Class: SecurityGroupIngressOpenToWorldRule

Inherits:

BaseRule

• Object
• BaseRule
• SecurityGroupIngressOpenToWorldRule

Includes:

IpAddr

Defined in:

lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb

Instance Method Summary

• #audit_impl(cfn_model) ⇒ Object

  This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only.

• #rule_id ⇒ Object
• #rule_text ⇒ Object
• #rule_type ⇒ Object

Methods included from IpAddr

#ip4_cidr_range?, #ip4_open?, #ip6_cidr_range?, #ip6_open?, #normalize_cidr_ip6

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object

This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only

# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 22

def audit_impl(cfn_model)
  logical_resource_ids = []
  cfn_model.security_groups.each do |security_group|
    violating_ingresses = security_group.ingresses.select do |ingress|
      ip4_open?(ingress) || ip6_open?(ingress)
    end

    unless violating_ingresses.empty?
      logical_resource_ids << security_group.logical_resource_id
    end
  end

  violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
    ip4_open?(standalone_ingress) || ip6_open?(standalone_ingress)
  end

  logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}
end

#rule_id ⇒ Object

# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 16

def rule_id
  'W2'
end

#rule_text ⇒ Object

# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 8

def rule_text
  'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB'
end

#rule_type ⇒ Object

# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 12

def rule_type
  Violation::WARNING
end