class SecurityGroupIngressAllProtocolsRule

Public Instance Methods

audit_impl(cfn_model)

This behaves slightly differently from the legacy jq-based rule, which targeted inline ingress only.

# File lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb, line 22
# Collects the logical ids of resources whose ingress opens all protocols
# (an ipProtocol that resolves to -1).
#
# Two resource kinds are inspected: a security group is flagged when any of
# its inline ingress rules violates, and each standalone ingress resource in
# the model is flagged on its own. Group ids come first, standalone ids after.
#
# @param cfn_model [Object] parsed template exposing +security_groups+ and
#   +standalone_ingress+
# @return [Array<String>] logical resource ids of the violating resources
def audit_impl(cfn_model)
  flagged_groups = cfn_model.security_groups.select do |group|
    # One violating inline rule is enough to flag the whole group.
    group.ingresses.any? { |ingress| violating_ingress(ingress) }
  end

  flagged_standalone = cfn_model.standalone_ingress.select do |ingress|
    violating_ingress(ingress)
  end

  (flagged_groups + flagged_standalone).map(&:logical_resource_id)
end
rule_id()
# File lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb, line 15
# Identifier under which this rule's findings are reported.
#
# @return [String] the rule id
def rule_id
  "W42"
end
rule_text()
# File lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb, line 7
# Human-readable description attached to each finding.
#
# The trailing space is part of the message as emitted and is kept as-is.
#
# @return [String] the finding text
def rule_text
  "Security Groups ingress with an ipProtocol of -1 found "
end
rule_type()
# File lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb, line 11
# Severity level reported for this rule.
#
# @return the Violation::WARNING severity constant
def rule_type
  Violation::WARNING
end

Private Instance Methods

violating_ingress(ingress)
# File lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb, line 40
# Decides whether a single ingress rule opens all protocols.
#
# Only an Integer or String ipProtocol is evaluated, via +to_i+, so both
# +-1+ and +"-1"+ match. Named protocols such as +"tcp"+ convert to 0 and
# are not flagged; any other value type (a Hash or nil, for instance) is
# treated as non-violating because it cannot be compared.
#
# @param ingress [Object] ingress rule exposing +ipProtocol+
# @return [Boolean] true when the protocol resolves to -1
def violating_ingress(ingress)
  case ingress.ipProtocol
  when Integer, String
    ingress.ipProtocol.to_i == -1
  else
    false
  end
end