Skip to content

bug(cloudformation): query "DB Security Group Open To Large Scope" triggers on /24 CIDR #7988

Description

@lmbruder-sidn

Expected Behavior

The description of query "DB Security Group Open To Large Scope" is "The IP address in a DB Security Group must not have more than 256 hosts.".
Based on this you would expect it to be detected on CIDRs with a prefix length of 23 or shorter.

Actual Behavior

This vulnerability is detected on a /24 CIDR, which is a subnet with 256 hosts.

Steps to Reproduce the Problem

Run kics on a security group attached to a EC2 instance and specify a subnet with a prefix length of /24.

Resources:
   myInstance:
     Type: 'AWS::EC2::Instance'
     Properties: 
        ImageId: ami-0a70b9d193ae8a799
        InstanceType: t2.micro
        SecurityGroupIds:
          - !Ref myInstanceSecurityGroup

   myInstanceSecurityGroup:
      Type: AWS::EC2::SecurityGroup
      Properties:
          GroupDescription: SG to test ping
          SecurityGroupIngress:
          - IpProtocol: tcp
            FromPort: 22
            ToPort: 22
            CidrIp: 10.0.0.0/24

Specifications

Current version built from source.

./bin/kics version  
Keeping Infrastructure as Code Secure snapshot-e1f23cad

Metadata

Metadata

Assignees

No one assigned

    Labels

    awsPR related with AWS CloudbugSomething isn't workingcloudformationCloudFormation querycommunityCommunity contributionqueryNew query feature

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions