class EC2NetworkAclEntryPortRangeRule

Public Instance Methods

# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 19
# Collect the logical IDs of every AWS::EC2::NetworkAclEntry in the model
# that the private predicate violating_network_acl_entries? flags.
#
# @param cfn_model the parsed template model; must respond to resources_by_type
# @return [Array] logical resource ids of the offending entries (empty when none)
def audit_impl(cfn_model)
  all_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
  violators = all_entries.select { |entry| violating_network_acl_entries?(entry) }
  violators.map(&:logical_resource_id)
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 15
# Identifier reported for this rule in cfn-nag output.
#
# @return [String] the fixed rule id "W67"
def rule_id
  "W67"
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 7
# Human-readable description shown next to each violation.
#
# @return [String] the rule's message text
def rule_text
  "TCP/UDP protocol NetworkACL entries possibly should not allow all ports."
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 11
# Severity of this rule. It is reported as a warning (the text says
# "possibly"): an all-ports entry may be intentional, so a reviewer is
# asked to confirm rather than the template being hard-failed.
#
# @return [Violation::WARNING] the warning severity constant
def rule_type
  Violation::WARNING
end

Private Instance Methods

# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 40
# True when the entry's PortRange is exactly 0..65535, i.e. every port.
# Both ends are compared as strings so integer and string template
# values (0 / "0", 65535 / "65535") are handled alike.
#
# NOTE(review): only the exact 0-65535 pair is matched. A range such as
# 1-65535 (still every usable port) or a PortRange built from an intrinsic
# function (Ref/Fn::*) is not flagged by this check.
#
# @param network_acl_entry resource whose portRange hash has 'From'/'To' keys
# @return [Boolean]
def full_port_range?(network_acl_entry)
  from_port = network_acl_entry.portRange['From'].to_s
  to_port = network_acl_entry.portRange['To'].to_s
  from_port == '0' && to_port == '65535'
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 35
# True when the entry has no usable PortRange: the property is absent
# altogether, or either of its 'From' / 'To' members is missing.
# For TCP/UDP this is treated as a violation by the caller, since an
# entry without a port range is not constrained to specific ports.
#
# @param network_acl_entry resource whose portRange may be nil or a hash
# @return [Boolean]
def port_range_params_not_exist?(network_acl_entry)
  port_range = network_acl_entry.portRange
  return true if port_range.nil?

  port_range['From'].nil? || port_range['To'].nil?
end

PortRange is required for protocol "6" (TCP) and "17" (UDP); entries with any other protocol value (including "-1", all protocols) are not examined by this rule.

# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 31
# True when the entry's Protocol is TCP (6) or UDP (17), the two protocols
# for which CloudFormation requires a PortRange. The value is stringified
# so that integer and string template values match the same way.
#
# NOTE(review): a Protocol of -1 (all protocols) is not treated as TCP/UDP
# here, so such entries fall outside this rule.
#
# @param network_acl_entry resource exposing a protocol value
# @return [Boolean]
def tcp_or_udp_protocol?(network_acl_entry)
  case network_acl_entry.protocol.to_s
  when '6', '17' then true
  else false
  end
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 44
# Decide whether a single NetworkAclEntry violates this rule: it must be
# TCP or UDP, and either have no (complete) PortRange or span 0-65535.
# Non-TCP/UDP entries are never violations, regardless of port range.
#
# @param network_acl_entry resource exposing protocol and portRange
# @return [Boolean]
def violating_network_acl_entries?(network_acl_entry)
  return false unless tcp_or_udp_protocol?(network_acl_entry)

  port_range_params_not_exist?(network_acl_entry) || full_port_range?(network_acl_entry)
end