class SecurityGroupEgressAllProtocolsRule

Public Instance Methods

audit_impl(cfn_model)

This behaves slightly differently from the legacy jq-based rule, which was targeted at inline ingress only.

# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 25
# Collects the logical resource ids of every security group that carries at
# least one inline egress rule opening all protocols (IpProtocol -1) and of
# every standalone egress resource doing the same.
#
# Both inline egress entries (via +security_groups+) and standalone egress
# resources (via +standalone_egress+, presumably AWS::EC2::SecurityGroupEgress
# — confirm against the model) are inspected, unlike the legacy jq rule.
#
# @param cfn_model the parsed template model; must respond to
#   +security_groups+ and +standalone_egress+
# @return [Array<String>] logical resource ids, security groups first, then
#   standalone egress resources
def audit_impl(cfn_model)
  flagged_groups = cfn_model.security_groups.select do |group|
    # A group is flagged as soon as any one of its inline egress rules violates.
    group.egresses.any? { |egress| violating_egress(egress) }
  end

  flagged_standalone = cfn_model.standalone_egress.select do |egress|
    violating_egress(egress)
  end

  (flagged_groups + flagged_standalone).map(&:logical_resource_id)
end
rule_id()
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 18
# Identifier reported for each violation of this rule.
#
# @return [String] the cfn-nag rule id; the W prefix marks it as a warning
def rule_id
  "W40"
end
rule_text()
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 10
# Human-readable description attached to each reported violation.
#
# @return [String] one-line summary of what was found
def rule_text
  "Security Groups egress with an IpProtocol of -1 found"
end
rule_type()
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 14
# Severity of this rule: a warning, not a failure, so an all-protocol egress
# does not by itself fail a scan.
#
# @return the +Violation::WARNING+ severity constant
def rule_type
  warning = Violation::WARNING
  warning
end

Private Instance Methods

negative_1_protocol?(egress)
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 43
# True when the egress rule's IpProtocol denotes "all protocols" (-1).
#
# Only Integer and String values are examined; a String is coerced with
# +to_i+, so "-1" (and anything +to_i+ reads as -1, e.g. " -1" or "-1.0")
# matches. Any other value — presumably a Hash left by an unresolved
# intrinsic such as Ref or Fn::If — is NOT flagged, so a protocol supplied
# indirectly escapes this rule. A clean run is therefore not proof that no
# all-protocol egress exists in the template.
#
# @param egress object responding to +ipProtocol+
# @return [Boolean]
def negative_1_protocol?(egress)
  protocol = egress.ipProtocol
  case protocol
  when Integer, String
    protocol.to_i == -1
  else
    false
  end
end
violating_egress(egress)
# File lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb, line 51
# An egress rule violates when it opens all protocols and its destination
# is neither the IPv4 nor the IPv6 loopback address.
#
# The loopback exemption tolerates an all-protocol rule that cannot reach
# anything (presumably the idiom for suppressing a security group's default
# allow-all egress — confirm). +ip4_localhost?+ and +ip6_localhost?+ are not
# defined in this class; they come from elsewhere in the hierarchy.
#
# @param egress inline egress entry or standalone egress resource
# @return [Boolean]
def violating_egress(egress)
  return false unless negative_1_protocol?(egress)

  !(ip4_localhost?(egress) || ip6_localhost?(egress))
end