class Terracop::Cop::Aws::UnrestrictedIngressPorts

This cop warns against ingress security group rules that allow any port. Servers usually run several services listening on different ports, and an ingress rule that opens the whole port range exposes every one of them to the network. Allow only the specific ports you want to receive traffic on, and no more.

@example

# bad: tcp rule spanning the entire 0-65535 port range
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 0
  to_port     = 65535
}

# good: only the single port the service actually listens on
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 443
  to_port     = 443
}

Public Instance Methods

check()
# File lib/terracop/cop/aws/unrestricted_ingress_ports.rb, line 30
def check
  # ingress?, tcp?, udp? and any_port? are predicates on the rule's attributes,
  # defined elsewhere in the cop (not shown here). The offense is reported only
  # for ingress rules over tcp or udp whose port range covers every port.
  return unless ingress? && (tcp? || udp?) && any_port?

  offense('Limit ingress traffic to small port ranges.', :security)
end
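The check above only shows the top-level condition. The following is an added, stand-alone example (not terracop's own code) of how the same decision can be made on a rule's parsed attributes; the class name, the attribute hash shape, and the bodies of ingress?, tcp?, udp? and any_port? are assumptions chosen to mirror the predicates the cop calls.

```ruby
# Added example, not part of the terracop gem: a minimal port-range check over a
# rule attribute hash as it would look after parsing the HCL example above.
class IngressPortsCheck
  # AWS security group ports are an unsigned 16-bit range.
  MAX_PORT = 65_535

  def initialize(attrs)
    @attrs = attrs
  end

  def ingress?
    @attrs['type'] == 'ingress'
  end

  def tcp?
    @attrs['protocol'].to_s.downcase == 'tcp'
  end

  def udp?
    @attrs['protocol'].to_s.downcase == 'udp'
  end

  # "Any port" means the rule spans the whole 0..65535 range. Protocol "-1"
  # (all traffic) also implies every port, but it is not tcp/udp and is out
  # of scope for this check.
  def any_port?
    from = Integer(@attrs['from_port'] || 0)
    to   = Integer(@attrs['to_port']   || 0)
    from <= 0 && to >= MAX_PORT
  end

  # Returns the offense message for a flagged rule, nil otherwise.
  def check
    return nil unless ingress? && (tcp? || udp?) && any_port?

    'Limit ingress traffic to small port ranges.'
  end
end

# Constructed sample rules (hypothetical input, labelled as such).
SAMPLE_RULES = {
  'bad'    => { 'type' => 'ingress', 'protocol' => 'tcp', 'from_port' => 0,   'to_port' => 65_535 },
  'good'   => { 'type' => 'ingress', 'protocol' => 'tcp', 'from_port' => 443, 'to_port' => 443 },
  'egress' => { 'type' => 'egress',  'protocol' => 'tcp', 'from_port' => 0,   'to_port' => 65_535 }
}.freeze

# Maps each rule name to its offense message (or nil when the rule passes).
def offenses_for(rules)
  rules.map { |name, attrs| [name, IngressPortsCheck.new(attrs).check] }.to_h
end
```

Only the "bad" sample is flagged; the egress rule is skipped even though it spans every port, because this cop is scoped to ingress traffic.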