Fix Security Group Rules: Add Rule Descriptions

by ADMIN

Hey guys, let's dive into a common security hiccup: the lack of descriptions for your security group rules. This is a heads-up from Mend IAC scanning, highlighting a policy violation where some of your security group rules are missing those handy little descriptions. This is a low-severity issue, but it's super important for keeping things tidy and secure.

🔍 What's the Deal?

So, what's the big deal about descriptions? Well, imagine you're a detective looking at a bunch of clues. Each security group rule is a clue that dictates how traffic flows in and out of your system. Without descriptions, it's like looking at clues without knowing what they mean, making it tough to understand what's going on and why.

Security group rules without descriptions are a pain for a few reasons:

  • Harder to Understand: When you come back to your infrastructure a few weeks or months later, will you remember what each rule does? Descriptions are your notes to yourself (and your team!).
  • Troubleshooting Nightmare: If something goes wrong, you'll be spending extra time figuring out what each rule is for. Descriptions help you pinpoint the problem quickly.
  • Compliance Woes: Some security standards require detailed documentation of your security configurations. Missing descriptions can be a compliance risk.
  • Teamwork Friction: If multiple people manage your infrastructure, descriptions ensure everyone is on the same page. No more guessing games!

Basically, descriptions are a small but mighty part of good infrastructure practice. They make everything clearer, faster, and more secure.

Policy ID: CKV_AWS_23

This policy, CKV_AWS_23, is all about ensuring that every security group rule has a clear description. It's like a rule of thumb for good security practices.

Severity: LOW | Framework: terraform

This violation is tagged as LOW severity. While not the most critical issue, it's still worth addressing. The framework in question here is Terraform, a popular Infrastructure as Code (IaC) tool. The focus is on finding and fixing any security group rules in your Terraform code that are missing descriptions.

Violations: 1 across 1 file

The report flags 1 violation in total, affecting 1 file. This gives you a clear scope of what needs attention. It points to a single spot where a description is missing.

🛠️ Fixing the Problem

Now, let's get down to the nitty-gritty of fixing this. The goal is to add a description to each and every security group rule. Here's how to do it in Terraform and CloudFormation:

Terraform Fix

For Terraform, it's pretty straightforward. You'll need to modify your ingress or egress blocks within your aws_security_group resource. Add a description field to each rule. Let's look at an example:

Before (Missing Description):

resource "aws_security_group" "examplea" {
  name        = var.es_domain
  description = "Allow inbound traffic to ElasticSearch from VPC CIDR"
  vpc_id      = var.vpc

  ingress {
    cidr_blocks = ["10.0.0.0/16"]
    from_port   = 80
    protocol    = "tcp"
    to_port     = 80
  }
}

After (With Description Added):

resource "aws_security_group" "examplea" {
  name        = var.es_domain
  description = "Allow inbound traffic to ElasticSearch from VPC CIDR"
  vpc_id      = var.vpc

  ingress {
    cidr_blocks = ["10.0.0.0/16"]
    description = "Allows HTTP traffic from the VPC CIDR block"
    from_port   = 80
    protocol    = "tcp"
    to_port     = 80
  }
}

See the description = "Allows HTTP traffic from the VPC CIDR block" line? That's the magic. Make sure to tailor the description to what that specific rule is doing. Get specific and informative, and you'll be set. After making the changes, apply them with terraform apply to update your infrastructure.
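To make the policy's logic concrete, here is a small added checker (my own example, not Mend's or Checkov's code) that walks every ingress and egress block in a .tf file with a simple brace counter and reports the 1-based line range of each block that has no description, in the same shape as the report's table. The sample Terraform is constructed around the page's "before" resource; the scanner is deliberately line-based rather than a full HCL parser, so it assumes braces do not appear inside string values.

```python
import re

# Constructed sample (not the page's scanned file): the page's undocumented ingress
# rule plus a documented egress rule, so the check has one of each to tell apart.
SAMPLE_TF = '''resource "aws_security_group" "examplea" {
  name        = var.es_domain
  description = "Allow inbound traffic to ElasticSearch from VPC CIDR"
  vpc_id      = var.vpc
  ingress {
    cidr_blocks = ["10.0.0.0/16"]
    from_port   = 80
    protocol    = "tcp"
    to_port     = 80
  }
  egress {
    description = "Allow all outbound traffic to the internet"
    cidr_blocks = ["0.0.0.0/0"]
    from_port   = 0
    protocol    = "-1"
    to_port     = 0
  }
}
'''

RULE_START = re.compile(r'^\s*(ingress|egress)\s*\{')
DESCRIPTION = re.compile(r'^\s*description\s*=')


def find_undocumented_rules(text):
    """Return (kind, start, end), 1-based lines, for every ingress/egress block with no description."""
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        m = RULE_START.match(lines[i])
        if not m:
            i += 1
            continue
        depth, has_desc, end = 0, False, i
        for end in range(i, len(lines)):
            # Track braces so a nested map inside the rule does not close it early.
            depth += lines[end].count("{") - lines[end].count("}")
            if depth == 1 and DESCRIPTION.match(lines[end]):
                has_desc = True
            if depth == 0:
                break
        if not has_desc:
            findings.append((m.group(1), i + 1, end + 1))
        i = end + 1
    return findings
```

Running it on the sample reports only the ingress block (lines 5-10 of the sample); adding a description line to that block, as in the "after" example, clears the finding.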

CloudFormation Fix

CloudFormation fixes require similar adjustments. You'll add a Description field to each entry in the SecurityGroupIngress and SecurityGroupEgress properties of your AWS::EC2::SecurityGroup (the standalone AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress resources take the same Description property). Here's a sample:

Before (Missing Description):

{
  "Resources": {
    "MySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "My security group",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    }
  }
}

After (With Description Added):

{
  "Resources": {
    "MySecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "My security group",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIp": "0.0.0.0/0",
            "Description": "Allows HTTP traffic from anywhere"
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 443,
            "ToPort": 443,
            "CidrIp": "0.0.0.0/0",
            "Description": "Allows HTTPS traffic from anywhere"
          }
        ]
      }
    }
  }
}

In the SecurityGroupIngress and SecurityGroupEgress sections, you can now see the added Description fields. These fields specify what each rule does, making everything super clear. Deploy the updated CloudFormation template to implement the changes.

🛠️ Remediation Steps

Now, let's break down the steps for fixing this:

  1. Review the Report: Carefully examine the file and line numbers provided in the report. This points you directly to the affected code.
  2. Apply the Fix: Add descriptions to the security group rules according to the example above, making sure the description accurately reflects the rule's purpose.
  3. Test Your Changes: Before pushing the changes to production, test them in a development or staging environment. Verify that everything works as expected.
  4. Scan Again: Once you've made the changes, rescan your infrastructure to confirm that the violation is resolved.

📋 All Violations in this Policy

Here's a quick table to show you exactly where the problem lies:

Severity | File                          | Line Range | Framework
🟡 LOW   | /test-14-misconfigurations.tf | 11-29      | terraform

📊 Summary

Here's a quick summary to keep you in the loop:

  • Total Violations: 1
  • New Violations: 1
  • Resolved Violations: 0
  • Affected Files: 1

By Severity

  • LOW: 1 violation

By Framework

  • terraform: 1 violation

🔧 Remediation Guide

Let's get down to how to fix this:

1. Immediate Action

Review and address violations based on your security policies and deployment timeline. Because this is a low-severity issue, the remediation can follow your normal workflow for code changes.

2. Policy Understanding

This policy violation highlights the absence of descriptions for security group rules. These descriptions are essential for understanding the purpose of each rule.

3. Fix Strategy

  1. Review the affected file listed above.
  2. Add a description to the relevant security group rules, explaining the role of each rule (e.g., "Allows inbound HTTP traffic from the internet").
  3. Test your changes in a development environment.
  4. Rescan to confirm that the fix has been implemented.

This issue is automatically managed by Mend IAC scanning. It will be updated as violations are fixed or new ones are introduced.