Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set a more restrictive cidr range, no public ingressing #14

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Set a more restrictive cidr range, no public ingressing #14

wants to merge 1 commit into from

Conversation

JohnVeni
Copy link
Contributor

Fix the following tfsec report :

Results #1-7 CRITICAL Network ACL rule allows ingress from public internet. (7 similar results)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  subnets.tf:44
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   36    resource "aws_network_acl_rule" "allow_all_inbound" {
   37      for_each = aws_network_acl.this
   38    
   39      network_acl_id = each.value.id
   40      rule_number    = 100
   41      egress         = false
   42      protocol       = -1
   43      rule_action    = "allow"
   44  [   cidr_block     = "0.0.0.0/0" ("0.0.0.0/0")
   45    }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - subnets.tf:36-45 (aws_network_acl_rule.allow_all_inbound[0])
  - subnets.tf:36-45 (aws_network_acl_rule.allow_all_inbound[6])
  - subnets.tf:36-45 (aws_network_acl_rule.allow_all_inbound[2])
  - subnets.tf:36-45 (aws_network_acl_rule.allow_all_inbound[1])
  - subnets.tf:36-45 (aws_network_acl_rule.allow_all_inbound[4])
  - subnets.tf:36-45 (aws_network_acl_rule.allow_all_inbound[3])
  - subnets.tf:36-45 (aws_network_acl_rule.allow_all_inbound[5])
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
          ID aws-ec2-no-public-ingress-acl
      Impact The ports are exposed for ingressing data to the internet
  Resolution Set a more restrictive cidr range

  More Information
  - https://aquasecurity.github.io/tfsec/v1.28.5/checks/aws/ec2/no-public-ingress-acl/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block
─────────────────────────────────────────────────────────────────────────────────────────────────────────────

@AndrNgg
Copy link
Contributor

AndrNgg commented Feb 16, 2024
edited
Loading

@JohnVeni

I like the idea of making the network module more secure. However, we need to be careful with the complexity that it might bring in the future in regard to troubleshooting.

I prefer leaving NACLS open since it's an optional security measure. Restrict with network ACL And handle all inbound and outbound network security through Security groups.

In short, the SG update in your PR is fine with me but not the NACL one as I would like to keep things simple.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AndrNgg AndrNgg Awaiting requested review from AndrNgg

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JohnVeni @AndrNgg