Skip to content

Configuration security hardening: address overly permissive defaults in security groups and IAM policies #1202

New issue
New issue
Open
Open
Configuration security hardening: address overly permissive defaults in security groups and IAM policies#1202
@youming1970

Description

@youming1970
youming1970
opened on Sep 6, 2025

Hi CloudPosse team,

Thank you for maintaining this comprehensive collection of Terraform AWS components — it's an invaluable resource for AWS infrastructure management.

While conducting a security review of the codebase, we identified several configuration defaults that could create security risks if deployed without customization:

1) Overly permissive security group defaults (P1)

Location: /modules/bastion/variables.tf lines 35, 42

variable "security_group_rules" {
  default = [
    {
      type        = "ingress"
      protocol    = "tcp"
      from_port   = 22
      to_port     = 22
      cidr_blocks = ["0.0.0.0/0"]  # SSH from anywhere
    }
  ]
}

Risk: Bastion hosts accessible from any internet IP address.

Similar Issues:

  • SFTP server (/modules/sftp/variables.tf line 88) - SSH/SFTP from 0.0.0.0/0
  • EKS API server (/modules/eks/cluster/variables.tf line 78) - API access from 0.0.0.0/0

2) Database backup disabled by default (P1)

Location: /modules/rds/rds-variables.tf line 235

variable "backup_retention_period" {
  type        = number
  default     = 0  # Backups disabled
}

Risk: Production databases deployed without backup protection.

3) S3 security defaults allow unencrypted uploads (P2)

Location: /modules/s3-bucket/variables.tf lines 134, 140

variable "allow_encrypted_uploads_only" {
  default     = false  # Unencrypted uploads allowed
}
variable "allow_ssl_requests_only" {
  default     = false  # HTTP requests allowed
}

Risk: Sensitive data could be uploaded without encryption or transmitted over HTTP.

4) IAM policies with wildcard resources (P2)

Location: /modules/eks/alb-controller/distributed-iam-policy.tf lines 95, 102

{
    "Action": ["ec2:AuthorizeSecurityGroupIngress"],
    "Resource": "*"  # No resource restrictions
}

Risk: Excessive permissions violating least privilege principle.

Proposed security improvements:

Security Group Defaults:

  • Change default CIDR blocks from 0.0.0.0/0 to require explicit configuration
  • Add validation to warn when 0.0.0.0/0 is used
  • Provide examples of restrictive CIDR configurations

Database Security:

  • Enable backup retention by default (e.g., 7 days minimum)
  • Enable CloudWatch logging by default for audit trails
  • Require explicit opt-out for security features

S3 Security:

  • Enable SSL-only and encryption-only by default
  • Require explicit opt-out for insecure configurations
  • Add security warnings in module documentation

IAM Security:

  • Add resource-specific conditions to policies where possible
  • Document least privilege alternatives
  • Provide guidance on policy customization

Happy to contribute:

  • Security-focused variable defaults
  • Documentation updates with security warnings
  • Validation rules for high-risk configurations
  • Examples of secure configuration patterns

These improvements would help organizations deploy CloudPosse components with security-first defaults while maintaining flexibility for specific use cases.

Context: we run configuration security reviews for enterprise AWS deployments. Happy to discuss AWS security patterns if helpful.

Contact: [email protected]

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions