From 25a566ffb8d24f16e0ba55b0c7fc8bef09797970 Mon Sep 17 00:00:00 2001 From: Filipe Paz Rodrigues Date: Tue, 19 Mar 2024 15:17:43 -0700 Subject: [PATCH 1/5] Update no_public_ingress_sgr.go --- checks/cloud/aws/ec2/no_public_ingress_sgr.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.go index 158a2d0f..621842b5 100755 --- a/checks/cloud/aws/ec2/no_public_ingress_sgr.go +++ b/checks/cloud/aws/ec2/no_public_ingress_sgr.go @@ -47,7 +47,7 @@ var CheckNoPublicIngressSgr = rules.Register( for _, rule := range group.IngressRules { var failed bool for _, block := range rule.CIDRs { - if cidr.IsPublic(block.Value()) && cidr.CountAddresses(block.Value()) > 1 { + if cidr.IsPublic(block.Value()) && cidr.CountAddresses(block.Value()) == 255*255*255*255 { failed = true results.Add( "Security group rule allows ingress from public internet.", From 26a5a3e55f6eb54758cf655e442a54e682243be7 Mon Sep 17 00:00:00 2001 From: Filipe Paz Rodrigues Date: Tue, 19 Mar 2024 15:19:40 -0700 Subject: [PATCH 2/5] Update no_public_ingress_sgr.tf.go --- checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go index e5d68d5d..5cd6964b 100644 --- a/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go +++ b/checks/cloud/aws/ec2/no_public_ingress_sgr.tf.go @@ -8,6 +8,12 @@ var terraformNoPublicIngressSgrGoodExamples = []string{ } `, ` + resource "aws_security_group_rule" "another_good_example" { + type = "ingress" + cidr_blocks = ["1.2.3.4/24"] + } + `, + ` resource "aws_security_group_rule" "allow_partner_rsync" { type = "ingress" security_group_id = aws_security_group.….id From 4569ce0b44f9aaf7ed61ea7cb94d81800900afbc Mon Sep 17 00:00:00 2001 
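Review bot: `255*255*255*255` on the added line is 4,228,250,625, but 0.0.0.0/0 contains 256^4 = 2^32 = 4,294,967,296 addresses, so if cidr.CountAddresses returns the block's address count (the hunk does not show it) the equality can never hold and the rule silently stops reporting 0.0.0.0/0. Replacing `> 1` with an exact-match also means a pair like 0.0.0.0/1 plus 128.0.0.0/1, or any public /8, now passes this "no public ingress" check; if the goal is only to stop flagging small targeted public blocks, a named threshold keeps the conservative behaviour: `const wholeIPv4 = uint64(1) << 32 // address count of 0.0.0.0/0` and `if cidr.IsPublic(block.Value()) && cidr.CountAddresses(block.Value()) >= wholeIPv4 {`. Either way the literal deserves a comment stating which range it is meant to identify. The enclosing rule closure and loops start and end outside the hunk.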
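Review bot: `1.2.3.4/24` in the new good example is not a canonical network address (host bits are set; the network is 1.2.3.0/24), and some tooling and AWS itself may reject or rewrite such a block, so the example should read `cidr_blocks = ["1.2.3.0/24"]`. The sibling `allow_partner_rsync` example sets `security_group_id`, which this one omits; mirroring that keeps the good example a rule a user could actually apply. A one-line comment such as `# a single public /24 is a targeted allow-list, not open-to-the-world ingress` would also explain why a public range is listed as a passing example at all.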
From: Filipe Paz Rodrigues Date: Tue, 19 Mar 2024 15:22:21 -0700 Subject: [PATCH 3/5] Update no_public_ingress_sgr_test.go --- .../aws/ec2/no_public_ingress_sgr_test.go | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr_test.go b/checks/cloud/aws/ec2/no_public_ingress_sgr_test.go index 066feab5..bcab2a16 100644 --- a/checks/cloud/aws/ec2/no_public_ingress_sgr_test.go +++ b/checks/cloud/aws/ec2/no_public_ingress_sgr_test.go @@ -20,7 +20,7 @@ func TestCheckNoPublicIngressSgr(t *testing.T) { expected bool }{ { - name: "AWS VPC ingress security group rule with wildcard address", + name: "AWS VPC ingress security group rule with wildcard address (0.0.0.0/0)", input: ec2.EC2{ SecurityGroups: []ec2.SecurityGroup{ { @@ -38,6 +38,25 @@ func TestCheckNoPublicIngressSgr(t *testing.T) { }, expected: true, }, + { + name: "AWS VPC ingress security group rule with public address (/24)", + input: ec2.EC2{ + SecurityGroups: []ec2.SecurityGroup{ + { + Metadata: trivyTypes.NewTestMetadata(), + IngressRules: []ec2.SecurityGroupRule{ + { + Metadata: trivyTypes.NewTestMetadata(), + CIDRs: []trivyTypes.StringValue{ + trivyTypes.String("1.2.3.4/24", trivyTypes.NewTestMetadata()), + }, + }, + }, + }, + }, + }, + expected: false, + }, { name: "AWS VPC ingress security group rule with private address", input: ec2.EC2{ From 0d3ea8dea2a6489b9f299725867159b54c3c4965 Mon Sep 17 00:00:00 2001 From: Filipe Paz Rodrigues Date: Tue, 19 Mar 2024 15:29:31 -0700 Subject: [PATCH 4/5] Update no_public_ingress_sgr.go --- checks/cloud/aws/ec2/no_public_ingress_sgr.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.go index 621842b5..bbd8cc19 100755 --- a/checks/cloud/aws/ec2/no_public_ingress_sgr.go +++ b/checks/cloud/aws/ec2/no_public_ingress_sgr.go 
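Review bot: The new case only pins that a public /24 passes; nothing tests the boundary the rewritten comparison now draws, so a large public block such as `0.0.0.0/1` or `1.0.0.0/8` should be added with its expected result stated explicitly, which documents the intended threshold in tests rather than in a literal in the check. If cidr.CountAddresses treats wildcard spellings ("*", "any") specially — I cannot see it from here — a case for those would cover the other branch the series adds. The case name says "(/24)" but the input is the non-canonical `1.2.3.4/24`; `1.2.3.0/24` matches the name and what net.ParseCIDR would report as the network.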
@@ -47,7 +47,7 @@ var CheckNoPublicIngressSgr = rules.Register( for _, rule := range group.IngressRules { var failed bool for _, block := range rule.CIDRs { - if cidr.IsPublic(block.Value()) && cidr.CountAddresses(block.Value()) == 255*255*255*255 { + if cidr.IsPublic(block.Value()) && (cidr.CountAddresses(block.Value()) == 255*255*255*255 || cidr.CountAddresses(block.Value()) == 0xffffffffffffffff) { failed = true results.Add( "Security group rule allows ingress from public internet.", From c231f6b76a40172c89692e991c7fabf77c0d3964 Mon Sep 17 00:00:00 2001 From: Filipe Rodrigues Date: Mon, 25 Mar 2024 21:22:47 -0700 Subject: [PATCH 5/5] Update docs --- avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md b/avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md index 4f72892d..48804f32 100644 --- a/avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md +++ b/avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md @@ -7,6 +7,13 @@ Set a more restrictive cidr range cidr_blocks = ["10.0.0.0/16"] } +``` +```hcl + resource "aws_security_group_rule" "another_good_example" { + type = "ingress" + cidr_blocks = ["1.2.3.4/24"] + } + ``` ```hcl resource "aws_security_group_rule" "allow_partner_rsync" {
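Review bot: The added condition evaluates cidr.CountAddresses(block.Value()) twice and compares against two bare literals, one of which (`255*255*255*255`) is not 2^32 and so does not describe 0.0.0.0/0; bind the count once and name both values: `n := cidr.CountAddresses(block.Value())`, `const wholeIPv4 = uint64(1) << 32 // 0.0.0.0/0`, `if cidr.IsPublic(block.Value()) && (n == wholeIPv4 || n == math.MaxUint64) {` (use `^uint64(0)` if math is not imported; the 0xffffffffffffffff literal compiling at all implies the count is uint64). It would help to state in a comment what returns MaxUint64 from CountAddresses — presumably a wildcard or IPv6 /0 — since that is what the second branch is for. Note the existing 0.0.0.0/0 test expects true; if it passed CI with this comparison, confirm what CountAddresses actually returns for /0, because it is not 255^4. The enclosing closure and loops continue outside the hunk.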