github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/ec2/restrict_all_in_default_sg.go (about)

     1  package ec2
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/internal/rules"
     5  	"github.com/khulnasoft-lab/defsec/pkg/framework"
     6  	"github.com/khulnasoft-lab/defsec/pkg/providers"
     7  	"github.com/khulnasoft-lab/defsec/pkg/scan"
     8  	"github.com/khulnasoft-lab/defsec/pkg/severity"
     9  	"github.com/khulnasoft-lab/defsec/pkg/state"
    10  )
    11  
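// CheckRestrictAllInDefaultSG implements CIS AWS 1.4 control 5.3: the default
// security group of every VPC must carry no ingress and no egress rules.
//
// Only default security groups are evaluated. A default group with at least
// one rule in either direction produces a failed result for its VPC; a default
// group with no rules produces a passed result for its VPC. Non-default
// security groups are outside the scope of this control and yield no result,
// so they can neither mask a non-compliant default group nor inflate the pass
// count.
var CheckRestrictAllInDefaultSG = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0173",
		Provider:  providers.AWSProvider,
		Service:   "ec2",
		ShortCode: "restrict-all-in-default-sg",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_4: {"5.3"},
		},
		Summary:    "Default security group should restrict all traffic",
		Impact:     "Easier to accidentally expose resources - goes against principle of least privilege",
		Resolution: "Configure default security group to restrict all traffic",
		Explanation: `
Configuring all VPC default security groups to restrict all traffic will encourage least
privilege security group development and mindful placement of AWS resources into
security groups which will in-turn reduce the exposure of those resources.
`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html",
		},
		Severity: severity.Low,
	},
	// The check walks every VPC in the scanned state and inspects each of its
	// security groups. Results are reported against the VPC, matching the
	// resource the control is phrased around.
	func(s *state.State) (results scan.Results) {
		for _, vpc := range s.AWS.EC2.VPCs {
			// Pin the variable whose address is handed to results so that the
			// pointer never aliases a later iteration, whatever the go.mod
			// language version in effect.
			vpc := vpc
			for _, sg := range vpc.SecurityGroups {
				// Non-default groups are governed by other checks; skipping
				// them keeps this control from recording vacuous passes.
				if !sg.IsDefault.IsTrue() {
					continue
				}
				if len(sg.IngressRules) > 0 || len(sg.EgressRules) > 0 {
					results.Add(
						"Default security group for VPC has ingress or egress rules.",
						&vpc,
					)
					continue
				}
				// The default group exists and restricts all traffic: record
				// the pass so compliant VPCs show up in the results as well.
				results.AddPassed(&vpc)
			}
		}
		return
	},
)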