Ensure security group rule is not allow-all.
Description
This policy checks whether a security group rule allows all incoming traffic from any IP address. Allowing all traffic can expose resources to unauthorized access and increase the risk of security breaches. It is essential to restrict access to only necessary IP addresses and ports to minimize the attack surface. The rule checks for ingress traffic with a CIDR block of 0.0.0.0/0 and either all ports or a wide port range open.
Code Example
```terraform
# Compliant: ingress limited to one private /16 and a single port (SSH),
# rather than 0.0.0.0/0 with all ports or a wide port range.
resource "yandex_vpc_security_group_rule" "example" {
  security_group_id = yandex_vpc_security_group.example.id
  direction         = "ingress"
  v4_cidr_blocks    = ["10.0.0.0/16"]
  port              = 22
}
```
Remediation
Restrict the security group rule to only allow necessary IP addresses and ports.
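The following is an added example, not Checkov's own implementation of CKV_YC_20 and not code from this page: a standalone Python reimplementation of the check described above (ingress, source 0.0.0.0/0, and either all ports or a wide port range), run over constructed attribute dictionaries shaped like `yandex_vpc_security_group_rule` resources. It also treats the IPv6 any-address `::/0` as allow-all, which goes beyond the page text. The attribute names `port`, `from_port`, `to_port`, `v4_cidr_blocks` and `v6_cidr_blocks`, the convention that `port = -1` means "all ports", and the 1024-port threshold for "wide" are assumptions made here for illustration.

```python
"""Added example: allow-all ingress detection for Yandex security group rules.

Not Checkov's code. Assumptions (not taken from the page): attribute names
port / from_port / to_port / v4_cidr_blocks / v6_cidr_blocks follow the
Yandex provider, port == -1 means "all ports", a rule with no port fields
at all is treated conservatively as "all ports", and a range of more than
WIDE_RANGE_PORTS ports counts as a "wide port range".
"""
from __future__ import annotations

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"          # IPv6 counterpart; the page text only names 0.0.0.0/0
ALL_PORTS = -1           # assumed provider convention for "any port"
MAX_PORT = 65535
WIDE_RANGE_PORTS = 1024  # assumed threshold for "wide port range"


def port_span(rule: dict) -> int | None:
    """Number of ports the rule opens, or None when it opens all of them."""
    port = rule.get("port")
    if port is not None:
        return None if port == ALL_PORTS else 1
    lo = rule.get("from_port", 0)
    hi = rule.get("to_port", MAX_PORT)
    if lo in (ALL_PORTS, 0) and hi in (ALL_PORTS, MAX_PORT):
        return None  # 0-65535 (or -1/-1) is the whole port space
    return hi - lo + 1


def is_allow_all(rule: dict) -> bool:
    """True when the rule is ingress from anywhere on all or a wide range of ports."""
    if rule.get("direction") != "ingress":
        return False  # egress rules are out of scope for this check
    sources = set(rule.get("v4_cidr_blocks", [])) | set(rule.get("v6_cidr_blocks", []))
    if not sources & {ANY_V4, ANY_V6}:
        return False  # source is restricted to specific networks
    span = port_span(rule)
    return span is None or span > WIDE_RANGE_PORTS


def check_rules(rules: dict[str, dict]) -> dict[str, str]:
    """Map each rule name to PASSED/FAILED, mirroring a scanner's per-resource verdict."""
    return {name: ("FAILED" if is_allow_all(rule) else "PASSED") for name, rule in rules.items()}


# Constructed sample input: the page's compliant rule plus variants around it.
SAMPLE_RULES = {
    "ssh_from_private_net": {"direction": "ingress", "v4_cidr_blocks": ["10.0.0.0/16"], "port": 22},
    "world_all_ports": {"direction": "ingress", "v4_cidr_blocks": ["0.0.0.0/0"], "port": -1},
    "world_wide_range": {"direction": "ingress", "v4_cidr_blocks": ["0.0.0.0/0"],
                         "from_port": 1024, "to_port": 65535},
    "world_https_only": {"direction": "ingress", "v4_cidr_blocks": ["0.0.0.0/0"], "port": 443},
    "world_v6_all_ports": {"direction": "ingress", "v6_cidr_blocks": ["::/0"],
                           "from_port": 0, "to_port": 65535},
    "egress_anywhere": {"direction": "egress", "v4_cidr_blocks": ["0.0.0.0/0"], "port": -1},
}

if __name__ == "__main__":
    for name, verdict in check_rules(SAMPLE_RULES).items():
        print(f"{verdict:7} {name}")
```

Only the two 0.0.0.0/0 rules that open everything or a 64512-port range, and the `::/0` rule, fail; a single public port such as 443 and the egress rule pass, which matches the scope the description gives the check.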
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1353 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | yandex_vpc_security_group_rule |
| Checkov ID | CKV_YC_20 |