Ensure no Alibaba Cloud security groups allow ingress from 0.0.0.0:0 to port 22

Error: Alibaba Cloud Security group allows internet traffic to SSH port (22)

Bridgecrew Policy ID: BC_ALI_NETWORKING_2
Checkov Check ID: CKV_ALI_2
Severity: HIGH

Description

This policy identifies security groups that allow inbound traffic on the SSH port (22) from the public internet (0.0.0.0/0). As a best practice, restrict security groups to allow only the traffic you actually need; limiting who can reach port 22 reduces exposure to brute-force attacks against your network.

Fix - Runtime

Alibaba Cloud Portal

  1. Log in to Alibaba Cloud Portal
  2. Go to Elastic Compute Service
  3. In the left-side navigation pane, choose Network & Security > Security Groups
  4. Select the reported security group and then click Add Rules in the Actions column
  5. On the Inbound tab, select the rule whose 'Action' is Allow, whose 'Authorization Object' is 0.0.0.0/0 and whose 'Port Range' is 22, then click Modify in the Actions column
  6. Replace the value 0.0.0.0/0 with the specific IP address range that requires SSH access.
  7. Click 'OK'

Fix - Buildtime

Terraform

resource "alicloud_security_group_rule" "allow_ssh_from_trusted" {
  type              = "ingress"
  ip_protocol       = "tcp"
  nic_type          = "internet"
  policy            = "accept"
  port_range        = "22/22"
  security_group_id = alicloud_security_group.default.id
  # Placeholder: replace with the address range that needs SSH access; never 0.0.0.0/0.
  cidr_ip           = "203.0.113.0/24"
}
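The detection behind this policy (described above) and the buildtime fix can both be checked offline. The following Python is an added example written for this page; it is not Checkov's own implementation of CKV_ALI_2. It evaluates the attributes of an alicloud_security_group_rule resource (Terraform attribute names: type, ip_protocol, policy, port_range, cidr_ip, ipv6_cidr_ip) and reports FAILED when the rule exposes TCP/22 to the whole internet. The sample rules, including the 203.0.113.0/24 address range, are constructed for the example. It goes slightly beyond the policy text by also catching port ranges that merely contain 22 and the "all" protocol, since those expose SSH just as much as an explicit "22/22".

```python
"""Offline check: does an Alibaba Cloud security group rule expose SSH to the internet?

Added example for this policy page, not Checkov's implementation of CKV_ALI_2.
"""
from typing import Dict, Tuple

SSH_PORT = 22
# Authorization objects that mean "anyone on the internet".
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def parse_port_range(port_range: str) -> Tuple[int, int]:
    """Parse Alibaba Cloud's "from/to" port syntax into an inclusive (low, high) tuple.

    "-1/-1" is the provider's notation for all ports and is widened to 1-65535.
    """
    low, high = (int(part) for part in port_range.split("/", 1))
    if low == -1 and high == -1:
        return 1, 65535
    return low, high


def allows_internet_ssh(rule: Dict[str, str]) -> bool:
    """Return True if the rule accepts TCP/22 ingress from 0.0.0.0/0 or ::/0.

    Defaults mirror the Terraform resource: policy defaults to "accept" and
    port_range to "-1/-1" (all ports). Protocol "all" covers TCP as well.
    """
    if rule.get("type") != "ingress":
        return False
    if rule.get("policy", "accept") != "accept":
        return False
    if rule.get("ip_protocol", "").lower() not in ("tcp", "all"):
        return False
    if rule.get("cidr_ip") != ANY_IPV4 and rule.get("ipv6_cidr_ip") != ANY_IPV6:
        return False
    low, high = parse_port_range(rule.get("port_range", "-1/-1"))
    return low <= SSH_PORT <= high


def check_rule(rule: Dict[str, str]) -> str:
    """Checkov-style verdict for a single rule."""
    return "FAILED" if allows_internet_ssh(rule) else "PASSED"


def audit(rules: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Evaluate several named rules and return {name: verdict}."""
    return {name: check_rule(rule) for name, rule in rules.items()}


# Constructed sample rules, keyed by their Terraform resource name.
SAMPLE_RULES = {
    # The misconfiguration this policy reports.
    "allow_all_ssh": {"type": "ingress", "ip_protocol": "tcp", "policy": "accept",
                      "port_range": "22/22", "cidr_ip": "0.0.0.0/0"},
    # The corrected rule: same port, but a specific (placeholder) address range.
    "allow_ssh_from_trusted": {"type": "ingress", "ip_protocol": "tcp", "policy": "accept",
                               "port_range": "22/22", "cidr_ip": "203.0.113.0/24"},
    # A wide range that silently includes 22; a port-string equality check would miss it.
    "allow_all_low_ports": {"type": "ingress", "ip_protocol": "tcp", "policy": "accept",
                            "port_range": "1/1024", "cidr_ip": "0.0.0.0/0"},
    # Protocol "all" with the provider's all-ports notation.
    "allow_everything": {"type": "ingress", "ip_protocol": "all", "policy": "accept",
                         "port_range": "-1/-1", "cidr_ip": "0.0.0.0/0"},
    # An explicit drop rule for 22 is not a finding.
    "deny_ssh": {"type": "ingress", "ip_protocol": "tcp", "policy": "drop",
                 "port_range": "22/22", "cidr_ip": "0.0.0.0/0"},
    # Open VNC is out of scope for this particular policy (it only looks at 22).
    "allow_all_vncserver": {"type": "ingress", "ip_protocol": "tcp", "policy": "accept",
                            "port_range": "5900/5900", "cidr_ip": "0.0.0.0/0"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RULES).items():
        print(f"{verdict}: alicloud_security_group_rule.{name}")
```

Running the module prints one verdict per sample rule; the open VNC rule passes this specific policy, which is a reminder that CKV_ALI_2 only covers port 22 and other exposed services need their own checks.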