Closed nikpivkin closed 2 weeks ago
The check is triggered for the deny rule.
Example config:
```hcl
resource "aws_network_acl_rule" "bar" {
  rule_number = 200
  egress      = false
  protocol    = "all"
  rule_action = "deny"
  cidr_block  = "0.0.0.0/0"
}
```
Output:
```
main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────────────────────────────────────────────
 main.tf:4
   via main.tf:1-7 (aws_network_acl_rule.bar)
────────────────────────────────────────────────────────────────────────────────
   1   resource "aws_network_acl_rule" "bar" {
   2     rule_number = 200
   3     egress      = false
   4 [   protocol    = "all"
   5     rule_action = "deny"
   6     cidr_block  = "0.0.0.0/0"
   7   }
────────────────────────────────────────────────────────────────────────────────
```
Discussed in https://github.com/aquasecurity/trivy/discussions/7004
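The report above boils down to one missing condition: a network ACL rule can only "allow access using ALL ports" when its `rule_action` is `allow`, and a `deny` rule with `protocol = "all"` and `cidr_block = "0.0.0.0/0"` is the ordinary catch-all that blocks everything a preceding allow rule did not admit. The Go program below is an added illustration written for this page, not code from Trivy or trivy-checks: `NaiveAllowsAllPorts` models the reported behaviour under the assumption that the check looks only at protocol and CIDR, and `AllowsAllPorts` shows the corrected predicate that gates on `rule_action`. The struct and function names are hypothetical, and the three sample rules are constructed here (the first one is the `bar` rule from the issue).

```go
package main

import (
	"fmt"
	"strings"
)

// NetworkACLRule mirrors the attributes of an aws_network_acl_rule block
// that matter for the "allows access using ALL ports" check.
// (Hypothetical type for this example, not a Trivy type.)
type NetworkACLRule struct {
	Name       string
	RuleNumber int
	Egress     bool
	Protocol   string // "all", "-1", "tcp", "udp", "6", ...
	RuleAction string // "allow" or "deny"
	CIDRBlock  string
}

// isAllProtocols reports whether the protocol selector covers every protocol
// and therefore every port. Terraform accepts "all"; the AWS API uses "-1".
func isAllProtocols(p string) bool {
	return p == "all" || p == "-1"
}

// isAnyAddress reports whether the CIDR matches every IPv4 or IPv6 address.
func isAnyAddress(c string) bool {
	return c == "0.0.0.0/0" || c == "::/0"
}

// NaiveAllowsAllPorts models the behaviour reported in the issue (an
// assumption about the check, not its actual source): it looks only at
// protocol and CIDR and ignores rule_action, so a catch-all deny rule is
// flagged as if it opened every port to the world.
func NaiveAllowsAllPorts(r NetworkACLRule) bool {
	return isAllProtocols(r.Protocol) && isAnyAddress(r.CIDRBlock)
}

// AllowsAllPorts is the corrected predicate: only an allow rule can grant
// access, so deny rules are never reported, whatever their protocol or CIDR.
func AllowsAllPorts(r NetworkACLRule) bool {
	if !strings.EqualFold(r.RuleAction, "allow") {
		return false
	}
	return isAllProtocols(r.Protocol) && isAnyAddress(r.CIDRBlock)
}

func main() {
	// Constructed sample rules; the first reproduces the issue's config.
	rules := []NetworkACLRule{
		{Name: "aws_network_acl_rule.bar", RuleNumber: 200, Protocol: "all", RuleAction: "deny", CIDRBlock: "0.0.0.0/0"},
		{Name: "aws_network_acl_rule.open", RuleNumber: 100, Protocol: "-1", RuleAction: "allow", CIDRBlock: "0.0.0.0/0"},
		{Name: "aws_network_acl_rule.ssh", RuleNumber: 110, Protocol: "tcp", RuleAction: "allow", CIDRBlock: "10.0.0.0/8"},
	}
	for _, r := range rules {
		fmt.Printf("%-26s naive=%-5t corrected=%t\n", r.Name, NaiveAllowsAllPorts(r), AllowsAllPorts(r))
	}
}
```

Running it shows the `bar` deny rule flagged by the naive predicate and cleared by the corrected one, while the wide-open allow rule is still reported by both. Because NACL rules are evaluated in `rule_number` order, a trailing `deny` on `all` from `0.0.0.0/0` is the pattern that enforces "nothing else" from the check's own remediation text, which is exactly why it must not be treated as a finding.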