Class: SecurityGroupIngressOpenToWorldRule

Inherits:
BaseRule
  • Object
Includes:
IpAddr
Defined in:
lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb

Instance Method Summary collapse

Methods included from IpAddr

#ip4_cidr_range?, #ip4_open?, #ip6_cidr_range?, #ip6_open?, #normalize_cidr_ip6

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object

This behaves slightly differently from the legacy jq-based rule, which inspected only inline ingress entries on a security group: this implementation also examines standalone ingress resources, so a template that opens a port to the world via a separate ingress resource is reported too.



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 24

# Collect the logical ids of resources that allow ingress from the whole
# internet on either address family.
#
# Two resource shapes are inspected:
# * security groups with inline ingress entries — the *group's* logical id
#   is reported once if any of its entries is open to the world;
# * standalone ingress resources — each open one is reported under its own
#   logical id.
#
# "Open" is whatever the IpAddr mixin's #ip4_open? / #ip6_open? decide
# (typically a 0.0.0.0/0 or ::/0 CIDR). The rule cannot tell whether the
# group is attached to an internet-facing load balancer, where such a rule
# is legitimate, so findings should be reviewed rather than auto-failed.
#
# @param cfn_model [CfnModel] parsed template exposing #security_groups
#   and #standalone_ingress
# @return [Array<String>] logical resource ids of violating resources,
#   groups first (in template order), then standalone ingresses
def audit_impl(cfn_model)
  open_to_world = ->(ingress) { ip4_open?(ingress) || ip6_open?(ingress) }

  flagged_groups = cfn_model.security_groups
                            .select { |group| group.ingresses.any?(&open_to_world) }
                            .map(&:logical_resource_id)

  flagged_standalone = cfn_model.standalone_ingress
                                .select(&open_to_world)
                                .map(&:logical_resource_id)

  flagged_groups + flagged_standalone
end

#rule_id ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 17

# Stable identifier used to reference this rule in reports and in
# suppression/blacklist configuration.
#
# @return [String] the rule id, 'W2' (the W prefix marks a warning-level rule)
def rule_id
  identifier = 'W2'
  identifier
end

#rule_text ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 8

# Human-readable description attached to each finding. The sentences are
# joined with the two-space separator the original message used, so the
# emitted text is unchanged for anyone matching on it.
#
# @return [String] finding message explaining that a world-open ingress
#   CIDR is never acceptable on an instance but may be on a load balancer
def rule_text
  [
    'Security Groups found with cidr open to world on ingress.',
    'This should never be true on instance.',
    'Permissible on ELB'
  ].join('  ')
end

#rule_type ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 13

# Severity of findings produced by this rule.
#
# Reported as a warning rather than a failure because a world-open ingress
# is legitimate on an internet-facing load balancer and the rule cannot
# distinguish that case from an instance security group.
#
# @return [Object] Violation::WARNING
def rule_type
  severity = Violation::WARNING
  severity
end