package ec2

import (
	"github.com/khulnasoft-lab/defsec/internal/cidr"
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIngressSgr registers AVD-AWS-0107 (CIS AWS 1.2 controls 4.1
// and 4.2): an EC2 security group ingress rule must not admit traffic from a
// public CIDR block that spans more than one address.
//
// Every offending CIDR entry on a rule produces its own failure result. A rule
// is recorded as passed only when none of its CIDR entries is flagged, which
// also covers a rule with no CIDR entries at all. Note that the condition is
// broader than the "/0" wording in Summary: any public range larger than a
// single host (e.g. a /24) is reported, while a single public /32 is not.
var CheckNoPublicIngressSgr = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0107",
		Aliases:   []string{"aws-vpc-no-public-ingress-sgr"},
		Provider:  providers.AWSProvider,
		Service:   "ec2",
		ShortCode: "no-public-ingress-sgr",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"4.1", "4.2"},
		},
		Summary:     "An ingress security group rule allows traffic from /0.",
		Impact:      "Your port exposed to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressSgrGoodExamples,
			BadExamples:         terraformNoPublicIngressSgrBadExamples,
			Links:               terraformNoPublicIngressSgrLinks,
			RemediationMarkdown: terraformNoPublicIngressSgrRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicIngressSgrGoodExamples,
			BadExamples:         cloudFormationNoPublicIngressSgrBadExamples,
			Links:               cloudFormationNoPublicIngressSgrLinks,
			RemediationMarkdown: cloudFormationNoPublicIngressSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results scan.Results) {
		for _, sg := range s.AWS.EC2.SecurityGroups {
			for _, ingress := range sg.IngressRules {
				passed := true
				for _, cidrBlock := range ingress.CIDRs {
					rng := cidrBlock.Value()
					// Only a public range covering more than one address is a
					// finding; the public/size test is evaluated in that order so
					// the address count is computed only for public ranges.
					if !cidr.IsPublic(rng) || cidr.CountAddresses(rng) <= 1 {
						continue
					}
					passed = false
					results.Add(
						"Security group rule allows ingress from public internet.",
						cidrBlock,
					)
				}
				if passed {
					// NOTE(review): this passes the address of the range variable,
					// as the original did; assumes AddPassed consumes it immediately
					// rather than retaining the pointer — confirm in scan.Results.
					results.AddPassed(&ingress)
				}
			}
		}
		return results
	},
)