// CheckAddDescriptionToSecurityGroup reports VPC security groups whose
// description is empty or is still the literal "Managed by Terraform".
// Groups that are not managed by the scanned configuration are skipped;
// every other group gets a passed result.
var CheckAddDescriptionToSecurityGroup = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0099",
		Provider:    providers.AWSProvider,
		Service:     "vpc",
		ShortCode:   "add-description-to-security-group",
		Summary:     "Missing description for security group.",
		Impact:      "Descriptions provide context for the firewall rule reasons",
		Resolution:  "Add descriptions for all security groups",
		Explanation: `Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
		Links: []string{
			"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAddDescriptionToSecurityGroupGoodExamples,
			BadExamples:         terraformAddDescriptionToSecurityGroupBadExamples,
			Links:               terraformAddDescriptionToSecurityGroupLinks,
			RemediationMarkdown: terraformAddDescriptionToSecurityGroupRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationAddDescriptionToSecurityGroupGoodExamples,
			BadExamples:         cloudFormationAddDescriptionToSecurityGroupBadExamples,
			Links:               cloudFormationAddDescriptionToSecurityGroupLinks,
			RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// Evaluate every managed security group in the scanned state.
	func(s *state.State) (results scan.Results) {
		for _, sg := range s.AWS.VPC.SecurityGroups {
			// Unmanaged groups are outside the scanned configuration and
			// cannot be remediated there, so they are neither failed nor passed.
			if sg.IsUnmanaged() {
				continue
			}
			switch {
			case sg.Description.IsEmpty():
				results.Add(
					"Security group does not have a description.",
					sg.Description,
				)
			case sg.Description.EqualTo("Managed by Terraform"):
				// The provider default is treated the same as no description.
				results.Add(
					"Security group explicitly uses the default description.",
					sg.Description,
				)
			default:
				results.AddPassed(&sg)
			}
		}
		return results
	},
)
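// CheckAddDescriptionToSecurityGroupRule reports every egress and ingress
// security group rule whose description is empty; all other rules get a
// passed result.
//
// NOTE(review): unlike CheckAddDescriptionToSecurityGroup, this check does
// not skip unmanaged groups, so rules of groups outside the scanned
// configuration are evaluated too — confirm that is intended.
var CheckAddDescriptionToSecurityGroupRule = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0124",
		Provider:    providers.AWSProvider,
		Service:     "vpc",
		ShortCode:   "add-description-to-security-group-rule",
		Summary:     "Missing description for security group rule.",
		Impact:      "Descriptions provide context for the firewall rule reasons",
		Resolution:  "Add descriptions for all security groups rules",
		Explanation: `Security group rules should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups.`,
		Links: []string{
			"https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformAddDescriptionToSecurityGroupRuleGoodExamples,
			BadExamples:         terraformAddDescriptionToSecurityGroupRuleBadExamples,
			Links:               terraformAddDescriptionToSecurityGroupRuleLinks,
			RemediationMarkdown: terraformAddDescriptionToSecurityGroupRuleRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationAddDescriptionToSecurityGroupRuleGoodExamples,
			BadExamples:         cloudFormationAddDescriptionToSecurityGroupRuleBadExamples,
			Links:               cloudFormationAddDescriptionToSecurityGroupRuleLinks,
			RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRuleRemediationMarkdown,
		},
		Severity: severity.Low,
	},
	// Evaluate the egress rules followed by the ingress rules of each group.
	func(s *state.State) (results scan.Results) {
		for _, group := range s.AWS.VPC.SecurityGroups {
			// Cap the egress slice at its length before appending so the
			// combined list is always built in a fresh backing array. A plain
			// append(group.EgressRules, group.IngressRules...) would write the
			// ingress rules into any spare capacity of the state's EgressRules
			// backing array, which other holders of that slice may share.
			egress := group.EgressRules
			all := append(egress[:len(egress):len(egress)], group.IngressRules...)
			for _, rule := range all {
				if rule.Description.IsEmpty() {
					results.Add(
						"Security group rule does not have a description.",
						rule.Description,
					)
					continue
				}
				results.AddPassed(&rule)
			}
		}
		return results
	},
)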
// CheckNoDefaultVpc reports every default VPC present in the scanned state.
// There is no passing case: a default VPC is flagged simply by existing.
var CheckNoDefaultVpc = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0101",
		Provider:    providers.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-default-vpc",
		Summary:     "AWS best practice to not use the default VPC for workflows",
		Impact:      "The default VPC does not have critical security features applied",
		Resolution:  "Create a non-default vpc for resources to be created in",
		Explanation: `Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoDefaultVpcGoodExamples,
			BadExamples:         terraformNoDefaultVpcBadExamples,
			Links:               terraformNoDefaultVpcLinks,
			RemediationMarkdown: terraformNoDefaultVpcRemediationMarkdown,
		},
		Severity: severity.High,
	},
	// Emit one failure per default VPC found in the state.
	func(s *state.State) (results scan.Results) {
		defaults := s.AWS.VPC.DefaultVPCs
		for i := range defaults {
			// Address a per-iteration copy, as the original range form did.
			defaultVPC := defaults[i]
			results.Add(
				"Default VPC is used.",
				&defaultVPC,
			)
		}
		return results
	},
)
// CheckNoExcessivePortAccess reports network ACL rules whose protocol is
// "-1" or "all", i.e. rules that are not restricted to specific ports.
//
// NOTE(review): the rule summary speaks of ingress rules, but the check
// applies no Type filter, so egress ACL rules are reported as well —
// confirm that is intended.
var CheckNoExcessivePortAccess = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0102",
		Provider:    providers.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-excessive-port-access",
		Summary:     "An ingress Network ACL rule allows ALL ports.",
		Impact:      "All ports exposed for egressing data",
		Resolution:  "Set specific allowed ports",
		Explanation: `Ensure access to specific required ports is allowed, and nothing else.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoExcessivePortAccessGoodExamples,
			BadExamples:         terraformNoExcessivePortAccessBadExamples,
			Links:               terraformNoExcessivePortAccessLinks,
			RemediationMarkdown: terraformNoExcessivePortAccessRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoExcessivePortAccessGoodExamples,
			BadExamples:         cloudFormationNoExcessivePortAccessBadExamples,
			Links:               cloudFormationNoExcessivePortAccessLinks,
			RemediationMarkdown: cloudFormationNoExcessivePortAccessRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluate every rule of every network ACL in the state.
	func(s *state.State) (results scan.Results) {
		for _, acl := range s.AWS.VPC.NetworkACLs {
			for _, rule := range acl.Rules {
				proto := rule.Protocol
				// Either spelling of "any protocol" means all ports are open.
				allPorts := proto.EqualTo("-1") || proto.EqualTo("all")
				if !allPorts {
					results.AddPassed(&rule)
					continue
				}
				results.Add(
					"Network ACL rule allows access using ALL ports.",
					proto,
				)
			}
		}
		return results
	},
)
// CheckNoPublicEgressSgr reports egress security group rules that allow
// traffic to a public CIDR block covering more than one address. A rule is
// passed only when none of its CIDR blocks trips that condition; a single
// public host address (one address) is tolerated.
var CheckNoPublicEgressSgr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0104",
		Provider:    providers.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-public-egress-sgr",
		Summary:     "An egress security group rule allows traffic to /0.",
		Impact:      "Your port is egressing data to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicEgressSgrGoodExamples,
			BadExamples:         terraformNoPublicEgressSgrBadExamples,
			Links:               terraformNoPublicEgressSgrLinks,
			RemediationMarkdown: terraformNoPublicEgressSgrRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicEgressSgrGoodExamples,
			BadExamples:         cloudFormationNoPublicEgressSgrBadExamples,
			Links:               cloudFormationNoPublicEgressSgrLinks,
			RemediationMarkdown: cloudFormationNoPublicEgressSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluate each CIDR block of each egress rule; one failure per offending block.
	func(s *state.State) (results scan.Results) {
		for _, group := range s.AWS.VPC.SecurityGroups {
			for _, rule := range group.EgressRules {
				open := false
				for _, block := range rule.CIDRs {
					addr := block.Value()
					// Only public ranges wider than a single address are reported.
					if !cidr.IsPublic(addr) || cidr.CountAddresses(addr) <= 1 {
						continue
					}
					open = true
					results.Add(
						"Security group rule allows egress to multiple public internet addresses.",
						block,
					)
				}
				if open {
					continue
				}
				results.AddPassed(&rule)
			}
		}
		return results
	},
)
// CheckNoPublicIngress reports network ACL ingress rules with the allow
// action whose CIDR blocks include a public range covering more than one
// address. Egress rules and deny rules are ignored entirely (neither failed
// nor passed); a single public host address is tolerated.
var CheckNoPublicIngress = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0105",
		Provider:    providers.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-public-ingress-acl",
		Summary:     "An ingress Network ACL rule allows specific ports from /0.",
		Impact:      "The ports are exposed for ingressing data to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressAclGoodExamples,
			BadExamples:         terraformNoPublicIngressAclBadExamples,
			Links:               terraformNoPublicIngressAclLinks,
			RemediationMarkdown: terraformNoPublicIngressAclRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicIngressAclGoodExamples,
			BadExamples:         cloudFormationNoPublicIngressAclBadExamples,
			Links:               cloudFormationNoPublicIngressAclLinks,
			RemediationMarkdown: cloudFormationNoPublicIngressAclRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluate allow/ingress ACL rules only; one failure per offending CIDR block.
	func(s *state.State) (results scan.Results) {
		for _, acl := range s.AWS.VPC.NetworkACLs {
			for _, rule := range acl.Rules {
				// Only rules that admit inbound traffic are relevant here.
				isIngressAllow := rule.Type.EqualTo(vpc.TypeIngress) && rule.Action.EqualTo(vpc.ActionAllow)
				if !isIngressAllow {
					continue
				}
				open := false
				for _, block := range rule.CIDRs {
					addr := block.Value()
					// Only public ranges wider than a single address are reported.
					if !cidr.IsPublic(addr) || cidr.CountAddresses(addr) <= 1 {
						continue
					}
					open = true
					results.Add(
						"Network ACL rule allows ingress from public internet.",
						block,
					)
				}
				if open {
					continue
				}
				results.AddPassed(&rule)
			}
		}
		return results
	},
)
// CheckNoPublicIngressSgr reports ingress security group rules that allow
// traffic from a public CIDR block covering more than one address. A rule is
// passed only when none of its CIDR blocks trips that condition; a single
// public host address (one address) is tolerated.
var CheckNoPublicIngressSgr = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0107",
		Provider:    providers.AWSProvider,
		Service:     "vpc",
		ShortCode:   "no-public-ingress-sgr",
		Summary:     "An ingress security group rule allows traffic from /0.",
		Impact:      "Your port exposed to the internet",
		Resolution:  "Set a more restrictive cidr range",
		Explanation: `Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.`,
		Links: []string{
			"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformNoPublicIngressSgrGoodExamples,
			BadExamples:         terraformNoPublicIngressSgrBadExamples,
			Links:               terraformNoPublicIngressSgrLinks,
			RemediationMarkdown: terraformNoPublicIngressSgrRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationNoPublicIngressSgrGoodExamples,
			BadExamples:         cloudFormationNoPublicIngressSgrBadExamples,
			Links:               cloudFormationNoPublicIngressSgrLinks,
			RemediationMarkdown: cloudFormationNoPublicIngressSgrRemediationMarkdown,
		},
		Severity: severity.Critical,
	},
	// Evaluate each CIDR block of each ingress rule; one failure per offending block.
	func(s *state.State) (results scan.Results) {
		for _, group := range s.AWS.VPC.SecurityGroups {
			for _, rule := range group.IngressRules {
				open := false
				for _, block := range rule.CIDRs {
					addr := block.Value()
					// Only public ranges wider than a single address are reported.
					if !cidr.IsPublic(addr) || cidr.CountAddresses(addr) <= 1 {
						continue
					}
					open = true
					results.Add(
						"Security group rule allows ingress from public internet.",
						block,
					)
				}
				if open {
					continue
				}
				results.AddPassed(&rule)
			}
		}
		return results
	},
)
Source Files ¶
- add_description_to_security_group.cf.go
- add_description_to_security_group.go
- add_description_to_security_group.tf.go
- add_description_to_security_group_rule.cf.go
- add_description_to_security_group_rule.go
- add_description_to_security_group_rule.tf.go
- no_default_vpc.go
- no_default_vpc.tf.go
- no_excessive_port_access.cf.go
- no_excessive_port_access.go
- no_excessive_port_access.tf.go
- no_public_egress_sgr.cf.go
- no_public_egress_sgr.go
- no_public_egress_sgr.tf.go
- no_public_ingress_acl.cf.go
- no_public_ingress_acl.go
- no_public_ingress_acl.tf.go
- no_public_ingress_sgr.cf.go
- no_public_ingress_sgr.go
- no_public_ingress_sgr.tf.go