Class: EC2NetworkAclEntryOverlappingPortsRule

Inherits:
BaseRule
Defined in:
lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb

Instance Method Summary

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object



# File 'lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb', line 20

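# Report AWS::EC2::NetworkAclEntry resources whose port ranges overlap with
# another entry in the same NACL, address family and direction.
#
# Why this matters: NACL rules are evaluated in rule-number order, so an
# entry whose ports are already covered by an earlier entry may never be
# reached. An overlapping entry that was meant to tighten or deny traffic can
# therefore be silently ineffective (hence the rule text).
#
# @param cfn_model [CfnModel] parsed template model
# @return [Array<String>] logical resource ids of the overlapping entries
def audit_impl(cfn_model)
  all_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')

  # Only TCP/UDP entries with parsable port ranges can be compared; the
  # predicate helpers are defined elsewhere in this file.
  # Non-mutating `select`: the array handed back by resources_by_type may be
  # shared with the model or other rules, so it must not be filtered in place.
  comparable_entries = all_entries.select do |nacl_entry|
    tcp_or_udp_protocol?(nacl_entry) && valid_ports?(nacl_entry)
  end

  # Group by NACL id, ip type and egress/ingress, then collect the entries
  # that overlap within each group.
  group_nacl_entries(comparable_entries)
    .flat_map { |grouping| overlapping_port_entries(grouping) }
    .map(&:logical_resource_id)
end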

#rule_idObject



# File 'lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb', line 16

# Identifier of this rule as it appears in cfn_nag output and suppressions.
#
# @return [String] the rule id, "W72"
def rule_id
  "W72"
end

#rule_textObject



# File 'lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb', line 8

# Human-readable description shown with each violation of this rule.
#
# @return [String] the violation message
def rule_text
  'NetworkACL Entries are reusing or overlapping ports ' \
    'which may create ineffective rules.'
end

#rule_typeObject



# File 'lib/cfn-nag/custom_rules/EC2NetworkAclEntryOverlappingPortsRule.rb', line 12

# Severity of this rule. Overlapping entries are reported as a warning rather
# than a failure, since the overlap is a likely misconfiguration, not a
# definite exposure.
#
# @return [Violation::WARNING] the warning severity constant
def rule_type
  Violation::WARNING
end