False negative scanning aws_vpc_security_group_ingress_rule TF resource

[danfaizer]

IDs

ADV-AWS-0107

Description

You can define security group ingress/egress rules in 2 ways in Terraform:

1. aws_security_group_rule
2. aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule

In case 1. the security control works and the "too broad" access is reported.
In case 2. (which seems to be the newer and recommended way to create ingress/egress rules) the security control does not work and the "too broad" access is NOT reported.

The control should be reported in both definitions.

Reproduction Steps

1. Create a security group with a security group ingress rule referencing the security group.
`security-group.tf`

resource "aws_security_group" "allow_ssh" {
  name        = "allow_ssh"
  description = "Allow SSH traffic from the internet"
  vpc_id      = "vpc-01234567890abcdef"

  tags = {
    Name = "allow_ssh"
  }
}

resource "aws_vpc_security_group_ingress_rule" "allow_ssh_access" {
  security_group_id = aws_security_group.id
  cidr_ipv4   = "0.0.0.0/0"
  ip_protocol = "tcp"
  from_port   = 22
  to_port     = 22
}

# resource "aws_security_group_rule" "allow_ssh_access" {
#   type              = "ingress"
#   security_group_id = aws_security_group.id
#   from_port         = 22
#   to_port           = 22
#   protocol          = "tcp"
#   cidr_blocks = [
#     "0.0.0.0/0",
#   ]
# }

2. Scan with trivy:

trivy config security-group.tf
2024-05-23T14:31:11+02:00	INFO	Misconfiguration scanning is enabled
2024-05-23T14:31:11+02:00	INFO	Detected config files	num=2

Note: In the uncommented code the misconfiguration is not reported, in the commented code the misconfiguration is reported.

### Target

AWS

### Scanner

Misconfiguration

### Target OS

_No response_

### Debug Output

```bash
trivy config security-group.tf --debug
2024-05-23T14:33:00+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-23T14:33:00+02:00	DEBUG	Cache dir	dir="/Users/jamiroquake/Library/Caches/trivy"
2024-05-23T14:33:00+02:00	INFO	Misconfiguration scanning is enabled
2024-05-23T14:33:00+02:00	DEBUG	Policies successfully loaded from disk
2024-05-23T14:33:00+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-23T14:33:00+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-23T14:33:00+02:00	DEBUG	Scanning files for misconfigurations...	scanner="Terraform"
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.549264000 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13946499877203372728 507056168 0x10e10dea0} <nil>} {{{0 0} {[] {} 0x14000d70440} map[security-group.tf:0x140022cd4a8] 0}}}) }] at '.'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.551615000 terraform.scanner.rego           Overriding filesystem for checks!
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.552140000 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.576610000 terraform.scanner.rego           Loaded 191 embedded policies.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.613911000 terraform.scanner.rego           Loaded 194 policies from disk.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.614150000 terraform.scanner.rego           Overriding filesystem for data!
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.777022000 terraform.parser.<root>          Setting project/module root to '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.777048000 terraform.parser.<root>          Parsing FS from '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.777067000 terraform.parser.<root>          Parsing 'security-group.tf'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.778768000 terraform.parser.<root>          Added file security-group.tf.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779138000 terraform.scanner                Scanning root module '.'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779156000 terraform.parser.<root>          Setting project/module root to '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779165000 terraform.parser.<root>          Parsing FS from '.'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779177000 terraform.parser.<root>          Parsing 'security-group.tf'...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779258000 terraform.parser.<root>          Added file security-group.tf.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779265000 terraform.parser.<root>          Evaluating module...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779326000 terraform.parser.<root>          Read 2 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779343000 terraform.parser.<root>          Added 0 variables from tfvars.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779349000 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.779405000 terraform.parser.<root>          Working directory for module evaluation is '/Users/jamiroquake/work/github.com/danfaizer/IaC-vulnerable-samples/terraform'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780154000 terraform.parser.<root>.evaluator Filesystem key is '5cb6251c9a42212a359127f6516f89f7974f5df8724c33f1687f9ad0e84db4fe'
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780157000 terraform.parser.<root>.evaluator Starting module evaluation...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780500000 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780556000 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780562000 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780635000 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780638000 terraform.parser.<root>.evaluator Module evaluation complete.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780641000 terraform.parser.<root>          Finished parsing module 'root'.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.780658000 terraform.executor               Adapting modules...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.782807000 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.782816000 terraform.executor               Using max routines of 7
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.783133000 terraform.executor               Initialized 486 rule(s).
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.783138000 terraform.executor               Created pool with 7 worker(s) to apply rules.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.785424000 terraform.scanner.rego           Scanning 1 inputs...
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.789961000 terraform.executor               Finished applying rules.
2024-05-23T14:33:00+02:00	DEBUG	[misconf] 33:00.789971000 terraform.executor               Applying ignores...
2024-05-23T14:33:00+02:00	DEBUG	OS is not detected.
2024-05-23T14:33:00+02:00	INFO	Detected config files	num=2
2024-05-23T14:33:00+02:00	DEBUG	Scanned config file	path="."
2024-05-23T14:33:00+02:00	DEBUG	Scanned config file	path="security-group.tf"

Version

trivy --version
Version: 0.51.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-16 06:12:18.601562975 +0000 UTC
  NextUpdate: 2024-04-16 12:12:18.601562704 +0000 UTC
  DownloadedAt: 2024-04-16 11:36:59.614942 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-10-27 00:56:52.8927736 +0000 UTC
  NextUpdate: 2023-10-30 00:56:52.8927731 +0000 UTC
  DownloadedAt: 2023-10-27 11:28:08.392459 +0000 UTC
Check Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-23 11:49:51.300577 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[simar7]

thanks for the report! @nikpivkin looks like we don't handle aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule today right?

[nikpivkin]

Right, only aws_security_group_rule

[nikpivkin]

Track #6764

[KashifSaadat]

Hi, I see the fix for this in #6764 was added in v0.52.0 of Trivy and so included within the v0.24.0 github action. There still appears to be a false negative on the support of the new aws_vpc_security_group_ingress_rule resource and so this issue is not yet resolved.

An example of the output is below:

CRITICAL: Security group rule allows ingress from public internet.
════════════════════════════════════════
Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0107
────────────────────────────────────────
 telemetry.tf:38
   via telemetry.tf:35-44 (aws_vpc_security_group_ingress_rule.segment_io_to_telemetrydb)
────────────────────────────────────────
  35   resource "aws_vpc_security_group_ingress_rule" "segment_io_to_telemetrydb" {
  36     security_group_id = aws_security_group.telemetrydb.id
  37   
  38 [   cidr_ipv4   = "3.251.148.96/29"
  39     description = "Allow inbound from Segment.io to Telemetry RDS: https://segment.com/docs/connections/storage/warehouses/faq/#which-ips-should-i-allowlist"
  40     from_port   = 5432
  41     ip_protocol = "tcp"
  42     tags        = var.tags
  43     to_port     = 5432
  44   }
────────────────────────────────────────

Edit: As this is closed I've created a new discussion #7425