Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive for missing egress rules #140

Open
iainelder opened this issue Jan 8, 2021 · 1 comment
Open

False positive for missing egress rules #140

iainelder opened this issue Jan 8, 2021 · 1 comment

Comments

@iainelder
Copy link

iainelder commented Jan 8, 2021
edited
Loading

CFRipper version 0.22.0 gives a false positive for missing egress rules.

It happens when the rule is defined as a SecurityGroupEgress resource.

Consider the following test1.yml template. It creates security group with no egress using a SecurityGroupEgress resource.

---
AWSTemplateFormatVersion: 2010-09-09
Description: Security Group without egress

Resources:

  EC2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}" 
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}"

  EC2SGEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !GetAtt EC2SG.GroupId
      Description: Localhost only. CFN hack to forbid egress
      IpProtocol: "-1"
      CidrIp: 127.0.0.1/32

The result is invalid for test1.yml:

$ cfripper test1.yml
Analysing test.yml...
Valid: False
Issues found:
	- EC2SecurityGroupMissingEgressRule: Missing egress rule in EC2SG means all traffic is allowed outbound. Make this explicit if it is desired configuration

Now consider the following test2.yml template. It also crease a security group with no egress, this time using the SecurityGroupEgress proprty of the SecurityGroup resource.

---
AWSTemplateFormatVersion: 2010-09-09
Description: Security Group without egress

Resources:

  EC2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}"
      SecurityGroupEgress:
       - IpProtocol: -1
         CidrIp: 127.0.0.1/32
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}"

The result is valid for test2.yml:

$ cfripper test2.yml
Analysing test.yml...
Valid: True

The result should be valid for both ways of writing this.

(I found the following Stack Overflow discussion useful while researching this.)
@ocrawford555
Copy link
Contributor

Good issue, thanks for raising!

We will have to update our EC2SecurityGroupMissingEgressRule to search the whole CFModel for AWS::EC2::SecurityGroupEgress linked to a particular AWS::EC2::SecurityGroup, to allow the test1.yml stack to be marked as valid.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@iainelder @ocrawford555