class EC2NetworkAclEntryPortRangeRule
Public Instance Methods
audit_impl(cfn_model)
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 19
# Collects the logical ids of every AWS::EC2::NetworkAclEntry in the template
# that violating_network_acl_entries? reports as a finding. Entry order is the
# order in which the model returns the resources.
#
# @param cfn_model [CfnModel] parsed template; only resources_by_type is used
# @return [Array<String>] logical resource ids of the offending entries
def audit_impl(cfn_model)
  acl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
  acl_entries.each_with_object([]) do |acl_entry, offenders|
    offenders << acl_entry.logical_resource_id if violating_network_acl_entries?(acl_entry)
  end
end
rule_id()
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 15
# Identifier under which this rule is reported and can be suppressed.
# The W prefix matches the WARNING rule_type below.
#
# @return [String] the rule id, 'W67'
def rule_id
  'W67'
end
rule_text()
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 7
# Human-readable description shown with each finding. The rule fires for
# TCP/UDP entries whose PortRange is missing or spans 0-65535; "possibly"
# reflects that it is only a warning and needs human review.
#
# @return [String] the finding text
def rule_text
  'TCP/UDP protocol NetworkACL entries possibly should not allow all ports.'
end
rule_type()
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 11
# Severity of this rule. A wide-open NACL port range is reported as a warning
# rather than a failure because a NACL is only one layer (security groups
# still apply) and the intent may be deliberate.
#
# @return [Object] Violation::WARNING
def rule_type
  Violation::WARNING
end
Private Instance Methods
full_port_range?(network_acl_entry)
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 40
# True when the entry's PortRange covers every port, i.e. From is 0 and To is
# 65535. Both bounds are compared as strings so that integer and string
# template values are treated alike.
#
# Callers must have established that portRange is present (see
# port_range_params_not_exist?); a nil portRange raises here.
#
# @param network_acl_entry [Object] resource exposing #portRange as a Hash-like
# @return [Boolean]
def full_port_range?(network_acl_entry)
  from_port, to_port = %w[From To].map { |bound| network_acl_entry.portRange[bound].to_s }
  from_port == '0' && to_port == '65535'
end
port_range_params_not_exist?(network_acl_entry)
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 35
# True when the entry has no PortRange at all, or its PortRange lacks a From
# or To bound. For TCP/UDP an absent range is treated as a finding by the
# caller, since the effective scope is then not explicitly constrained.
#
# Only nil is treated as "missing"; a bound given as an intrinsic function
# or an empty string counts as present here.
#
# @param network_acl_entry [Object] resource exposing #portRange
# @return [Boolean]
def port_range_params_not_exist?(network_acl_entry)
  port_range = network_acl_entry.portRange
  return true if port_range.nil?

  %w[From To].any? { |bound| port_range[bound].nil? }
end
tcp_or_udp_protocol?(network_acl_entry)
A port range is required for protocols “6” (TCP) and “17” (UDP).
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 31
# True when the entry's Protocol is 6 (TCP) or 17 (UDP), the two protocols
# for which a PortRange is meaningful. The value is compared as a string so
# both numeric and quoted template values match. Entries using protocol -1
# (all protocols) are not matched and so are outside this rule's scope.
#
# @param network_acl_entry [Object] resource exposing #protocol
# @return [Boolean]
def tcp_or_udp_protocol?(network_acl_entry)
  case network_acl_entry.protocol.to_s
  when '6', '17' then true
  else false
  end
end
violating_network_acl_entries?(network_acl_entry)
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb, line 44
# Decides whether a single NetworkAclEntry is a finding: it must be TCP or
# UDP, and its PortRange must either be missing or span all ports (0-65535).
# The protocol check runs first so the port-range helpers, which assume a
# TCP/UDP entry, are only reached when it applies.
#
# NOTE(review): the entry's RuleAction is not consulted, so a Deny entry that
# spans all ports is reported as well — confirm whether that is intended.
#
# @param network_acl_entry [Object] resource exposing #protocol and #portRange
# @return [Boolean]
def violating_network_acl_entries?(network_acl_entry)
  return false unless tcp_or_udp_protocol?(network_acl_entry)

  port_range_params_not_exist?(network_acl_entry) || full_port_range?(network_acl_entry)
end