def test_security_group_type_slash0(self):
    """An ingress entry admitting ``0.0.0.0/0`` on port 22 must be flagged.

    The template below defines one security group whose only ingress
    statement opens SSH to every IPv4 address. The rule is expected to
    mark the result invalid and report the offending group by name.
    """
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "SecurityGroupIngress": [
                        {"CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22},
                    ],
                },
            },
        },
    }

    result = Result()
    SecurityGroupOpenToWorldRule(None, result).invoke(parse(template).resources)

    assert not result.valid
    failure = result.failed_rules[0]
    assert failure["reason"] == 'Port 22 open to the world in security group "RootRole"'
    assert failure["rule"] == "SecurityGroupOpenToWorldRule"
    def test_security_group_rules_as_refs(self):
        """A ``CidrIp`` given as a ``Ref`` must not be reported as open.

        The CIDR is unresolved at template level (it points at a parameter),
        so the rule has nothing concrete to judge and is expected to leave
        the result valid with no failures recorded.
        """
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {
                        "SecurityGroupIngress": [
                            {
                                "CidrIp": {"Ref": "MyParam"},
                                "FromPort": 22,
                                "ToPort": 22,
                            },
                        ],
                    },
                },
            },
        }

        result = Result()
        SecurityGroupOpenToWorldRule(None, result).invoke(parse(template).resources)

        assert result.valid
        assert not result.failed_rules
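    def test_invalid_security_group_range(self):
        """A world-open port range (0-100) must be reported as a range.

        Mirrors the single-port tests in this class: the result must be
        invalid and the failure must carry both the range-style reason and
        the rule name. The explicit ``valid`` check is asserted before
        indexing ``failed_rules`` so an empty result fails on the intended
        assertion rather than with an ``IndexError``.
        """
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {
                        "SecurityGroupIngress": [
                            {"CidrIp": "0.0.0.0/0", "FromPort": 0, "ToPort": 100},
                        ],
                    },
                },
            },
        }

        result = Result()
        SecurityGroupOpenToWorldRule(None, result).invoke(parse(template).resources)

        assert not result.valid
        failure = result.failed_rules[0]
        assert failure["reason"] == "Ports 0 - 100 open in Security Group RootRole"
        assert failure["rule"] == "SecurityGroupOpenToWorldRule"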
def test_invalid_security_group_cidripv6(invalid_security_group_cidripv6):
    """An IPv6 ``::/0`` ingress must be treated like ``0.0.0.0/0``.

    ``invalid_security_group_cidripv6`` is the fixture handed straight to
    ``invoke``; the rule must fail it and name the group in the reason.
    """
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(invalid_security_group_cidripv6)

    assert not result.valid
    failure = result.failed_rules[0]
    assert failure.rule == "SecurityGroupOpenToWorldRule"
    assert failure.reason == "Port 22 open to the world in security group 'SecurityGroup'"
def test_valid_security_group_port443(valid_security_group_port443):
    """Port 443 open to the world is accepted by this rule.

    Neither a hard failure nor a monitored (warn-only) failure may be
    recorded for the ``valid_security_group_port443`` fixture.
    """
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(valid_security_group_port443)

    assert result.valid
    assert not result.failed_rules
    assert not result.failed_monitored_rules
def test_security_group_type_slash0(security_group_type_slash0):
    """SSH (port 22) open to ``0.0.0.0/0`` must fail the template.

    Fixture-based variant of the inline-template test: the failure must
    carry the rule name and a reason that identifies the security group.
    """
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(security_group_type_slash0)

    assert not result.valid
    failure = result.failed_rules[0]
    assert failure.rule == "SecurityGroupOpenToWorldRule"
    assert failure.reason == "Port 22 open to the world in security group 'SecurityGroup'"
def test_invalid_security_group_multiple_statements(invalid_security_group_multiple_statements):
    """The offending statement is reported when several ingress entries exist.

    The fixture name suggests more than one ingress statement; the first
    recorded failure must point at the world-open one on port 9090.
    """
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(invalid_security_group_multiple_statements)

    assert not result.valid
    failure = result.failed_rules[0]
    assert failure.rule == "SecurityGroupOpenToWorldRule"
    assert failure.reason == "Port 9090 open to the world in security group 'SecurityGroup'"
    def test_valid_security_group_port443(self):
        """HTTPS (port 443) open to ``0.0.0.0/0`` is not a finding for this rule.

        The template opens only port 443 to the world; the rule is expected
        to leave the result valid with no failures recorded.
        """
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {
                        "SecurityGroupIngress": [
                            {"CidrIp": "0.0.0.0/0", "FromPort": 443, "ToPort": 443},
                        ],
                    },
                },
            },
        }

        result = Result()
        rule = SecurityGroupOpenToWorldRule(None, result)
        # Second argument is the (empty) list of extra inputs this invoke signature takes.
        rule.invoke(parse(template).resources, [])

        assert result.valid
        assert not result.failed_rules
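    def test_invalid_security_group_range(self):
        """A world-open port range (0-100) must be reported with a range reason.

        Adds the ``not result.valid`` check used by the sibling tests so an
        empty ``failed_rules`` fails on the intended assertion instead of an
        ``IndexError`` on the subscript.
        """
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {
                        "SecurityGroupIngress": [
                            {"CidrIp": "0.0.0.0/0", "FromPort": 0, "ToPort": 100},
                        ],
                    },
                },
            },
        }

        result = Result()
        rule = SecurityGroupOpenToWorldRule(None, result)
        rule.invoke(parse(template).resources, [])

        assert not result.valid
        failure = result.failed_rules[0]
        assert failure["reason"] == "Ports 0 - 100 open in Security Group RootRole"
        assert failure["rule"] == "SecurityGroupOpenToWorldRule"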
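    def test_invalid_security_group_cidripv6(self):
        """``CidrIpv6: ::/0`` on port 22 must be flagged exactly like ``0.0.0.0/0``.

        The IPv6 any-address CIDR is the same exposure as the IPv4 one, so
        the result must be invalid and the failure must name the group. The
        explicit ``valid`` check matches the other failing-case tests and
        guards the ``failed_rules[0]`` subscript.
        """
        template = {
            "AWSTemplateFormatVersion": "2010-09-09",
            "Resources": {
                "RootRole": {
                    "Type": "AWS::EC2::SecurityGroup",
                    "Properties": {
                        "SecurityGroupIngress": [
                            {"CidrIpv6": "::/0", "FromPort": 22, "ToPort": 22},
                        ],
                    },
                },
            },
        }

        result = Result()
        rule = SecurityGroupOpenToWorldRule(None, result)
        rule.invoke(parse(template).resources, [])

        assert not result.valid
        failure = result.failed_rules[0]
        assert failure["reason"] == 'Port 22 open to the world in security group "RootRole"'
        assert failure["rule"] == "SecurityGroupOpenToWorldRule"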