Public port with wide port range

이 제품은 선택한 Datadog 사이트에서 지원되지 않습니다. ().
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Metadata

Id: ansible-aws-public-port-wide

Cloud Provider: AWS

Platform: Ansible

Severity: High

Category: Networking and Firewall

Learn More

Description

Security groups must not allow a wide port range to the entire internet. Exposing multiple ports publicly increases attack surface and enables broad port scanning, automated exploitation, and easier lateral movement.

For Ansible amazon.aws.ec2_group or ec2_group resources, check rules[].from_port and rules[].to_port and ensure rules where to_port - from_port > 0 are not paired with cidr_ip set to 0.0.0.0/0 or cidr_ipv6 set to ::/0. Rules that require external access should restrict CIDR ranges to trusted networks or use specific single-port entries. Any rule defining a port range with an entire-network CIDR is flagged.

Secure example restricting access to a single port and a specific CIDR:

my_sg:
  name: my-security-group
  rules:
    - proto: tcp
      from_port: 22
      to_port: 22
      cidr_ip: 203.0.113.5/32
    - proto: tcp
      from_port: 443
      to_port: 443
      cidr_ip: 198.51.100.0/24

Compliant Code Examples

- name: example ec2 group v2
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
    - proto: tcp
      from_port: 80
      to_port: 80
      cidr_ip: 0.0.0.0/0
    - proto: tcp
      from_port: 22
      to_port: 22
      cidr_ip: 10.0.0.0/8

Non-Compliant Code Examples

- name: example ec2 group
  amazon.aws.ec2_group:
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1
    rules:
      - proto: tcp
        from_port: 80
        to_port: 82
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 2
        to_port: 22
        cidr_ipv6: ::/0