Class: Terracop::Cop::Aws::UnrestrictedEgressPorts

Inherits:
SecurityGroupRuleCop
Defined in:
lib/terracop/cop/aws/unrestricted_egress_ports.rb

Overview

This cop warns against egress security group rules that allow any port. Such a rule would, for example, let an attacker who has compromised an instance in that security group use it to send spam email, since outbound port 25 would be left open.

Examples:

# bad: a TCP egress rule spanning every port (0-65535)
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  protocol          = "tcp"
  from_port         = 0
  to_port           = 65535
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.example.id # assumed: the group the rule attaches to
}

# good: egress limited to the single port that is actually needed
resource "aws_security_group_rule" "egress" {
  type              = "egress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.example.id # assumed: the group the rule attaches to
}

Instance Attribute Summary

Attributes inherited from Base

#attributes, #index, #name, #offenses, #type

Instance Method Summary

Methods inherited from Base

config, cop_name, #human_name, #initialize, #offense, run

Constructor Details

This class inherits a constructor from Terracop::Cop::Base

Instance Method Details

#check ⇒ Object

# File 'lib/terracop/cop/aws/unrestricted_egress_ports.rb', line 29

def check
  # Only egress rules for TCP or UDP that span every port are flagged;
  # the predicates come from SecurityGroupRuleCop.
  return unless egress? && (tcp? || udp?) && any_port?

  offense('Limit egress traffic to small port ranges.', :security)
end
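To make the condition in #check concrete (and the Overview's "any port" wording testable), here is an added, stand-alone example that is not Terracop's own code: it re-implements the same predicate logic over plain Ruby hashes representing aws_security_group_rule attributes and runs it over a few constructed rules. The hash layout, the definition of any_port? as the full 0-65535 range, and the names offense_for, check_rules and SAMPLE_RULES are assumptions made for this example; the real cop gets these predicates from SecurityGroupRuleCop.

```ruby
# Added example, not Terracop's own code: a self-contained re-implementation of the
# UnrestrictedEgressPorts#check condition over constructed rule hashes.

# Each rule is a Hash of aws_security_group_rule attributes (assumed layout).
def egress?(rule)
  rule[:type].to_s == 'egress'
end

def tcp?(rule)
  rule[:protocol].to_s.downcase == 'tcp'
end

def udp?(rule)
  rule[:protocol].to_s.downcase == 'udp'
end

# Assumption: "any port" means the rule covers the entire 0-65535 range.
# Missing ports default to 0; ICMP's -1/-1 convention does not match.
def any_port?(rule)
  from = Integer(rule[:from_port] || 0)
  to   = Integer(rule[:to_port] || 0)
  from <= 0 && to >= 65_535
end

# Mirrors the cop: only egress TCP/UDP rules that open every port get an offense.
def offense_for(rule)
  return nil unless egress?(rule) && (tcp?(rule) || udp?(rule)) && any_port?(rule)

  { name: rule[:name],
    message: 'Limit egress traffic to small port ranges.',
    severity: :security }
end

# Returns the list of offenses for a whole set of rules (nil results dropped).
def check_rules(rules)
  rules.map { |rule| offense_for(rule) }.compact
end

# Constructed sample rules covering the cases the check distinguishes.
SAMPLE_RULES = [
  { name: 'egress_all_tcp', type: 'egress',  protocol: 'tcp',  from_port: 0,   to_port: 65_535 },
  { name: 'egress_https',   type: 'egress',  protocol: 'tcp',  from_port: 443, to_port: 443 },
  { name: 'ingress_all',    type: 'ingress', protocol: 'tcp',  from_port: 0,   to_port: 65_535 },
  { name: 'egress_all_udp', type: 'egress',  protocol: 'udp',  from_port: 0,   to_port: 65_535 },
  { name: 'egress_icmp',    type: 'egress',  protocol: 'icmp', from_port: -1,  to_port: -1 }
].freeze

if __FILE__ == $PROGRAM_NAME
  check_rules(SAMPLE_RULES).each do |offense|
    puts "#{offense[:name]}: #{offense[:message]} (#{offense[:severity]})"
  end
end
```

Running the file reports only egress_all_tcp and egress_all_udp: the HTTPS-only rule, the ingress rule, and the ICMP rule fall through the same three-part guard the cop uses.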