Class: SecurityGroupIngressCidrNon32Rule

Inherits:
BaseRule
  • Object
Defined in:
lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb


Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object

This behaves slightly differently from the legacy jq-based rule, which targeted inline ingress only



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb', line 20

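# Flag security groups (inline ingress) and standalone ingress resources
# whose CidrIp literal is anything other than a single-host /32 range.
#
# Only String literals are examined; a Hash (Ref/intrinsic) is assumed to
# come from a Parameter with an external value and is not chased down.
# NOTE(review): this is a textual suffix check, not an IP parse, and
# CidrIpv6 is not inspected here — confirm whether another rule covers it.
#
# @param cfn_model [CfnModel] parsed template model exposing
#   +security_groups+ and +standalone_ingress+
# @return [Array<String>] logical resource ids of violating security groups
#   followed by violating standalone ingress resources
def audit_impl(cfn_model)
  # a group violates as soon as one of its inline ingress entries does
  violating_groups = cfn_model.security_groups.select do |security_group|
    security_group.securityGroupIngress.any? { |ingress| non_32_cidr?(ingress) }
  end

  violating_standalone = cfn_model.standalone_ingress.select do |ingress|
    non_32_cidr?(ingress)
  end

  (violating_groups + violating_standalone).map(&:logical_resource_id)
end

# True when the ingress carries a literal CidrIp that does not end in '/32'.
# Shared by the inline and standalone paths so both apply the same test.
#
# @param ingress [#cidrIp] an ingress entry or standalone ingress resource
# @return [Boolean]
private def non_32_cidr?(ingress)
  cidr = ingress.cidrIp
  cidr.is_a?(String) && !cidr.end_with?('/32')
end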

#rule_id ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb', line 14

# Identifier reported with each violation of this rule.
#
# @return [String] the warning id, 'W9'
def rule_id
  'W9'
end

#rule_text ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb', line 6

# Human-readable description shown alongside the rule id in findings.
#
# @return [String] the violation message
def rule_text
  %q(Security Groups found with ingress cidr that is not /32)
end

#rule_type ⇒ Object



# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb', line 10

# Severity of this rule: a warning rather than a failing violation.
#
# @return [Object] +Violation::WARNING+
def rule_type
  Violation::WARNING
end