Public security group rule sensitive port
This product is not supported for your selected
Datadog site. (
).
Id: 2ae9d554-23fb-4065-bfd1-fe43d5f7c419
Cloud Provider: Alicloud
Platform: Terraform
Severity: High
Category: Networking and Firewall
Learn More
Description
A sensitive port, such as 23 or 110, is open to the public using TCP or UDP. This rule detects ingress alicloud_security_group_rule resources where cidr_ip is set to 0.0.0.0/0, the protocol is tcp, udp, or all, and the port_range includes a known sensitive port. This configuration exposes the service to the public internet and increases the risk of unauthorized access.
Compliant Code Examples
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "icmp"
nic_type = "internet"
policy = "accept"
port_range = "1/65535"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "internet"
policy = "accept"
port_range = "1/65535"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "10.159.6.18/12"
}
Non-Compliant Code Examples
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "udp"
nic_type = "internet"
policy = "accept"
port_range = "4333/4334"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "all"
nic_type = "internet"
policy = "accept"
port_range = "444/445"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
resource "alicloud_security_group" "default" {
name = "default"
}
resource "alicloud_security_group_rule" "allow_all_tcp" {
type = "ingress"
ip_protocol = "tcp"
nic_type = "internet"
policy = "accept"
port_range = "19/20"
priority = 1
security_group_id = alicloud_security_group.default.id
cidr_ip = "0.0.0.0/0"
}
