Dangerous Defaults # 1 - AWS VPC and VPNs with No Backups Enabled
We evaluate the configuration for setting up AWS GPU VPC and VPNs using CoGuard, Snyk and KICS #aws #cloudformation #iac #config #backups #configuration
A security misconfiguration occurs when security settings are either:
Not implemented, or
Deployed with errors.
The configuration settings create security gaps that expose the application and its data to a cyberattack and possible breach.
These errors can happen at any level of your infrastructure:
IaaS or PaaS
IaC
Container
Application
Development frameworks
Custom code
Many of these misconfigurations happen because developers or system administrators do not change the default configuration of the device or application during installation. This is problematic because many automated attacks start by testing whether a target system uses the default settings.
AWS GPU VPC+ OpenVPN Instances With No Backups Enabled
We were asked to put together a set of IaC files for a client to be able to deploy a set of GPU EC2 instances with a VPN connection for access. The client was looking to create a new Virtual Private Cloud (VPC) to access SageMaker and wanted to ensure the configurations were secured to meet their compliance goals for SOC 2 and HIPAA. This is the starting CloudFormation template for the VPC with EC2 and VPN instances.
Example CloudFormation Configuration
AWSTemplateFormatVersion: '2010-09-09'
Description: OpenVPN and GPU EC2 Instances in VPC
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: MyVPC
  OpenVPNElasticIP:
    Type: AWS::EC2::EIP
  VPNSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for OpenVPN EC2 Instance
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: udp
          FromPort: 1194
          ToPort: 1194
          CidrIp: 0.0.0.0/0 # Adjust this to restrict source IPs if necessary
        - IpProtocol: tcp
          FromPort: 22 # SSH
          ToPort: 22
          CidrIp: 0.0.0.0/0 # Adjust this to restrict source IPs if necessary
  GPUInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Security Group for GPU EC2 Instance
      VpcId: !Ref MyVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22 # SSH
          ToPort: 22
          SourceSecurityGroupId: !GetAtt VPNSecurityGroup.GroupId # Allow SSH only from OpenVPN instance
  OpenVPNInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: t2.micro # Adjust the instance type as needed
      ImageId: ami-07950069b6e107edf # OpenVPN Access Server Community Image
      KeyName: your-key-pair
      PrivateIpAddress: 10.0.0.1
      SecurityGroupIds:
        - !Ref VPNSecurityGroup
      Tags:
        - Key: Name
          Value: OpenVPNInstance
    # Note: this DependsOn forms a cycle, because OpenVPNElasticIPAssociation
    # below already references this instance via !Ref.
    DependsOn: OpenVPNElasticIPAssociation
  OpenVPNElasticIPAssociation:
    Type: AWS::EC2::EIPAssociation
    Properties:
      InstanceId: !Ref OpenVPNInstance
      EIP: !Ref OpenVPNElasticIP
  GPUInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: g4dn.xlarge # GPU-optimized instance type
      ImageId: ami-0743cdf6dd3f7e05b # AMI for amazon/AWS Deep Learning Base AMI GPU CUDA 11 (Ubuntu 20.04) 20230110
      KeyName: your-key-pair
      SecurityGroupIds:
        - !Ref GPUInstanceSecurityGroup
      Tags:
        - Key: Name
          Value: GPUInstance
  GPUVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !GetAtt GPUInstance.AvailabilityZone
      Size: 100 # Adjust the size as needed
  OpenVPNVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !GetAtt OpenVPNInstance.AvailabilityZone
      Size: 20 # Adjust the size as needed
  GPUVolumeAttachment:
    Type: AWS::EC2::VolumeAttachment
    Properties:
      Device: /dev/xvdf # Adjust the device name if needed
      InstanceId: !Ref GPUInstance
      VolumeId: !Ref GPUVolume
Test Environment
CoGuard CLI version 0.2.14
KICS version 1.7.7-alpine (Docker)
Snyk version 1.1203.0
All tests were done on the above file using the macOS and Linux versions of the tools.
We wanted to evaluate the configuration of the GPU VPC and VPN connections.
Summary Results

Severity       CoGuard   Snyk   KICS
Total          8         8      26
High           2         -      6
Medium         3         6      10
Low            4         2      4
INFO           -         -      6
Unique Rules   8         5      15
Do more results equal a better code scanner?
There are a few similarities and differences in the results across the three scanners. There is significant variance between the distribution of HIGH vs MEDIUM vs LOW priority vulnerabilities. For a number of reported software vulnerabilities we can compare the results using a CVSS calculator and fill in all of the parameters identified. In the configuration space (or the misconfiguration space), the ranking is a judgment decision for the author of the policy. It becomes critical to understand how violations are scored. We have not been able to find the scoring methodologies for KICS and Snyk with regards to configurations. At CoGuard, we publish our decision guidelines on the user-dashboard (although we allow changes to the sorting and ranking depending on the compliance framework or custom rule set that a specific user has selected).
Generally, it is a tradeoff between “information” and “information overload”. LOW/INFO items are commonly used to surface configuration notices and warnings. The challenge is not to overwhelm development teams with unnecessary information and CVE fatigue, and this is compounded when many of the results essentially double the raised warnings for each file. Many development teams see a large number of results, estimate the fix as a large effort, and the work is deprioritized in triage. What matters is to capture configuration risk, misconfigurations and security vulnerabilities and to prompt the teams to make informed choices and prioritization.
At CoGuard we’re focused on clearly identifying HIGH (and very often MEDIUM) issues, and trying to reduce CVE fatigue/noise. The CoGuard Severity Levels are:
Each of the scanners uses a different approach for identifying and ranking issues. Using scanners for IaC, containers and application configurations is a starting point for remediating misconfigurations and exploitable security vulnerabilities.
CoGuard Results
CoGuard CLI version 0.2.14 identified 8 misconfigurations including:
2 High
3 Medium
3 Low
CoGuard results have a strong focus on security and encryption. The default checks flag the unencrypted EC2 and EBS data stores. CoGuard also identifies the missing backup configuration for both instances as a risk to data/disaster recovery and post-incident analysis.
$ coguard folder ./
SCANNING FOLDER blog-examples
Found file /AWS-CloudFormation-Example.yml
Found configuration files for cloudformation in non-standard location.
SCANNING OF blog-examples COMPLETED
Scan result: 8 checks failed, 2 High/3 Medium/3 Low (🔧 5 candidates for auto-remediation)
X Severity 4: cloudformation_ec2_volume_encrypted (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: EC2 Volumes are generally not encrypted by default. This check
flags if a volume was found without encryption enabled.
Remediation: For every resource of type `AWS::EC2::Volume`,
ensure that if the `Encrypted` parameter is set to `true`.
Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/User
Guide/aws-properties-ec2-ebs-volume.html
🔧 X Severity 4: cloudformation_ebs_volume_encryption (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: Any volumes in the cloud should always be encrypted.
Remediation: For every resource of type `AWS::EC2::Volume`,
ensure that the `Encrypted` key is set to `true` (default is
`false`). Source: https://docs.aws.amazon.com/AWSCloudFormation
/latest/UserGuide/aws-properties-ec2-ebs-volume.html
X Severity 3: cloudformation_ec2_ensure_backup_plan (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: When using EC2-instances, it is recommended to ensure that the
attached EBS volume is being backed up regularly. Remediation:
When using a resource of type `AWS::EC2::Instance`, ensure that
there is a resource of type `AWS::Backup::BackupPlan`, as well as
a resource of type `AWS::Backup::BackupSelection`. Source: http
s://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-
properties-ec2-instance.html
🔧 X Severity 3: cloudformation_ec2_disable_termination (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: When using EC2-instances, it is advisable to enable termination
protection, since it is otherwise possible to accidentally lose
data or put the cluster in an undesired state. Remediation: For
every resource of type `AWS::EC2::Instance`, ensure that the
`DisableApiTermination` key is set to `true` (default is
`false`). Source: https://docs.aws.amazon.com/AWSCloudFormation
/latest/UserGuide/aws-properties-ec2-instance.html
🔧 X Severity 3: cloudformation_ec2_enable_enhanced_monitoring (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: When using EC2-instances, if real-time view on data is critical,
it is advisable to enable enhanced monitoring. This also enables
teams to get alarms more timely. Remediation: For every resource
of type `AWS::EC2::Instance`, ensure that the `Monitoring` key is
set to `true` (default is `false`). Source: https://docs.aws.am
azon.com/AWSCloudFormation/latest/UserGuide/aws-properties-
ec2-instance.html,
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-
cloudwatch-new.html
🔧 X Severity 2: cloudformation_ebs_volume_encryption_custom_key (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: Using the default key to encrypt volumes in AWS is preventing
good practices like regular key rotation. Hence, a custom key
should always be used. Remediation: For every resource of type
`AWS::EC2::Volume`, ensure that the property `KmsKeyId` is set.
Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/User
Guide/aws-properties-ec2-ebs-volume.html
🔧 X Severity 2: cloudformation_ssh_not_default_port (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: When creating an EC2-instance in AWS, it is advisable to set the
port to connect via SSH to anything else but the default port 22,
as this is a port that is probed by potential attackers first.
Remediation: For every resource of type
`AWS::EC2::SecurityGroup`, ensure that there is no `Ingress`
block inside `SecurityGroupIngress` where the `ToPort` is 22 and
the `IpProtocol` is `TCP`. Source: https://docs.aws.amazon.com/
AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-
group.html
X Severity 1: cloudformation_unused_ec2_security_groups (affected files: ./AWS-CloudFormation-Example.yml for service cloudformation)
Documentation: When defining a security group for EC2-instances, we also expect
it to be used. Remediation: For every resource of type
`AWS::EC2::SecurityGroup`, ensure that it is referenced at least
in one `SecurityGroups` property in an `AWS::EC2::Instance`
resource. Source: https://docs.aws.amazon.com/AWSCloudFormation
/latest/UserGuide/aws-properties-ec2-instance.html
Scan result: 8 checks failed, 2 High/3 Medium/3 Low (🔧 5 candidates for auto-remediation)
Snyk Results
Snyk version 1.1203.0 also identified 8 issues.
6 medium
2 low
4 of the issues are related to non-encrypted EBS and EC2 storage. These issues are repeated for both the GPU VPC and the OpenVPN VPC.
$ snyk iac test --report --org=927c4fe6-f615-45ae-97f8-954e44413e8d
Snyk Infrastructure as Code
✔ Test completed.
Issues
Low Severity Issues: 2
[Low] EC2 API termination protection is not enabled
Info: To prevent instance from being accidentally terminated using Amazon
EC2, you can enable termination protection for the instance. Without
this setting enabled the instances can be terminated by accident.
This setting should only be used for instances with high availability
requirements. Enabling this may prevent IaC workflows from updating
the instance, for example terraform will not be able to terminate the
instance to update instance type
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-AWS-426
Path: [DocId: 0] > Resources[GPUInstance] > Properties >
DisableApiTermination
File: AWS-CloudFormation-Example.yml
Resolve: Set `DisableApiTermination` attribute with value `true`
[Low] EC2 API termination protection is not enabled
Info: To prevent instance from being accidentally terminated using Amazon
EC2, you can enable termination protection for the instance. Without
this setting enabled the instances can be terminated by accident.
This setting should only be used for instances with high availability
requirements. Enabling this may prevent IaC workflows from updating
the instance, for example terraform will not be able to terminate the
instance to update instance type
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-AWS-426
Path: [DocId: 0] > Resources[OpenVPNInstance] > Properties >
DisableApiTermination
File: AWS-CloudFormation-Example.yml
Resolve: Set `DisableApiTermination` attribute with value `true`
Medium Severity Issues: 6
[Medium] Security Group allows open ingress
Info: That inbound traffic is allowed to a resource from any source instead
of a restricted range. That potentially everyone can access your
resource
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-1
Path: [DocId: 0] > Resources > VPNSecurityGroup > Properties >
SecurityGroupIngress[1]
File: AWS-CloudFormation-Example.yml
Resolve: Set `Properties.SecurityGroupIngress.CidrIp` attribute with a more
restrictive IP, for example `192.16.0.0/24`
[Medium] Security Group allows open ingress
Info: That inbound traffic is allowed to a resource from any source instead
of a restricted range. That potentially everyone can access your
resource
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-1
Path: [DocId: 0] > Resources > VPNSecurityGroup > Properties >
SecurityGroupIngress[0]
File: AWS-CloudFormation-Example.yml
Resolve: Set `Properties.SecurityGroupIngress.CidrIp` attribute with a more
restrictive IP, for example `192.16.0.0/24`
[Medium] Non-encrypted EBS volume
Info: That this EBS volume is not encrypted. The default behavior is for
EBS volumes to be encrypted. . That should someone gain unauthorized
access to the data they would be able to read the contents.
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-3
Path: [DocId: 0] > Resources > OpenVPNVolume > Properties > Encrypted
File: AWS-CloudFormation-Example.yml
Resolve: Set `Properties.Encrypted` attribute to `true`
[Medium] Non-encrypted EBS volume
Info: That this EBS volume is not encrypted. The default behavior is for
EBS volumes to be encrypted. . That should someone gain unauthorized
access to the data they would be able to read the contents.
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-3
Path: [DocId: 0] > Resources > GPUVolume > Properties > Encrypted
File: AWS-CloudFormation-Example.yml
Resolve: Set `Properties.Encrypted` attribute to `true`
[Medium] Non-Encrypted root block device
Info: The root block device for ec2 instance is not encrypted. That should
someone gain unauthorized access to the data they would be able to
read the contents.
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-53
Path: [DocId: 0] > Resources > GPUInstance > Properties >
BlockDeviceMappings
File: AWS-CloudFormation-Example.yml
Resolve: Set `BlockDeviceMappings.Encrypted` attribute of root device to
`true`
[Medium] Non-Encrypted root block device
Info: The root block device for ec2 instance is not encrypted. That should
someone gain unauthorized access to the data they would be able to
read the contents.
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-53
Path: [DocId: 0] > Resources > OpenVPNInstance > Properties >
BlockDeviceMappings
File: AWS-CloudFormation-Example.yml
Resolve: Set `BlockDeviceMappings.Encrypted` attribute of root device to
`true`
-------------------------------------------------------
Test Summary
Organization: d-U5bKD53qopZ7jyVZGLXF3N
Project name: blog-examples
✔ Files without issues: 0
✗ Files with issues: 1
Ignored issues: 0
Total issues: 8 [ 0 critical, 0 high, 6 medium, 2 low ]
-------------------------------------------------------
Report Complete
KICS Results
KICS version 1.7.7-alpine (Docker) finds significantly more issues. There are 26 issues found:
6 High
10 Medium
4 Low
6 Info
$ docker run -t -v ~/src/blog-examples:/path checkmarx/kics:latest scan -p /path/AWS-CloudFormation-Example.yml -o "/path/"
Unable to find image 'checkmarx/kics:latest' locally
latest: Pulling from checkmarx/kics
Status: Downloaded newer image for checkmarx/kics:latest
Scanning with Keeping Infrastructure as Code Secure v1.7.9
Preparing Scan Assets: Done
Executing queries: [---------------------------------------------------] 100.00%
Files scanned: 1
Parsed files: 1
Queries loaded: 508
Queries failed to execute: 0
------------------------------------
Security Group Rule Without Description, Severity: INFO, Results: 3
Description: It's considered a best practice for AWS Security Group to have a description
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/5e6c9c68-8a82-408e-8749-ddad78cbb9c5
[1]: ../../path/AWS-CloudFormation-Example.yml:38
037: VpcId: !Ref MyVPC
038: SecurityGroupIngress:
039: - IpProtocol: tcp
[2]: ../../path/AWS-CloudFormation-Example.yml:23
022: VpcId: !Ref MyVPC
023: SecurityGroupIngress:
024: - IpProtocol: udp
[3]: ../../path/AWS-CloudFormation-Example.yml:23
022: VpcId: !Ref MyVPC
023: SecurityGroupIngress:
024: - IpProtocol: udp
EC2 Not EBS Optimized, Severity: INFO, Results: 1
Description: It's considered a best practice for an EC2 instance to use an EBS optimized instance. This provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/8dd0ff1f-0da4-48df-9bb3-7f338ae36a40
[1]: ../../path/AWS-CloudFormation-Example.yml:46
045: Type: AWS::EC2::Instance
046: Properties:
047: InstanceType: t2.micro # Adjust the instance type as needed
EC2 Instance Monitoring Disabled, Severity: INFO, Results: 2
Description: EC2 Instance should have detailed monitoring enabled. With detailed monitoring enabled data is available in 1-minute periods
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/0264093f-6791-4475-af34-4b8102dcbcd0
[1]: ../../path/AWS-CloudFormation-Example.yml:46
045: Type: AWS::EC2::Instance
046: Properties:
047: InstanceType: t2.micro # Adjust the instance type as needed
[2]: ../../path/AWS-CloudFormation-Example.yml:66
065: Type: AWS::EC2::Instance
066: Properties:
067: InstanceType: g4dn.xlarge # GPU-optimized instance type
VPC Without Attached Subnet, Severity: LOW, Results: 1
Description: VPCs without attached subnets may indicate that they are not being used
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/3b3b4411-ad1f-40e7-b257-a78a6bb9673a
[1]: ../../path/AWS-CloudFormation-Example.yml:5
004: Resources:
005: MyVPC:
006: Type: AWS::EC2::VPC
VPC FlowLogs Disabled, Severity: LOW, Results: 1
Description: Every VPC resource should have an associated Flow Log
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/f6d299d2-21eb-41cc-b1e1-fe12d857500b
[1]: ../../path/AWS-CloudFormation-Example.yml:5
004: Resources:
005: MyVPC:
006: Type: AWS::EC2::VPC
Shield Advanced Not In Use, Severity: LOW, Results: 1
Description: AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/ad7444cf-817a-4765-a79e-2145f7981faf
[1]: ../../path/AWS-CloudFormation-Example.yml:15
014:
015: OpenVPNElasticIP:
016: Type: AWS::EC2::EIP
IAM Access Analyzer Not Enabled, Severity: LOW, Results: 1
Description: IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/8d29754a-2a18-460d-a1ba-9509f8d359da
[1]: ../../path/AWS-CloudFormation-Example.yml:4
003:
004: Resources:
005: MyVPC:
VPC Without Network Firewall, Severity: MEDIUM, Results: 1
Description: VPC should have a Network Firewall associated
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/3e293410-d5b8-411f-85fd-7d26294f20c9
[1]: ../../path/AWS-CloudFormation-Example.yml:5
004: Resources:
005: MyVPC:
006: Type: AWS::EC2::VPC
Instance With No VPC, Severity: MEDIUM, Results: 2
Description: EC2 Instances should be configured under a VPC network. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/8a6d36cd-0bc6-42b7-92c4-67acc8576861
[1]: ../../path/AWS-CloudFormation-Example.yml:66
065: Type: AWS::EC2::Instance
066: Properties:
067: InstanceType: g4dn.xlarge # GPU-optimized instance type
[2]: ../../path/AWS-CloudFormation-Example.yml:46
045: Type: AWS::EC2::Instance
046: Properties:
047: InstanceType: t2.micro # Adjust the instance type as needed
EC2 Instance Has No IAM Role, Severity: MEDIUM, Results: 2
Description: Check if an EC2 instance refers to an IAM profile, which represents an IAM Role.
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/f914357d-8386-4d56-9ba6-456e5723f9a6
[1]: ../../path/AWS-CloudFormation-Example.yml:66
065: Type: AWS::EC2::Instance
066: Properties:
067: InstanceType: g4dn.xlarge # GPU-optimized instance type
[2]: ../../path/AWS-CloudFormation-Example.yml:46
045: Type: AWS::EC2::Instance
046: Properties:
047: InstanceType: t2.micro # Adjust the instance type as needed
EBS Volume Without KmsKeyId, Severity: MEDIUM, Results: 2
Description: EBS Volume should specify a KmsKeyId value
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/b7063015-6c31-4658-a8e7-14f98f37fd42
[1]: ../../path/AWS-CloudFormation-Example.yml:84
083: Type: AWS::EC2::Volume
084: Properties:
085: AvailabilityZone: !GetAtt OpenVPNInstance.AvailabilityZone
[2]: ../../path/AWS-CloudFormation-Example.yml:78
077: Type: AWS::EC2::Volume
078: Properties:
079: AvailabilityZone: !GetAtt GPUInstance.AvailabilityZone
EBS Volume Not Attached To Instances, Severity: MEDIUM, Results: 1
Description: EBS Volumes that are unattached to instances may contain sensitive data
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/1819ac03-542b-4026-976b-f37addd59f3b
[1]: ../../path/AWS-CloudFormation-Example.yml:82
081:
082: OpenVPNVolume:
083: Type: AWS::EC2::Volume
EBS Volume Encryption Disabled, Severity: MEDIUM, Results: 2
Description: EBS volumes should be encrypted
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/80b7ac3f-d2b7-4577-9b10-df7913497162
[1]: ../../path/AWS-CloudFormation-Example.yml:84
083: Type: AWS::EC2::Volume
084: Properties:
085: AvailabilityZone: !GetAtt OpenVPNInstance.AvailabilityZone
[2]: ../../path/AWS-CloudFormation-Example.yml:78
077: Type: AWS::EC2::Volume
078: Properties:
079: AvailabilityZone: !GetAtt GPUInstance.AvailabilityZone
Unrestricted Security Group Ingress, Severity: HIGH, Results: 2
Description: AWS Security Group Ingress CIDR should not be open to the world
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/4a1e6b34-1008-4e61-a5f2-1f7c276f8d14
[1]: ../../path/AWS-CloudFormation-Example.yml:31
030: ToPort: 22
031: CidrIp: 0.0.0.0/0 # Adjust this to restrict source IPs if necessary
032:
[2]: ../../path/AWS-CloudFormation-Example.yml:27
026: ToPort: 1194
027: CidrIp: 0.0.0.0/0 # Adjust this to restrict source IPs if necessary
028: - IpProtocol: tcp
Unknown Port Exposed To Internet, Severity: HIGH, Results: 1
Description: AWS Security Group should not have an unknown port exposed to the entire Internet
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/829ce3b8-065c-41a3-ad57-e0accfea82d2
[1]: ../../path/AWS-CloudFormation-Example.yml:24
023: SecurityGroupIngress:
024: - IpProtocol: udp
025: FromPort: 1194
Security Groups With Exposed Admin Ports, Severity: HIGH, Results: 1
Description: Security Groups should not have ports open in (20, 21, 22, 23, 115, 137, 138, 139, 2049, 3389)
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/cdbb0467-2957-4a77-9992-7b55b29df7b7
[1]: ../../path/AWS-CloudFormation-Example.yml:23
022: VpcId: !Ref MyVPC
023: SecurityGroupIngress:
024: - IpProtocol: udp
Security Group With Unrestricted Access To SSH, Severity: HIGH, Results: 1
Description: 'SSH' (TCP:22) should not be public in AWS Security Group
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/6e856af2-62d7-4ba2-adc1-73b62cef9cc1
[1]: ../../path/AWS-CloudFormation-Example.yml:23
022: VpcId: !Ref MyVPC
023: SecurityGroupIngress:
024: - IpProtocol: udp
HTTP Port Open To Internet, Severity: HIGH, Results: 1
Description: The HTTP port is open to the internet in a Security Group
Platform: CloudFormation
Learn more about this vulnerability: https://docs.kics.io/latest/queries/cloudformation-queries/aws/ddfc4eaa-af23-409f-b96c-bf5c45dc4daa
[1]: ../../path/AWS-CloudFormation-Example.yml:29
028: - IpProtocol: tcp
029: FromPort: 22 # SSH
030: ToPort: 22
Results Summary:
HIGH: 6
MEDIUM: 10
LOW: 4
INFO: 6
TOTAL: 26
Results saved to file /path/results.json
Generating Reports: Done
Scan duration: 12.241437548s
Commentary
Three different IaC scanners with three different results. Is one the stand-out winner? Or should teams be implementing all three in their CI/CD pipeline? The security obsessed might be inclined to use all three scanners (provided much of the “INFO” noise could be eliminated).
The critical issue is that backups are not enabled. This is crucial, and only CoGuard notices the lack of backups and the risk this poses for recovery. Snyk and KICS do not trigger any alert or alarm that no backup may be configured.
Next Steps
To configure backups, the template needs resources of type AWS::Backup::BackupPlan and AWS::Backup::BackupSelection.
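The fragment below is an added example, not code from the original post or the client template. It assumes the logical names GPUInstance, OpenVPNInstance, GPUVolume and OpenVPNVolume from the starting template; the KMS key, vault, role, plan and selection names are choices made here, and the volume shown also carries the Encrypted/KmsKeyId settings the scanners asked for.

```yaml
Resources:
  # Customer-managed key (hypothetical name) so the volumes and the backup vault
  # do not depend on the AWS-managed default key; rotation is enabled.
  # The policy delegates to account IAM; narrow it to the principals that need it.
  DataKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for GPU/VPN EBS volumes and the backup vault
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AccountAdmin
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'

  # Replaces GPUVolume from the starting template; apply the same two
  # properties (Encrypted, KmsKeyId) to OpenVPNVolume.
  GPUVolume:
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !GetAtt GPUInstance.AvailabilityZone
      Size: 100
      Encrypted: true
      KmsKeyId: !GetAtt DataKey.Arn

  # Vault that receives the recovery points, encrypted with the same key.
  BackupVault:
    Type: AWS::Backup::BackupVault
    Properties:
      BackupVaultName: gpu-vpn-vault
      EncryptionKeyArn: !GetAtt DataKey.Arn

  # Service role AWS Backup assumes; the two AWS-managed policies cover
  # snapshot creation and restore.
  BackupRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: backup.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup
        - arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores

  # Daily backup at 05:00 UTC, retained for 35 days.
  DailyBackupPlan:
    Type: AWS::Backup::BackupPlan
    Properties:
      BackupPlan:
        BackupPlanName: gpu-vpn-daily
        BackupPlanRule:
          - RuleName: Daily35DayRetention
            TargetBackupVault: !Ref BackupVault
            ScheduleExpression: cron(0 5 ? * * *)
            StartWindowMinutes: 60
            CompletionWindowMinutes: 180
            Lifecycle:
              DeleteAfterDays: 35

  # Selection that binds both instances to the plan. An EC2 recovery point
  # includes every attached EBS volume, so the volumes need not be listed.
  InstanceBackupSelection:
    Type: AWS::Backup::BackupSelection
    Properties:
      BackupPlanId: !Ref DailyBackupPlan
      BackupSelection:
        SelectionName: gpu-and-vpn-instances
        IamRoleArn: !GetAtt BackupRole.Arn
        Resources:
          - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${GPUInstance}
          - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${OpenVPNInstance}
```

With these resources present, the cloudformation_ec2_ensure_backup_plan check (which looks for a BackupPlan plus a BackupSelection alongside each AWS::EC2::Instance) and the EBS encryption and custom-key checks no longer fire on the template.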
Check out and explore a test environment to run infra audits on sample repositories of web applications and view select reports on CoGuard's interactive dashboard today.