package elb

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/elb"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
)

// CheckAlbNotPublic (AVD-AWS-0053, severity High) reports every managed,
// non-gateway AWS load balancer whose scheme is definitely not internal,
// i.e. one that is internet-facing.
//
// The rule is intentionally noisy: a public load balancer is often what the
// operator wants, and the finding exists so that internet exposure is a
// conscious, reviewed decision rather than an accident. Operators who do
// want the exposure are expected to suppress the finding (see Resolution)
// rather than change the resource.
//
// Only a definite `internal = false` produces a failure; anything else
// (true, or a value the scanner could not resolve) is recorded as passed.
var CheckAlbNotPublic = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0053",
		Provider:   providers.AWSProvider,
		Service:    "elb",
		ShortCode:  "alb-not-public",
		Summary:    "Load balancer is exposed to the internet.",
		Impact:     "The load balancer is exposed on the internet",
		Resolution: "Switch to an internal load balancer or add a terrasec ignore",
		Explanation: `There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.`,
		Links:       []string{},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAlbNotPublicGoodExamples,
			BadExamples:         terraformAlbNotPublicBadExamples,
			Links:               terraformAlbNotPublicLinks,
			RemediationMarkdown: terraformAlbNotPublicRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Evaluate the rule against every load balancer in the scanned AWS state.
	func(s *state.State) (results scan.Results) {
		lbs := s.AWS.ELB.LoadBalancers
		for _, lb := range lbs {
			switch {
			case lb.Metadata.IsUnmanaged():
				// Not declared in the scanned input: there is no resource
				// to attribute a finding to, so it is neither failed nor passed.
				continue
			case lb.Type.EqualTo(elb.TypeGateway):
				// Gateway load balancers are exempt from this check
				// (presumably because the internal/internet-facing scheme does
				// not apply to them — NOTE(review): confirm against the provider
				// model before relying on this exemption).
				continue
			case lb.Internal.IsFalse():
				// Definitely internet-facing: flag it, anchored on the
				// `internal` attribute so the finding points at the scheme.
				results.Add(
					"Load balancer is exposed publicly.",
					lb.Internal,
				)
			default:
				// Everything that is not a definite `internal = false` lands
				// here, including values the scanner could not resolve, which
				// are therefore reported as passed rather than failed.
				// NOTE(review): this fails open for unresolvable schemes —
				// confirm that is the intended handling.
				results.AddPassed(&lb)
			}
		}
		return results
	},
)