Ensure AWS security groups do not allow ingress from 0.0.0.0/0 to port 80

Error: AWS security groups allow ingress from 0.0.0.0/0 to port 80

Bridgecrew Policy ID: BC_AWS_NETWORKING_67
Checkov Check ID: CKV_AWS_260
Severity: LOW


Description

Allowing ingress from 0.0.0.0/0 to port 80 (i.e. the HTTP port) can expose your Amazon Web Services (AWS) resources to potential security threats. This is because 0.0.0.0/0 matches every IPv4 address, so a rule allowing it to reach port 80 lets any host on the internet connect to the service and makes it easier for attackers to access your resources.

By ensuring that your AWS security groups do not allow ingress from 0.0.0.0/0 to port 80, you can help protect your resources from potential attacks and unauthorized access. Instead, you should specify the IP addresses or ranges of IP addresses that are allowed to access your resources, and only allow traffic from those sources.

Fix - Buildtime

Terraform

resource "aws_security_group" "bar-sg" {
  name   = "sg-bar"
  vpc_id = aws_vpc.main.id

  # Port 80 is reachable only from members of another security group,
  # not from the 0.0.0.0/0 CIDR block that the check flags.
  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.foo-sg.id]
    description     = "foo"
  }

  # Outbound traffic is unrestricted; the check only covers ingress.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
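The detection logic behind this policy, written as an added example that is not Checkov's own implementation of CKV_AWS_260: it inspects a parsed aws_security_group resource (the dict shape and the sample resources are constructed here) and generalises the page's case to port ranges that include 80 and to protocol "-1", both of which also reach the HTTP port.

```python
"""Added example: flag aws_security_group ingress rules that open port 80 to 0.0.0.0/0."""
from typing import Any

OPEN_IPV4 = "0.0.0.0/0"
HTTP_PORT = 80


def rule_exposes_http(rule: dict[str, Any]) -> bool:
    """True if a single ingress block admits port 80 from 0.0.0.0/0.

    Goes beyond the page's exact case: a TCP range that contains 80, or
    protocol "-1" (all traffic), exposes the HTTP port just as a literal 80/80 does.
    """
    if OPEN_IPV4 not in (rule.get("cidr_blocks") or []):
        return False  # source is a security group or a narrower CIDR
    protocol = str(rule.get("protocol", "tcp")).lower()
    if protocol in ("-1", "all"):
        return True  # all protocols and ports, so port 80 is included
    if protocol not in ("tcp", "6"):
        return False  # UDP/ICMP rules do not reach an HTTP listener
    from_port = int(rule.get("from_port", 0))
    to_port = int(rule.get("to_port", 0))
    return from_port <= HTTP_PORT <= to_port


def check_security_group(resource: dict[str, Any]) -> str:
    """Return "FAILED" if any ingress block exposes port 80 to the world, else "PASSED"."""
    for rule in resource.get("ingress", []):
        if rule_exposes_http(rule):
            return "FAILED"
    return "PASSED"


# Constructed sample resources: the open 'before' state and the page's Terraform fix.
FAILING_SG = {
    "name": "sg-open",
    "ingress": [{"from_port": 80, "to_port": 80, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"]}],
}
PASSING_SG = {
    "name": "sg-bar",
    "ingress": [{"from_port": 80, "to_port": 80, "protocol": "tcp",
                 "security_groups": ["sg-foo"]}],
}

if __name__ == "__main__":
    for sg in (FAILING_SG, PASSING_SG):
        print(sg["name"], check_security_group(sg))
```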