OCI VCN Security list has stateful security rules
Description
This policy identifies the OCI Virtual Cloud Networks (VCN) security lists that have stateful ingress rules configured in their security lists. It is recommended that Virtual Cloud Networks (VCN) security lists are configured with stateless ingress rules to slow the impact of a denial-of-service (DoS) attack.
Code Example
go
resource "oci_core_security_list" "pass" {
compartment_id = oci_identity_compartment.tf-compartment.id
vcn_id = oci_core_vcn.test_vcn.id
ingress_security_rules {
protocol = "all"
source="192.168.1.0/24"
- stateless = false
}
}Remediation
- OCI Console*
. Login to the OCI Console
. Type the resource reported in the alert into the Search box at the top of the Console.
. Click the resource reported in the alert from the Resources submenu
. Click on Ingress rule where Stateless column is set to No
. Click on Edit
. Select the checkbox STATELESS
. Click on Save Changes === Fix - Buildtime
Terraform
- Resource: oci_core_security_list
- Arguments: vcn_id + ingress_security_rule
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1244 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_OCI_17 |