Class: SecurityGroupEgressOpenToWorldRule

Inherits:
BaseRule show all
Includes:
IpAddr
Defined in:
lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb

Instance Method Summary collapse

Methods included from IpAddr

#ip4_cidr_range?, #ip4_localhost?, #ip4_open?, #ip6_cidr_range?, #ip6_localhost?, #ip6_open?, #normalize_cidr_ip6

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object

This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only


25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 25

def audit_impl(cfn_model)
  violating_security_groups = cfn_model.security_groups.select do |security_group|
    violating_egresses = security_group.egresses.select do |egress|
      ip4_open?(egress) || ip6_open?(egress)
    end

    !violating_egresses.empty?
  end

  violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
    ip4_open?(standalone_egress) || ip6_open?(standalone_egress)
  end

  violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
end

#rule_idObject


18
19
20
# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 18

def rule_id
  'W5'
end

#rule_textObject


10
11
12
# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 10

def rule_text
  'Security Groups found with cidr open to world on egress'
end

#rule_typeObject


14
15
16
# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 14

def rule_type
  Violation::WARNING
end