class EC2NetworkAclEntryProtocolRule
Public Instance Methods
audit_impl(cfn_model)
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 20
# Collect the logical ids of every AWS::EC2::NetworkAclEntry in the model
# that fails this rule (see #violating_network_acl_entries?).
#
# @param cfn_model [#resources_by_type] parsed template model; resources_by_type
#   is assumed to return the parsed resources of the requested type
# @return [Array] logical_resource_id of each violating entry, in model order
def audit_impl(cfn_model)
  acl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
  acl_entries.each_with_object([]) do |acl_entry, violating_ids|
    violating_ids << acl_entry.logical_resource_id if violating_network_acl_entries?(acl_entry)
  end
end
rule_id()
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 16
# Identifier under which violations of this rule are reported.
#
# @return [String] the cfn-nag rule id
def rule_id
  "W66"
end
rule_text()
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 7
# Human-readable explanation shown with each violation: which protocol
# numbers keep an Allow entry limited to the ports/ICMP types it names.
#
# @return [String] single-line rule description
def rule_text
  [
    'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17',
    '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
  ].join(' ')
end
rule_type()
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 12
# Severity of this rule. Reported as a warning rather than a failure.
#
# @return [Object] Violation::WARNING (defined elsewhere in the project)
def rule_type
  Violation::WARNING
end
Private Instance Methods
icmpv6_protocol?(network_acl_entry)
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 48
# Whether the entry is an ICMPv6 (protocol 58) rule that is fully specified:
# an IPv6 CIDR block plus both an ICMP Code and Type. Protocol 58 with an
# IPv4 CIDR block, or without type/code, is deliberately not accepted here.
#
# NOTE(review): only the presence of Code/Type is checked, not their values;
# a wildcard value would still pass this predicate.
#
# @param network_acl_entry [#protocol, #ipv6CidrBlock, #icmp] parsed entry;
#   icmp is read as a hash with 'Code' and 'Type' keys
# @return [Boolean]
def icmpv6_protocol?(network_acl_entry)
  return false unless network_acl_entry.protocol.to_s == '58'
  return false if network_acl_entry.ipv6CidrBlock.nil?

  icmp = network_acl_entry.icmp
  return false if icmp.nil?

  !icmp['Code'].nil? && !icmp['Type'].nil?
end
rule_action_allow?(network_acl_entry)
docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html#API_CreateNetworkAclEntry_RequestParameters A value of “-1” means all protocols. If you specify “-1” or a protocol number other than “6” (TCP), “17” (UDP), or “1” (ICMP), traffic on all ports is allowed, regardless of any ports or ICMP types or codes that you specify. If you specify protocol “58” (ICMPv6) and specify an IPv4 CIDR block, traffic for all ICMP types and codes is allowed, regardless of any that you specify. If you specify protocol “58” (ICMPv6) and specify an IPv6 CIDR block, you must specify an ICMP type and code.
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 40
# Only Allow entries can open traffic, so only they are inspected further.
# The comparison is exact and case-sensitive.
#
# @param network_acl_entry [#ruleAction] parsed entry
# @return [Boolean] true when RuleAction is 'allow'
def rule_action_allow?(network_acl_entry)
  action = network_acl_entry.ruleAction
  action == 'allow'
end
tcp_udp_icmp_protocol?(network_acl_entry)
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 44
# Whether the entry's protocol is one that AWS restricts to the ports / ICMP
# types named on the entry: ICMP (1), TCP (6) or UDP (17). The protocol is
# compared as a string so integer and string template values behave alike.
#
# @param network_acl_entry [#protocol] parsed entry
# @return [Boolean]
def tcp_udp_icmp_protocol?(network_acl_entry)
  case network_acl_entry.protocol.to_s
  when '1', '6', '17' then true
  else false
  end
end
violating_network_acl_entries?(network_acl_entry)
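# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb, line 54
# Decide whether a single NetworkAclEntry violates this rule.
#
# Deny entries never violate: they cannot open ports, whatever their
# protocol. An Allow entry violates unless its protocol is one whose
# port / ICMP restrictions AWS honours — TCP (6), UDP (17), ICMP (1), or a
# fully specified ICMPv6 (58) rule. Any other value (notably -1, all
# protocols) allows traffic on all ports regardless of the PortRange given.
#
# @param network_acl_entry [Object] parsed AWS::EC2::NetworkAclEntry; must
#   respond to whatever the three helper predicates read
# @return [Boolean] a strict boolean; the former nested if/else returned nil
#   for deny entries, which callers only ever used as a falsy value
def violating_network_acl_entries?(network_acl_entry)
  return false unless rule_action_allow?(network_acl_entry)

  !(tcp_udp_icmp_protocol?(network_acl_entry) || icmpv6_protocol?(network_acl_entry))
end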