package ec2

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicEgressSgr reports EC2 security group egress rules whose CIDR
// ranges cover more than one public internet address (e.g. 0.0.0.0/0). A rule
// is recorded as passed only when none of its CIDR blocks is flagged.
var CheckNoPublicEgressSgr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0104",
		Aliases:     []string{"aws-vpc-no-public-egress-sgr"},
		Provider:    providers.AWSProvider,
		Service:     "ec2",
		ShortCode:   "no-public-egress-sgr",
		Summary:     "An egress security group rule allows traffic to /0.",
		Impact:      "Your port is egressing data to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressSgrGoodExamples,
			BadExamples:         terraformNoPublicEgressSgrBadExamples,
			Links:               terraformNoPublicEgressSgrLinks,
			RemediationMarkdown: terraformNoPublicEgressSgrRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicEgressSgrGoodExamples,
			BadExamples:         cloudFormationNoPublicEgressSgrBadExamples,
			Links:               cloudFormationNoPublicEgressSgrLinks,
			RemediationMarkdown: cloudFormationNoPublicEgressSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Walk every egress rule of every security group in the scanned state.
	// Each offending CIDR block yields its own failure; a rule with no
	// offending block is recorded once as passed.
	func(s *state.State) (results scan.Results) {
		for _, group := range s.AWS.EC2.SecurityGroups {
			for _, rule := range group.EgressRules {
				flagged := false
				for _, block := range rule.CIDRs {
					rng := block.Value()
					// Only public ranges wider than a single address are
					// reported; a lone public /32 is tolerated. The address
					// count is computed only for public ranges.
					if !cidr.IsPublic(rng) || cidr.CountAddresses(rng) <= 1 {
						continue
					}
					flagged = true
					results.Add(
						"Security group rule allows egress to multiple public internet addresses.",
						block,
					)
				}
				if flagged {
					continue
				}
				// NOTE(review): this passes the address of the range variable;
				// under a pre-1.22 go.mod every iteration shares that variable,
				// so this is only safe if AddPassed reads the rule immediately
				// rather than retaining the pointer — confirm against scan.Results.
				results.AddPassed(&rule)
			}
		}
		return results
	},
)