Ensure security group does not contain allow-all rules.
Description
This policy checks whether a security group contains allow-all rules, which can pose a significant security risk by allowing unrestricted access to resources. The rule specifically looks for ingress rules with a CIDR block of 0.0.0.0/0 and either all ports open or no port restrictions. It is essential to restrict access to only necessary IP addresses and ports to prevent unauthorized access and potential security breaches. By ensuring that security groups do not contain allow-all rules, organizations can significantly reduce the attack surface of their infrastructure.
Code Example
```terraform
resource "yandex_vpc_security_group" "example" {
  ingress {
    protocol       = "tcp"
    v4_cidr_blocks = ["10.0.0.0/16"]
    from_port      = 22
    to_port        = 22
  }
}
```
Remediation
Ensure the security group does not allow all traffic from any source IP address and restricts access to only necessary ports.
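The check described above, written out as an added Python example (not Checkov's own implementation of CKV_YC_19): it evaluates a `yandex_vpc_security_group` represented as a plain dict, as a simple HCL parser would produce it, and flags an ingress rule as allow-all when `0.0.0.0/0` is a source and the rule either sets no port fields or spans the full 0-65535 range. The sample configurations are constructed, and the handling of the provider's `-1` port sentinel as "unbounded" is an assumption.

```python
from typing import Any, Dict, Tuple

MAX_PORT = 65535
ALLOW_ALL_CIDR = "0.0.0.0/0"


def _port_range(rule: Dict[str, Any]) -> Tuple[int, int]:
    """Return the (low, high) port range a rule admits.

    A rule with no `port`, `from_port` or `to_port` field has no port
    restriction, so it covers 0..65535. Assumption: a negative value
    (the provider's -1 sentinel) is likewise treated as unbounded.
    """
    if "port" in rule:
        return int(rule["port"]), int(rule["port"])
    low = int(rule.get("from_port", -1))
    high = int(rule.get("to_port", -1))
    return (0 if low < 0 else low), (MAX_PORT if high < 0 else high)


def rule_is_allow_all(rule: Dict[str, Any]) -> bool:
    """True when the ingress rule admits any source IPv4 on every port."""
    if ALLOW_ALL_CIDR not in rule.get("v4_cidr_blocks", []):
        return False
    low, high = _port_range(rule)
    return low == 0 and high == MAX_PORT


def check_security_group(resource: Dict[str, Any]) -> str:
    """Return 'FAILED' if any ingress rule is allow-all, else 'PASSED'."""
    ingress = resource.get("ingress", [])
    if isinstance(ingress, dict):  # a single block parsed as a dict
        ingress = [ingress]
    return "FAILED" if any(rule_is_allow_all(r) for r in ingress) else "PASSED"


# Constructed sample resources for illustration.
COMPLIANT = {"ingress": [{"protocol": "tcp", "v4_cidr_blocks": ["10.0.0.0/16"],
                          "from_port": 22, "to_port": 22}]}
NO_PORTS = {"ingress": [{"protocol": "any", "v4_cidr_blocks": ["0.0.0.0/0"]}]}
FULL_RANGE = {"ingress": [{"protocol": "tcp", "v4_cidr_blocks": ["0.0.0.0/0"],
                           "from_port": 0, "to_port": 65535}]}
# Open to the world on one port only: outside this policy's scope,
# though such a rule still deserves review on its own merits.
SINGLE_PORT = {"ingress": [{"protocol": "tcp", "v4_cidr_blocks": ["0.0.0.0/0"],
                            "port": 443}]}

if __name__ == "__main__":
    for name, res in [("compliant", COMPLIANT), ("no_ports", NO_PORTS),
                      ("full_range", FULL_RANGE), ("single_port", SINGLE_PORT)]:
        print(f"{name}: {check_security_group(res)}")
```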
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1352 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | yandex_vpc_security_group |
| Checkov ID | CKV_YC_19 |