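package ec2

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoExcessivePortAccess flags every AWS Network ACL rule that allows
// traffic for any protocol, and therefore on every port. A rule fails when
// its action is "allow" and its protocol is "-1" or "all"; every other rule
// (including a "deny" on all protocols) is recorded as passed.
var CheckNoExcessivePortAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0102",
		Aliases:     []string{"aws-vpc-no-excessive-port-access"},
		Provider:    providers.AWSProvider,
		Service:     "ec2",
		ShortCode:   "no-excessive-port-access",
		Summary:     "An Network ACL rule allows ALL ports.",
		Impact:      "All ports exposed for ingressing/egressing data",
		Resolution:  "Set specific allowed ports",
		Explanation: `Ensure access to specific required ports is allowed, and nothing else.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoExcessivePortAccessGoodExamples,
			BadExamples:         terraformNoExcessivePortAccessBadExamples,
			Links:               terraformNoExcessivePortAccessLinks,
			RemediationMarkdown: terraformNoExcessivePortAccessRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoExcessivePortAccessGoodExamples,
			BadExamples:         cloudFormationNoExcessivePortAccessBadExamples,
			Links:               cloudFormationNoExcessivePortAccessLinks,
			RemediationMarkdown: cloudFormationNoExcessivePortAccessRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Walks every NACL rule in the state and reports each "allow any protocol"
	// rule as a failure, attributing the finding to the rule's Protocol field.
	func(s *state.State) (results scan.Results) {
		for _, acl := range s.AWS.EC2.NetworkACLs {
			for _, rule := range acl.Rules {
				// "-1" and "all" are the two spellings of "any protocol" this
				// check recognises; either one exposes every port. The protocol
				// test must be grouped explicitly: without the parentheses Go's
				// precedence (&& binds before ||) made a "deny all" rule fail
				// the check and an "allow all" rule only trip on "-1".
				allProtocols := rule.Protocol.EqualTo("-1") || rule.Protocol.EqualTo("all")
				if rule.Action.EqualTo("allow") && allProtocols {
					results.Add(
						"Network ACL rule allows access using ALL ports.",
						rule.Protocol,
					)
					continue
				}
				// NOTE(review): &rule is the address of the loop variable; this is
				// only safe if AddPassed consumes what it needs immediately (or the
				// module targets Go >= 1.22 per-iteration loop variables) — confirm.
				results.AddPassed(&rule)
			}
		}
		return
	},
)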