class SecurityGroupIngressOpenToWorldRule
Public Instance Methods
audit_impl(cfn_model)
This behaves slightly differently from the legacy jq-based rule, which only inspected ingress rules defined inline on a security group: this implementation also audits standalone ingress resources (`cfn_model.standalone_ingress`), so an open-to-world rule attached to a group via a separate resource is reported as well.
# File lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb, line 26
# Collect the logical ids of every resource that carries an ingress rule open to the world.
#
# Two sources are checked: security groups with an inline ingress that
# `violating_ingress` flags (the *group's* logical id is reported, not the
# individual inline rule), and standalone ingress resources (reported by
# their own logical id). Group ids come first, then standalone ids.
#
# @param cfn_model [CfnModel] parsed template exposing +security_groups+ and +standalone_ingress+
# @return [Array<String>] logical resource ids of violating groups and standalone ingresses
def audit_impl(cfn_model)
  open_groups = cfn_model.security_groups.select do |group|
    # Inspect every inline rule (no short-circuit) so behaviour matches the
    # standalone path exactly; a group is flagged if at least one rule is open.
    open_rules = group.ingresses.select { |rule| violating_ingress(rule) }
    !open_rules.empty?
  end

  open_standalone = cfn_model.standalone_ingress.select do |rule|
    violating_ingress(rule)
  end

  # Order matters to callers/tests: group ids precede standalone ingress ids.
  (open_groups + open_standalone).map(&:logical_resource_id)
end
rule_id()
# File lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb, line 19
# Stable identifier for this rule, used in cfn_nag output and in
# suppression metadata. The "W" prefix mirrors +rule_type+: this is a
# warning, so an open-to-world ingress will not by itself fail a scan.
#
# @return [String] the rule id +'W2'+
def rule_id
  'W2'
end
rule_text()
# File lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb, line 10
# Human-readable finding text shown alongside the rule id.
#
# The message is intentionally unchanged: downstream tooling and
# suppression files may match on it verbatim. It encodes the security
# judgement behind the rule's WARNING level: a world-open ingress is
# expected on an internet-facing load balancer but not on an instance.
#
# @return [String] the finding description
def rule_text
  'Security Groups found with cidr open to world on ingress. This should ' \
    'never be true on instance. Permissible on ELB'
end
rule_type()
# File lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb, line 15
# Severity of this rule.
#
# Reported as a WARNING rather than a FAILING violation, so a template
# with a 0.0.0.0/0-style ingress still passes a default cfn_nag run;
# teams that want world-open ingress to block a pipeline must treat
# warnings as failures or wrap this rule accordingly.
#
# @return [Symbol, Object] +Violation::WARNING+
def rule_type
  Violation::WARNING
end
Private Instance Methods
violating_ingress(ingress)
# File lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb, line 44
# Whether a single ingress rule (inline or standalone) is open to the world.
#
# Delegates to +ip4_open?+ and +ip6_open?+ (defined elsewhere in this
# class); an ingress is flagged when either address family is open.
# The IPv6 check is only evaluated when the IPv4 check is negative,
# preserving the original short-circuit. Presumably the helpers look for
# unrestricted CIDRs such as 0.0.0.0/0 and ::/0 — confirm against their
# definitions, which are not shown here.
#
# @param ingress [Object] an ingress model understood by the +ip*_open?+ helpers
# @return [Boolean] true if the rule is open over IPv4 or IPv6
def violating_ingress(ingress)
  return true if ip4_open?(ingress)

  ip6_open?(ingress)
end