer alternative includes creating a specific VPC or subnetwork and enforce security measures. include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) === Message * Omitting "{parameter}" allows network access from the Internet. Make sure it is safe here. * Make sure allowing public network access is safe here. * For the application_gateway and network_interface resources: ** Make sure it is safe to use this public IP address. * For the kubernetes_cluster {api_server_authorized_ip_ranges} parameter and all firewall_rule resources: ** Make sure that allowing public IP addresses is safe here. === Highlighting * If {parameter} is missing, highlight the resource. * If the assignment is non-compliant, highlight the entire assignment endif::env-github,rspecator-view[]