
     1  package ec2
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     6  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     7  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     8  	"github.com/khulnasoft-lab/defsec/pkg/state"
     9  )
    10  
// CheckNoPublicIp is the AVD-AWS-0009 rule: an EC2 launch configuration should
// not explicitly associate a public IP address with the instances it launches.
// The rule is registered with the engine via rules.Register when the package
// is initialised, so the variable itself is only ever read by callers that
// want to reference the rule directly (for example, tests).
//
// Evaluation is deliberately narrow: a launch configuration is reported only
// when its AssociatePublicIP attribute resolves to true. Every other
// configuration is recorded as passed.
//
// NOTE(review): "passed" therefore presumably also covers values that are
// unset or that could not be resolved from the source (IsTrue reporting false
// in those cases) — confirm against the AssociatePublicIP type. In that
// situation a pass is not proof that the instance will be private, since the
// address assignment may still be decided elsewhere (e.g. at the subnet
// level); treat this rule as catching the explicit misconfiguration only.
//
// The "aws-autoscaling-no-public-ip" alias looks like an earlier identifier
// kept for backwards compatibility — verify before removing it.
var CheckNoPublicIp = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0009",
		Aliases:     []string{"aws-autoscaling-no-public-ip"},
		Provider:    providers.AWSProvider,
		Service:     "ec2",
		ShortCode:   "no-public-ip",
		Summary:     "Launch configuration should not have a public IP address.",
		Impact:      "The instance or configuration is publicly accessible",
		Resolution:  "Set the instance to not be publicly accessible",
		Explanation: `You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIpGoodExamples,
			BadExamples:         terraformNoPublicIpBadExamples,
			Links:               terraformNoPublicIpLinks,
			RemediationMarkdown: terraformNoPublicIpRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicIpGoodExamples,
			BadExamples:         cloudFormationNoPublicIpBadExamples,
			Links:               cloudFormationNoPublicIpLinks,
			RemediationMarkdown: cloudFormationNoPublicIpRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Walk every launch configuration in the adapted state and emit one
	// result (failed or passed) per configuration.
	func(s *state.State) (results scan.Results) {
		for _, lc := range s.AWS.EC2.LaunchConfigurations {
			// Only an explicit true is a finding; everything else passes.
			if !lc.AssociatePublicIP.IsTrue() {
				results.AddPassed(&lc)
				continue
			}
			// Anchor the finding on the attribute rather than the whole
			// resource so the reported location points at the offending
			// setting itself.
			results.Add(
				"Launch configuration associates public IP address.",
				lc.AssociatePublicIP,
			)
		}
		return
	},
)