rspec/rules/S6463/python/rule.adoc
Pierre-Loup 770348d041
Avoid OWASP Top 10 security-standard mismatch between metadata and description links (RULEAPI-798) (#3537)
* Add check for security standard mismatch

* Fix security standard mismatches

* Fix Resources/Standards links for secrets rules

* Fix check

* Fix links and update security standard mapping

* Fix maintainability issue

* Apply review suggestions

* Apply suggestions from code review

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

* Fix typo

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>

---------

Co-authored-by: Egon Okerman <egon.okerman@sonarsource.com>
2024-01-17 17:20:28 +01:00


Allowing unrestricted outbound communications can lead to data leaks.

A restrictive security group is an additional layer of protection that might
prevent the abuse or exploitation of a resource. For example, an attacker who
has successfully exploited a vulnerability on the resource still needs an egress
path to exfiltrate data; an egress rule set that only allows a few trusted
destinations removes most of those paths.

When deciding if outgoing connections should be limited, consider that limiting
the connections results in additional administration and maintenance work.

== Ask Yourself Whether

* The resource has access to sensitive data.
* The resource is part of a private network.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

It is recommended to restrict outgoing connections to a set of trusted
destinations: disable the default "allow all outbound" behaviour explicitly and
add only the egress rules that the resource needs.

== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:

[source,python]
----
from aws_cdk import (
    aws_ec2 as ec2
)

ec2.SecurityGroup(  # Sensitive; allow_all_outbound is enabled by default
    self,
    "example",
    vpc=vpc
)
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:

[source,python]
----
from aws_cdk import (
    aws_ec2 as ec2
)

sg = ec2.SecurityGroup(
    self,
    "example",
    vpc=vpc,
    allow_all_outbound=False  # deny all egress unless a rule allows it
)
# Only HTTPS to a single trusted destination is allowed out.
sg.add_egress_rule(
    peer=ec2.Peer.ipv4("203.0.113.127/32"),
    connection=ec2.Port.tcp(443)
)
----

== See

* https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html[AWS Documentation] - Control traffic to resources using security groups
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

* Make sure that allowing unrestricted outbound communications is safe here.
* Omitting "allow_all_outbound" enables unrestricted outbound communications. Make sure it is safe here.

endif::env-github,rspecator-view[]
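The detection logic that the Sensitive Code Example and the two messages above describe, written out as a small checker over Python source with the standard `ast` module. This is an added example, not the SonarSource analyzer's implementation. It assumes a simplified matching rule (any call whose callee is named `SecurityGroup` is treated as the `aws_cdk.aws_ec2.SecurityGroup` constructor) and uses a constructed CDK stack fragment as its input. It reports the omitted-argument message when `allow_all_outbound` is absent (so the CDK default of allowing all outbound traffic applies) and the explicit message when it is set to the literal `True`; a call that receives a `**kwargs` splat is skipped rather than guessed at, and `allow_all_outbound=False` or a non-literal value is not reported.

```python
"""Added example: a minimal AST checker for the pattern this rule describes.

Illustrative code, not the SonarSource analyzer. It assumes a simplified
matching rule: any call whose callee is named ``SecurityGroup``
(``ec2.SecurityGroup(...)``, ``aws_ec2.SecurityGroup(...)`` or a bare
``SecurityGroup(...)``) is treated as the aws_cdk.aws_ec2 constructor.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# The two messages from the Implementation Specification above.
MSG_EXPLICIT = "Make sure that allowing unrestricted outbound communications is safe here."
MSG_OMITTED = (
    'Omitting "allow_all_outbound" enables unrestricted outbound '
    "communications. Make sure it is safe here."
)


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


def _is_security_group_call(call: ast.Call) -> bool:
    """True for `<anything>.SecurityGroup(...)` or a bare `SecurityGroup(...)`."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr == "SecurityGroup"
    return isinstance(func, ast.Name) and func.id == "SecurityGroup"


def find_unrestricted_egress(source: str) -> list[Finding]:
    """Report SecurityGroup constructions whose egress is left unrestricted,
    either explicitly (allow_all_outbound=True) or by relying on the CDK
    default (argument omitted). Results are sorted by line number."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_security_group_call(node)):
            continue
        kwarg = next((k for k in node.keywords if k.arg == "allow_all_outbound"), None)
        if kwarg is None:
            # A **opts splat may carry allow_all_outbound; a checker that
            # cannot see the value should stay silent rather than guess.
            if any(k.arg is None for k in node.keywords):
                continue
            findings.append(Finding(node.lineno, MSG_OMITTED))
        elif isinstance(kwarg.value, ast.Constant) and kwarg.value.value is True:
            findings.append(Finding(kwarg.value.lineno, MSG_EXPLICIT))
        # allow_all_outbound=False, or a value only known at deploy time: no report.
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input (not from the rule page): a CDK stack fragment
# covering the omitted, explicit-True, explicit-False and **kwargs cases.
SAMPLE_STACK = '''\
from aws_cdk import aws_ec2 as ec2

class NetStack:
    def build(self, vpc):
        sg_default = ec2.SecurityGroup(self, "default", vpc=vpc)
        sg_open = ec2.SecurityGroup(self, "open", vpc=vpc, allow_all_outbound=True)
        sg_locked = ec2.SecurityGroup(self, "locked", vpc=vpc, allow_all_outbound=False)
        sg_locked.add_egress_rule(ec2.Peer.ipv4("203.0.113.127/32"), ec2.Port.tcp(443))
        sg_splat = ec2.SecurityGroup(self, "splat", **self.opts)
'''

if __name__ == "__main__":
    for finding in find_unrestricted_egress(SAMPLE_STACK):
        print(f"line {finding.line}: {finding.message}")
```

Run against `SAMPLE_STACK`, the checker flags line 5 (argument omitted) and line 6 (explicit `True`) and stays quiet on the locked-down group, on the `add_egress_rule`, `Peer` and `Port` calls, and on the splatted call. A real analyzer would additionally resolve that the `SecurityGroup` name really comes from `aws_cdk.aws_ec2`; the name-only match here is the stated simplification.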