Expected Behavior
The description of query "DB Security Group Open To Large Scope" is "The IP address in a DB Security Group must not have more than 256 hosts.".
Based on this you would expect it to be detected on CIDRs with a prefix length of 23 or shorter.
Actual Behavior
This vulnerability is detected on a /24 CIDR, which is a subnet with 256 hosts.
Steps to Reproduce the Problem
Run kics on a security group attached to an EC2 instance and specify a subnet with a prefix length of /24.
Resources:
  myInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: ami-0a70b9d193ae8a799
      InstanceType: t2.micro
      SecurityGroupIds:
        - !Ref myInstanceSecurityGroup
  myInstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SG to test ping
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 10.0.0.0/24
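As an added example (not KICS's own Rego query), the following Python check applies the threshold exactly as the query description words it, so a /24 (256 addresses) is not reported while a /23 (512) is; the template dict is a constructed copy of the security group above with two extra rules added for comparison.

```python
import ipaddress

# Threshold from the query description: "must not have more than 256 hosts".
MAX_HOSTS = 256


def address_count(cidr: str) -> int:
    """Number of addresses covered by an IPv4 or IPv6 CIDR block."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def is_large_scope(cidr: str, max_hosts: int = MAX_HOSTS) -> bool:
    """True when the block covers more than max_hosts addresses.

    A strict '>' matches the description: /24 (256) passes, /23 (512) fails.
    A '>=' comparison would also flag /24, which is the behaviour reported.
    """
    return address_count(cidr) > max_hosts


def large_scope_ingress(template: dict) -> list:
    """Collect (resource, cidr, count) for ingress rules exceeding MAX_HOSTS."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            for key in ("CidrIp", "CidrIpv6"):  # handle both address families
                cidr = rule.get(key)
                if cidr and is_large_scope(cidr):
                    findings.append((name, cidr, address_count(cidr)))
    return findings


# Constructed sample: the /24 from the issue's template plus a /23 and a /0.
SAMPLE_TEMPLATE = {
    "Resources": {
        "myInstanceSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "SG to test ping",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/24"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/23"},
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                ],
            },
        }
    }
}
```

Running large_scope_ingress(SAMPLE_TEMPLATE) returns only the /23 and /0 rules, which is the behaviour the description leads you to expect.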
Specifications
Current version built from source.
./bin/kics version
Keeping Infrastructure as Code Secure snapshot-e1f23cad