Class: SecurityGroupIngressOpenToWorldRule
- Defined in:
- lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
Instance Method Summary collapse
-
#audit_impl(cfn_model) ⇒ Object
This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only.
- #rule_id ⇒ Object
- #rule_text ⇒ Object
- #rule_type ⇒ Object
Methods inherited from BaseRule
Instance Method Details
#audit_impl(cfn_model) ⇒ Object
This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 20 def audit_impl(cfn_model) logical_resource_ids = [] cfn_model.security_groups.each do |security_group| violating_ingresses = security_group.securityGroupIngress.select do |ingress| # only care about literals. if a Hash/Ref not going to chase it down given likely a Parameter with external val ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0' end unless violating_ingresses.empty? logical_resource_ids << security_group.logical_resource_id end end violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress| standalone_ingress.cidrIp.is_a?(String) && standalone_ingress.cidrIp == '0.0.0.0/0' end logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id} end |
#rule_id ⇒ Object
14 15 16 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 14 def rule_id 'W2' end |
#rule_text ⇒ Object
6 7 8 |
# File 'lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb', line 6 def rule_text 'Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB' end |