Ensure the firewall ingress is not wide open
Description
This policy checks whether any inbound_rule of a DigitalOcean firewall (digitalocean_firewall) accepts traffic from any source, i.e. whether source_addresses contains 0.0.0.0/0 (all IPv4) or ::/0 (all IPv6). A wide-open ingress rule exposes the droplets behind the firewall, not the firewall itself, to every host on the internet: any service listening on the allowed port (SSH, a database, an admin interface) becomes reachable for credential guessing and exploitation. Restrict sources to trusted IP addresses or CIDR ranges to keep the attack surface small. Services that are meant to be public, such as HTTP/HTTPS on a web droplet, will also match this check, so treat each allow-all rule as something that needs a deliberate, documented exception rather than a default.
Code Example
```terraform
resource "digitalocean_firewall" "example" {
  name = "example-firewall"

  # Compliant: SSH is reachable only from the trusted 192.0.2.0/24 range.
  # A source_addresses list containing 0.0.0.0/0 or ::/0 would fail this check.
  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["192.0.2.0/24"]
  }
}
```
Remediation
Remove 0.0.0.0/0 and ::/0 from source_addresses in every inbound_rule and list only the specific IP addresses or CIDR ranges that need access. Where the legitimate clients are other DigitalOcean resources, reference them directly with source_tags, source_droplet_ids or source_load_balancer_uids instead of a public CIDR, so no internet-wide range is needed at all.
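The failing configuration next to its remediated form, as an added example that is not part of the original page or the provider's documentation. The resource names, the digitalocean_droplet.web reference, the "bastion" tag and the CIDRs are hypothetical; the remediated firewall also shows source_tags, which lets bastion droplets reach SSH without opening any public range.

```terraform
# Added example; resource names, droplet reference, tag and CIDRs are hypothetical.

# FAILS the check: SSH is reachable from every IPv4 and IPv6 source.
resource "digitalocean_firewall" "ssh_open" {
  name        = "ssh-open"
  droplet_ids = [digitalocean_droplet.web.id]

  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["0.0.0.0/0", "::/0"]
  }
}

# PASSES the check: SSH only from a trusted office range (IPv4 and IPv6)
# plus droplets tagged "bastion", referenced by tag rather than by public CIDR.
resource "digitalocean_firewall" "ssh_restricted" {
  name        = "ssh-restricted"
  droplet_ids = [digitalocean_droplet.web.id]

  inbound_rule {
    protocol         = "tcp"
    port_range       = "22"
    source_addresses = ["192.0.2.0/24", "2001:db8::/32"]
    source_tags      = ["bastion"]
  }

  # Outbound rules govern traffic the droplet initiates; this check inspects
  # inbound rules only, so an allow-all destination here does not trigger it.
  outbound_rule {
    protocol              = "tcp"
    port_range            = "1-65535"
    destination_addresses = ["0.0.0.0/0", "::/0"]
  }
}
```

Dropping 0.0.0.0/0 while leaving ::/0 in place (or the reverse) still leaves the rule wide open for one address family, so both entries must be absent from every inbound_rule. Applying both resources to the same droplet would merge their rules; the open firewall is shown only for comparison and should not be deployed.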
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0833 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | digitalocean_firewall |
| Checkov ID | CKV_DIO_4 |