Class: SecurityGroupEgressOpenToWorldRule

Inherits:

BaseRule

• Object
• BaseRule
• SecurityGroupEgressOpenToWorldRule

Defined in:

lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb

Instance Method Summary

• #audit_impl(cfn_model) ⇒ Object

  This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only.

• #rule_id ⇒ Object
• #rule_text ⇒ Object
• #rule_type ⇒ Object

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object

This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only

# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 20

def audit_impl(cfn_model)
  logical_resource_ids = []
  cfn_model.security_groups.each do |security_group|
    violating_egresses = security_group.securityGroupEgress.select do |egress|
      # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
      egress.cidrIp.is_a?(String) && egress.cidrIp == '0.0.0.0/0'
    end

    unless violating_egresses.empty?
      logical_resource_ids << security_group.logical_resource_id
    end
  end

  violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
    standalone_egress.cidrIp.is_a?(String) && standalone_egress.cidrIp == '0.0.0.0/0'
  end

  logical_resource_ids + violating_egresses.map { |egress| egress.logical_resource_id}
end

#rule_id ⇒ Object

# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 14

def rule_id
  'W5'
end

#rule_text ⇒ Object

# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 6

def rule_text
  'Security Groups found with cidr open to world on egress'
end

#rule_type ⇒ Object

# File 'lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb', line 10

def rule_type
  Violation::WARNING
end