Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 (tcp / udp)
Description
This policy checks for unrestricted ingress to port 22 in OpenStack security groups, which could allow unauthorized access to instances. Port 22 is the default port for SSH, and unrestricted access to it poses a significant security risk. It is essential to restrict access to port 22 to only trusted IP addresses or sources to prevent potential attacks. By doing so, the risk of unauthorized access to instances can be significantly reduced.
Code Example
```terraform
resource "openstack_networking_secgroup_rule_v2" "example" {
  direction        = "ingress"
  ethertype        = "IPv4"
  protocol         = "tcp"
  port_range_min   = 22
  port_range_max   = 22
  # Scoped to one trusted subnet rather than 0.0.0.0/0
  remote_ip_prefix = "192.168.1.0/24"
  # Required by the provider; the referenced security group is assumed to be declared elsewhere
  security_group_id = openstack_networking_secgroup_v2.example.id
}
```

Remediation
Restrict ingress to port 22 by specifying allowed IP addresses or security groups in the security group rule.
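As an added illustration of this policy's logic (not Checkov's own source), the check below evaluates parsed resources of both frameworks listed under Rule Details and treats `::/0` and an absent remote prefix with no remote group (Neutron's default, any source) the same as `0.0.0.0/0`. It assumes each resource has already been parsed from HCL into a plain dict; the sample resources are constructed.

```python
import ipaddress
SSH_PORT = 22
PROTOCOLS = {"tcp", "udp", None}  # None: Neutron "any protocol", which includes tcp and udp

def _proto(value):
    return value.lower() if isinstance(value, str) else None

def _unrestricted(prefix, remote_group):
    # Open to everyone when no group scopes the rule and the prefix is absent
    # (Neutron default: any source) or a /0 network of either address family.
    if remote_group:
        return False
    if not prefix:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparsable prefix is not this policy's concern

def _covers_ssh(low, high):
    if low is None and high is None:  # no range given: every port of the protocol
        return True
    try:
        return int(low) <= SSH_PORT <= int(high)
    except (TypeError, ValueError):
        return False

def secgroup_rule_v2_passes(conf):
    # One openstack_networking_secgroup_rule_v2 resource; True when compliant.
    if conf.get("direction") != "ingress" or _proto(conf.get("protocol")) not in PROTOCOLS:
        return True
    if not _covers_ssh(conf.get("port_range_min"), conf.get("port_range_max")):
        return True
    return not _unrestricted(conf.get("remote_ip_prefix"), conf.get("remote_group_id"))

def compute_secgroup_v2_passes(conf):
    # openstack_compute_secgroup_v2 holds nested "rule" blocks, all of them ingress.
    for rule in conf.get("rule") or []:
        if (_proto(rule.get("ip_protocol")) in PROTOCOLS
                and _covers_ssh(rule.get("from_port"), rule.get("to_port"))
                and _unrestricted(rule.get("cidr"), rule.get("from_group_id"))):
            return False
    return True
# Constructed samples: the page's rule, a range spanning 22 open to 0.0.0.0/0, the IPv6 equivalent.
SAMPLES = {
    "page_example": {"direction": "ingress", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "192.168.1.0/24"},
    "open_range": {"direction": "ingress", "protocol": "TCP", "port_range_min": 20, "port_range_max": 25, "remote_ip_prefix": "0.0.0.0/0"},
    "open_ipv6": {"direction": "ingress", "protocol": "tcp", "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "::/0"},
}
```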
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1279 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | openstack_compute_secgroup_v2, openstack_networking_secgroup_rule_v2 |
| Checkov ID | CKV_OPENSTACK_2 |