
bug(cloudformation): elb_with_security_group_without_inbound_rules fails when other SG use AWS::EC2::SecurityGroupIngress #7303

@fischaz

Description

The rule elb_with_security_group_without_inbound_rules (e200a6f3-c589-49ec-9143-7421d4a2c845) seems to misbehave when there are other AWS::EC2::SecurityGroupIngress resources for other security group names in the same template document, and misfires.

Expected Behavior

The following template would be a valid template IMO:

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: app security group
      VpcId: vpc-1234
      SecurityGroupEgress:
        - IpProtocol: "tcp"
          FromPort: 443
          ToPort: 443
          CidrIp: "0.0.0.0/0"
          Description: HTTPS

  ALBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: alb security group
      VpcId: vpc-1234
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: "10.0.0.0/8"
          Description: HTTPS
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          DestinationSecurityGroupId: !Ref AppSecurityGroup
          Description: HTTPS connection to app

  # Avoid circular dependence by splitting ingress rules into a separate resource
  AppSecurityGroupFromALB:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref AppSecurityGroup
      IpProtocol: tcp
      FromPort: 8080
      ToPort: 8080
      SourceSecurityGroupId: !Ref ALBSecurityGroup
      Description: HTTPS connection from ALB

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Subnets:
        - subnet-abc
        - subnet-def
      SecurityGroups:
        - !Ref ALBSecurityGroup

  • Creates a security group ALBSecurityGroup which is open to ingress from 10.0.0.0/8 and whose egress allows traffic only to the security group AppSecurityGroup
  • The security group AppSecurityGroup only allows ingress from the ALB security group ALBSecurityGroup and allows general HTTPS egress (AWS SDK, ...)
  • The load balancer LoadBalancer attaches only to ALBSecurityGroup

In this template, I'm expecting kics to not fire the issue ELB With Security Group Without Inbound Rules as there is clearly an ingress rule on the ALB-attached security group.

Actual Behavior

With the command:

docker run -t -v $(pwd):/path checkmarx/kics scan -p /path -o "/path/"

kics fired the following rule:

{
	"kics_version": "v2.1.3",
	"files_scanned": 1,
	"lines_scanned": 53,
	"files_parsed": 1,
	"lines_parsed": 52,
	"lines_ignored": 1,
	"files_failed_to_scan": 0,
	"queries_total": 500,
	"queries_failed_to_execute": 0,
	"queries_failed_to_compute_similarity_id": 0,
	"scan_id": "console",
	"severity_counters": {
		"CRITICAL": 0,
		"HIGH": 0,
		"INFO": 0,
		"LOW": 1,
		"MEDIUM": 4,
		"TRACE": 0
	},
	"total_counter": 5,
	"total_bom_resources": 0,
	"start": "2024-12-09T04:20:09.207771959Z",
	"end": "2024-12-09T04:20:12.335319002Z",
	"paths": [
		"/path"
	],
	"queries": [
		{
			"query_name": "ELB With Security Group Without Inbound Rules",
			"query_id": "e200a6f3-c589-49ec-9143-7421d4a2c845",
			"query_url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html#cfn-ec2-securitygroup-securitygroupingress",
			"severity": "MEDIUM",
			"platform": "CloudFormation",
			"cwe": "665",
			"cloud_provider": "AWS",
			"category": "Networking and Firewall",
			"experimental": false,
			"description": "An AWS Elastic Load Balancer (ELB) shouldn't have security groups without outbound rules",
			"description_id": "3ccdd7d2",
			"files": [
				{
					"file_name": "../../path/template.yml",
					"similarity_id": "d4f4ee0b7e016728139eb87167f62b3ed7939db640bb6286082136fa9c84a4a6",
					"line": 17,
					"resource_type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
					"resource_name": "CerapAppALB",
					"issue_type": "MissingAttribute",
					"search_key": "Resources.ALBSecurityGroup.Properties",
					"search_line": -1,
					"search_value": "",
					"expected_value": "'Resources.ALBSecurityGroup.Properties.SecurityGroupIngress' is defined",
					"actual_value": "'Resources.ALBSecurityGroup.Properties.SecurityGroupIngress' is undefined"
				}
			]
		}
	]
}

I suspect that the third check in https://github.com/Checkmarx/kics/blob/master/assets/queries/cloudFormation/aws/elb_with_security_group_without_inbound_rules/query.rego#L39-L47 is matching the fact that there is an AWS::EC2::SecurityGroupIngress resource, even though its GroupId refers to some other security group.

Steps to Reproduce the Problem

(Command line arguments and flags used)

  1. step 1
  2. step 2
  3. step 3

Specifications

(N/A if not applicable)

  • Version: v2.1.3
  • Platform: macOS (docker-desktop)
  • Subsystem:
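The attribution the reporter is asking for, as an added example that is not part of the issue and not the KICS project's own query logic: a standalone AWS::EC2::SecurityGroupIngress resource should only count as an inbound rule for the group named in its GroupId, and a load balancer's security group should be judged on its inline SecurityGroupIngress plus the standalone rules that target it. The template from the issue is re-expressed here as the dict CloudFormation produces after parsing (every `!Ref X` becomes `{"Ref": "X"}`); the function `any_standalone_ingress_exists` models the over-broad "is there any ingress resource at all?" check the reporter hypothesises and is an assumption about the rule, not a reading of query.rego.

```python
import copy

# Constructed copy of the template from the issue, in parsed (JSON-style) form.
TEMPLATE = {"Resources": {
    "AppSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "app security group", "VpcId": "vpc-1234",
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "CidrIp": "0.0.0.0/0", "Description": "HTTPS"}]}},
    "ALBSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "alb security group", "VpcId": "vpc-1234",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "CidrIp": "10.0.0.0/8", "Description": "HTTPS"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                 "DestinationSecurityGroupId": {"Ref": "AppSecurityGroup"}}]}},
    # Ingress split into its own resource to avoid the circular dependency.
    "AppSecurityGroupFromALB": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "AppSecurityGroup"}, "IpProtocol": "tcp",
        "FromPort": 8080, "ToPort": 8080, "SourceSecurityGroupId": {"Ref": "ALBSecurityGroup"}}},
    "LoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": {
        "Scheme": "internet-facing", "Subnets": ["subnet-abc", "subnet-def"],
        "SecurityGroups": [{"Ref": "ALBSecurityGroup"}]}},
}}

LB_TYPES = ("AWS::ElasticLoadBalancingV2::LoadBalancer", "AWS::ElasticLoadBalancing::LoadBalancer")


def ref_name(value):
    """Logical id behind a {"Ref": ...} or a bare string; None for anything else (e.g. GetAtt)."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return value if isinstance(value, str) else None


def security_groups_with_ingress(resources):
    """Logical ids of security groups that have at least one inbound rule, from either source."""
    has_ingress = set()
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup" and props.get("SecurityGroupIngress"):
            has_ingress.add(name)
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            # Credit the standalone rule only to the group it targets, not to every group.
            target = ref_name(props.get("GroupId")) or ref_name(props.get("GroupName"))
            if target:
                has_ingress.add(target)
    return has_ingress


def load_balancer_sgs_without_ingress(template):
    """(load balancer, security group) pairs where the attached group has no inbound rule."""
    resources = template.get("Resources", {})
    covered = security_groups_with_ingress(resources)
    findings = []
    for name, res in resources.items():
        if res.get("Type") not in LB_TYPES:
            continue
        for sg in res.get("Properties", {}).get("SecurityGroups", []):
            sg_name = ref_name(sg)
            # Only groups defined in this template can be judged; imported ids are skipped.
            if sg_name in resources and sg_name not in covered:
                findings.append((name, sg_name))
    return findings


def any_standalone_ingress_exists(resources):
    """Hypothetical over-broad check: does *any* SecurityGroupIngress resource exist?"""
    return any(r.get("Type") == "AWS::EC2::SecurityGroupIngress" for r in resources.values())


def variant_missing_alb_ingress():
    """Constructed negative case: same template, but ALBSecurityGroup loses its inline
    ingress while the only standalone ingress still targets AppSecurityGroup."""
    t = copy.deepcopy(TEMPLATE)
    del t["Resources"]["ALBSecurityGroup"]["Properties"]["SecurityGroupIngress"]
    return t


if __name__ == "__main__":
    print("issue template:", load_balancer_sgs_without_ingress(TEMPLATE))
    bad = variant_missing_alb_ingress()
    print("negative variant:", load_balancer_sgs_without_ingress(bad))
    print("a template-wide 'any ingress resource' check would pass the variant:",
          any_standalone_ingress_exists(bad["Resources"]))
```

On the issue's template the per-group check reports nothing, because ALBSecurityGroup carries its own inline ingress. On the constructed variant it correctly flags ("LoadBalancer", "ALBSecurityGroup"), while a template-wide "any ingress resource exists" test would be satisfied by the rule that belongs to AppSecurityGroup, which is the kind of cross-group confusion the report describes; matching on the GroupId reference is what keeps the two cases apart.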

Metadata

Labels: aws (PR related with AWS Cloud), bug (Something isn't working), cloudformation (CloudFormation query), community (Community contribution), docker (Docker query), query (New query feature)