Link Search Menu Expand Document

An inline ingress security group rule allows traffic from /0.

Explanation

Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

Insecure Example

The following example will fail the AWS008 check.

resource "aws_security_group" "my-group" {
	ingress {
		cidr_blocks = ["0.0.0.0/0"]
	}
}

Secure Example

The following example will pass the AWS008 check.

resource "aws_security_group" "my-group" {
	ingress {
		cidr_blocks = ["1.2.3.4/32"]
	}
}