def test_security_group_type_slash0(self):
    """An ingress rule exposing port 22 to 0.0.0.0/0 must fail the rule.

    The rule is expected to mark the result invalid and to report the
    port and the name of the offending security group resource.
    """
    ingress = {"CidrIp": "0.0.0.0/0", "FromPort": 22, "ToPort": 22}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [ingress]},
            }
        },
    }
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(parse(template).resources)

    assert not result.valid
    failure = result.failed_rules[0]
    assert failure["reason"] == 'Port 22 open to the world in security group "RootRole"'
    assert failure["rule"] == "SecurityGroupOpenToWorldRule"
def test_security_group_rules_as_refs(self):
    """A CidrIp given as an unresolved ``Ref`` is not reported by the rule.

    Only the literal 0.0.0.0/0 form is detected here; a parameter that
    resolves to an open CIDR at deploy time would not be caught by this
    check alone — worth keeping in mind when relying on it.
    """
    ingress = {"CidrIp": {"Ref": "MyParam"}, "FromPort": 22, "ToPort": 22}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [ingress]},
            }
        },
    }
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(parse(template).resources)

    assert result.valid
    assert not result.failed_rules
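def test_invalid_security_group_range(self):
    """A port range 0-100 open to 0.0.0.0/0 must fail with a range message.

    Besides checking the failure entry, the result's overall ``valid``
    flag is asserted so a regression where a failure is recorded but the
    result still reads as valid does not go unnoticed.
    """
    ingress = {"CidrIp": "0.0.0.0/0", "FromPort": 0, "ToPort": 100}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [ingress]},
            }
        },
    }
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(parse(template).resources)

    # The overall verdict must agree with the recorded failure.
    assert not result.valid
    failure = result.failed_rules[0]
    assert failure["reason"] == "Ports 0 - 100 open in Security Group RootRole"
    assert failure["rule"] == "SecurityGroupOpenToWorldRule"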
def test_valid_security_group_port443(self):
    """Port 443 open to 0.0.0.0/0 is accepted by the rule.

    The rule treats this ingress as allowed: the result stays valid and
    no failure is recorded.
    """
    ingress = {"CidrIp": "0.0.0.0/0", "FromPort": 443, "ToPort": 443}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [ingress]},
            }
        },
    }
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(parse(template).resources, [])

    assert result.valid
    assert not result.failed_rules
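def test_invalid_security_group_range(self):
    """A port range 0-100 open to 0.0.0.0/0 must fail with a range message.

    The overall ``valid`` flag is asserted alongside the failure entry so
    a recorded failure that leaves the result valid is caught.
    """
    ingress = {"CidrIp": "0.0.0.0/0", "FromPort": 0, "ToPort": 100}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [ingress]},
            }
        },
    }
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(parse(template).resources, [])

    # The overall verdict must agree with the recorded failure.
    assert not result.valid
    failure = result.failed_rules[0]
    assert failure["reason"] == "Ports 0 - 100 open in Security Group RootRole"
    assert failure["rule"] == "SecurityGroupOpenToWorldRule"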
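def test_invalid_security_group_cidripv6(self):
    """Port 22 open to the IPv6 any-address ``::/0`` must fail the rule.

    ``CidrIpv6`` is checked in addition to ``CidrIp``; the failure entry
    and the overall ``valid`` flag are both asserted.
    """
    ingress = {"CidrIpv6": "::/0", "FromPort": 22, "ToPort": 22}
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "RootRole": {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {"SecurityGroupIngress": [ingress]},
            }
        },
    }
    result = Result()
    rule = SecurityGroupOpenToWorldRule(None, result)
    rule.invoke(parse(template).resources, [])

    # The overall verdict must agree with the recorded failure.
    assert not result.valid
    failure = result.failed_rules[0]
    assert failure["reason"] == 'Port 22 open to the world in security group "RootRole"'
    assert failure["rule"] == "SecurityGroupOpenToWorldRule"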