package ec2

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIngress (AVD-AWS-0105) reports Network ACL entries that ALLOW
// INGRESS traffic from a public CIDR block spanning more than one address.
//
// What the check actually does (as opposed to what the Summary text says):
// it does not look for /0 specifically. Any source block that cidr.IsPublic
// accepts and that contains more than a single address (for example a public
// /24) is reported, while a lone public host (/32, /128) is tolerated. Egress
// entries, DENY entries and port/protocol fields are not considered at all,
// so a rule that opens "all traffic" and one that opens a single port are
// treated alike.
//
// One failed result is added per offending CIDR, anchored on the CIDR value
// so the finding points at the exact attribute; a rule with no offending CIDR
// is recorded as passed. The Terraform and CloudFormation example/remediation
// variables referenced below are defined elsewhere in this package.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0105",
		Aliases:     []string{"aws-vpc-no-public-ingress-acl"},
		Provider:    providers.AWSProvider,
		Service:     "ec2",
		ShortCode:   "no-public-ingress-acl",
		Summary:     "An ingress Network ACL rule allows specific ports from /0.",
		Impact:      "The ports are exposed for ingressing data to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ACLs to the public internet is potentially dangerous. 
You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressAclGoodExamples,
			BadExamples:         terraformNoPublicIngressAclBadExamples,
			Links:               terraformNoPublicIngressAclLinks,
			RemediationMarkdown: terraformNoPublicIngressAclRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicIngressAclGoodExamples,
			BadExamples:         cloudFormationNoPublicIngressAclBadExamples,
			Links:               cloudFormationNoPublicIngressAclLinks,
			RemediationMarkdown: cloudFormationNoPublicIngressAclRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, acl := range s.AWS.EC2.NetworkACLs {
			for _, rule := range acl.Rules {
				// Only an ALLOW entry in the INGRESS direction can expose something;
				// everything else is out of scope for this rule.
				isIngressAllow := rule.Type.EqualTo(ec2.TypeIngress) && rule.Action.EqualTo(ec2.ActionAllow)
				if !isIngressAllow {
					continue
				}

				passed := true
				for _, block := range rule.CIDRs {
					rng := block.Value()
					// "Public internet" here means a public range (per cidr.IsPublic,
					// presumably anything outside the private/reserved ranges — confirm
					// in internal/cidr) with more than one address. A single public
					// host address is deliberately not reported.
					if !cidr.IsPublic(rng) || cidr.CountAddresses(rng) <= 1 {
						continue
					}
					passed = false
					results.Add(
						"Network ACL rule allows ingress from public internet.",
						block,
					)
				}

				if passed {
					// NOTE(review): this takes the address of the range variable. On
					// Go < 1.22 every iteration shares one variable, so this is only
					// safe if AddPassed copies what it needs immediately rather than
					// retaining the pointer — confirm against scan.Results.AddPassed
					// and the module's go directive.
					results.AddPassed(&rule)
				}
			}
		}
		return results
	},
)