Security groups should not use broad internal CIDR ranges as source

Description

Security group ingress rules should reference specific subnets or security groups rather than overly broad internal CIDR ranges like 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. Using a full RFC 1918 range as a source grants access from every host on the internal network, bypassing network segmentation controls and increasing the blast radius of a compromised host.

Remediation

Replace broad internal CIDR ranges with specific subnet CIDRs or security group references.

  1. Open the Amazon EC2 console.
  2. Navigate to Security Groups, select the group, and edit the inbound rules.
  3. Replace any 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 source with the specific subnet CIDR (e.g., 10.1.2.0/24) or a security group ID that needs access.
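The following is an added example, not part of this rule page or of any vendor tooling: a small Python check that applies the rule above to security-group data in the shape returned by `aws ec2 describe-security-groups`. It flags every ingress rule whose IPv4 source equals or contains one of the three broad RFC 1918 ranges, and treats sources expressed as security-group references (`UserIdGroupPairs`) as compliant, matching the remediation guidance. The sample groups, their IDs and CIDRs are constructed for illustration. It goes slightly beyond the rule text in one respect: a source wider than a broad range (such as 0.0.0.0/0) is also reported, since it admits at least the same internal hosts.

```python
import ipaddress
from typing import Dict, List

# The broad RFC 1918 ranges this rule flags when they appear as an ingress source.
BROAD_INTERNAL_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_broad_internal_source(cidr: str) -> bool:
    """Return True when an IPv4 source CIDR equals or contains one of the broad
    RFC 1918 ranges. A source wider than one of them (e.g. 0.0.0.0/0) admits at
    least as many internal hosts, so it is flagged as well."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return False
    # supernet_of() is True for an equal network and for any enclosing network.
    return any(net.supernet_of(broad) for broad in BROAD_INTERNAL_RANGES)


def find_broad_ingress_rules(security_groups: List[Dict]) -> List[Dict]:
    """Scan security groups (shape of `aws ec2 describe-security-groups` output)
    and return one finding per ingress rule whose IPv4 source is a broad
    internal range. Sources given as security-group references
    (UserIdGroupPairs) satisfy the rule and are never flagged."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            # Protocol "-1" means all traffic; FromPort/ToPort are absent then.
            ports = "all" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for ip_range in perm.get("IpRanges", []):
                cidr = ip_range.get("CidrIp", "")
                if is_broad_internal_source(cidr):
                    findings.append({
                        "GroupId": group["GroupId"],
                        "Protocol": proto,
                        "Ports": ports,
                        "Source": cidr,
                    })
    return findings


# Constructed sample data in describe-security-groups shape; the group IDs and
# subnet CIDR are made up for this example.
SAMPLE_SECURITY_GROUPS = [
    {   # Before remediation: whole RFC 1918 ranges used as sources.
        "GroupId": "sg-0000000000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "UserIdGroupPairs": []},
        ],
    },
    {   # After remediation: a specific subnet and a security-group reference.
        "GroupId": "sg-0000000000000002",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.1.2.0/24"}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0000000000000003"}]},
        ],
    },
]

if __name__ == "__main__":
    for finding in find_broad_ingress_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{finding['GroupId']}: {finding['Protocol']} {finding['Ports']} "
              f"from {finding['Source']} is a broad internal range")
```

Run against the sample data, only the "before" group produces findings (its SSH and PostgreSQL rules); the remediated group passes because its sources are a /24 subnet and a security-group ID. To check a real account, feed the function the `SecurityGroups` list from the CLI or boto3 output instead of the constructed sample.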