skip: Merge pull request #211 from epam/upd_146

upd: update policy 146 to be supported by open source Cloud Custodian

policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+  - name: ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports
+    comment: '010024022900'
+    description: |
+      VPC Network ACL allows ingress from 0.0.0.0/0 to remote server administration ports (22 or 3389)
+    resource: aws.network-acl
+    filters:
+      - type: value
+        key: min(Entries[?Egress==`false` && RuleAction=='allow' && contains(['-1', '6', '17'],Protocol) && (CidrBlock=='0.0.0.0/0' || Ipv6CidrBlock=='::/0') && (!PortRange || (PortRange.From <= `3389` && PortRange.To >= `3389`) || (PortRange.From <= `22` && PortRange.To >= `22`))].RuleNumber)>min(Entries[?Egress==`false` && RuleAction=='deny' && contains(['-1', '6', '17'],Protocol) && (CidrBlock=='0.0.0.0/0' || Ipv6CidrBlock=='::/0') && (!PortRange || (PortRange.From <= `3389` && PortRange.To >= `3389`) || (PortRange.From <= `22` && PortRange.To >= `22`))].RuleNumber)
+        value: false

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green/vpc.tf

@@ -2,14 +2,61 @@ resource "aws_vpc" "this" {
   cidr_block = "10.0.0.0/16"
 
   tags = {
-    Name = "146_aws_vpc_green"
+    Name = "146_aws_vpc_green1"
   }
-
 }
+
 resource "aws_default_network_acl" "this" {
   default_network_acl_id = aws_vpc.this.default_network_acl_id
-
   tags = {
-    Name = "146_default_network_acl_green"
+    Name = "146_default_network_acl_green1"
   }
+  ingress {
+    protocol   = "udp"
+    rule_no    = 1
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 123
+    to_port    = 300 
+  }  
+  ingress {
+    protocol   = "udp"
+    rule_no    = 2
+    action     = "allow"
+    cidr_block = "10.0.0.0/24"
+    from_port  = 22
+    to_port    = 22 
+  } 
+  ingress {
+    protocol   = "tcp"
+    rule_no    = 3
+    action     = "allow"
+    ipv6_cidr_block = "FE80::/10"
+    from_port  = 22
+    to_port    = 22 
+  } 
+  ingress {
+    protocol   = "udp"
+    rule_no    = 4
+    action     = "allow"
+    cidr_block = "10.0.0.0/24"
+    from_port  = 1
+    to_port    = 65535 
+  } 
+  ingress {
+    protocol   = "47"
+    rule_no    = 5
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 1
+    to_port    = 65535 
+  } 
+  ingress {
+    protocol   = "47"
+    rule_no    = 6
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 53
+    to_port    = 53 
+  } 
 }

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports"
+      ComplianceStatus = "Green"
+    }
+  }
+}

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/vpc.tf → terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/vpc.tf

@@ -2,33 +2,29 @@ resource "aws_vpc" "this" {
   cidr_block = "10.0.0.0/16"
 
   tags = {
-    Name = "146_aws_vpc_red"
+    Name = "146_aws_vpc_green2"
   }
-
 }
 
 resource "aws_default_network_acl" "this" {
   default_network_acl_id = aws_vpc.this.default_network_acl_id
-
+  tags = {
+    Name = "146_default_network_acl_green2"
+  }
   ingress {
     protocol   = "tcp"
-    rule_no    = 1
+    rule_no    = 100
     action     = "allow"
     cidr_block = "0.0.0.0/0"
-    from_port  = 22
-    to_port    = 22
+    from_port  = 20
+    to_port    = 26
   }
-
   ingress {
-    protocol   = "tcp"
-    rule_no    = 2
-    action     = "allow"
+    protocol   = -1
+    rule_no    = 1
+    action     = "deny"
     cidr_block = "0.0.0.0/0"
-    from_port  = 3389
-    to_port    = 3389
-  }
-
-  tags = {
-    Name = "146_default_network_acl_red"
+    from_port  = 0
+    to_port    = 0
   }
 }

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/iam/146-policy.json

@@ -2,11 +2,10 @@
     "Version": "2012-10-17",
     "Statement": [
         {
-            "Sid": "VisualEditor0",
+            "Sid": "VisualEditor",
             "Effect": "Allow",
             "Action": [
-                "ec2:DescribeNetworkAcls",
-                "ec2:DescribeRegions"
+                "ec2:DescribeNetworkAcls"
             ],
             "Resource": "*"
         }

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/vpc.tf

@@ -0,0 +1,30 @@
+resource "aws_vpc" "this" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = "146_aws_vpc_red1"
+  }
+}
+
+resource "aws_default_network_acl" "this" {
+  default_network_acl_id = aws_vpc.this.default_network_acl_id
+  tags = {
+    Name = "146_default_network_acl_red1"
+  }
+  ingress {
+    protocol   = "udp"
+    rule_no    = 4
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 1
+    to_port    = 65535 
+  }  
+  ingress {
+    protocol   = "udp"
+    rule_no    = 40
+    action     = "deny"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 1
+    to_port    = 65535 
+  } 
+}

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/vpc.tf

@@ -0,0 +1,30 @@
+resource "aws_vpc" "this" {
+  cidr_block = "10.0.0.0/16"
+
+  tags = {
+    Name = "146_aws_vpc_red2"
+  }
+}
+
+resource "aws_default_network_acl" "this" {
+  default_network_acl_id = aws_vpc.this.default_network_acl_id
+  tags = {
+    Name = "146_default_network_acl_red2"
+  }
+  ingress {
+    protocol   = "tcp"
+    rule_no    = 1
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 20
+    to_port    = 26
+  }
+  ingress {
+    protocol   = -1
+    rule_no    = 100
+    action     = "deny"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+}

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}