Class: SecurityGroupEgressPortRangeRule

Inherits:
BaseRule
  • Object
Defined in:
lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb

Instance Method Summary

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object

This behaves slightly differently from the legacy jq-based rule, which targeted inline ingress only.



# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb', line 19

# Flags security group egress rules that open a port range rather than a
# single port, i.e. rules whose FromPort and ToPort differ. Narrowing egress
# to exactly the ports needed is the least-privilege posture this rule checks.
#
# Both the egress rules inlined on each security group and the standalone
# egress resources in the model are inspected, so this behaves slightly
# differently from the legacy jq-based rule, which targeted inline rules only.
#
# @param cfn_model [Object] parsed template model exposing +security_groups+
#   (each with +egresses+ and +logical_resource_id+) and +standalone_egress+;
#   exact types come from cfn-model — not visible here, confirm against caller
# @return [Array<String>] logical resource ids of the violators: security
#   groups with a range-bearing inline egress first, then standalone egress
#   resources that span a range
def audit_impl(cfn_model)
  # A rule spans a range when its two port bounds differ. This is a plain `!=`,
  # so a rule with neither bound set (nil vs nil) is not flagged here.
  spans_port_range = ->(egress) { egress.fromPort != egress.toPort }

  inline_violators = cfn_model.security_groups
                              .select { |security_group| security_group.egresses.any?(&spans_port_range) }
                              .map(&:logical_resource_id)

  standalone_violators = cfn_model.standalone_egress
                                  .select(&spans_port_range)
                                  .map(&:logical_resource_id)

  inline_violators + standalone_violators
end

#rule_id ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb', line 13

# Identifier under which this rule's findings are reported.
#
# @return [String] the rule id, 'W29'
def rule_id
  'W29'
end

#rule_text ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb', line 5

# Human-readable message attached to each finding, describing that an egress
# rule opened a range of ports rather than a single port.
#
# @return [String] the violation message
def rule_text
  'Security Groups found egress with port range instead of just a single port'
end

#rule_type ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb', line 9

# Severity reported for this rule's findings: a warning, consistent with the
# 'W' prefix of #rule_id, since a wide egress port range broadens outbound
# access but is not by itself a hard failure.
#
# @return [Object] Violation::WARNING
def rule_type
  Violation::WARNING
end