class EC2NetworkAclEntryIneffectiveDenyRule

Public Instance Methods

# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 20
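# Entry point called by the cfn-nag engine for every template.
#
# Walks every AWS::EC2::NetworkAcl in the model and collects the deny
# entries (ingress and egress alike) whose CIDR is narrower than the full
# IPv4/IPv6 range, as judged by #violating_nacl_entries.
#
# @param cfn_model [CfnModel] parsed template exposing #resources_by_type
# @return [Array<String>] logical resource ids of the offending
#   NetworkAclEntry resources (the entries themselves, not the parent ACL)
#
# Note: the previous implementation accumulated into a local named
# `violating_nacl_entries`, shadowing the private method of the same name;
# it only worked because the call site used parentheses and an argument.
# flat_map removes both the shadowing and the manual accumulation.
def audit_impl(cfn_model)
  nacls = cfn_model.resources_by_type('AWS::EC2::NetworkAcl')
  offending_entries = nacls.flat_map { |nacl| violating_nacl_entries(nacl) }
  offending_entries.map(&:logical_resource_id)
end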
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 16
# Stable identifier for this rule in cfn-nag output.
# The W prefix matches the WARNING severity returned by #rule_type.
#
# @return [String] 'W71'
def rule_id
  %q(W71)
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 8
# Human-readable description shown next to each finding.
#
# A deny entry scoped to a subset of addresses is reported as a smell;
# the wording here is the only explanation users see, so keep it in sync
# with what #not_all_cidrs_covered? actually tests (exact 0.0.0.0/0 and
# ::/0 matches).
#
# @return [String] the finding message
def rule_text
  %q(NetworkACL Entry Deny rules should affect all CIDR ranges.)
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 12
# Severity of findings from this rule.
#
# Reported at WARNING level rather than as a failure — presumably because a
# narrow deny entry is a heuristic indicator (its effectiveness depends on
# the surrounding rule numbers, which this rule does not inspect), not a
# definite misconfiguration.
#
# @return [Violation::WARNING]
def rule_type
  Violation::WARNING
end

Private Instance Methods

# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 31
# Keeps only the deny entries whose CIDR does not span the whole address
# space (per #not_all_cidrs_covered?).
#
# RuleAction is compared against the exact lowercase string 'deny'; a
# differently cased value would not be considered a deny here.
# NOTE(review): confirm whether CloudFormation normalizes RuleAction casing
# before this model is built.
#
# @param nacl_entries [Array] NetworkAclEntry resources (any direction)
# @return [Array] the subset that are narrow deny entries, in input order
def deny_does_not_cover_all_cidrs(nacl_entries)
  nacl_entries.select do |entry|
    next false unless entry.ruleAction == 'deny'

    not_all_cidrs_covered?(entry)
  end
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 43
# Outbound entries: those whose Egress attribute is truthy according to the
# shared truthy? helper (presumably so that both a boolean true and the
# string "true" from a template count — confirm against the helper).
#
# @param nacl_entries [Array] NetworkAclEntry resources
# @return [Array] entries with a truthy Egress, in input order
def egress(nacl_entries)
  nacl_entries.select { |entry| truthy?(entry.egress) }
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 49
# Inbound entries: those whose Egress attribute is NOT truthy according to
# the shared not_truthy? helper. An entry with no Egress attribute at all
# lands here (presumably matching CloudFormation's default of false —
# confirm against the helper).
#
# @param nacl_entries [Array] NetworkAclEntry resources
# @return [Array] entries without a truthy Egress, in input order
def ingress(nacl_entries)
  nacl_entries.select { |entry| not_truthy?(entry.egress) }
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 37
# True when the entry's CIDR is narrower than the entire address space.
#
# The comparison is an exact string match: an IPv4 block other than
# '0.0.0.0/0', or an IPv6 block other than '::/0' (the non-standard ':/0'
# is also accepted as the full range, kept for compatibility). Equivalent
# spellings such as '0::/0', or a CIDR given as an intrinsic function
# (e.g. Ref) rather than a string, do not compare equal and are therefore
# treated as partial — a conservative false positive, never a miss.
# An entry with neither block set is treated as covering everything.
#
# @param nacl_entry [Object] responds to #cidrBlock and #ipv6CidrBlock
# @return [Boolean]
def not_all_cidrs_covered?(nacl_entry)
  ipv4 = nacl_entry.cidrBlock
  return true if !ipv4.nil? && ipv4 != '0.0.0.0/0'

  ipv6 = nacl_entry.ipv6CidrBlock
  !ipv6.nil? && !%w[::/0 :/0].include?(ipv6)
end
# File lib/cfn-nag/custom_rules/EC2NetworkAclEntryIneffectiveDenyRule.rb, line 55
# Narrow deny entries attached to one NetworkAcl.
#
# Egress and ingress entries are evaluated as separate sets (a NACL has
# independent inbound and outbound rule lists); egress findings are
# returned first, then ingress, each in the order #deny_does_not_cover_all_cidrs
# yields them.
#
# @param nacl [Object] a NetworkAcl resource exposing #network_acl_entries
# @return [Array] offending NetworkAclEntry resources for this ACL
def violating_nacl_entries(nacl)
  entries = nacl.network_acl_entries
  [egress(entries), ingress(entries)].flat_map do |direction|
    deny_does_not_cover_all_cidrs(direction)
  end
end