Ensure no access control groups allow inbound from 0.0.0.0:0 to port 80
Description
This policy checks whether an Access Control Group (ACG) inbound rule allows traffic on port 80, the port commonly used for HTTP. Allowing unrestricted access to port 80 can expose the system to various attacks, including cross-site scripting (XSS) and man-in-the-middle (MITM) attacks. Access to port 80 must be restricted to trusted sources only, to prevent potential security breaches. By checking for this, the rule helps secure the network by ensuring that only necessary ports are exposed to the public.
Code Example
```terraform
resource "ncloud_access_control_group_rule" "example" {
  access_control_group_no = ncloud_access_control_group.example.id

  # Compliant: HTTP is accepted only from a trusted ACG, not from 0.0.0.0/0.
  # ncloud_access_control_group.trusted is assumed to be defined elsewhere.
  inbound {
    protocol                       = "TCP"
    port_range                     = "80"
    source_access_control_group_no = ncloud_access_control_group.trusted.id
    description                    = "HTTP from trusted ACG only"
  }
}
```

Remediation
Restrict access to port 80 by specifying a source IP address or a source security group in the ACG inbound rule.
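To show what the policy actually evaluates, here is a small Python check, added here and not Checkov's own implementation, that scans `inbound` blocks of an `ncloud_access_control_group_rule` for a world-open HTTP rule; the rule data is constructed for the example (the `ip_block`, `port_range` and `source_access_control_group_no` field names are the provider's, the ACG number is a placeholder).

```python
from typing import Iterable

PORT = 80
ANY_IPV4 = "0.0.0.0/0"


def port_range_covers(port_range: str, port: int) -> bool:
    """True if a port_range such as "80", "1-65535" or "22,80,443" includes port.
    Entries that do not parse as a port or range are treated as not matching."""
    for part in port_range.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        try:
            low = int(lo)
            high = int(hi) if hi else low
        except ValueError:
            continue
        if low <= port <= high:
            return True
    return False


def inbound_rule_is_open(rule: dict, port: int = PORT) -> bool:
    """A rule fails the check when it is TCP, its source is the whole Internet
    (ip_block 0.0.0.0/0) and its port range includes the port."""
    if str(rule.get("protocol", "")).upper() != "TCP":
        return False
    if rule.get("ip_block") != ANY_IPV4:
        return False  # narrower CIDR or a source ACG: not open to the world
    return port_range_covers(str(rule.get("port_range", "")), port)


def find_violations(inbound_rules: Iterable[dict]) -> list:
    """Return every inbound rule that would fail the port-80 policy."""
    return [r for r in inbound_rules if inbound_rule_is_open(r)]


# Constructed sample: two non-compliant rules (explicit 80, and a range covering
# 80), then rules restricted by CIDR, by source ACG, and a UDP rule.
SAMPLE_INBOUND = [
    {"protocol": "TCP", "ip_block": "0.0.0.0/0", "port_range": "80"},
    {"protocol": "TCP", "ip_block": "0.0.0.0/0", "port_range": "1-65535"},
    {"protocol": "TCP", "ip_block": "10.0.0.0/8", "port_range": "80"},
    {"protocol": "TCP", "source_access_control_group_no": "ACG-PLACEHOLDER", "port_range": "80"},
    {"protocol": "UDP", "ip_block": "0.0.0.0/0", "port_range": "80"},
]

if __name__ == "__main__":
    for rule in find_violations(SAMPLE_INBOUND):
        print("FAILED CKV_NCP_25:", rule)
```

The second sample rule shows the case a plain string match for "80" would miss: a wide range like 1-65535 still exposes port 80.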
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1226 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | ncloud_access_control_group_rule |
| Checkov ID | CKV_NCP_25 |