From 9c7cbf2c37a8f9a1733f1a871105bf33a1d0cc5b Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Fri, 31 Jan 2025 21:46:31 +0000 Subject: [PATCH] upd: update policy 146 to be supported by open source Cloud Custodian --- ..._to_remote_server_administration_ports.yml | 18 --- .../ec2.DescribeNetworkAcls_1.json | 45 ------ .../red_policy_test.py | 14 -- ..._to_remote_server_administration_ports.yml | 16 +++ .../green/vpc.tf | 55 +++++++- .../green2/provider.tf | 20 +++ .../{red => green2}/terraform.tfvars | 0 .../{red => green2}/variables.tf | 0 .../{red => green2}/vpc.tf | 28 ++-- .../iam/146-policy.json | 5 +- .../{red => red1}/provider.tf | 0 .../red1/terraform.tfvars | 2 + .../red1/variables.tf | 9 ++ .../red1/vpc.tf | 30 ++++ .../red2/provider.tf | 20 +++ .../red2/terraform.tfvars | 2 + .../red2/variables.tf | 9 ++ .../red2/vpc.tf | 30 ++++ .../red3/provider.tf | 20 +++ .../red3/terraform.tfvars | 2 + .../red3/variables.tf | 9 ++ .../red3/vpc.tf | 30 ++++ .../red4/provider.tf | 20 +++ .../red4/terraform.tfvars | 2 + .../red4/variables.tf | 9 ++ .../red4/vpc.tf | 30 ++++ .../ec2.DescribeNetworkAcls_1.json | 103 ++++++++++++++ .../ec2.DescribeNetworkAcls_1.json | 128 +++++++++--------- .../red_policy_test.py | 22 +++ 29 files changed, 512 insertions(+), 166 deletions(-) delete mode 100644 non-compatible/policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml delete mode 100644 non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json delete mode 100644 non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py create mode 100644 policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/provider.tf rename 
terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/{red => green2}/terraform.tfvars (100%) rename terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/{red => green2}/variables.tf (100%) rename terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/{red => green2}/vpc.tf (57%) rename terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/{red => red1}/provider.tf (100%) create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/terraform.tfvars create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/variables.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/vpc.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/provider.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/terraform.tfvars create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/variables.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/vpc.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/provider.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/terraform.tfvars create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/variables.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/vpc.tf create mode 
100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/provider.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/terraform.tfvars create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/variables.tf create mode 100644 terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/vpc.tf create mode 100644 tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json rename {non-compatible/tests => tests}/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-red/ec2.DescribeNetworkAcls_1.json (68%) create mode 100644 tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py diff --git a/non-compatible/policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml b/non-compatible/policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml deleted file mode 100644 index 010cb56b5..000000000 --- a/non-compatible/policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml +++ /dev/null 
@@ -1,18 +0,0 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports
- comment: '010024022900'
- description: |
- Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- resource: aws.network-acl
- filters:
- - type: cidr-egress-port-range
- egress: false
- required-ports: 22,3389
- cidr: 0.0.0.0/0
- rule-action: allow
diff --git a/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json b/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json
deleted file mode 100644
index 0bf084d44..000000000
--- a/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json
+++ /dev/null
@@ -1,45 +0,0 @@ -{ - "status_code": 200, - "data": { - "NetworkAcls": [ - { - "Associations": [], - "Entries": [ - { - "CidrBlock": "0.0.0.0/0", - "Egress": true, - "Protocol": "-1", - "RuleAction": "deny", - "RuleNumber": 32767 - }, - { - "CidrBlock": "0.0.0.0/0", - "Egress": false, - "Protocol": "-1", - "RuleAction": "deny", - "RuleNumber": 32767 - } - ], - "IsDefault": true, - "NetworkAclId": "acl-05e8078f8344df9be", - "Tags": [ - { - "Key": "Name", - "Value": "146_default_network_acl_green" - }, - { - "Key": "CustodianRule", - "Value": "epam-aws-146-no_acls_allow_ingress_0.0.0.0/0_to_remote_server_administration_ports" - }, - { - "Key": "ComplianceStatus", - "Value": "Green" - } - ], - "VpcId": "vpc-018edcb2181c67c96", - "OwnerId": "this" - } - ], - "ResponseMetadata": {} - } -} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py b/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py deleted file mode 100644 index 6158ce30d..000000000 --- a/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py +++ /dev/null 
@@ -1,14 +0,0 @@
-class PolicyTest(object):
-
- def test_resources_with_client(self, base_test, resources, local_session):
- base_test.assertEqual(len(resources), 1)
- base_test.assertEqual(resources[0]['Entries'][1]['PortRange']['From'], 22)
- base_test.assertEqual(resources[0]['Entries'][1]['CidrBlock'], "0.0.0.0/0")
- base_test.assertFalse(resources[0]['Entries'][1]['Egress'])
- base_test.assertEqual(resources[0]['Entries'][1]['RuleAction'], "allow")
- base_test.assertEqual(resources[0]['Entries'][2]['PortRange']['From'], 3389)
- base_test.assertEqual(resources[0]['Entries'][2]['CidrBlock'], "0.0.0.0/0")
- base_test.assertFalse(resources[0]['Entries'][2]['Egress'])
- base_test.assertEqual(resources[0]['Entries'][2]['RuleAction'], "allow")
-
-
diff --git a/policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml b/policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml
new file mode 100644
index 000000000..f894c4244
--- /dev/null
+++ b/policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports
+ comment: '010024022900'
+ description: |
+ VPC Network ACL allows ingress from 0.0.0.0/0 to remote server administration ports (22 or 3389)
+ resource: aws.network-acl
+ filters:
+ - type: value
+ key: min(Entries[?Egress==`false` && RuleAction=='allow' && contains(['-1', '6', '17'],Protocol) && (CidrBlock=='0.0.0.0/0' || Ipv6CidrBlock=='::/0') && (!PortRange || (PortRange.From <= `3389` && PortRange.To >= `3389`) || (PortRange.From <= `22` && PortRange.To >= `22`))].RuleNumber)>min(Entries[?Egress==`false` && RuleAction=='deny' && contains(['-1', '6', '17'],Protocol) && (CidrBlock=='0.0.0.0/0' || Ipv6CidrBlock=='::/0') && (!PortRange || (PortRange.From <= `3389` && PortRange.To >= `3389`) || (PortRange.From <= `22` && PortRange.To >= `22`))].RuleNumber)
+ value: false
diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green/vpc.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green/vpc.tf
index f7caf2980..cdbef6cb6 100644
--- a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green/vpc.tf
+++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green/vpc.tf
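Review bot: The new `key` expression reduces every matching allow entry and every matching deny entry to a single minimum rule number before comparing them, so the deny that wins the comparison is never checked against the allow it is meant to shadow in address family, protocol or port range: an allow from 0.0.0.0/0 on tcp 22 at rule 10 next to a deny for ::/0 at rule 5, or a deny for tcp 22 only ahead of a protocol -1 allow, evaluates to true and the ACL is reported compliant while a 0.0.0.0/0 path to port 22 or 3389 stays open. The red1–red4 cases added in this commit each pair an allow and a deny with the same CIDR and protocol, so this gap is not exercised by the fixtures. Splitting the filter into an `or:` of two value filters, one keyed on `CidrBlock=='0.0.0.0/0'` and one on `Ipv6CidrBlock=='::/0'`, closes the address-family half; per-protocol and per-port shadowing likely needs more than one JMESPath expression, so at least record the limitation above the filter, e.g. `# NOTE: compares lowest allow vs lowest deny rule number only; a deny on a different family/protocol/port can mask a still-open allow`.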
@@ -2,14 +2,61 @@ resource "aws_vpc" "this" { cidr_block = "10.0.0.0/16" tags = { - Name = "146_aws_vpc_green" + Name = "146_aws_vpc_green1" } - } + resource "aws_default_network_acl" "this" { default_network_acl_id = aws_vpc.this.default_network_acl_id - tags = { - Name = "146_default_network_acl_green" + Name = "146_default_network_acl_green1" } + ingress { + protocol = "udp" + rule_no = 1 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 123 + to_port = 300 + } + ingress { + protocol = "udp" + rule_no = 2 + action = "allow" + cidr_block = "10.0.0.0/24" + from_port = 22 + to_port = 22 + } + ingress { + protocol = "tcp" + rule_no = 3 + action = "allow" + ipv6_cidr_block = "FE80::/10" + from_port = 22 + to_port = 22 + } + ingress { + protocol = "udp" + rule_no = 4 + action = "allow" + cidr_block = "10.0.0.0/24" + from_port = 1 + to_port = 65535 + } + ingress { + protocol = "47" + rule_no = 5 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 1 + to_port = 65535 + } + ingress { + protocol = "47" + rule_no = 6 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 53 + to_port = 53 + } } diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/provider.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/provider.tf new file mode 100644 index 000000000..801f56755 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports" + ComplianceStatus = "Green" + } + } +} \ No newline at end of file 
diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/terraform.tfvars b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/terraform.tfvars similarity index 100% rename from terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/terraform.tfvars rename to terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/terraform.tfvars diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/variables.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/variables.tf similarity index 100% rename from terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/variables.tf rename to terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/variables.tf diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/vpc.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/vpc.tf similarity index 57% rename from terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/vpc.tf rename to terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/vpc.tf index 7e2f08a04..a943df5df 100644 --- a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/vpc.tf +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/green2/vpc.tf 
@@ -2,33 +2,29 @@ resource "aws_vpc" "this" { cidr_block = "10.0.0.0/16" tags = { - Name = "146_aws_vpc_red" + Name = "146_aws_vpc_green2" } - } resource "aws_default_network_acl" "this" { default_network_acl_id = aws_vpc.this.default_network_acl_id - + tags = { + Name = "146_default_network_acl_green2" + } ingress { protocol = "tcp" - rule_no = 1 + rule_no = 100 action = "allow" cidr_block = "0.0.0.0/0" - from_port = 22 - to_port = 22 + from_port = 20 + to_port = 26 } - ingress { - protocol = "tcp" - rule_no = 2 - action = "allow" + protocol = -1 + rule_no = 1 + action = "deny" cidr_block = "0.0.0.0/0" - from_port = 3389 - to_port = 3389 - } - - tags = { - Name = "146_default_network_acl_red" + from_port = 0 + to_port = 0 } } diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/iam/146-policy.json b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/iam/146-policy.json index 0f6abaa0d..9466b2c81 100644 --- a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/iam/146-policy.json +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/iam/146-policy.json @@ -2,11 +2,10 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "VisualEditor0", + "Sid": "VisualEditor", "Effect": "Allow", "Action": [ - "ec2:DescribeNetworkAcls", - "ec2:DescribeRegions" + "ec2:DescribeNetworkAcls" ], "Resource": "*" } 
diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/provider.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/provider.tf similarity index 100% rename from terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red/provider.tf rename to terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/provider.tf diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/terraform.tfvars b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/variables.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/vpc.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/vpc.tf new file mode 100644 index 000000000..7f04569fa --- /dev/null 
+++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red1/vpc.tf @@ -0,0 +1,30 @@ +resource "aws_vpc" "this" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "146_aws_vpc_red1" + } +} + +resource "aws_default_network_acl" "this" { + default_network_acl_id = aws_vpc.this.default_network_acl_id + tags = { + Name = "146_default_network_acl_red1" + } + ingress { + protocol = "udp" + rule_no = 4 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 1 + to_port = 65535 + } + ingress { + protocol = "udp" + rule_no = 40 + action = "deny" + cidr_block = "0.0.0.0/0" + from_port = 1 + to_port = 65535 + } +} diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/provider.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/provider.tf new file mode 100644 index 000000000..9c64e206e --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports" + ComplianceStatus = "Red" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/terraform.tfvars b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" 
diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/variables.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/vpc.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/vpc.tf new file mode 100644 index 000000000..4023cb987 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red2/vpc.tf @@ -0,0 +1,30 @@ +resource "aws_vpc" "this" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "146_aws_vpc_red2" + } +} + +resource "aws_default_network_acl" "this" { + default_network_acl_id = aws_vpc.this.default_network_acl_id + tags = { + Name = "146_default_network_acl_red2" + } + ingress { + protocol = "tcp" + rule_no = 1 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 20 + to_port = 26 + } + ingress { + protocol = -1 + rule_no = 100 + action = "deny" + cidr_block = "0.0.0.0/0" + from_port = 0 + to_port = 0 + } +} diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/provider.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/provider.tf new file mode 100644 index 000000000..9c64e206e --- /dev/null 
+++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports" + ComplianceStatus = "Red" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/terraform.tfvars b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/variables.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/vpc.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/vpc.tf new file mode 100644 index 000000000..a585f747c --- /dev/null 
+++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red3/vpc.tf @@ -0,0 +1,30 @@ +resource "aws_vpc" "this" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "146_aws_vpc_red3" + } +} + +resource "aws_default_network_acl" "this" { + default_network_acl_id = aws_vpc.this.default_network_acl_id + tags = { + Name = "146_default_network_acl_red3" + } + ingress { + protocol = "udp" + rule_no = 2 + action = "allow" + ipv6_cidr_block = "::/0" + from_port = 3389 + to_port = 3389 + } + ingress { + protocol = "udp" + rule_no = 20 + action = "deny" + ipv6_cidr_block = "::/0" + from_port = 3389 + to_port = 3389 + } +} diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/provider.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/provider.tf new file mode 100644 index 000000000..9c64e206e --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports" + ComplianceStatus = "Red" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/terraform.tfvars b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" 
diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/variables.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/vpc.tf b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/vpc.tf new file mode 100644 index 000000000..05f084ae5 --- /dev/null +++ b/terraform/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red4/vpc.tf @@ -0,0 +1,30 @@ +resource "aws_vpc" "this" { + cidr_block = "10.0.0.0/16" + + tags = { + Name = "146_aws_vpc_red4" + } +} + +resource "aws_default_network_acl" "this" { + default_network_acl_id = aws_vpc.this.default_network_acl_id + tags = { + Name = "146_default_network_acl_red4" + } + ingress { + protocol = -1 + rule_no = 4 + action = "allow" + cidr_block = "0.0.0.0/0" + from_port = 0 + to_port = 0 + } + ingress { + protocol = -1 + rule_no = 40 + action = "deny" + cidr_block = "0.0.0.0/0" + from_port = 0 + to_port = 0 + } +} diff --git a/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json b/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json new file mode 100644 index 000000000..abb7e580f --- /dev/null 
+++ b/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-green/ec2.DescribeNetworkAcls_1.json @@ -0,0 +1,103 @@ +{ + "status_code": 200, + "data": { + "NetworkAcls": [ + { + "Associations": [], + "Entries": [ + { + "CidrBlock": "0.0.0.0/0", + "Egress": true, + "Protocol": "-1", + "RuleAction": "deny", + "RuleNumber": 32767 + }, + { + "CidrBlock": "0.0.0.0/0", + "Egress": false, + "PortRange": { + "From": 123, + "To": 300 + }, + "Protocol": "17", + "RuleAction": "allow", + "RuleNumber": 1 + }, + { + "CidrBlock": "10.0.0.0/24", + "Egress": false, + "PortRange": { + "From": 22, + "To": 22 + }, + "Protocol": "17", + "RuleAction": "allow", + "RuleNumber": 2 + }, + { + "Egress": false, + "Ipv6CidrBlock": "fe80::/10", + "PortRange": { + "From": 22, + "To": 22 + }, + "Protocol": "6", + "RuleAction": "allow", + "RuleNumber": 3 + }, + { + "CidrBlock": "10.0.0.0/24", + "Egress": false, + "PortRange": { + "From": 1, + "To": 65535 + }, + "Protocol": "17", + "RuleAction": "allow", + "RuleNumber": 4 + }, + { + "CidrBlock": "0.0.0.0/0", + "Egress": false, + "Protocol": "47", + "RuleAction": "allow", + "RuleNumber": 5 + }, + { + "CidrBlock": "0.0.0.0/0", + "Egress": false, + "Protocol": "47", + "RuleAction": "allow", + "RuleNumber": 6 + }, + { + "CidrBlock": "0.0.0.0/0", + "Egress": false, + "Protocol": "-1", + "RuleAction": "deny", + "RuleNumber": 32767 + } + ], + "IsDefault": true, + "NetworkAclId": "acl-0c17da31758edbf21", + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports" + }, + { + "Key": "Name", + "Value": "146_default_network_acl_green1" + } + ], + "VpcId": "vpc-0e0f0ad99e5b15e89", + "OwnerId": "644160558196" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file 
diff --git a/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-red/ec2.DescribeNetworkAcls_1.json b/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-red/ec2.DescribeNetworkAcls_1.json similarity index 68% rename from non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-red/ec2.DescribeNetworkAcls_1.json rename to tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-red/ec2.DescribeNetworkAcls_1.json index b4ea02cfd..ab07854b7 100644 --- a/non-compatible/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-red/ec2.DescribeNetworkAcls_1.json +++ b/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/placebo-red/ec2.DescribeNetworkAcls_1.json 
@@ -1,67 +1,63 @@
-{
- "status_code": 200,
- "data": {
- "NetworkAcls": [
- {
- "Associations": [],
- "Entries": [
- {
- "CidrBlock": "0.0.0.0/0",
- "Egress": true,
- "Protocol": "-1",
- "RuleAction": "deny",
- "RuleNumber": 32767
- },
- {
- "CidrBlock": "0.0.0.0/0",
- "Egress": false,
- "PortRange": {
- "From": 22,
- "To": 22
- },
- "Protocol": "6",
- "RuleAction": "allow",
- "RuleNumber": 1
- },
- {
- "CidrBlock": "0.0.0.0/0",
- "Egress": false,
- "PortRange": {
- "From": 3389,
- "To": 3389
- },
- "Protocol": "6",
- "RuleAction": "allow",
- "RuleNumber": 2
- },
- {
- "CidrBlock": "0.0.0.0/0",
- "Egress": false,
- "Protocol": "-1",
- "RuleAction": "deny",
- "RuleNumber": 32767
- }
- ],
- "IsDefault": true,
- "NetworkAclId": "acl-0202ea11e25b41c54",
- "Tags": [
- {
- "Key": "CustodianRule",
- "Value": "epam-aws-146-no_acls_allow_ingress_0.0.0.0/0_to_remote_server_administration_ports"
- },
- {
- "Key": "Name",
- "Value": "146_default_network_acl_red"
- },
- {
- "Key": "ComplianceStatus",
- "Value": "Red"
- }
- ],
- "VpcId": "vpc-0e919101a43a05760",
- "OwnerId": "this"
- }
- ],
- "ResponseMetadata": {}
- }
+{
+ "status_code": 200,
+ "data": {
+ "NetworkAcls": [
+ {
+ "Associations": [],
+ "Entries": [
+ {
+ "CidrBlock": "0.0.0.0/0",
+ "Egress": true,
+ "Protocol": "-1",
+ "RuleAction": "deny",
+ "RuleNumber": 32767
+ },
+ {
+ "CidrBlock": "0.0.0.0/0",
+ "Egress": false,
+ "PortRange": {
+ "From": 20,
+ "To": 26
+ },
+ "Protocol": "6",
+ "RuleAction": "allow",
+ "RuleNumber": 1
+ },
+ {
+ "CidrBlock": "0.0.0.0/0",
+ "Egress": false,
+ "Protocol": "-1",
+ "RuleAction": "deny",
+ "RuleNumber": 100
+ },
+ {
+ "CidrBlock": "0.0.0.0/0",
+ "Egress": false,
+ "Protocol": "-1",
+ "RuleAction": "deny",
+ "RuleNumber": 32767
+ }
+ ],
+ "IsDefault": true,
+ "NetworkAclId": "acl-0f2734ccec361b16c",
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports"
+ },
+ {
+ "Key": "Name",
+ "Value": 
"146_default_network_acl_red2"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ }
+ ],
+ "VpcId": "vpc-085de0467f9f9bcd9",
+ "OwnerId": "644160558196"
+ }
+ ],
+ "ResponseMetadata": {}
+ }
 }
\ No newline at end of file
diff --git a/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py b/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py
new file mode 100644
index 000000000..60091c956
--- /dev/null
+++ b/tests/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports/red_policy_test.py
@@ -0,0 +1,22 @@
+class PolicyTest(object):
+
+ def test_resources_with_client(self, base_test, resources, local_session):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertTrue(resources[0]['Entries'][0]['Egress'])
+
+ base_test.assertLessEqual(resources[0]['Entries'][1]['PortRange']['From'], 22)
+ base_test.assertEqual(resources[0]['Entries'][1]['CidrBlock'], "0.0.0.0/0")
+ base_test.assertFalse(resources[0]['Entries'][1]['Egress'])
+ base_test.assertEqual(resources[0]['Entries'][1]['RuleAction'], "allow")
+ base_test.assertEqual(resources[0]['Entries'][1]['Protocol'], "6")
+ base_test.assertGreaterEqual(resources[0]['Entries'][1]['PortRange']['To'], 22)
+ rule_number1 = resources[0]['Entries'][1]['RuleNumber']
+
+ base_test.assertEqual(resources[0]['Entries'][2]['CidrBlock'], "0.0.0.0/0")
+ base_test.assertFalse(resources[0]['Entries'][2]['Egress'])
+ base_test.assertEqual(resources[0]['Entries'][2]['RuleAction'], "deny")
+ base_test.assertEqual(resources[0]['Entries'][2]['Protocol'], "-1")
+ base_test.assertNotIn('PortRange', resources[0]['Entries'][2])
+ rule_number2 = resources[0]['Entries'][2]['RuleNumber']
+
+ base_test.assertLessEqual(rule_number1, rule_number2)
\ No newline at end of file
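Review bot: `base_test.assertLessEqual(rule_number1, rule_number2)` on the last line admits equality, which cannot occur for two entries of one ACL because rule numbers are unique within an ACL, so it understates the ordering the policy depends on; `base_test.assertLess(rule_number1, rule_number2)` is the precise check. The recorded placebo-red response above holds only the ACL tagged 146_default_network_acl_red2 (a tcp 20–26 allow ahead of a protocol -1 deny), so the red1, red3 and red4 terraform cases added in this commit (udp allow, ::/0 on 3389, protocol -1 allow) never pass through the filter; recording those ACLs into the fixture and raising the `len(resources)` expectation accordingly would cover the IPv6 and protocol branches of the expression. The `base_test`, `resources` and `local_session` fixtures come from outside this file, and the index-based assertions presumably rely on entries arriving in RuleNumber order as in the recorded response — worth confirming rather than assuming.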