cfn-nag 0.5.26 → 0.5.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c913a08d77c80481bdbdaff01e45589bdee21e86aeb510e5f1297aa91c7b5385
-  data.tar.gz: cea90eddf825cca78623c639ac4562fc99fae5fbaf714047803fd12d11e1b6f8
+  metadata.gz: f7661d4fd465896a67ff7b8a2faa3df9bd5c432f8875333e56c9f22425ea24fe
+  data.tar.gz: 12a7a44a1010f5842a97e7f91b312264c799dcc1a096039eaf5cca52ba294903
 SHA512:
-  metadata.gz: 52bd1a027be9f4680c82d1ce5910bce64d778d8cf82f8099697cc3404cf190881b4ad8f567b1ffaffc531df189a2d397f6ac271372c7afb75e251b6f0bc4a895
-  data.tar.gz: b1dde255dc1d96694a07a2ea0677121ebda460201ad431222635a379aa273a6be355492815733b28a40349847a7f24de0d57d0559223d0455265846787078311
+  metadata.gz: 400e1ba497ef38dd8888722f227b7ae6437645ac8a3b843eb5d30c5763459baee525c4dad8a3c0ae1026831d93640f48027013dee9522a2203f19942097c3d16
+  data.tar.gz: 5d72fc2ea9a23cf1d8611b63162967f318c74bba3757c13cfbd105b2bcd001ba44a366f0d1b7ff15aad631303c20984d848e9ee2a1ab64df2deff1dcef46e953

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class EC2NetworkAclEntryPortRangeRule < BaseRule
+  def rule_text
+    'TCP/UDP protocol NetworkACL entries possibly should not allow all ports.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W67'
+  end
+
+  def audit_impl(cfn_model)
+    violating_network_acl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
+                                             .select do |network_acl_entry|
+      violating_network_acl_entries?(network_acl_entry)
+    end
+
+    violating_network_acl_entries.map(&:logical_resource_id)
+  end
+
+  private
+
+  # Port Range is required for protocols "6" (TCP) and "17" (UDP)
+  def tcp_or_udp_protocol?(network_acl_entry)
+    %w[6 17].include?(network_acl_entry.protocol)
+  end
+
+  def port_range_params_not_exist?(network_acl_entry)
+    network_acl_entry.portRange.nil? ||
+      network_acl_entry.portRange['From'].nil? || network_acl_entry.portRange['To'].nil?
+  end
+
+  def full_port_range?(network_acl_entry)
+    network_acl_entry.portRange['From'] == '0' && network_acl_entry.portRange['To'] == '65535'
+  end
+
+  def violating_network_acl_entries?(network_acl_entry)
+    tcp_or_udp_protocol?(network_acl_entry) && (port_range_params_not_exist?(network_acl_entry) ||
+      full_port_range?(network_acl_entry))
+  end
+end

data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class EC2NetworkAclEntryProtocolRule < BaseRule
+  def rule_text
+    'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 ' \
+    '(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W66'
+  end
+
+  def audit_impl(cfn_model)
+    violating_network_acl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
+                                             .select do |network_acl_entry|
+      violating_network_acl_entries?(network_acl_entry)
+    end
+
+    violating_network_acl_entries.map(&:logical_resource_id)
+  end
+
+  private
+
+  # https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAclEntry.html#API_CreateNetworkAclEntry_RequestParameters
+  # A value of "-1" means all protocols. If you specify "-1" or a protocol
+  # number other than "6" (TCP), "17" (UDP), or "1" (ICMP), traffic on all ports
+  # is allowed, regardless of any ports or ICMP types or codes that you specify.
+  # If you specify protocol "58" (ICMPv6) and specify an IPv4 CIDR block,
+  # traffic for all ICMP types and codes allowed, regardless of any that you
+  # specify. If you specify protocol "58" (ICMPv6) and specify an IPv6 CIDR
+  # block, you must specify an ICMP type and code.
+
+  def rule_action_allow?(network_acl_entry)
+    network_acl_entry.ruleAction == 'allow'
+  end
+
+  def tcp_udp_icmp_protocol?(network_acl_entry)
+    %w[1 6 17].include?(network_acl_entry.protocol)
+  end
+
+  def icmpv6_protocol?(network_acl_entry)
+    network_acl_entry.protocol == '58' && !network_acl_entry.ipv6CidrBlock.nil? &&
+      !network_acl_entry.icmp.nil? && !network_acl_entry.icmp['Code'].nil? &&
+      !network_acl_entry.icmp['Type'].nil?
+  end
+
+  def violating_network_acl_entries?(network_acl_entry)
+    if rule_action_allow?(network_acl_entry)
+      if tcp_udp_icmp_protocol?(network_acl_entry) ||
+         icmpv6_protocol?(network_acl_entry)
+        false
+      else
+        true
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.26
+  version: 0.5.27
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-03-11 00:00:00.000000000 Z
+date: 2020-03-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -198,6 +198,8 @@ files:
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
+- lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb