Dangerous Defaults

Dangerous Defaults # 1 - AWS VPC and VPNs with No Backups Enabled

We evaluate the configuration for setting up AWS GPU VPC and VPNs using CoGuard, Snyk and KICS #aws #cloudformation #iac #config #backups #configuration

Albert Heinle
Written by
Albert Heinle

We have a series of articles looking at common misconfigurations and dangerous defaults we’ve seen in the wild. Next up! 

Misconfigured security settings can be disastrous for a company, and they are very common. More common than they need to be.  

A security misconfiguration occurs when security settings are either: 

  1. Not implemented, or
  2. Deployed with errors.

The configuration settings create security gaps that expose the application and its data to a cyberattack and possible breach. 

These errors can happen at any level of the your infrastructure: 

  • IaaS or PaaS
  • IaC
  • Container
  • Application
  • Development frameworks
  • Custom code

Many of these misconfigurations happen because developers or system administrators do not change the default configuration of the device or application during installation. This is problematic because many automated attacks start by testing whether a target system uses the default settings. 

AWS GPU VPC+ OpenVPN Instances With No Backups Enabled

We were asked to put together a set of IaC files for a client to be able to deploy a set of GPU EC2 instances with a VPN connection for access. The client was looking to create a new Virtual Private Cluster to access SageMaker and wanted to ensure the configurations were secured to meet their compliance goals for SoC2 and HIPAA. This is the starting CloudFormation template for the VPC with EC2 and VPN instances. 

Example CloudFormation Configuration


AWSTemplateFormatVersion: '2010-09-09'
Description: OpenVPN and GPU EC2 Instances in VPC

Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: MyVPC

  OpenVPNElasticIP:
    Type: AWS::EC2::EIP

  VPNSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for OpenVPN EC2 Instance
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 1194
          ToPort: 1194
          CidrIp: 0.0.0.0/0  # Adjust this to restrict source IPs if necessary
        - IpProtocol: tcp
          FromPort: 22  # SSH
          ToPort: 22
          CidrIp: 0.0.0.0/0 # Adjust this to restrict source IPs if necessary

  GPUInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for GPU EC2 Instance
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22  # SSH
          ToPort: 22
          SourceSecurityGroupId: !GetAtt VPNSecurityGroup.GroupId  # Allow SSH only from OpenVPN instance

  OpenVPNInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro  # Adjust the instance type as needed
      ImageId: ami-07950069b6e107edf  # OpenVPN Access Server Community Image
      KeyName: your-key-pair
      PrivateIpAddress: 10.0.0.1
      SecurityGroupIds:
        - !Ref VPNSecurityGroup
      Tags:
        - Key: Name
          Value: OpenVPNInstance
      DependsOn: OpenVPNElasticIPAssociation

  OpenVPNElasticIPAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      InstanceId: !Ref OpenVPNInstance
      EIP: !Ref OpenVPNElasticIP

  GPUInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: g4dn.xlarge  # GPU-optimized instance type
      ImageId: ami-0743cdf6dd3f7e05b  # AMI for amazon/AWS Deep Learning Base AMI GPU CUDA 11 (Ubuntu 20.04) 20230110
      KeyName: your-key-pair
      SecurityGroupIds:
        - !Ref GPUInstanceSecurityGroup
      Tags:
        - Key: Name
          Value: GPUInstance

  GPUVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !GetAtt GPUInstance.AvailabilityZone
      Size: 100  # Adjust the size as needed

  OpenVPNVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !GetAtt OpenVPNInstance.AvailabilityZone
      Size: 20  # Adjust the size as needed

  GPUVolumeAttachment:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      Device: /dev/xvdf  # Adjust the device name if needed
      InstanceId: !Ref GPUInstance
      VolumeId: !Ref GPUVolume

Test Environment

  • CoGuard CLI version 0.2.14
  • KICS version 1.7.7-alpine (Docker)
  • Snyk version 1.1203.0

All tests were done on the above file using macOS and linux versions. 

We wanted to evaluate the configuration of the GPU VPC and VPN connections. 

Summary Results

Severity CoGuard Snyk KICS
Total 8 8 26
High 2   6
Medium 3 6 10
Low 4 2 4
INFO     6
Unique Rules 8 5 15

Do more results equal a better code scanner? 

There are a few similarities and differences in the results across the three scanners. There is significant variance between the distribution of HIGH vs MEDIUM vs LOW priority vulnerabilities. For a number of reported software vulnerabilities we can compare the results using a CVSS calculator and fill in all of the parameters identified. In the configuration space (or the misconfiguration space), the ranking is a judgment decision for the author of the policy. It becomes critical to understand how violations are scored. We have not been able to find the scoring methodologies for KICS and Snyk with regards to configurations. At CoGuard, we publish our decision guidelines on the user-dashboard (although we allow changes to the sorting and ranking depending on the compliance framework or custom rule set that a specific user has selected). 

Generally, it is a tradeoff between “information” and “information overload”. This is quite common in the LOW/INFO items to be able to generate notifications of configurations and warnings. The challenge is to not overwhelm development teams with unnecessary information and CVE fatigue. This is compounded when many of the results essentially double the raised warnings for each file. Many development teams see a large number of results, and estimate the fix as a large effort and the efforts may be deprioritized in triage. What matters is to capture configuration risk, misconfigurations and security vulnerabilities and to prompt the teams to make informed choices and prioritization. 

At CoGuard we’re focused on clearly identifying HIGH (and very often MEDIUM) issues, and trying to reduce CVE fatigue/noise. The CoGuard Severity Levels are:

Each of the scanners uses a different approach for identifying and ranking issues. Using scanners for IaC, containers and application configurations is a starting point. This is a starting point for remediating misconfigurations and exploitable security vulnerabilities. 

CoGuard Results

CoGuard CLI version 0.2.14 identified 8 misconfigurations including:

  • 2 High
  • 3 Medium
  • 3 Low

CoGuard results have a high focus on security and encryption. The default settings identify encryption of the EC2 and EBS data stores. CoGuard identifies missing backup details from both VPC groups as a method for data/disaster recovery and post-incident analysis.


$ coguard folder ./

          XXXXXXXXXXXK
      xXXXXXXXXXXXXXXXXXXl
    XXXXX.            ;XXXXO       .XXXXXXXXXX     oXXXX        XXXXc       xXXXX'       'XXXXXXXXXXXXO     XXXXXXXXXXX;
  lXXXx    lXXXXXXXX,    0XXX;   cXXXXXXXXXXXXXX.  oXXXX        XXXXc      :XXXXXX       'XXXXXXXXXXXXXXX.  XXXXXXXXXXXXXX'
 dXXX.  .XXXXXx  0XXXXX    ...  dXXXX'      cXXXX. oXXXX        XXXXc     .XXXXXXX0      'XXXX'      OXXXX  XXXXo     .XXXXk
;XXX   xXXX    do   .XXXc      'XXXX,              oXXXX        XXXXc     XXXX.oXXXd     'XXXX'      ,XXXX. XXXXd       XXXXd
0XXl  ;XXk     ,,     KXX.     lXXXX               oXXXX        XXXXc    OXXXl  0XXX:    'XXXX'     .XXXXk  XXXXd       lXXXX
XXX:  oXX: cll.  ,ll: oXX;     oXXXX    .XXXXXXXXo oXXXX        XXXXc   oXXXO   .XXXX.   'XXXXXXXXXXXXXX;   XXXXd       lXXXX
OXXo  ;XXO     do     KXX.     cXXXX.   .XXXXXXXXo oXXXX        XXXXc  ;XXXX     :XXXX   'XXXXXXXXXXXXl     XXXXd       xXXX0
;XXX.  oXXX    ,,   .XXX:      .XXXXo        XXXXo lXXXX       .XXXX: .XXXXXXXXXXXXXXXO  'XXXX'   .XXXXd    XXXXd      ,XXXX;
 oXXX.   XXXXXX:lXXXXXK   ;XXX: .XXXXX.      XXXXo  XXXXX     .XXXX0  XXXXx        XXXXo 'XXXX'    .XXXX0   XXXXd    .XXXXX,
  cXXXO    ;XXXXXXXX.    XXXX'    xXXXXXXXXXXXXXX.   kXXXXXXXXXXXXd  kXXXX         ,XXXX:'XXXX'      XXXXK  XXXXXXXXXXXXXl
    KXXXX;            lXXXXx         'XXXXXXX           cXXXXXX;    lXXXX,          dXXXXlXXXX'       KXXXX XXXXXXXXK
      oXXXXXXXXXXXXXXXXXX:
          OXXXXXXXXXXd
    
SCANNING FOLDER blog-examples
Found file /AWS-CloudFormation-Example.yml
Found configuration files for cloudformation in non-standard location.
SCANNING OF blog-examples COMPLETED
Scan result: 8 checks failed, 2 High/3 Medium/3 Low (🔧 5 candidates for auto-remediation)
 X Severity 4: cloudformation_ec2_volume_encrypted (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  EC2 Volumes are generally not encrypted by default. This check
               flags if a volume was found without encryption enabled.
               Remediation: For every resource of type `AWS::EC2::Volume`,
               ensure that if the `Encrypted` parameter is set to `true`.
               Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/User
               Guide/aws-properties-ec2-ebs-volume.html
🔧  X Severity 4: cloudformation_ebs_volume_encryption (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  Any volumes in the cloud should always be encrypted.
               Remediation: For every resource of type `AWS::EC2::Volume`,
               ensure that the `Encrypted` key is set to `true` (default is
               `false`).   Source: https://docs.aws.amazon.com/AWSCloudFormation
               /latest/UserGuide/aws-properties-ec2-ebs-volume.html
 X Severity 3: cloudformation_ec2_ensure_backup_plan (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  When using EC2-instances, it is recommended to ensure that the
               attached EBS volume is being backed up regularly.  Remediation:
               When using a resource of type `AWS::EC2::Instance`, ensure that
               there is a resource of type `AWS::Backup::BackupPlan`, as well as
               a resource of type `AWS::Backup::BackupSelection`.   Source: http
               s://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-
               properties-ec2-instance.html
🔧  X Severity 3: cloudformation_ec2_disable_termination (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  When using EC2-instances, it is advisable to enable termination
               protection, since it is otherwise possible to accidentally lose
               data or put the cluster in an undesired state.  Remediation: For
               every resource of type `AWS::EC2::Instance`, ensure that the
               `DisableApiTermination` key is set to `true` (default is
               `false`).   Source: https://docs.aws.amazon.com/AWSCloudFormation
               /latest/UserGuide/aws-properties-ec2-instance.html
🔧  X Severity 3: cloudformation_ec2_enable_enhanced_monitoring (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  When using EC2-instances, if real-time view on data is critical,
               it is advisable to enable enhanced monitoring. This also enables
               teams to get alarms more timely.  Remediation: For every resource
               of type `AWS::EC2::Instance`, ensure that the `Monitoring` key is
               set to `true` (default is `false`).   Source: https://docs.aws.am
               azon.com/AWSCloudFormation/latest/UserGuide/aws-properties-
               ec2-instance.html,
               https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-
               cloudwatch-new.html
🔧  X Severity 2: cloudformation_ebs_volume_encryption_custom_key (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  Using the default key to encrypt volumes in AWS is preventing
               good practices like regular key rotation. Hence, a custom key
               should always be used.  Remediation: For every resource of type
               `AWS::EC2::Volume`, ensure that the property `KmsKeyId` is set.
               Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/User
               Guide/aws-properties-ec2-ebs-volume.html
🔧  X Severity 2: cloudformation_ssh_not_default_port (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  When creating an EC2-instance in AWS, it is advisable to set the
               port to connect via SSH to anything else but the default port 22,
               as this is a port that is probed by potential attackers first.
               Remediation: For every resource of type
               `AWS::EC2::SecurityGroup`, ensure that there is no `Ingress`
               block inside `SecurityGroupIngress` where the `ToPort` is 22 and
               the `IpProtocol` is `TCP`.   Source: https://docs.aws.amazon.com/
               AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-
               group.html
 X Severity 1: cloudformation_unused_ec2_security_groups (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation:  When defining a security group for EC2-instances, we also expect
               it to be used.  Remediation: For every resource of type
               `AWS::EC2::SecurityGroup`, ensure that it is referenced at least
               in one `SecurityGroups` property in an `AWS::EC2::Instance`
               resource.   Source: https://docs.aws.amazon.com/AWSCloudFormation
               /latest/UserGuide/aws-properties-ec2-instance.html
Scan result: 8 checks failed, 2 High/3 Medium/3 Low (🔧 5 candidates for auto-remediation)

Synk Results

Snyk version 1.1203.0 also identified 8 issues.

  • 6 medium
  • 2 low

4 of the issues are related to a non-encrypted EBS and EC2 storage. These issues are repeated for both the GPU VPC and the OpenVPN VPC. 


$ snyk iac test --report --org=927c4fe6-f615-45ae-97f8-954e44413e8d

Snyk Infrastructure as Code

✔ Test completed.

Issues

Low Severity Issues: 2

  [Low] EC2 API termination protection is not enabled
  Info:    To prevent instance from being accidentally terminated using Amazon
           EC2, you can enable termination protection for the instance. Without
           this setting enabled the instances can be terminated by accident.
           This setting should only be used for instances with high availability
           requirements. Enabling this may prevent IaC workflows from updating
           the instance, for example terraform will not be able to terminate the
           instance to update instance type
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-AWS-426
  Path:    [DocId: 0] > Resources[GPUInstance] > Properties >
           DisableApiTermination
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `DisableApiTermination` attribute with value `true`

  [Low] EC2 API termination protection is not enabled
  Info:    To prevent instance from being accidentally terminated using Amazon
           EC2, you can enable termination protection for the instance. Without
           this setting enabled the instances can be terminated by accident.
           This setting should only be used for instances with high availability
           requirements. Enabling this may prevent IaC workflows from updating
           the instance, for example terraform will not be able to terminate the
           instance to update instance type
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-AWS-426
  Path:    [DocId: 0] > Resources[OpenVPNInstance] > Properties >
           DisableApiTermination
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `DisableApiTermination` attribute with value `true`

Medium Severity Issues: 6

  [Medium] Security Group allows open ingress
  Info:    That inbound traffic is allowed to a resource from any source instead
           of a restricted range. That potentially everyone can access your
           resource
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-TF-1
  Path:    [DocId: 0] > Resources > VPNSecurityGroup > Properties >
           SecurityGroupIngress[1]
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `Properties.SecurityGroupIngress.CidrIp` attribute with a more
           restrictive IP, for example `192.16.0.0/24`

  [Medium] Security Group allows open ingress
  Info:    That inbound traffic is allowed to a resource from any source instead
           of a restricted range. That potentially everyone can access your
           resource
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-TF-1
  Path:    [DocId: 0] > Resources > VPNSecurityGroup > Properties >
           SecurityGroupIngress[0]
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `Properties.SecurityGroupIngress.CidrIp` attribute with a more
           restrictive IP, for example `192.16.0.0/24`

  [Medium] Non-encrypted EBS volume
  Info:    That this EBS volume is not encrypted. The default behavior is for
           EBS volumes to be encrypted. . That should someone gain unauthorized
           access to the data they would be able to read the contents.
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-TF-3
  Path:    [DocId: 0] > Resources > OpenVPNVolume > Properties > Encrypted
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `Properties.Encrypted` attribute to `true`

  [Medium] Non-encrypted EBS volume
  Info:    That this EBS volume is not encrypted. The default behavior is for
           EBS volumes to be encrypted. . That should someone gain unauthorized
           access to the data they would be able to read the contents.
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-TF-3
  Path:    [DocId: 0] > Resources > GPUVolume > Properties > Encrypted
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `Properties.Encrypted` attribute to `true`

  [Medium] Non-Encrypted root block device
  Info:    The root block device for ec2 instance is not encrypted. That should
           someone gain unauthorized access to the data they would be able to
           read the contents.
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-TF-53
  Path:    [DocId: 0] > Resources > GPUInstance > Properties >
           BlockDeviceMappings
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `BlockDeviceMappings.Encrypted` attribute of root device to
           `true`

  [Medium] Non-Encrypted root block device
  Info:    The root block device for ec2 instance is not encrypted. That should
           someone gain unauthorized access to the data they would be able to
           read the contents.
  Rule:    https://security.snyk.io/rules/cloud/SNYK-CC-TF-53
  Path:    [DocId: 0] > Resources > OpenVPNInstance > Properties >
           BlockDeviceMappings
  File:    AWS-CloudFormation-Example.yml
  Resolve: Set `BlockDeviceMappings.Encrypted` attribute of root device to
           `true`

-------------------------------------------------------

Test Summary

  Organization: d-U5bKD53qopZ7jyVZGLXF3N
  Project name: blog-examples

✔ Files without issues: 0
✗ Files with issues: 1
  Ignored issues: 0
  Total issues: 8 [ 0 critical, 0 high, 6 medium, 2 low ]

-------------------------------------------------------

Report Complete

KICS Results

KICS version 1.7.7-alpine (Docker) finds significantly more issues. There are 26 issues found:

  • 6 High
  • 10 Medium
  • 4 Low
  • 6 Info

$ docker run -t -v ~/src/blog-examples:/path checkmarx/kics:latest scan -p /path/AWS-CloudFormation-Example.yml -o "/path/"

Unable to find image 'checkmarx/kics:latest' locally
latest: Pulling from checkmarx/kics
579b34f0a95b: Pull complete 
0da179404944: Pull complete 
91a3b827f55e: Pull complete 
f83f8ea78c84: Pull complete 
eb16900ad0b1: Pull complete 
76d09bbf201d: Pull complete 
14dc99b452dd: Pull complete 
fcc12f5222f7: Pull complete 
4f4fb700ef54: Pull complete 
Digest: sha256:d2b1a9f2d32c9f2854e653db6782799eea67355deeb2d27f0d0534e62b5652e1
Status: Downloaded newer image for checkmarx/kics:latest

                   .0MO.                                    
                   OMMMx                                    
                   ;NMX;                                    
                    ...           ...              ....     
WMMMd     cWMMM0.  KMMMO      ;xKWMMMMNOc.     ,xXMMMMMWXkc.
WMMMd   .0MMMN:    KMMMO    :XMMMMMMMMMMMWl   xMMMMMWMMMMMMl
WMMMd  lWMMMO.     KMMMO   xMMMMKc...'lXMk   ,MMMMx   .;dXx 
WMMMd.0MMMX;       KMMMO  cMMMMd        '    'MMMMNl'       
WMMMNWMMMMl        KMMMO  0MMMN               oMMMMMMMXkl.  
WMMMMMMMMMMo       KMMMO  0MMMX                .ckKWMMMMMM0.
WMMMMWokMMMMk      KMMMO  oMMMMc              .     .:OMMMM0
WMMMK.  dMMMM0.    KMMMO   KMMMMx'    ,kNc   :WOc.    .NMMMX
WMMMd    cWMMMX.   KMMMO    kMMMMMWXNMMMMMd .WMMMMWKO0NMMMMl
WMMMd     ,NMMMN,  KMMMO     'xNMMMMMMMNx,   .l0WMMMMMMMWk, 
xkkk:      ,kkkkx  okkkl        ;xKXKx;          ;dOKKkc    


Scanning with Keeping Infrastructure as Code Secure v1.7.9


Preparing Scan Assets: Done                                                                                                                           
Executing queries: [---------------------------------------------------] 100.00%

Files scanned: 1
Parsed files: 1
Queries loaded: 508
Queries failed to execute: 0

------------------------------------

Security Group Rule Without Description, Severity: INFO, Results: 3
Description: It's considered a best practice for AWS Security Group to have a description
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5

	[1]: ../../path/AWS-CloudFormation-Example.yml:38

		037:       VpcId: !Ref MyVPC
		038:       SecurityGroupIngress:
		039:         - IpProtocol: tcp


	[2]: ../../path/AWS-CloudFormation-Example.yml:23

		022:       VpcId: !Ref MyVPC
		023:       SecurityGroupIngress:
		024:         - IpProtocol: udp


	[3]: ../../path/AWS-CloudFormation-Example.yml:23

		022:       VpcId: !Ref MyVPC
		023:       SecurityGroupIngress:
		024:         - IpProtocol: udp


EC2 Not EBS Optimized, Severity: INFO, Results: 1
Description: It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40

	[1]: ../../path/AWS-CloudFormation-Example.yml:46

		045:     Type: AWS::EC2::Instance
		046:     Properties:
		047:       InstanceType: t2.micro  # Adjust the instance type as needed


EC2 Instance Monitoring Disabled, Severity: INFO, Results: 2
Description: EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/0264093f-6791-4475-af34-4b8102dcbcd0

	[1]: ../../path/AWS-CloudFormation-Example.yml:46

		045:     Type: AWS::EC2::Instance
		046:     Properties:
		047:       InstanceType: t2.micro  # Adjust the instance type as needed


	[2]: ../../path/AWS-CloudFormation-Example.yml:66

		065:     Type: AWS::EC2::Instance
		066:     Properties:
		067:       InstanceType: g4dn.xlarge  # GPU-optimized instance type


VPC Without Attached Subnet, Severity: LOW, Results: 1
Description: VPCs without attached subnets may indicate that they are not being used
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a

	[1]: ../../path/AWS-CloudFormation-Example.yml:5

		004: Resources:
		005:   MyVPC:
		006:     Type: AWS::EC2::VPC


VPC FlowLogs Disabled, Severity: LOW, Results: 1
Description: Every VPC resource should have an associated Flow Log
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b

	[1]: ../../path/AWS-CloudFormation-Example.yml:5

		004: Resources:
		005:   MyVPC:
		006:     Type: AWS::EC2::VPC


Shield Advanced Not In Use, Severity: LOW, Results: 1
Description: AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf

	[1]: ../../path/AWS-CloudFormation-Example.yml:15

		014: 
		015:   OpenVPNElasticIP:
		016:     Type: AWS::EC2::EIP


IAM Access Analyzer Not Enabled, Severity: LOW, Results: 1
Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da

	[1]: ../../path/AWS-CloudFormation-Example.yml:4

		003: 
		004: Resources:
		005:   MyVPC:


VPC Without Network Firewall, Severity: MEDIUM, Results: 1
Description: VPC should have a Network Firewall associated
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9

	[1]: ../../path/AWS-CloudFormation-Example.yml:5

		004: Resources:
		005:   MyVPC:
		006:     Type: AWS::EC2::VPC


Instance With No VPC, Severity: MEDIUM, Results: 2
Description: EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861

	[1]: ../../path/AWS-CloudFormation-Example.yml:66

		065:     Type: AWS::EC2::Instance
		066:     Properties:
		067:       InstanceType: g4dn.xlarge  # GPU-optimized instance type


	[2]: ../../path/AWS-CloudFormation-Example.yml:46

		045:     Type: AWS::EC2::Instance
		046:     Properties:
		047:       InstanceType: t2.micro  # Adjust the instance type as needed



EC2 Instance Has No IAM Role, Severity: MEDIUM, Results: 2
Description: Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6

	[1]: ../../path/AWS-CloudFormation-Example.yml:66

		065:     Type: AWS::EC2::Instance
		066:     Properties:
		067:       InstanceType: g4dn.xlarge  # GPU-optimized instance type


	[2]: ../../path/AWS-CloudFormation-Example.yml:46

		045:     Type: AWS::EC2::Instance
		046:     Properties:
		047:       InstanceType: t2.micro  # Adjust the instance type as needed


EBS Volume Without KmsKeyId, Severity: MEDIUM, Results: 2
Description: EBS Volume should specify a KmsKeyId value
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42

	[1]: ../../path/AWS-CloudFormation-Example.yml:84

		083:     Type: AWS::EC2::Volume
		084:     Properties:
		085:       AvailabilityZone: !GetAtt OpenVPNInstance.AvailabilityZone


	[2]: ../../path/AWS-CloudFormation-Example.yml:78

		077:     Type: AWS::EC2::Volume
		078:     Properties:
		079:       AvailabilityZone: !GetAtt GPUInstance.AvailabilityZone


EBS Volume Not Attached To Instances, Severity: MEDIUM, Results: 1
Description: EBS Volumes that are unattached to instances may contain sensitive data
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b

	[1]: ../../path/AWS-CloudFormation-Example.yml:82

		081: 
		082:   OpenVPNVolume:
		083:     Type: AWS::EC2::Volume


EBS Volume Encryption Disabled, Severity: MEDIUM, Results: 2
Description: EBS volumes should be encrypted
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162

	[1]: ../../path/AWS-CloudFormation-Example.yml:84

		083:     Type: AWS::EC2::Volume
		084:     Properties:
		085:       AvailabilityZone: !GetAtt OpenVPNInstance.AvailabilityZone


	[2]: ../../path/AWS-CloudFormation-Example.yml:78

		077:     Type: AWS::EC2::Volume
		078:     Properties:
		079:       AvailabilityZone: !GetAtt GPUInstance.AvailabilityZone


Unrestricted Security Group Ingress, Severity: HIGH, Results: 2
Description: AWS Security Group Ingress CIDR should not be open to the world
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14

	[1]: ../../path/AWS-CloudFormation-Example.yml:31

		030:           ToPort: 22
		031:           CidrIp: 0.0.0.0/0 # Adjust this to restrict source IPs if necessary
		032: 


	[2]: ../../path/AWS-CloudFormation-Example.yml:27

		026:           ToPort: 1194
		027:           CidrIp: 0.0.0.0/0  # Adjust this to restrict source IPs if necessary
		028:         - IpProtocol: tcp


Unknown Port Exposed To Internet, Severity: HIGH, Results: 1
Description: AWS Security Group should not have an unknown port exposed to the entire Internet
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2

	[1]: ../../path/AWS-CloudFormation-Example.yml:24

		023:       SecurityGroupIngress:
		024:         - IpProtocol: udp
		025:           FromPort: 1194


Security Groups With Exposed Admin Ports, Severity: HIGH, Results: 1
Description: Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7

	[1]: ../../path/AWS-CloudFormation-Example.yml:23

		022:       VpcId: !Ref MyVPC
		023:       SecurityGroupIngress:
		024:         - IpProtocol: udp


Security Group With Unrestricted Access To SSH, Severity: HIGH, Results: 1
Description: 'SSH' (TCP:22) should not be public in AWS Security Group
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1

	[1]: ../../path/AWS-CloudFormation-Example.yml:23

		022:       VpcId: !Ref MyVPC
		023:       SecurityGroupIngress:
		024:         - IpProtocol: udp


HTTP Port Open To Internet, Severity: HIGH, Results: 1
Description: The HTTP port is open to the internet in a Security Group
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa

	[1]: ../../path/AWS-CloudFormation-Example.yml:29

		028:         - IpProtocol: tcp
		029:           FromPort: 22  # SSH
		030:           ToPort: 22



Results Summary:
HIGH: 6
MEDIUM: 10
LOW: 4
INFO: 6
TOTAL: 26

Results saved to file /path/results.json
Generating Reports: Done                                                                                                                              
Scan duration: 12.241437548s

Commentary

Three different IaC scanners with three different results. Is one the stand out winner? Or should teams be implementing all three in their CI/CD pipeline? There are the security obsessed that might be inclined to use all three scanners (provided we could eliminate many of the “INFO” noise). 

The critical issue is that backups are not enabled. This is something crucial. And only CoGuard notices the lack of backups and the risks this poses for recovery. Snyk and KICS do not trigger an alert or alarm that there may be no backup configured.

Next Steps

In order to configure the backup, there should be resources of type AWS::Backup::BackupPlan and AWS::Backup::BackupSelection.


  BackupPlan:
    Type: 'AWS::Backup::BackupPlan'
    Properties:
      BackupPlan: 
        BackupPlanName: MyBackupPlan
        Rules: 
          - RuleName: DailyBackupRule
            TargetBackupVault: 
            ScheduleExpression: cron(0 12 * * ? *)

  BackupSelection:
    Type: 'AWS::Backup::BackupSelection'
    Properties:
      BackupPlanId: !Ref BackupPlan
      BackupSelection:
        SelectionName: MyBackupSelection
        IamRoleArn: arn:aws:iam::111222333444:role/service-role/AWSBackupDefaultServiceRole
        Resources:
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${OpenVPNInstance}'
          - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${GPUInstance}'

Add CoGuard to your GitHub Workflows to improve configurations in your IaC, containers, applications and more:


pip3 install coguard-cli
coguard pipeline github add ./your-repository
git commit -a -m “Added coguard to the github pipeline”
git push origin main

Photo credit: Jandira Sonnendeck on Unsplash

Explore a test environment

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interative dashboard today.