保護DataHogo
Security Encyclopedia/Cloud Provider Security
mediumCWE-284OWASP A05:2021

Missing VPC / Security Group Rules

Your cloud resources are deployed without a VPC or with security groups that allow unrestricted inbound traffic (0.0.0.0/0), exposing internal services to the internet.

How It Works

A VPC is your private network in the cloud. Security groups act as stateful firewalls for your resources. Without them, or with overly permissive rules, every service you deploy is potentially reachable from the public internet. A security group allowing 0.0.0.0/0 on port 22 (SSH) or port 3306 (MySQL) gives every internet scanner a direct line to those services.

Vulnerable Code
# BAD: security group allowing all inbound traffic on all ports (Terraform)
resource "aws_security_group" "web" {
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  // all ports open to internet
  }
}
Secure Code
# GOOD: only allow HTTP/HTTPS from internet, SSH from admin IP only
resource "aws_security_group" "web" {
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  // HTTPS is fine to be public
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["YOUR_OFFICE_IP/32"]  // SSH only from known IP
  }
}

Real-World Example

AWS publishes its most common misconfigurations annually. Security groups with 0.0.0.0/0 on sensitive ports consistently rank in the top 5. In 2023, a fintech startup had their entire Kubernetes cluster accessible from the internet due to a misconfigured node security group — discovered during a routine Data Hogo scan.

How to Prevent It

  • Use the principle of least connectivity: only open ports that are required, to the specific sources that need them
  • Never allow 0.0.0.0/0 on SSH (22), RDP (3389), or any database port
  • Use AWS Security Hub or GCP Security Command Center to continuously audit security group rules
  • Deploy all non-public resources in private subnets with NAT Gateway for outbound internet access
  • Use AWS VPC Flow Logs to monitor and alert on unexpected traffic patterns

Affected Technologies

Node.jsPython

Data Hogo detects this vulnerability automatically.

Scan Your Repo Free

Related Vulnerabilities

S3 Bucket Public Access

critical

Your S3 bucket is publicly readable due to a public ACL, disabled Block Public Access settings, or a wildcard bucket policy — anyone on the internet can list and download your files.

CWE-284OWASP A05:2021

Cloud Metadata SSRF

critical

Your app fetches user-supplied URLs without blocking cloud metadata endpoints like 169.254.169.254, letting attackers steal your cloud credentials via SSRF.

CWE-918OWASP A10:2021

AWS Credentials Hardcoded

critical

AWS access keys (starting with AKIA) or secret access keys are hardcoded in your source code, giving anyone who reads the code full access to your AWS account.

CWE-798OWASP A02:2021

IAM Overly Permissive Policy

high

Your IAM policy uses Action: '*' or Resource: '*', granting far more permissions than needed and turning any credential leak into a full account takeover.

CWE-269OWASP A01:2021