def test_security_group_with_egress(security_group_with_egress):
    """A security group that declares an explicit egress rule must pass.

    The rule is constructed with no config (``None``) and invoked on the
    fixture's template; a valid result carries no failed or monitored rules.
    """
    checker = EC2SecurityGroupMissingEgressRule(None)
    outcome = checker.invoke(security_group_with_egress)

    assert outcome.valid
    # No blocking findings and no monitor-only findings either.
    assert not outcome.failed_rules
    assert not outcome.failed_monitored_rules
def test_single_security_group_one_cidr_ingress(single_security_group_one_cidr_ingress):
    """A security group with ingress only (no egress block) must be flagged.

    The rule reports exactly one blocking failure, attributed to
    ``EC2SecurityGroupMissingEgressRule``, explaining that an omitted egress
    rule implicitly allows all outbound traffic; nothing is monitored-only.
    """
    checker = EC2SecurityGroupMissingEgressRule(None)
    outcome = checker.invoke(single_security_group_one_cidr_ingress)

    assert not outcome.valid
    assert len(outcome.failed_rules) == 1
    assert not outcome.failed_monitored_rules

    failure = outcome.failed_rules[0]
    assert failure.rule == "EC2SecurityGroupMissingEgressRule"
    expected_reason = (
        "Missing egress rule in sg means all traffic is allowed outbound. "
        "Make this explicit if it is desired configuration"
    )
    assert failure.reason == expected_reason
def test_single_security_group_one_cidr_ingress(
        single_security_group_one_cidr_ingress):
    """A security group with ingress only (no egress block) must be flagged.

    Uses the ``Failure``-based result API: the invocation is invalid and the
    failures list holds exactly one medium-risk, blocking, resource-level
    finding for ``sg`` explaining that an omitted egress rule implicitly
    allows all outbound traffic.
    """
    checker = EC2SecurityGroupMissingEgressRule(None)
    outcome = checker.invoke(single_security_group_one_cidr_ingress)

    assert not outcome.valid

    expected_reason = (
        "Missing egress rule in sg means all traffic is allowed outbound. "
        "Make this explicit if it is desired configuration"
    )
    expected_failure = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason=expected_reason,
        risk_value=RuleRisk.MEDIUM,
        rule="EC2SecurityGroupMissingEgressRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"sg"},
    )
    # Order-insensitive comparison helper shared by the rule test suite.
    assert compare_lists_of_failures(outcome.failures, [expected_failure])
def test_security_group_with_egress(security_group_with_egress):
    """A security group that declares an explicit egress rule must pass.

    Uses the ``Failure``-based result API: the invocation is valid and the
    failures list is empty.
    """
    checker = EC2SecurityGroupMissingEgressRule(None)
    outcome = checker.invoke(security_group_with_egress)

    assert outcome.valid
    no_failures = []
    assert compare_lists_of_failures(outcome.failures, no_failures)