Ensure OCI security group has stateless ingress security rules

Error: OCI Network Security Groups (NSG) has stateful security rules
Bridgecrew Policy ID: BC_OCI_NETWORKING_6
Checkov Check ID: CKV_OCI_21
Severity: LOW

OCI Network Security Groups (NSG) has stateful security rules


Stateless rules for network security groups create one way traffic rather than two. This makes it very explicit which ports are available internally and externally. This is recommended for high volume websites.

Fix - Runtime

  1. Go to Networking > Virtual Cloud Networks > VCN Name > Resources > Network Security Groups
  2. Edit your Network Security Group
  3. Under Security Rules, Rules, check "Stateless" for all rules

Fix - Buildtime

  • Resource: oci_core_network_security_group_security_rule
  • Arguments: stateless
resource "oci_core_network_security_group_security_rule" "pass" {
  network_security_group_id = oci_core_network_security_group.test_network_security_group.id
  direction                 = "INGRESS"
  protocol                  = var.network_security_group_security_rule_protocol
+  stateless                 = true