Description
Hi CloudPosse team,
Thank you for maintaining this comprehensive Terraform component library! As a security-focused organization, I've been reviewing your ALB module and found a configuration pattern that could impact production deployments.
Security Finding
Network Access Control Risk
Location: modules/alb/variables.tf:32, 56
```hcl
variable "http_ingress_cidr_blocks" {
  default = ["0.0.0.0/0"]
}

variable "https_ingress_cidr_blocks" {
  default = ["0.0.0.0/0"]
}
```
Risk Analysis:
- ALB accepts traffic from any IP address by default
- Violates principle of least privilege
- Increases exposure to DDoS attacks and unauthorized access
- Many users deploy with defaults without reviewing security implications
Impact Assessment
- Scope: 535+ stars, widely used in enterprise environments
- Risk Level: P1 - Production security exposure
- Affected Users: Teams using default configurations in production
Suggested Improvements
1. More Restrictive Defaults
Consider defaulting to more restrictive CIDRs:
```hcl
# Option 1: Private networks only
default = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Option 2: Force explicit configuration
default = [] # Require users to explicitly set CIDR blocks
```
2. Documentation Enhancement
Add security warnings in README about network access configuration.
3. Example Configurations
Provide clear examples for different deployment scenarios (internal vs public).
Security Best Practices
Your module already follows many excellent practices:
- ✅ TLS 1.3 SSL policy by default
- ✅ HTTP to HTTPS redirect enabled
- ✅ Access logging enabled by default
Offer
We specialize in infrastructure security reviews and would be happy to provide a comprehensive analysis of your component library if you're interested in a deeper security assessment.
Contact: youming@flowspec.org
Best regards,
Configuration Security Review Team
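The following is an added example, not code from the CloudPosse component or from the issue author, showing one way to implement "Option 2" from the suggestions above: the ingress variables default to an empty list, every entry is checked to be a syntactically valid CIDR block, and `0.0.0.0/0` is refused unless the caller explicitly opts in. The variable `allow_public_ingress`, the resource names `aws_security_group.alb` / `aws_security_group_rule.https_ingress`, and the VPC id variable are assumptions introduced for the example; the `lifecycle.precondition` block needs Terraform 1.2 or later.

```hcl
# Added example (not the module's own code). Assumed names: allow_public_ingress,
# vpc_id, aws_security_group.alb, aws_security_group_rule.https_ingress.

variable "vpc_id" {
  type        = string
  description = "VPC in which the ALB security group is created (assumed input)."
}

variable "allow_public_ingress" {
  type        = bool
  description = "Set to true only for an internet-facing ALB that must accept traffic from any source."
  default     = false
}

variable "https_ingress_cidr_blocks" {
  type        = list(string)
  description = "CIDR blocks allowed to reach the HTTPS listener. Empty by default so callers must state who may connect."
  default     = []

  # Reject malformed entries early; cidrhost() fails on anything that is not a valid prefix.
  validation {
    condition = alltrue([
      for c in var.https_ingress_cidr_blocks : can(cidrhost(c, 0))
    ])
    error_message = "Every entry in https_ingress_cidr_blocks must be a valid CIDR block."
  }
}

resource "aws_security_group" "alb" {
  name_prefix = "alb-"
  description = "ALB ingress (example)"
  vpc_id      = var.vpc_id
}

# The rule is only created when at least one CIDR was supplied; an empty
# cidr_blocks list would otherwise be rejected by the provider at apply time.
resource "aws_security_group_rule" "https_ingress" {
  count = length(var.https_ingress_cidr_blocks) > 0 ? 1 : 0

  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = var.https_ingress_cidr_blocks
  security_group_id = aws_security_group.alb.id

  lifecycle {
    # Fail `terraform plan` if the world is allowed in without an explicit opt-in,
    # so a copied-and-pasted default cannot silently expose the listener.
    precondition {
      condition     = var.allow_public_ingress || !contains(var.https_ingress_cidr_blocks, "0.0.0.0/0")
      error_message = "0.0.0.0/0 in https_ingress_cidr_blocks requires allow_public_ingress = true."
    }
  }
}
```

With this layout an internal deployment sets only `https_ingress_cidr_blocks = ["10.0.0.0/8"]`, while a deliberately public ALB must set both `https_ingress_cidr_blocks = ["0.0.0.0/0"]` and `allow_public_ingress = true`; the opt-in shows up in code review and in the plan output rather than being hidden in a module default. The same pattern applies to `http_ingress_cidr_blocks` if the HTTP listener is kept for the HTTPS redirect.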