bug(misconf): False positive reporting aws_vpc_security_group_ingress_rule terraform resource as too permissive

[simar7]

Discussed in #7425

^{Originally posted by KashifSaadat August 30, 2024}

IDs

AVD-AWS-0107

Description

Trivy complains that the security group ingress rule is allowing traffic from the public internet, referring to AVD-AWS-0107: An ingress security group rule allows traffic from /0.

The output is below:

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 telemetry.tf:38
   via telemetry.tf:35-44 (aws_vpc_security_group_ingress_rule.segment_io_to_telemetrydb)
────────────────────────────────────────
  35   resource "aws_vpc_security_group_ingress_rule" "segment_io_to_telemetrydb" {
  36     security_group_id = aws_security_group.telemetrydb.id
  37   
  38 [   cidr_ipv4   = "3.251.148.96/29"
  39     description = "Allow inbound from Segment.io to Telemetry RDS: https://segment.com/docs/connections/storage/warehouses/faq/#which-ips-should-i-allowlist"
  40     from_port   = 5432
  41     ip_protocol = "tcp"
  42     tags        = var.tags
  43     to_port     = 5432
  44   }
────────────────────────────────────────

From the above you can see that cidr_ipv4 = "3.251.148.96/29" (not 0.0.0.0/0). I noticed that if I use a /32 then it doesn't flag up.

Support for the resource was added in: #6764
An existing issue raised around this is: #6760

Reproduction Steps

Create the following:

resource "aws_security_group" "rds" {
  name        = "rds-sg"
  description = "Allow inbound traffic to RDS Instance"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "segment_io_to_rds" {
  security_group_id = aws_security_group.rds.id
  cidr_ipv4   = "3.251.148.96/29"
  description = "Allow inbound from Segment.io to RDS"
  from_port   = 5432
  ip_protocol = "tcp"
  tags        = var.tags
  to_port     = 5432
}

Target

AWS

Scanner

Misconfiguration

Target OS

No response

Debug Output

-

Version

https://github.com/aquasecurity/trivy-action/releases/tag/0.24.0
https://github.com/aquasecurity/trivy/releases/tag/v0.53.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

@simar7 The avd-aws-0107 check triggers if the CIDR is public and the IP address range is greater than 1. The check suggests a resolution: Set a more restrictive cidr range. Should we only warn if the CIDR covers all IPs?

There is an open PR related to this problem, could you give an answer there? aquasecurity/trivy-checks#100

[nikpivkin]

@simar7 It's a duplicate of the #7267

[simar7]

Closing as dupe of #7267

[cloudopsgeek]

@nikpivkin - are we merging the following PR
aquasecurity/trivy-checks#100
We are still seeing the 107 Error for custom IP address

[nikpivkin]

Hi @cloudopsgeek we haven't released a new version of the Trivy and checks bundle.

[cloudopsgeek]

@nikpivkin - Thank you for your quick response. May I know when I can expect the new version with fix?