def test_security_group_type_slash0(self):
role_props = {
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
'SecurityGroupIngress': [{
'CidrIp': "0.0.0.0/0",
'FromPort': 22,
'ToPort': 22
}]
}
}
}
}
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
resources = parse(role_props).resources
rule.invoke(resources)
assert not result.valid
assert result.failed_rules[0][
'reason'] == 'Port 22 open to the world in security group "RootRole"'
assert result.failed_rules[0]['rule'] == 'SecurityGroupOpenToWorldRule'
def test_security_group_rules_as_refs(self):
role_props = {
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
'SecurityGroupIngress': [{
'CidrIp': {
"Ref": "MyParam"
},
'FromPort': 22,
'ToPort': 22
}]
}
}
}
}
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
resources = parse(role_props).resources
rule.invoke(resources)
assert result.valid
assert len(result.failed_rules) == 0
def test_invalid_security_group_range(self):
role_props = {
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
'SecurityGroupIngress': [{
'CidrIp': "0.0.0.0/0",
'FromPort': 0,
'ToPort': 100
}]
}
}
}
}
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
resources = parse(role_props).resources
rule.invoke(resources)
assert result.failed_rules[0][
'reason'] == 'Ports 0 - 100 open in Security Group RootRole'
assert result.failed_rules[0]['rule'] == 'SecurityGroupOpenToWorldRule'
def test_invalid_security_group_cidripv6(invalid_security_group_cidripv6):
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
rule.invoke(invalid_security_group_cidripv6)
assert not result.valid
assert result.failed_rules[0].rule == "SecurityGroupOpenToWorldRule"
assert result.failed_rules[0].reason == "Port 22 open to the world in security group 'SecurityGroup'"
def test_valid_security_group_port443(valid_security_group_port443):
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
rule.invoke(valid_security_group_port443)
assert result.valid
assert len(result.failed_rules) == 0
assert len(result.failed_monitored_rules) == 0
def test_security_group_type_slash0(security_group_type_slash0):
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
rule.invoke(security_group_type_slash0)
assert not result.valid
assert result.failed_rules[0].rule == "SecurityGroupOpenToWorldRule"
assert result.failed_rules[0].reason == "Port 22 open to the world in security group 'SecurityGroup'"
def test_invalid_security_group_multiple_statements(invalid_security_group_multiple_statements):
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
rule.invoke(invalid_security_group_multiple_statements)
assert not result.valid
assert result.failed_rules[0].rule == "SecurityGroupOpenToWorldRule"
assert result.failed_rules[0].reason == "Port 9090 open to the world in security group 'SecurityGroup'"
def test_valid_security_group_port443(self):
role_props = {
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {"SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "FromPort": 443, "ToPort": 443}]},
}
},
}
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
resources = parse(role_props).resources
rule.invoke(resources, [])
assert result.valid
assert len(result.failed_rules) == 0
def test_invalid_security_group_range(self):
role_props = {
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {"SecurityGroupIngress": [{"CidrIp": "0.0.0.0/0", "FromPort": 0, "ToPort": 100}]},
}
},
}
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
resources = parse(role_props).resources
rule.invoke(resources, [])
assert result.failed_rules[0]["reason"] == "Ports 0 - 100 open in Security Group RootRole"
assert result.failed_rules[0]["rule"] == "SecurityGroupOpenToWorldRule"
def test_invalid_security_group_cidripv6(self):
role_props = {
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"RootRole": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {"SecurityGroupIngress": [{"CidrIpv6": "::/0", "FromPort": 22, "ToPort": 22}]},
}
},
}
result = Result()
rule = SecurityGroupOpenToWorldRule(None, result)
resources = parse(role_props).resources
rule.invoke(resources, [])
assert result.failed_rules[0]["reason"] == 'Port 22 open to the world in security group "RootRole"'
assert result.failed_rules[0]["rule"] == "SecurityGroupOpenToWorldRule"
