class Terracop::Cop::Aws::UnrestrictedIngressPorts
This cop warns against ingress security group rules that allow any port. Servers usually run several services listening on different ports, and an ingress rule that admits every port exposes all of them to a range of vulnerabilities. Only allow the specific ports you want to receive traffic on, and no more.
@example
  # bad
  resource "aws_security_group_rule" "ingress" {
    type      = "ingress"
    from_port = 0
    to_port   = 65535
  }

  # good
  resource "aws_security_group_rule" "ingress" {
    type      = "ingress"
    from_port = 443
    to_port   = 443
  }
Public Instance Methods
check()
  # File lib/terracop/cop/aws/unrestricted_ingress_ports.rb, line 30
  def check
    return unless ingress? && (tcp? || udp?) && any_port?

    offense('Limit ingress traffic to small port ranges.', :security)
  end
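As an added example (not Terracop's own code), a stand-alone checker that applies the same three conditions as `check` (ingress, TCP or UDP, any port) to raw HCL text and reports which rule triggered. It assumes flat `key = value` blocks as in the @example above, and that "any port" means `from_port` 0 through `to_port` 65535; the cop's own `any_port?` helper is not shown on this page.

```ruby
# Added stand-alone example, not Terracop's own code: mirrors the cop's check on
# raw HCL. Assumptions: blocks are flat with one `key = value` per line (real HCL
# needs a proper parser) and "any port" means from_port 0 .. to_port 65535.
# Returns [name, attributes] for each aws_security_group_rule block in the text.
def security_group_rules(hcl)
  hcl.scan(/resource\s+"aws_security_group_rule"\s+"([^"]+)"\s*\{([^}]*)\}/m).map do |name, body|
    attrs = body.scan(/^\s*(\w+)\s*=\s*("?)([^"\n]*)\2\s*$/).to_h { |k, _q, v| [k, v.strip] }
    [name, attrs]
  end
end
def ingress?(attrs); attrs['type'] == 'ingress'; end
def tcp_or_udp?(attrs); %w[tcp udp].include?(attrs['protocol'].to_s.downcase); end
# True when the rule spans the whole port range (the assumed meaning of any_port?).
def any_port?(attrs)
  from = Integer(attrs['from_port'].to_s, exception: false)
  to   = Integer(attrs['to_port'].to_s, exception: false)
  from == 0 && to == 65_535
end
# Names of rules that would receive the cop's offense: ingress AND tcp/udp AND any port.
def unrestricted_ingress_ports(hcl)
  security_group_rules(hcl)
    .select { |_name, attrs| ingress?(attrs) && tcp_or_udp?(attrs) && any_port?(attrs) }
    .map(&:first)
end

# Constructed sample: a wide-open TCP ingress rule (offense), an HTTPS-only rule
# and a wide-open egress rule (both pass, since the cop only looks at ingress).
SAMPLE_HCL = <<~HCL
  resource "aws_security_group_rule" "open_ingress" {
    type = "ingress"
    protocol = "tcp"
    from_port = 0
    to_port = 65535
  }
  resource "aws_security_group_rule" "https_ingress" {
    type = "ingress"
    protocol = "tcp"
    from_port = 443
    to_port = 443
  }
  resource "aws_security_group_rule" "open_egress" {
    type = "egress"
    protocol = "udp"
    from_port = 0
    to_port = 65535
  }
HCL

puts unrestricted_ingress_ports(SAMPLE_HCL).inspect # => ["open_ingress"]
```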