package ec2

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckNoPublicIpSubnet is the registered rule AVD-AWS-0164: every EC2 subnet
// whose MapPublicIpOnLaunch attribute resolves to true is reported as a failed
// result (with the attribute itself as the evidence); every other subnet is
// recorded as passed. Severity is High because instances launched into such a
// subnet get a public address without any explicit per-instance opt-in.
var CheckNoPublicIpSubnet = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0164",
		Aliases:     []string{"aws-subnet-no-public-ip"},
		Provider:    providers.AWSProvider,
		Service:     "ec2",
		ShortCode:   "no-public-ip-subnet",
		Summary:     "Instances in a subnet should not receive a public IP address by default.",
		Impact:      "The instance is publicly accessible",
		Resolution:  "Set the instance to not be publicly accessible",
		Explanation: `You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIpSubnetGoodExamples,
			BadExamples:         terraformNoPublicIpSubnetBadExamples,
			Links:               terraformNoPublicIpSubnetLinks,
			RemediationMarkdown: terraformNoPublicIpSubnetRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicIpSubnetGoodExamples,
			BadExamples:         cloudFormationNoPublicIpSubnetBadExamples,
			Links:               cloudFormationNoPublicIpSubnetLinks,
			RemediationMarkdown: cloudFormationNoPublicIpSubnetRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Rule body: one result per subnet in the scanned state. Only a value that
	// IsTrue() reports as true is flagged; anything else (false, or presumably
	// an unresolved/unknown attribute — verify against the types package) takes
	// the passing branch.
	func(s *state.State) scan.Results {
		var results scan.Results
		for _, subnet := range s.AWS.EC2.Subnets {
			if !subnet.MapPublicIpOnLaunch.IsTrue() {
				// NOTE(review): this passes the address of the range variable.
				// That is only safe if AddPassed extracts what it needs
				// immediately rather than retaining the pointer (on Go < 1.22
				// every iteration shares one variable) — confirm against
				// scan.Results.AddPassed.
				results.AddPassed(&subnet)
				continue
			}
			// The attribute is passed as the evidence so the finding points at
			// the exact line/range where map_public_ip_on_launch is set.
			results.Add(
				"Subnet associates public IP address.",
				subnet.MapPublicIpOnLaunch,
			)
		}
		return results
	},
)