Unrestricted ingress traffic leaves assets exposed to remote attacks
- GG_ID: GG_IAC_0003
- Severity: HIGH
- Complexity: HIGH
- Categories: NETWORK
- Providers: AWS
- Potential data exposure: True
- Visible in logs: False
- User interaction required: False
- Privileges required: False
A security group has open ingress from all IPs, and on all ports. This means that the assets in this security group are exposed to the whole web.
Furthermore, no port range is specified. This means that some applications running on assets of this security group may be reached by external traffic, while they are not expected to do so.
Having open ingress means anyone can try and connect to the asset.
If credentials are required to establish a connection, it still leaves open the possibility to bruteforce the credentials, or perform Denial of Service attacks.
If no credentials are required, or credentials have been acquired by an attacker, then the asset is fully compromised.
Identify which remote ips need to connect to the asset, and implement the adequate CIDR rules. Note that assets that share the same security group can always access each other.