class SecurityGroupEgressAllProtocolsRule
Public Instance Methods
audit_impl(cfn_model)
This will behave slightly differently from the legacy jq-based rule, which targeted inline ingress only.
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 25
# Collect the logical ids of every resource that carries an egress rule this
# rule objects to (see violating_egress): an IpProtocol of -1 (all protocols)
# that is not confined to a loopback destination.
#
# Two resource shapes are inspected, because the model exposes egress rules
# both inline on a security group and as standalone egress resources.
#
# @param cfn_model the parsed template; must respond to +security_groups+
#   (each with +egresses+ and +logical_resource_id+) and +standalone_egress+
#   (each with +logical_resource_id+) — assumed from usage, not shown here
# @return [Array<String>] logical ids of offending security groups first,
#   then offending standalone egress resources; empty when nothing is flagged
def audit_impl(cfn_model)
  # A security group is reported as a whole if any one of its inline
  # egress entries violates the rule.
  flagged_groups = cfn_model.security_groups.select do |security_group|
    security_group.egresses.any? { |egress| violating_egress(egress) }
  end

  # Standalone AWS::EC2::SecurityGroupEgress-style resources are checked
  # one by one, each being reported under its own logical id.
  flagged_standalone = cfn_model.standalone_egress.select do |egress|
    violating_egress(egress)
  end

  (flagged_groups + flagged_standalone).map(&:logical_resource_id)
end
rule_id()
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 18
# Stable identifier of this rule, used in reports and in rule suppression.
#
# @return [String] the rule id 'W40'
def rule_id
  rule_identifier = 'W40'
  rule_identifier
end
rule_text()
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 10
# Human-readable description shown alongside each reported violation.
#
# @return [String] the violation message for this rule
def rule_text
  message = 'Security Groups egress with an IpProtocol of -1 found'
  message
end
rule_type()
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 14
# Severity of this rule: a warning rather than a failure, so a template
# that trips it is reported but not rejected outright.
#
# @return [Object] Violation::WARNING
def rule_type
  severity = Violation::WARNING
  severity
end
Private Instance Methods
negative_1_protocol?(egress)
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 43
# Does this egress entry open all protocols, i.e. is its IpProtocol -1?
#
# Only an Integer or a String value is interpreted; any other type (e.g. a
# Hash left behind by an unresolved intrinsic function) is treated as
# "not -1", so such entries are never flagged by this rule.
#
# @param egress an object responding to +ipProtocol+
# @return [Boolean] true when the protocol value converts to -1
def negative_1_protocol?(egress)
  protocol = egress.ipProtocol
  case protocol
  when Integer, String
    # String#to_i is lenient: '-1', ' -1' and '-1.0' all yield -1,
    # while names such as 'tcp' yield 0 and therefore do not match.
    protocol.to_i == -1
  else
    false
  end
end
violating_egress(egress)
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 51
# Is this egress entry one the rule should report?
#
# An entry violates the rule when it opens all protocols (IpProtocol -1)
# and its destination is not a loopback address. The loopback exemption is
# delegated to ip4_localhost?/ip6_localhost? (defined elsewhere in this
# class; presumably they match the IPv4 and IPv6 loopback CIDRs — confirm),
# since an all-protocol rule confined to the host itself exposes nothing.
#
# @param egress an object responding to +ipProtocol+ and to whatever the
#   localhost helpers inspect
# @return [Boolean]
def violating_egress(egress)
  return false unless negative_1_protocol?(egress)

  # Same short-circuit order as before: the IPv6 check only runs when the
  # IPv4 check has not already exempted the entry.
  !(ip4_localhost?(egress) || ip6_localhost?(egress))
end