Ensure routing tables for security groups peering are \"least access\"

Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered security groups. These routes can be as specific as desired - even peering a security group to only a single host on the other side of the connection.

Risk Level: High
Cloud Entity: Amazon VPC
CloudGuard Rule ID: D9.TF.AWS.NET.04
Covered by Spectral: No
Category: Compute

GSL LOGIC

aws_security_group should not have ingress.cidr_block contain-any ['0.0.0.0/0'] and (ingress.from_port=0 and ingress.to_port=65535)

REMEDIATION

  1. Run aws ec2 describe-security-groups
  2. For each group that allows ingress from 0.0.0.0/0 on ports 0 to 65535:
     2.1 Run aws ec2 delete-security-group --group-id <group>
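The GSL logic above and the remediation steps can be checked offline against the JSON that aws ec2 describe-security-groups returns. The script below is an added example, not CloudGuard's own evaluator: it loads a constructed describe-security-groups document (the group ids are placeholders), flags every group with an ingress rule that is both open to 0.0.0.0/0 and spans the full port range, and emits the corresponding delete-security-group command for each match. It goes one step beyond the literal from_port=0/to_port=65535 test by also treating IpProtocol "-1" (all traffic, which the API reports without FromPort/ToPort) as a full-range rule; that generalization is an assumption of this example.

```python
"""Offline evaluation of the rule 'no ingress from 0.0.0.0/0 on ports 0-65535'
over `aws ec2 describe-security-groups --output json` output.
Added example; not CloudGuard's or AWS's own code."""
import json
from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"

# Constructed sample of describe-security-groups output (placeholder ids, not a real account).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {   # violates the rule: explicit 0-65535 from anywhere
            "GroupId": "sg-0aaa111example", "GroupName": "wide-open",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
                 "IpRanges": [{"CidrIp": ANY_IPV4}]},
            ],
        },
        {   # compliant: world-reachable, but a single port
            "GroupId": "sg-0bbb222example", "GroupName": "https-only",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": ANY_IPV4}]},
            ],
        },
        {   # compliant: all traffic, but only from the peered VPC's CIDR
            "GroupId": "sg-0ccc333example", "GroupName": "all-traffic-peer-only",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
            ],
        },
        {   # violates the rule under this example's generalization: -1 == every port
            "GroupId": "sg-0ddd444example", "GroupName": "all-protocols-anywhere",
            "IpPermissions": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_IPV4}]},
            ],
        },
    ]
})


def spans_all_ports(perm: Dict) -> bool:
    """True for an explicit 0-65535 range, or for IpProtocol -1 (all traffic),
    which the API returns without FromPort/ToPort. Mapping -1 to the full
    range is an assumption of this example, not part of the GSL text."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def open_to_world(perm: Dict) -> bool:
    """True when any IPv4 range on the rule is 0.0.0.0/0 (the GSL 'contain-any' test)."""
    return any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))


def find_violations(describe_json: str) -> List[str]:
    """Return the GroupIds whose ingress contains a rule that is both
    world-open and full-range, i.e. the groups the GSL logic flags."""
    groups = json.loads(describe_json)["SecurityGroups"]
    return [
        g["GroupId"]
        for g in groups
        if any(open_to_world(p) and spans_all_ports(p) for p in g.get("IpPermissions", []))
    ]


def remediation_commands(group_ids: List[str]) -> List[str]:
    """Render step 2.1 of the remediation for each flagged group (strings only;
    nothing is executed here)."""
    return [f"aws ec2 delete-security-group --group-id {gid}" for gid in group_ids]


if __name__ == "__main__":
    for cmd in remediation_commands(find_violations(SAMPLE_DESCRIBE_OUTPUT)):
        print(cmd)
```

To run it against a live account, replace SAMPLE_DESCRIBE_OUTPUT with the captured output of aws ec2 describe-security-groups --output json. Note that deleting a security group that is still attached to an ENI fails with a DependencyViolation error, so in practice the offending ingress rule is usually removed first (aws ec2 revoke-security-group-ingress) or the group is detached before step 2.1 succeeds.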

Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

Compliance Frameworks

  • Terraform AWS CIS Foundations