// CheckAddDescriptionToSecurityGroup reports every managed security group whose
// Description attribute is empty. The finding is Low severity: a missing
// description does not open anything, it only removes the context an auditor
// needs to judge why the group (and its rules) exist.
var CheckAddDescriptionToSecurityGroup = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0099",
		Provider:    provider.AWSProvider,
		Service:     "vpc",
		ShortCode:   "add-description-to-security-group",
		Summary:     "Missing description for security group.",
		Impact:      "Descriptions provide context for the firewall rule reasons",
		Resolution:  "Add descriptions for all security groups",
		Explanation: `Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
		Links: []string{
			"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results rules.Results) {
		for _, sg := range s.AWS.VPC.SecurityGroups {
			// Groups that are not managed are skipped entirely: neither a
			// finding nor a pass is recorded for them. NOTE(review): presumably
			// these are groups referenced but not defined in the scanned
			// config, so there is no description to evaluate — confirm.
			if !sg.IsManaged() {
				continue
			}
			if !sg.Description.IsEmpty() {
				// NOTE(review): &sg is the address of the range variable; on
				// Go < 1.22 every iteration shares it — confirm the module's
				// Go version if the passed-result metadata looks wrong.
				results.AddPassed(&sg)
				continue
			}
			results.Add(
				"Security group does not have a description.",
				&sg,
				sg.Description,
			)
		}
		return results
	},
)
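// CheckAddDescriptionToSecurityGroupRule reports every security group rule,
// egress and ingress alike, whose Description attribute is empty.
//
// NOTE(review): this rule registers the same AVDID ("AVD-AWS-0099") as
// CheckAddDescriptionToSecurityGroup, so findings from the two cannot be told
// apart by identifier — confirm which ID this rule should carry. Unlike that
// sibling it also does not skip unmanaged groups; confirm that is intended
// before aligning the two.
var CheckAddDescriptionToSecurityGroupRule = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0099",
		Provider:    provider.AWSProvider,
		Service:     "vpc",
		ShortCode:   "add-description-to-security-group-rule",
		Summary:     "Missing description for security group rule.",
		Impact:      "Descriptions provide context for the firewall rule reasons",
		Resolution:  "Add descriptions for all security groups rules",
		Explanation: `Security group rules should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
		Links: []string{
			"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
		},
		Severity: severity.Low,
	},
	func(s *state.State) (results rules.Results) {
		for _, group := range s.AWS.VPC.SecurityGroups {
			group := group // own address per iteration on Go < 1.22
			// Cap the egress slice at its length before appending. A plain
			// append(group.EgressRules, ...) reuses any spare capacity of the
			// receiver and would write the ingress rules into the backing
			// array of group.EgressRules; the three-index slice forces a
			// fresh allocation instead.
			egress := group.EgressRules[:len(group.EgressRules):len(group.EgressRules)]
			for _, rule := range append(egress, group.IngressRules...) {
				rule := rule // own address per iteration on Go < 1.22
				if rule.Description.IsEmpty() {
					results.Add(
						"Security group rule does not have a description.",
						&group,
						&rule,
					)
					continue
				}
				results.AddPassed(&rule)
			}
		}
		return results
	},
)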
// CheckNoDefaultVpc reports every default VPC found in the scanned state. The
// rule has no passing case: a default VPC that is present is the finding, so
// AddPassed is never called and nothing is reported when DefaultVPCs is empty.
var CheckNoDefaultVpc = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0101",
		Provider:    provider.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-default-vpc",
		Summary:     "AWS best practice to not use the default VPC for workflows",
		Impact:      "The default VPC does not have critical security features applied",
		Resolution:  "Create a non-default vpc for resources to be created in",
		Explanation: `Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html",
		},
		Severity: severity.High,
	},
	func(s *state.State) (results rules.Results) {
		defaultVPCs := s.AWS.VPC.DefaultVPCs
		for _, defaultVPC := range defaultVPCs {
			// One finding per default VPC; the VPC itself is the evidence.
			results.Add("Default VPC is used.", &defaultVPC)
		}
		return results
	},
)
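// CheckNoExcessivePortAccess reports Network ACL allow rules whose protocol is
// -1, i.e. rules that admit every protocol and therefore every port.
//
// Only rules whose Action is allow are considered. A deny rule with protocol
// -1 (the catch-all deny that closes an ACL) cannot "allow ALL ports", and the
// original check reported it as Critical because it tested the protocol alone.
//
// NOTE(review): the rule's Summary speaks of an ingress rule while its Impact
// speaks of egressing data; the check itself does not look at rule.Type, so
// both directions are evaluated. Confirm whether it should be limited to
// ingress (compare CheckNoPublicIngress) and fix the metadata accordingly.
var CheckNoExcessivePortAccess = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0102",
		Provider:    provider.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-excessive-port-access",
		Summary:     "An ingress Network ACL rule allows ALL ports.",
		Impact:      "All ports exposed for egressing data",
		Resolution:  "Set specific allowed ports",
		Explanation: `Ensure access to specific required ports is allowed, and nothing else.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results rules.Results) {
		for _, acl := range s.AWS.VPC.NetworkACLs {
			for _, rule := range acl.Rules {
				// Deny rules are neither a finding nor a pass; they are
				// skipped the same way CheckNoPublicIngress skips them.
				if !rule.Action.EqualTo(vpc.ActionAllow) {
					continue
				}
				if rule.Protocol.EqualTo(-1) {
					results.Add(
						"Network ACL rule allows access using ALL ports.",
						&rule,
						rule.Protocol,
					)
					continue
				}
				results.AddPassed(&rule)
			}
		}
		return results
	},
)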
// CheckNoPublicEgressSgr reports security group egress rules that allow
// traffic to a public CIDR block. A rule produces one finding per public
// block in its CIDRs and is only recorded as passed when none of its blocks
// is public. The port range is not consulted; any public destination fails.
var CheckNoPublicEgressSgr = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0104",
		Provider:    provider.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-public-egress-sgr",
		Summary:     "An egress security group rule allows traffic to /0.",
		Impact:      "Your port is egressing data to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html",
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results rules.Results) {
		for _, group := range s.AWS.VPC.SecurityGroups {
			for _, rule := range group.EgressRules {
				public := false
				for _, block := range rule.CIDRs {
					// What counts as "public" is decided by cidr.IsPublic,
					// which is outside this file.
					if !cidr.IsPublic(block.Value()) {
						continue
					}
					public = true
					results.Add(
						"Security group rule allows egress to public internet.",
						&group,
						block,
					)
				}
				if !public {
					results.AddPassed(&rule)
				}
			}
		}
		return results
	},
)
// CheckNoPublicIngress reports Network ACL rules that allow ingress from a
// public CIDR block. Rules that are not ingress, or whose action is not allow,
// are skipped without recording a pass or a failure. An evaluated rule yields
// one finding per public block and is recorded as passed only when none of
// its blocks is public.
var CheckNoPublicIngress = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0105",
		Provider:    provider.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-public-ingress-acl",
		Summary:     "An ingress Network ACL rule allows specific ports from /0.",
		Impact:      "The ports are exposed for ingressing data to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results rules.Results) {
		for _, acl := range s.AWS.VPC.NetworkACLs {
			for _, rule := range acl.Rules {
				// Only ingress allow rules can expose something; deny rules
				// and egress rules are out of scope for this check.
				if !rule.Type.EqualTo(vpc.TypeIngress) || !rule.Action.EqualTo(vpc.ActionAllow) {
					continue
				}
				public := false
				for _, block := range rule.CIDRs {
					if !cidr.IsPublic(block.Value()) {
						continue
					}
					public = true
					results.Add(
						"Network ACL rule allows ingress from public internet.",
						&rule,
						block,
					)
				}
				if !public {
					results.AddPassed(&rule)
				}
			}
		}
		return results
	},
)
// CheckNoPublicIngressSgr reports security group ingress rules that allow
// traffic from a public CIDR block. Like its egress counterpart it emits one
// finding per public block and records a pass only for rules with no public
// block at all; the port range is not consulted, so a public source on any
// port fails.
//
// NOTE(review): unlike CheckAddDescriptionToSecurityGroup this check does not
// skip unmanaged groups — confirm whether that difference is deliberate.
var CheckNoPublicIngressSgr = rules.Register(
	rules.Rule{
		AVDID:       "AVD-AWS-0107",
		Provider:    provider.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-public-ingress-sgr",
		Summary:     "An ingress security group rule allows traffic from /0.",
		Impact:      "Your port exposed to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html",
		},
		Severity: severity.Critical,
	},
	func(s *state.State) (results rules.Results) {
		for _, group := range s.AWS.VPC.SecurityGroups {
			for _, rule := range group.IngressRules {
				exposed := false
				for _, block := range rule.CIDRs {
					if !cidr.IsPublic(block.Value()) {
						continue
					}
					exposed = true
					results.Add(
						"Security group rule allows ingress from public internet.",
						&group,
						block,
					)
				}
				if !exposed {
					// NOTE(review): &rule is the range variable's address; on
					// Go < 1.22 all iterations share it — confirm Go version.
					results.AddPassed(&rule)
				}
			}
		}
		return results
	},
)