
Alibaba Cloud Security group allows internet traffic to SSH port (22)

Description

This policy identifies security group rules that allow inbound traffic on SSH port 22 from the public internet (source `0.0.0.0/0`). As a best practice, restrict security group ingress to the source ranges that actually need it: an SSH port reachable from any address is continuously scanned and is a standing target for password brute-force attacks.

Code Example

```hcl
resource "alicloud_security_group_rule" "example" {
  ...
  type        = "ingress"
  ip_protocol = "tcp"
  port_range  = "22/22"
-  cidr_ip     = "0.0.0.0/0"
+  cidr_ip     = "192.168.1.0/24"
}
```

Remediation

Terraform

  • Resource: alicloud_security_group_rule
  • Attribute: cidr_ip

To mitigate this issue, ensure that the `cidr_ip` attribute in the `alicloud_security_group_rule` resource is not `0.0.0.0/0` for any ingress rule whose `port_range` includes port 22. Set `cidr_ip` to the narrowest source range that needs SSH access, such as a bastion host or VPN egress range. Note that a broad range such as `1/65535` exposes port 22 just as much as `22/22` does, so widening the port range is not a way around the check.
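The following is an added illustration of what the policy matches, not Checkov's own implementation of CKV_ALI_2. It parses a small, constructed Terraform snippet (the resource names and the `ipv6_cidr_ip` handling are assumptions, not from this page) and flags ingress rules that admit the whole internet on a port range covering 22, including the `-1/-1` "all ports" form Alibaba Cloud uses for the `all` protocol.

```python
import re

# Constructed sample Terraform (not from the page): one open rule, one
# restricted rule, one wide port range, and one egress rule that must not match.
SAMPLE_TF = '''
resource "alicloud_security_group_rule" "ssh_open" {
  type        = "ingress"
  ip_protocol = "tcp"
  port_range  = "22/22"
  cidr_ip     = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "ssh_admin" {
  type        = "ingress"
  ip_protocol = "tcp"
  port_range  = "22/22"
  cidr_ip     = "192.168.1.0/24"
}

resource "alicloud_security_group_rule" "all_tcp_open" {
  type        = "ingress"
  ip_protocol = "tcp"
  port_range  = "1/65535"
  cidr_ip     = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "egress_any" {
  type        = "egress"
  ip_protocol = "tcp"
  port_range  = "22/22"
  cidr_ip     = "0.0.0.0/0"
}
'''

# Matches one alicloud_security_group_rule block; bodies here have no nested braces.
BLOCK_RE = re.compile(
    r'resource\s+"alicloud_security_group_rule"\s+"([^"]+)"\s*\{(.*?)\}', re.S
)
# Matches simple `key = "value"` attribute lines inside a block.
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

# Assumption: the internet-wide sources we treat as "anywhere".
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def parse_rules(tf_text):
    """Return a list of dicts, one per security group rule, keyed by attribute."""
    rules = []
    for m in BLOCK_RE.finditer(tf_text):
        attrs = dict(ATTR_RE.findall(m.group(2)))
        attrs["name"] = m.group(1)
        rules.append(attrs)
    return rules


def port_range_covers(port_range, port):
    """True if an Alibaba Cloud "start/end" port_range includes `port`.
    "-1/-1" is the all-ports form (used with ip_protocol = "all")."""
    start, _, end = port_range.partition("/")
    try:
        lo, hi = int(start), int(end)
    except ValueError:
        return False
    if lo == -1 and hi == -1:
        return True
    return lo <= port <= hi


def is_ssh_open_to_internet(rule, port=22):
    """The policy condition: ingress, TCP (or all protocols), any source, port 22 in range."""
    any_source = rule.get("cidr_ip") == ANY_IPV4 or rule.get("ipv6_cidr_ip") == ANY_IPV6
    return (
        rule.get("type") == "ingress"
        and rule.get("ip_protocol", "").lower() in ("tcp", "all")
        and any_source
        and port_range_covers(rule.get("port_range", ""), port)
    )


def find_violations(tf_text):
    """Names of the rules in `tf_text` that violate the policy, in file order."""
    return [r["name"] for r in parse_rules(tf_text) if is_ssh_open_to_internet(r)]


if __name__ == "__main__":
    for name in find_violations(SAMPLE_TF):
        print(f"finding: {name} allows SSH (22) from the internet")
```

Running it on the sample reports `ssh_open` and `all_tcp_open`; the rule restricted to `192.168.1.0/24` and the egress rule pass, which is exactly the distinction the remediation above relies on.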

Example: see the Code Example section above, which replaces `0.0.0.0/0` with an internal `/24` range.

Rule Details

  • ID: IAC-0002
  • Severity: INFO
  • IaC Type: Terraform
  • Frameworks: Terraform
  • Checkov ID: CKV_ALI_2
