Migrate ec2 resources to cfn-guard ruleset (#258)

aws-cloudformation · Mar 20, 2024 · e99123c · e99123c
1 parent 946508c
commit e99123c
Show file tree

Hide file tree

Showing 33 changed files with 5,385 additions and 118 deletions.
diff --git a/rules/aws/amazon_ec2/ebs_volume_encryption_key_rule.guard b/rules/aws/amazon_ec2/ebs_volume_encryption_key_rule.guard
@@ -0,0 +1,46 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    EBS_VOLUME_ENCRYPTION_KEY_RULE
+#
+# Description:
+#   EBS Volume should specify a KmsKeyId value
+#
+# Reports on:
+#    AWS::EC2::Volume
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   W37
+#
+# Scenarios:
+# a) SKIP: when there is no EC2 Volume resource present.
+# b) PASS: when EC2 Volume resources have KmsKeyId Key.
+# c) FAIL: when EC2 Volume resources does not have KmsKeyId Key.
+# d) SKIP: when metadata has rule suppression for EBS_VOLUME_ENCRYPTION_KEY_RULE
+
+#
+# Select all EC2 Volume resources from incoming template (payload)
+#
+let ebs_volume_encryption_key_rule = Resources.*[ Type == 'AWS::EC2::Volume'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W37"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EBS_VOLUME_ENCRYPTION_KEY_RULE"
+]
+
+rule EBS_VOLUME_ENCRYPTION_KEY_RULE when %ebs_volume_encryption_key_rule !empty {
+  %ebs_volume_encryption_key_rule.Type == 'AWS::EC2::Volume'
+  %ebs_volume_encryption_key_rule.Properties.KmsKeyId exists
+  <<
+    Violation: EC2 Volume KmsKeyId does not exist
+    Fix: Specify KmsKeyId value
+  >>
+}
diff --git a/rules/aws/amazon_ec2/ec2_ebs_encryption_by_default.guard b/rules/aws/amazon_ec2/ec2_ebs_encryption_by_default.guard
diff --git a/rules/aws/amazon_ec2/ec2_network_acl_entry_ineffective_deny_rule.guard b/rules/aws/amazon_ec2/ec2_network_acl_entry_ineffective_deny_rule.guard
@@ -0,0 +1,60 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    EC2_NETWORK_ACL_ENTRY_INEFFECTIVE_DENY_RULE
+#
+# Description:
+#   NetworkACL Entry Deny rules should affect all CIDR ranges.
+#
+# Reports on:
+#    AWS::EC2::NetworkAclEntry
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   W71
+#
+# Scenarios:
+# a) SKIP: when there are no EC2 NetworkACLEntry resource present
+# b) PASS: When all EC2 NetworkACLEntry resources deny affects all CIDR ranges.
+# c) FAIL: When any EC2 NetworkACLEntry resources deny does not affect all CIDR ranges.
+# d) SKIP: when metadata has rule suppression for EC2_NETWORK_ACL_ENTRY_INEFFECTIVE_DENY_RULE
+
+#
+# Select all EC2 NetworkACLEntry resources from incoming template (payload)
+#
+let ec2_network_acl_entry_ineffective_deny_rule = Resources.*[ Type == 'AWS::EC2::NetworkAclEntry'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W71"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_NETWORK_ACL_ENTRY_INEFFECTIVE_DENY_RULE"
+]
+
+rule EC2_NETWORK_ACL_ENTRY_INEFFECTIVE_DENY_RULE when %ec2_network_acl_entry_ineffective_deny_rule !empty {
+  let violations = %ec2_network_acl_entry_ineffective_deny_rule[
+    Type == 'AWS::EC2::NetworkAclEntry'
+    Properties.RuleAction == 'deny'
+    Properties {
+        CidrBlock exists
+        CidrBlock != '0.0.0.0/0'
+    }
+    OR
+    Properties {
+        Ipv6CidrBlock exists
+        Ipv6CidrBlock != '::/0'
+        Ipv6CidrBlock != ':/0'
+    }
+  ]
+
+  %violations empty
+  <<
+    Violation: EC2 NetworkACLEntry resources with ruleAction Deny does not cover all CIDR Ranges.
+    Fix: Cover all CIDR ranges for deny RuleAction.
+  >>
+}
diff --git a/rules/aws/amazon_ec2/ec2_network_acl_port_range_rule.guard b/rules/aws/amazon_ec2/ec2_network_acl_port_range_rule.guard
@@ -0,0 +1,64 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    EC2_NETWORK_ACL_PORT_RANGE_RULE
+#
+# Description:
+#   TCP/UDP protocol NetworkACL entries possibly should not allow all ports.
+#
+# Reports on:
+#    AWS::EC2::NetworkAclEntry
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   W67
+#
+# Scenarios:
+# a) SKIP: when there are no EC2 NetworkACLEntry resource present
+# b) PASS: When all EC2 NetworkACLEntry resources does not use all ports for TCP/UDP
+# c) FAIL: When any EC2 NetworkACLEntry resources does not specify range of ports for TCP/UDP
+# d) SKIP: when metadata has rule suppression for EC2_NETWORK_ACL_PORT_RANGE_RULE
+
+#
+# Select all EC2 NetworkACLEntry resources from incoming template (payload)
+#
+let ec2_network_acl_port_range_rule = Resources.*[ Type == 'AWS::EC2::NetworkAclEntry'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W67"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_NETWORK_ACL_PORT_RANGE_RULE"
+]
+
+rule EC2_NETWORK_ACL_PORT_RANGE_RULE when %ec2_network_acl_port_range_rule !empty {
+  let violations = %ec2_network_acl_port_range_rule[
+    Type == 'AWS::EC2::NetworkAclEntry'
+    Properties {
+        Protocol == 6
+        OR
+        Protocol == 17
+    }
+    Properties.PortRange !exists
+    OR
+    Properties.PortRange.From !exists
+    OR
+    Properties.PortRange.To !exists
+    OR
+    Properties {
+        PortRange.From == 0
+        PortRange.To == 65535
+    }
+  ]
+
+  %violations empty
+  <<
+    Violation: EC2 NetworkACLEntry resources does not specify a range of ports for TCP/UDP or specifies complete range from 0 to 65535.
+    Fix: Specify a range of ports for TCP/UDP for EC2 NetworkACLEntry resources.
+  >>
+}
diff --git a/rules/aws/amazon_ec2/ec2_network_acl_protocol_rule.guard b/rules/aws/amazon_ec2/ec2_network_acl_protocol_rule.guard
@@ -0,0 +1,68 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    EC2_NETWORK_ACL_PROTOCOL_RULE
+#
+# Description:
+#   To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
+#
+# Reports on:
+#    AWS::EC2::NetworkAclEntry
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   W66
+#
+# Scenarios:
+# a) SKIP: when there are no EC2 NetworkACLEntry resource present
+# b) PASS: When all EC2 NetworkACLEntry resources only uses specific protocol port number 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
+# c) FAIL: When any EC2 NetworkACLEntry resources does not use specific protocol port number 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
+# d) SKIP: when metadata has rule suppression for EC2_NETWORK_ACL_PROTOCOL_RULE
+
+#
+# Select all EC2 NetworkACLEntry resources from incoming template (payload)
+#
+let ec2_network_acl_protocol_rule = Resources.*[ Type == 'AWS::EC2::NetworkAclEntry'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W66"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_NETWORK_ACL_PROTOCOL_RULE"
+]
+
+rule EC2_NETWORK_ACL_PROTOCOL_RULE when %ec2_network_acl_protocol_rule !empty {
+
+  let violations = %ec2_network_acl_protocol_rule[
+    Type == 'AWS::EC2::NetworkAclEntry'
+    Properties.RuleAction == 'allow'
+    Properties {
+        Protocol != 1
+        Protocol != 6
+        Protocol != 17
+        Protocol != 58
+    }
+    OR
+    Properties {
+        Protocol == 58
+        Ipv6CidrBlock !exists
+        OR
+        Icmp !exists
+        OR
+        Icmp.Code !exists
+        OR
+        Icmp.Type !exists
+    }
+  ]
+
+  %violations empty
+  <<
+    Violation: EC2 NetworkACLEntry resources does not use specific protocol port number 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
+    Fix: Use protocol port number 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
+  >>
+}
diff --git a/rules/aws/amazon_ec2/ec2_security_group_egress_open_to_world_rule.guard b/rules/aws/amazon_ec2/ec2_security_group_egress_open_to_world_rule.guard
@@ -0,0 +1,69 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    EC2_SECURITY_GROUP_EGRESS_OPEN_TO_WORLD_RULE
+#
+# Description:
+#   Check if cidr FOR ipv4 and ipv6 on security group egress is open or private.
+#
+# Reports on:
+#    AWS::EC2::SecurityGroup, AWS::EC2::SecurityGroupEgress
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   W5
+#
+# Scenarios:
+# a) SKIP: when there are no Security Egress Groups resource present
+# b) PASS: When all Security Egress Groups do not use open to world cidr
+# c) FAIL: when any Security Egress Groups uses open to world cidr
+# d) SKIP: when metadata has rule suppression for EC2_SECURITY_GROUP_EGRESS_OPEN_TO_WORLD_RULE
+
+#
+# Select all Security Group Egress resources from incoming template (payload)
+#
+
+let ec2_security_group_ingress_open_to_world_rule_sg_egress_resources = Resources.*[ Type == 'AWS::EC2::SecurityGroup'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W5"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_SECURITY_GROUP_EGRESS_OPEN_TO_WORLD_RULE"
+]
+
+let ec2_security_group_egress_open_to_world_rule_sge_resources = Resources.*[ Type == 'AWS::EC2::SecurityGroupEgress'
+  Metadata.cfn_nag.rules_to_suppress not exists or
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W5"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_SECURITY_GROUP_EGRESS_OPEN_TO_WORLD_RULE"
+]
+
+rule EC2_SECURITY_GROUP_EGRESS_OPEN_TO_WORLD_RULE when %ec2_security_group_egress_open_to_world_rule_sge_resources !empty OR %ec2_security_group_ingress_open_to_world_rule_sg_egress_resources !empty {
+  let violations_sg = %ec2_security_group_ingress_open_to_world_rule_sg_egress_resources[
+    Type == 'AWS::EC2::SecurityGroup'
+    Properties.SecurityGroupEgress exists
+    some Properties.SecurityGroupEgress[*].CidrIp == '0.0.0.0/0'
+    OR
+    some Properties.SecurityGroupEgress[*].CidrIpv6 == '::/0'
+  ]
+
+  let violations_sge = %ec2_security_group_egress_open_to_world_rule_sge_resources[
+    Type == 'AWS::EC2::SecurityGroupEgress'
+    Properties.CidrIp == '0.0.0.0/0'
+    OR
+    Properties.CidrIpv6 == '::/0'
+  ]
+
+  %violations_sg empty
+  %violations_sge empty
+  <<
+    Violation: Security Group Egress has a range of ports instead of a single port
+    Fix: Use single port instead of range of ports for egress rules
+  >>
+}