Insecure Access Control
Why is this important?
Access Control is one of the most fundamental security requirements. Any problems with managing access control can allow attackers to bypass business logic and access data from other users.
Check out this video for a high-level explanation:
S3 Buckets Are Publicly Available
Option A: Limit access to S3 buckets
In the context of terraform, when an S3 bucket has a certain ACL it is publicly accessible. In some cases that doesn't just allow read access to the data of the bucket, but even write access. The following ACLs are flagged:
- public-read
- public-read-write
- website
Follow the steps below:
- Go through the issues that GuardRails identified.
- Review the affected buckets to determine whether the ACLs are correct.
resource "aws_s3_bucket" "b" {
bucket = "my-tf-test-bucket"
acl = "public-read-write"
tags = {
Name = "My bucket"
Environment = "Dev"
}
}
- If not, then either remove the
aclargument or change it to the right alternative. - Test the changes and ensure that everything is working as expected.
- Ship it 🚢 and relax 🌴
Limit Access to AWS Resources
Option A: Ensure sensitive resources are not public
In the context of terraform, when a specific resource is marked as publicly accessible, it means that attackers may be able to interact with it. Resources that are identified include the following types:
- aws_db_instance
- aws_dms_replication_instance
- aws_rds_cluster_instance
- aws_redshift_cluster
Follow the steps below:
- Go through the issues that GuardRails identified in the PR.
- Review the affected resources to determine whether they can be public.
resource "aws_db_instance" "insecure" {
# ... other configuration ...
publicly_accessible = true
}
- If not, then either remove the
publicly_accessibleargument or change it topublicly_accessible = false. - Test the changes and ensure that everything is working as expected.
- Ship it 🚢 and relax 🌴
Option B: Ensure inbound traffic on AWS is restricted
AWS Security Groups can be configured to allow all incoming traffic, which is in violation with the security best practices.
- Go through the issues that GuardRails identified in the PR.
- Review the
aws_security_grouporaws_security_group_ruleresources wherecidr_blockscontain/0.
resource "aws_security_group" "allow_tls" {
name = "allow_tls"
description = "Allow TLS inbound traffic"
vpc_id = aws_vpc.main.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
- Ensure that the
cidr_blocksare limited to required ports and ip address ranges.
Option C: Ensure inbound traffic on Azure is restricted
Azure Network Security Groups can be configured to allow all incoming traffic, which is in violation with the security best practices.
- Go through the issues that GuardRails identified in the PR.
- Review the
azurerm_network_security_ruleresources wheresource_address_prefixcontain/0or*.
resource "azurerm_network_security_rule" "example" {
name = "test123"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "*"
destination_address_prefix = "*"
resource_group_name = azurerm_resource_group.example.name
network_security_group_name = azurerm_network_security_group.example.name
}
- Ensure that the
source_address_prefixare limited to required ports and ip address ranges.
Option D: Ensure inbound traffic on GCP is restricted
GCP firewalls can be configured to allow all incoming traffic, which is in violation with the security best practices.
- Go through the issues that GuardRails identified in the PR.
- Review the
google_compute_firewallresources wheresource_rangescontain/0.
resource "google_compute_firewall" "project-firewall-allow-ssh" {
name = "${var.vpc_name}-allow-something"
network = "${google_compute_network.project-network.self_link}"
....
source_ranges = ["0.0.0.0/0"]
}
- Ensure that the
source_rangesare limited to required ports and ip address ranges.