Class: SecurityGroupEgressOpenToWorldRule
- Includes:
- IpAddr
- Defined in:
- lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
Instance Method Summary collapse
-
#audit_impl(cfn_model) ⇒ Object
This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only.
- #rule_id ⇒ Object
- #rule_text ⇒ Object
- #rule_type ⇒ Object
Methods included from IpAddr
#ip4_cidr_range?, #ip4_open?, #ip6_cidr_range?, #ip6_open?, #normalize_cidr_ip6
Methods inherited from BaseRule
Instance Method Details
#audit_impl(cfn_model) ⇒ Object
This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 22 def audit_impl(cfn_model) logical_resource_ids = [] cfn_model.security_groups.each do |security_group| violating_egresses = security_group.egresses.select do |egress| ip4_open?(egress) || ip6_open?(egress) end logical_resource_ids << security_group.logical_resource_id unless violating_egresses.empty? end violating_egresses = cfn_model.standalone_egress.select do |standalone_egress| ip4_open?(standalone_egress) || ip6_open?(standalone_egress) end logical_resource_ids + violating_egresses.map(&:logical_resource_id) end |
#rule_id ⇒ Object
16 17 18 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 16 def rule_id 'W5' end |
#rule_text ⇒ Object
8 9 10 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 8 def rule_text 'Security Groups found with cidr open to world on egress' end |