Ensure OCI security group has stateless ingress security rules
Error: OCI Network Security Groups (NSG) has stateful security rules
Bridgecrew Policy ID: BC_OCI_NETWORKING_6
Checkov Check ID: CKV_OCI_21
Severity: LOW
OCI Network Security Groups (NSG) has stateful security rules
Description
Stateless rules for network security groups create one way traffic rather than two. This makes it very explicit which ports are available internally and externally. This is recommended for high volume websites.
Fix - Runtime
- Go to Networking > Virtual Cloud Networks > VCN Name > Resources > Network Security Groups
- Edit your Network Security Group
- Under Security Rules, Rules, check "Stateless" for all rules
Fix - Buildtime
- Resource: oci_core_network_security_group_security_rule
- Arguments: stateless
resource "oci_core_network_security_group_security_rule" "pass" {
network_security_group_id = oci_core_network_security_group.test_network_security_group.id
direction = "INGRESS"
protocol = var.network_security_group_security_rule_protocol
+ stateless = true
}
Updated 10 months ago