nuclei-templates/cloud/aws/ec2/ec2-unrestricted-icmp.yaml

id: ec2-unrestricted-icmp
info:
  name: Restrict EC2 ICMP Access
  author: princechaddha
  severity: critical
  description: |
    Checks for Amazon EC2 security groups with inbound rules allowing unrestricted ICMP access. Advises restricting ICMP to trusted IPs to uphold the Principle of Least Privilege and minimize the attack surface.
  impact: |
    Unrestricted ICMP can be used for network reconnaissance and Distributed Denial of Service (DDoS) attacks, posing a significant security risk.
  remediation: |
    Modify EC2 security group rules to limit ICMP access to necessary, trusted IP addresses/ranges only.
  reference:
    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config


variables:
  region: "us-east-1"

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json

    extractors:
      - type: json
        name: securitygroup
        internal: true
        json:
          - '.[]'

      - type: dsl
        dsl:
          - 'securitygroup + " security group(s) alows unrestricted ICMP access (0.0.0.0/0 or ::/0)"'
# digest: 4a0a0047304502201c1e1628656627c21447c7abc8072f76f2a62c9d1e6cadb470ecb80db95258ce022100b4302e8fb947bc6c9bdcd1344ce69898da49781c66a9574bba9bd2eb7920ed35:922c64590222798bb761d5b6d8e72950
AWS Code Templates (#8915) * s3 bucket checks * fixed lint errors * IAM checks * added ec2 templates * rdp * fixed lint error * acm & cloudwatch templates * cloudtrail * vpc templates added * added aws profile * fixed lint * added aws-code-env * added iterate in flow * added scan profile + updated tags * Delete config/cloud/aws.yml * updated scan profile * syntax update * removed local digest * added comments --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io> 2024-04-11 14:23:07 +00:00			`id: ec2-unrestricted-icmp`
			`info:`
			`name: Restrict EC2 ICMP Access`
			`author: princechaddha`
			`severity: critical`
			`description: \|`
			`Checks for Amazon EC2 security groups with inbound rules allowing unrestricted ICMP access. Advises restricting ICMP to trusted IPs to uphold the Principle of Least Privilege and minimize the attack surface.`
			`impact: \|`
			`Unrestricted ICMP can be used for network reconnaissance and Distributed Denial of Service (DDoS) attacks, posing a significant security risk.`
			`remediation: \|`
			`Modify EC2 security group rules to limit ICMP access to necessary, trusted IP addresses/ranges only.`
			`reference:`
			`- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html`
			`tags: cloud,devops,aws,amazon,ec2,aws-cloud-config`


			`variables:`
			`region: "us-east-1"`

			`self-contained: true`
			`code:`
			`- engine:`
			`- sh`
			`- bash`
			`source: \|`
			`aws ec2 describe-security-groups --region $region --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json`

			`extractors:`
			`- type: json`
			`name: securitygroup`
			`internal: true`
			`json:`
			`- '.[]'`

			`- type: dsl`
			`dsl:`
			`- 'securitygroup + " security group(s) alows unrestricted ICMP access (0.0.0.0/0 or ::/0)"'`
Auto Template Signing [Thu Apr 11 14:25:25 UTC 2024] :robot: 2024-04-11 14:25:25 +00:00			`# digest: 4a0a0047304502201c1e1628656627c21447c7abc8072f76f2a62c9d1e6cadb470ecb80db95258ce022100b4302e8fb947bc6c9bdcd1344ce69898da49781c66a9574bba9bd2eb7920ed35:922c64590222798bb761d5b6d8e72950`