KICS development
Scanned paths: /path/e2e/fixtures/samples/positive.yaml
Platforms: CloudFormation
Start time: 20:26:25, Jan 05 2022
End time: 20:26:29, Jan 05 2022

Vulnerabilities:

4 HIGH
12 MEDIUM
5 LOW
0 INFO
21 TOTAL

ALB Listening on HTTP

Platform: CloudFormation
Category: Networking and Firewall
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 104
Expected: 'Resources.ALBListener.Protocol' not equal to 'HTTP'
Found: 'Resources.ALBListener.Protocol' equals to 'HTTP'
103 Port: 80
104 Protocol: HTTP
105 ECSALBListenerRule:

ECS Task Definition Network Mode Not Recommended

Platform: CloudFormation
Category: Insecure Configurations
Network_Mode should be 'awsvpc' in ecs_task_definition. AWS VPCs provide the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html#cfn-ecs-taskdefinition-networkmode
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 48
Expected: 'Resources.TaskDefinition.Properties.NetworkMode' is set and is 'awsvpc'
Found: 'Resources.TaskDefinition.Properties.NetworkMode' is undefined and defaults to 'bridge'
47 Type: AWS::ECS::TaskDefinition
48 Properties:
49 Family: !Join ['', [!Ref 'AWS::StackName', -ecs-demo-app]]

Fully Open Ingress

Platform: CloudFormation
Category: Networking and Firewall
ECS Service's security group should not allow unrestricted access to all ports from all IPv4 addresses.
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/get-set-up-for-amazon-ecs.html#create-a-base-security-group
Results (2)
File: /path/e2e/fixtures/samples/positive.yaml Line 24
Expected: Resource name 'EcsSecurityGroupHTTPinbound02' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all IPv4 addresses and to all available ports
Found: Resource name 'EcsSecurityGroupHTTPinbound02' of type 'AWS::EC2::SecurityGroupIngress' accepts ingress connections from CIDR 0.0.0.0/0 to all available ports
23 ToPort: 0
24 CidrIp: 0.0.0.0/0
25 EcsSecurityGroupSSHinbound:
File: /path/e2e/fixtures/samples/positive.yaml Line 32
Expected: Resource name 'EcsSecurityGroupSSHinbound' of type 'AWS::EC2::SecurityGroupIngress' should not accept ingress connections from all IPv4 addresses and to all available ports
Found: Resource name 'EcsSecurityGroupSSHinbound' of type 'AWS::EC2::SecurityGroupIngress' accepts ingress connections from CIDR 0.0.0.0/0 to all available ports
31 ToPort: 0
32 CidrIp: 0.0.0.0/0
33 EcsSecurityGroupALBports:

ALB Is Not Integrated With WAF

Platform: CloudFormation
Category: Networking and Firewall
All Application Load Balancers (ALB) must be protected with the Web Application Firewall (WAF) service.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafregional-webaclassociation.html
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 86
Expected: 'Resources.ECSALB' does not have an 'internal' scheme and has a 'WebACLAssociation' associated
Found: 'Resources.ECSALB' does not have an 'internal' scheme and has no 'WebACLAssociation' associated
85 - Name: my-vol
86 ECSALB:
87 Type: AWS::ElasticLoadBalancingV2::LoadBalancer

Auto Scaling Group With No Associated ELB

Platform: CloudFormation
Category: Availability
AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'LoadBalancerNames' must be defined and not empty.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-group.html
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 131
Expected: 'Resources.ECSAutoScalingGroup.Properties.LoadBalancerNames' is defined
Found: 'Resources.ECSAutoScalingGroup.Properties.LoadBalancerNames' is not defined
130 Type: AWS::AutoScaling::AutoScalingGroup
131 Properties:
132 VPCZoneIdentifier: !Ref 'SubnetId'

ECS Service Without Running Tasks

Platform: CloudFormation
Category: Availability
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 159
Expected: Resources.service.Properties.DeploymentConfiguration is defined and not null
Found: Resources.service.Properties.DeploymentConfiguration is undefined or null
158 Type: AWS::ECS::Service
159 Properties:
160 Cluster: !Ref 'ECSCluster'

ELB With Security Group Without Inbound Rules

Platform: CloudFormation
Category: Networking and Firewall
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 14
Expected: 'Resources.EcsSecurityGroup.Properties.SecurityGroupIngress' is defined
Found: 'Resources.EcsSecurityGroup.Properties.SecurityGroupIngress' is undefined
13 Type: AWS::EC2::SecurityGroup
14 Properties:
15 GroupDescription: ECS Security Group

ELB With Security Group Without Outbound Rules

Platform: CloudFormation
Category: Networking and Firewall
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 14
Expected: 'Resources.EcsSecurityGroup.Properties.SecurityGroupEgress' is defined
Found: 'Resources.EcsSecurityGroup.Properties.SecurityGroupEgress' is undefined
13 Type: AWS::EC2::SecurityGroup
14 Properties:
15 GroupDescription: ECS Security Group

Empty Roles For ECS Cluster Task Definitions

Platform: CloudFormation
Category: Access Control
Check if any ECS cluster has not defined proper roles for services' task definitions.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-service.html
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 167
Expected: 'Resources.service.Properties.TaskDefinition' refers to a TaskDefinition with Role
Found: 'Resources.service.Properties.TaskDefinition' does not refer to a TaskDefinition with Role
166 Role: !Ref 'ECSServiceRole'
167 TaskDefinition: !Ref 'TaskDefinition'
168 ECSServiceRole:

IAM Access Analyzer Undefined

Platform: CloudFormation
Category: Access Control
Results (1)
File: /path/e2e/fixtures/samples/positive.yaml Line 9
Expected: 'AWS::AccessAnalyzer::Analyzer' is set
Found: 'AWS::AccessAnalyzer::Analyzer' is undefined
8 Description: Select at two subnets in your selected VPC.
9 Resources:
10 ECSCluster:

Security Group Ingress With Port Range

Platform: CloudFormation
Category: Networking and Firewall
Results (3)
File: /path/e2e/fixtures/samples/positive.yaml Line 35
Expected: Resources.EcsSecurityGroupALBports.Properties.FromPort is equal to Resources.EcsSecurityGroupALBports.Properties.ToPort
Found: Resources.EcsSecurityGroupALBports.Properties.FromPort is not equal to Resources.EcsSecurityGroupALBports.Properties.ToPort
34 Type: AWS::EC2::SecurityGroupIngress
35 Properties:
36 GroupId: !Ref 'EcsSecurityGroup'
File: /path/e2e/fixtures/samples/positive.yaml Line 19
Expected: Resources.EcsSecurityGroupHTTPinbound02.Properties.FromPort is equal to Resources.EcsSecurityGroupHTTPinbound02.Properties.ToPort
Found: Resources.EcsSecurityGroupHTTPinbound02.Properties.FromPort is not equal to Resources.EcsSecurityGroupHTTPinbound02.Properties.ToPort
18 Type: AWS::EC2::SecurityGroupIngress
19 Properties:
20 GroupId: !Ref 'EcsSecurityGroup'
File: /path/e2e/fixtures/samples/positive.yaml Line 27
Expected: Resources.EcsSecurityGroupSSHinbound.Properties.FromPort is equal to Resources.EcsSecurityGroupSSHinbound.Properties.ToPort
Found: Resources.EcsSecurityGroupSSHinbound.Properties.FromPort is not equal to Resources.EcsSecurityGroupSSHinbound.Properties.ToPort
26 Type: AWS::EC2::SecurityGroupIngress
27 Properties:
28 GroupId: !Ref 'EcsSecurityGroup'

Unrestricted Security Group Ingress

Platform: CloudFormation
Category: Networking and Firewall
Results (2)
File: /path/e2e/fixtures/samples/positive.yaml Line 24
Expected: Resources.EcsSecurityGroupHTTPinbound02.Properties.CidrIp is not open to the world (0.0.0.0/0)
Found: Resources.EcsSecurityGroupHTTPinbound02.Properties.CidrIp is open to the world (0.0.0.0/0)
23 ToPort: 0
24 CidrIp: 0.0.0.0/0
25 EcsSecurityGroupSSHinbound:
File: /path/e2e/fixtures/samples/positive.yaml Line 32
Expected: Resources.EcsSecurityGroupSSHinbound.Properties.CidrIp is not open to the world (0.0.0.0/0)
Found: Resources.EcsSecurityGroupSSHinbound.Properties.CidrIp is open to the world (0.0.0.0/0)
31 ToPort: 0
32 CidrIp: 0.0.0.0/0
33 EcsSecurityGroupALBports:

ECS Task Definition HealthCheck Missing

Platform: CloudFormation
Category: Observability
Amazon ECS must have the HealthCheck property defined to give more control over monitoring the health of tasks.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ecs-taskdefinition-healthcheck.html
Results (2)
File: /path/e2e/fixtures/samples/positive.yaml Line 67
Expected: 'Resources.TaskDefinition.Properties.ContainerDefinitions' contains 'HealthCheck' property
Found: 'Resources.TaskDefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property
66 - ContainerPort: 80
67 - Name: busybox
68 Cpu: 10
File: /path/e2e/fixtures/samples/positive.yaml Line 51
Expected: 'Resources.TaskDefinition.Properties.ContainerDefinitions' contains 'HealthCheck' property
Found: 'Resources.TaskDefinition.Properties.ContainerDefinitions' doesn't contain 'HealthCheck' property
50 ContainerDefinitions:
51 - Name: simple-app
52 Cpu: 10

Security Group Rule Without Description

Platform: CloudFormation
Category: Best Practices
Results (3)
File: /path/e2e/fixtures/samples/positive.yaml Line 19
Expected: Resources.EcsSecurityGroupHTTPinbound02.Properties.Description is set
Found: Resources.EcsSecurityGroupHTTPinbound02.Properties.Description is undefined
18 Type: AWS::EC2::SecurityGroupIngress
19 Properties:
20 GroupId: !Ref 'EcsSecurityGroup'
File: /path/e2e/fixtures/samples/positive.yaml Line 35
Expected: Resources.EcsSecurityGroupALBports.Properties.Description is set
Found: Resources.EcsSecurityGroupALBports.Properties.Description is undefined
34 Type: AWS::EC2::SecurityGroupIngress
35 Properties:
36 GroupId: !Ref 'EcsSecurityGroup'
File: /path/e2e/fixtures/samples/positive.yaml Line 27
Expected: Resources.EcsSecurityGroupSSHinbound.Properties.Description is set
Found: Resources.EcsSecurityGroupSSHinbound.Properties.Description is undefined
26 Type: AWS::EC2::SecurityGroupIngress
27 Properties:
28 GroupId: !Ref 'EcsSecurityGroup'

KICS is open source and will always stay that way. Both the scanning engine and the security queries are transparent and open to the software development community.