Overly Permissive Cloud Security Groups and Firewall Rules

High Risk | Infrastructure Security

Tags: aws-security-groups, gcp-firewall-rules, azure-network-security-groups, network-security, firewall-rules, overpermissive-access, network-acl, port-exposure

What it is

A high-severity security vulnerability where cloud security groups, network ACLs, and firewall rules are configured with overly broad permissions, allowing unrestricted or excessive network access to cloud resources. This includes rules that allow traffic from any source (0.0.0.0/0), open dangerous ports, permit protocols beyond requirements, or grant access to administrative interfaces from the internet.

```hcl
# VULNERABLE: SSH accessible from internet
resource "aws_security_group" "web_sg" {
  name   = "web-security-group"
  vpc_id = aws_vpc.main.id

  # VULNERABLE: SSH from anywhere
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # DANGEROUS!
    description = "SSH access"
  }

  # VULNERABLE: Database port exposed
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # DANGEROUS!
    description = "PostgreSQL"
  }
}
```

```hcl
# SECURE: Restricted access via security groups
resource "aws_security_group" "web_sg" {
  name   = "web-security-group"
  vpc_id = aws_vpc.main.id

  # SECURE: SSH only from bastion
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion_sg.id]
    description     = "SSH from bastion only"
  }

  # SECURE: Database access from app tier only
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app_sg.id]
    description     = "PostgreSQL from app tier only"
  }
}
```

💡 Why This Fix Works

The vulnerable configuration allows SSH and database access from any IP address (0.0.0.0/0), exposing critical services to the internet. The secure version restricts access using security group references, allowing SSH only from a bastion host and database access only from the application tier.

Why it happens

Security groups and firewall rules drift toward over-permission in three recurring ways: inbound traffic is allowed from any IP address (0.0.0.0/0) on sensitive ports like SSH, RDP, or databases; port ranges (or all ports) are opened instead of the specific ports required; and administrative interfaces, management consoles, or database ports are exposed directly to the internet rather than reached through an internal tier or bastion.

Root causes

Security Groups with 0.0.0.0/0 CIDR Blocks

Security groups configured to allow inbound traffic from any IP address (0.0.0.0/0) on sensitive ports like SSH, RDP, or databases.

Overly Broad Port Ranges

Firewall rules that open wide ranges of ports or all ports instead of specific required ports.

Administrative Port Exposure

Exposing administrative interfaces, management consoles, or database ports directly to the internet.
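As an added example (not part of the original page, and not Sourcery's or AWS's own tooling), the following Python script audits security group rules for the three root causes above. It uses the field names of the EC2 DescribeSecurityGroups response (`IpPermissions`, `IpProtocol`, `FromPort`/`ToPort`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`), so the same function can be run over the JSON that `aws ec2 describe-security-groups` returns. The sample groups, the sensitive-port list and the `MAX_PORT_RANGE` threshold are constructed assumptions for illustration.

```python
"""Audit AWS security group ingress rules for overly permissive access.

Checks, per rule: (1) an unrestricted source (0.0.0.0/0 or ::/0) on a
sensitive/administrative port, (2) a port range wider than required,
(3) a public rule that is neither, reported as low so it can be confirmed
as an intended public service (e.g. HTTPS on a load balancer).
"""
from ipaddress import ip_network

# Ports treated as sensitive when reachable from the whole internet.
# Assumption: illustrative list, extend to match your environment.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
    1433: "MSSQL", 6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch",
}
# Assumption: a rule spanning more than this many ports is "too broad".
MAX_PORT_RANGE = 10


def is_unrestricted(cidr):
    """True for any-address CIDRs (0.0.0.0/0 and ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(perm):
    """Return (low, high, protocol); IpProtocol "-1" means every port."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return 0, 65535, "all"
    return perm["FromPort"], perm["ToPort"], proto


def audit_security_group(sg):
    """Return a list of finding dicts for one DescribeSecurityGroups entry."""
    findings = []
    gid = sg["GroupId"]
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") in ("icmp", "icmpv6"):
            continue  # no port semantics; out of scope for this check
        low, high, proto = rule_ports(perm)
        # Sources open to any address, IPv4 and IPv6.
        public = [r["CidrIp"] for r in perm.get("IpRanges", [])
                  if is_unrestricted(r["CidrIp"])]
        public += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                   if is_unrestricted(r["CidrIpv6"])]
        label = f"{low}/{proto}" if low == high else f"{low}-{high}/{proto}"
        broad = proto == "all" or high - low > MAX_PORT_RANGE
        if broad:  # root cause: overly broad port range (any source)
            findings.append({"group": gid, "rule": label,
                             "severity": "high" if public else "medium",
                             "reason": "port range wider than required"})
        if not public:
            continue  # security-group references or specific CIDRs only
        exposed = [(p, n) for p, n in sorted(SENSITIVE_PORTS.items())
                   if low <= p <= high]
        for port, name in exposed:  # root cause: admin/db port from anywhere
            findings.append({"group": gid, "rule": label, "severity": "high",
                             "reason": f"{name} ({port}) reachable from "
                                       f"{', '.join(public)}"})
        if not exposed and not broad:
            findings.append({"group": gid, "rule": label, "severity": "low",
                             "reason": f"reachable from {', '.join(public)}; "
                                       "confirm this is an intended public service"})
    return findings


def audit(groups):
    """Audit every group in a DescribeSecurityGroups 'SecurityGroups' list."""
    return [f for sg in groups for f in audit_security_group(sg)]


# Constructed sample data mirroring the vulnerable and secure configs above.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bad0000web", "GroupName": "web-security-group",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     ]},
    {"GroupId": "sg-0good000web", "GroupName": "web-security-group-fixed",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0bastion0000"}]},
         {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
          "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app00000000"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     ]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"[{f['severity']:6}] {f['group']} {f['rule']}: {f['reason']}")
```

Against the sample data the vulnerable group yields two high findings (SSH and PostgreSQL from 0.0.0.0/0), one medium (the 1024-65535 range, even though its source is internal) and one low (443 from the internet, to be confirmed as intended); the fixed group yields only the low 443 finding, because its SSH and database rules reference other security groups rather than CIDRs.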

Fixes

1. Restrict Source IP Ranges

Replace 0.0.0.0/0 with specific IP ranges or security group references for internal traffic.

2. Open Only Required Ports

Specify exact ports needed instead of ranges, and close all unnecessary ports.

3. Use Bastion Hosts for SSH/RDP

Route SSH and RDP traffic through bastion hosts instead of allowing direct internet access.

Detect This Vulnerability in Your Code

Sourcery automatically identifies overly permissive cloud security groups and firewall rules and many other security issues in your codebase.