Cloud platforms such as AWS, Azure, or GCP support virtual firewalls that can be used to restrict access to services by controlling inbound and
outbound traffic.
Any firewall rule allowing traffic from all IP addresses to standard network ports on which administration services
traditionally listen, such as 22 for SSH, can expose these services to exploits and unauthorized access.
Like any other service, administration services can contain vulnerabilities. Administration services run with elevated privileges and thus a vulnerability could have a high impact on the system.
Additionally, credentials might be leaked through phishing or similar techniques. Attackers who are able to reach the services could use the credentials to log in to the system.
It is recommended to restrict access to remote administration services to only trusted IP addresses. In practice, trusted IP addresses are those held by system administrators or those of bastion-like servers.
An ingress rule allowing all inbound SSH traffic for AWS:
resource "aws_security_group" "noncompliant" {
name = "allow_ssh_noncompliant"
description = "allow_ssh_noncompliant"
vpc_id = aws_vpc.main.id
ingress {
description = "SSH rule"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # Noncompliant
}
}
A security rule allowing all inbound SSH traffic for Azure:
resource "azurerm_network_security_rule" "noncompliant" {
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*" # Noncompliant
destination_address_prefix = "*"
}
A firewall rule allowing all inbound SSH traffic for GCP:
resource "google_compute_firewall" "noncompliant" {
network = google_compute_network.default.name
allow {
protocol = "tcp"
ports = ["22"]
}
source_ranges = ["0.0.0.0/0"] # Noncompliant
}
An ingress rule allowing inbound SSH traffic from specific IP addresses for AWS:
resource "aws_security_group" "compliant" {
name = "allow_ssh_compliant"
description = "allow_ssh_compliant"
vpc_id = aws_vpc.main.id
ingress {
description = "SSH rule"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["1.2.3.0/24"]
}
}
A security rule allowing inbound SSH traffic from specific IP addresses for Azure:
resource "azurerm_network_security_rule" "compliant" {
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "1.2.3.0"
destination_address_prefix = "*"
}
A firewall rule allowing inbound SSH traffic from specific IP addresses for GCP:
resource "google_compute_firewall" "compliant" {
network = google_compute_network.default.name
allow {
protocol = "tcp"
ports = ["22"]
}
source_ranges = ["10.0.0.1/32"]
}