
Metadata

Id: ansible-ansible-tower-exposed-to-internet

Cloud Provider: Ansible Inventory

Platform: Ansible

Severity: Medium

Category: Best Practices

Description

Ansible Tower hosts must not be assigned public IP addresses. Exposing Tower to the public internet increases the risk of unauthorized access and credential compromise of your automation infrastructure. Check the Ansible inventory resource (ansible_inventory) for entries under all.children.tower.hosts and ensure each host value is a private IP address (RFC1918) or an internal DNS name rather than a public IP. Resources with hosts set to public IPs are flagged.

Use private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or internal hostnames, and place Tower behind a VPN, bastion host, or firewall/security-group restrictions to limit exposure.

Secure inventory example with a private IP:

all:
  children:
    tower:
      hosts:
        tower.internal.example.com:
          ansible_host: 10.0.1.5
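The check described above can be run locally against an inventory file before it is committed. The script below is an added example, not Datadog's rule implementation: it reads the two inventory shapes shown on this page (a YAML inventory with all.children.tower.hosts and an INI inventory with a [tower] section), takes ansible_host when a host sets it and the host's inventory name otherwise, and reports any address that parses as a globally routable IP. The function names, the minimal YAML reader (standard library only, mappings only, no lists, anchors or IPv6 host keys) and the sample inventories are all constructed for this example.

```python
"""Flag Ansible Tower inventory hosts whose address is a public IP.

Added example, not Datadog's rule code. Handles the two inventory shapes on
this page: YAML (all.children.tower.hosts) and INI ([tower] section). The
YAML reader is a deliberately small indentation-based mapping parser, so it
needs no PyYAML and does not support lists, anchors, or IPv6 host keys.
"""
import ipaddress
import re


def is_public_ip(value):
    """True only if value parses as an IP address that is globally routable.

    Hostnames never match: the rule accepts internal DNS names and this
    check does not resolve them. is_global is stricter than a bare RFC1918
    test (loopback, link-local, CGNAT and documentation ranges also count
    as non-public), which is the safe direction for a defender.
    """
    try:
        return ipaddress.ip_address(value.strip("'\"")).is_global
    except ValueError:
        return False


def parse_simple_yaml(text):
    """Parse nested 'key:' / 'key: value' mapping lines into dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= indent:   # root sits at -1, so it never pops
            stack.pop()
        parent = stack[-1][1]
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if value == "":                 # 'key:' opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        elif value == "{}":             # explicit empty mapping, e.g. 'ungrouped: {}'
            parent[key] = {}
        else:
            parent[key] = value.strip("'\"")
    return root


def tower_hosts_from_yaml(text):
    """Return (inventory_name, address) for each host under all.children.tower.hosts."""
    tree = parse_simple_yaml(text)
    hosts = tree.get("all", {}).get("children", {}).get("tower", {}).get("hosts", {})
    result = []
    for name, hostvars in hosts.items():
        addr = hostvars.get("ansible_host", name) if isinstance(hostvars, dict) else name
        result.append((name, addr))
    return result


def tower_hosts_from_ini(text):
    """Return (inventory_name, address) for each host line in the [tower] section."""
    result, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = header.group(1)   # '[tower:vars]' yields 'tower:vars', not 'tower'
            continue
        if section != "tower":
            continue
        tokens = line.split()           # 'name key=value ...'; host ranges like a[1:3] are not expanded
        hostvars = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        result.append((tokens[0], hostvars.get("ansible_host", tokens[0])))
    return result


def looks_like_ini(text):
    return any(re.match(r"^\s*\[[^\]]+\]\s*$", line) for line in text.splitlines())


def find_exposed_tower_hosts(inventory_text):
    """List (name, address) pairs for tower hosts whose address is a public IP."""
    reader = tower_hosts_from_ini if looks_like_ini(inventory_text) else tower_hosts_from_yaml
    return [(n, a) for n, a in reader(inventory_text) if is_public_ip(a)]


# Constructed samples mirroring this page's compliant and non-compliant examples.
NON_COMPLIANT_YAML = """\
all:
  children:
    tower:
      hosts:
        139.50.1.1:
          admin_password: <password>
          pg_host: database-01.acme.org
    ungrouped: {}
"""
COMPLIANT_YAML = """\
all:
  children:
    tower:
      hosts:
        tower.internal.example.com:
          ansible_host: 10.0.1.5
"""
NON_COMPLIANT_INI = "[tower]\n150.50.1.1\n[database]\ndatabase-01.acme.org\n[all:vars]\nadmin_password='<password>'\n"
COMPLIANT_INI = "[tower]\n172.27.0.2\ntower-b ansible_host=172.27.0.3\n"

if __name__ == "__main__":
    for label, inv in [("yaml/bad", NON_COMPLIANT_YAML), ("yaml/ok", COMPLIANT_YAML),
                       ("ini/bad", NON_COMPLIANT_INI), ("ini/ok", COMPLIANT_INI)]:
        print(label, find_exposed_tower_hosts(inv))
```

Because the address is taken from ansible_host when present, a host named with an internal DNS name but pointed at a public address by ansible_host is still reported; a plain hostname with no ansible_host is accepted without resolution, matching the rule text.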

Compliant Code Examples

all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        172.27.0.5:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}

[tower]
172.27.0.2
172.27.0.3
172.27.0.4

Non-Compliant Code Examples

all:
  children:
    automationhub:
      hosts:
        automationhub.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    database:
      hosts:
        database-01.acme.org:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    tower:
      hosts:
        139.50.1.1:
          admin_password: <password>
          pg_database: awx
          pg_host: database-01.acme.org
          pg_password: <password>
          pg_port: '5432'
          pg_sslmode: prefer
          pg_username: awx
    ungrouped: {}

[tower]
150.50.1.1
[automationhub]
automationhub.acme.org
[database]
database-01.acme.org
[all:vars]
admin_password='<password>'
pg_host='database-01.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'