class EC2NetworkAclEntryIneffectiveDenyRule
Public Instance Methods
audit_impl(cfn_model)
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 20 def audit_impl(cfn_model) violating_nacl_entries = [] cfn_model.resources_by_type('AWS::EC2::NetworkAcl').each do |nacl| violating_nacl_entries += violating_nacl_entries(nacl) end violating_nacl_entries.map(&:logical_resource_id) end
rule_id()
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 16 def rule_id 'W71' end
rule_text()
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 8 def rule_text 'NetworkACL Entry Deny rules should affect all CIDR ranges.' end
rule_type()
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 12 def rule_type Violation::WARNING end
Private Instance Methods
deny_does_not_cover_all_cidrs(nacl_entries)
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 31 def deny_does_not_cover_all_cidrs(nacl_entries) nacl_entries.select do |nacl_entry| nacl_entry.ruleAction == 'deny' && not_all_cidrs_covered?(nacl_entry) end end
egress(nacl_entries)
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 43 def egress(nacl_entries) nacl_entries.select do |nacl_entry| truthy?(nacl_entry.egress) end end
ingress(nacl_entries)
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 49 def ingress(nacl_entries) nacl_entries.select do |nacl_entry| not_truthy?(nacl_entry.egress) end end
not_all_cidrs_covered?(nacl_entry)
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 37 def not_all_cidrs_covered?(nacl_entry) (!nacl_entry.cidrBlock.nil? && nacl_entry.cidrBlock != '0.0.0.0/0') || (!nacl_entry.ipv6CidrBlock.nil? && (nacl_entry.ipv6CidrBlock != '::/0' && nacl_entry.ipv6CidrBlock != ':/0')) end
violating_nacl_entries(nacl)
click to toggle source
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 55 def violating_nacl_entries(nacl) deny_does_not_cover_all_cidrs(egress(nacl.network_acl_entries)) + deny_does_not_cover_all_cidrs(ingress(nacl.network_acl_entries)) end