Class: SecurityGroupIngressOpenToWorldRule
- Includes:
- IpAddr
- Defined in:
- lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
Instance Method Summary collapse
-
#audit_impl(cfn_model) ⇒ Object
This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only.
- #rule_id ⇒ Object
- #rule_text ⇒ Object
- #rule_type ⇒ Object
Methods included from IpAddr
#ip4_cidr_range?, #ip4_open?, #ip6_cidr_range?, #ip6_open?, #normalize_cidr_ip6
Methods inherited from BaseRule
Instance Method Details
#audit_impl(cfn_model) ⇒ Object
This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 22 def audit_impl(cfn_model) logical_resource_ids = [] cfn_model.security_groups.each do |security_group| violating_ingresses = security_group.ingresses.select do |ingress| ip4_open?(ingress) || ip6_open?(ingress) end unless violating_ingresses.empty? logical_resource_ids << security_group.logical_resource_id end end violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress| ip4_open?(standalone_ingress) || ip6_open?(standalone_ingress) end logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id} end |
#rule_id ⇒ Object
16 17 18 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 16 def rule_id 'W2' end |
#rule_text ⇒ Object
8 9 10 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 8 def rule_text 'Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB' end |