---
# Compliance rule for an AWS security group: the group is flagged when one of
# its related inbound rule records opens SMTP (TCP port 25) to the whole
# internet (0.0.0.0/0 or ::/0). The per-rule evaluation lives under
# relatedLists; the group-level condition only aggregates its result.
inputType: "CA10__CaAwsSecurityGroup__c"

testData:
  - file: "test-data.json"

conditions:
  # Group is INCOMPLIANT as soon as any related rule record evaluates to
  # INCOMPLIANT under the rule-level conditions below.
  - status: "INCOMPLIANT"
    currentStateMessage: "This security group allows SMTP (port 25) access from 0.0.0.0/0 or ::/0."
    remediationMessage: "Change the security group source to a range other than 0.0.0.0/0 or delete the offending inbound rule."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"

otherwise:
  status: "COMPLIANT"
  currentStateMessage: "This security group does not allow unrestricted SMTP access."

relatedLists:
  - relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
    importExtracts:
      - file: "/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml"
    conditions:
      # Only inbound rules matter for this finding.
      # NOTE(review): every direction value other than the literal "Inbound"
      # (including an empty one) ends up INAPPLICABLE here — confirm intended.
      - status: "INAPPLICABLE"
        currentStateMessage: "This is an outbound security group rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__direction__c"
            right:
              TEXT: "Inbound"

      # A rule is only "unrestricted" when its source is exactly the IPv4 or
      # IPv6 any-address range. NOTE(review): these are literal comparisons;
      # other very broad CIDRs, or rules whose source is not a CIDR at all,
      # are not treated as unrestricted by this check.
      - status: "INAPPLICABLE"
        currentStateMessage: "This security group rule does not allow unrestricted access."
        check:
          AND:
            args:
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceIpRange__c"
                  right:
                    TEXT: "0.0.0.0/0"
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceIpRange__c"
                  right:
                    TEXT: "::/0"

      # Protocol must be "All" or "tcp"; anything else cannot carry SMTP.
      # NOTE(review): the two literals differ in casing — confirm they match
      # exactly how CA10__protocol__c is populated by the extract.
      - status: "INAPPLICABLE"
        currentStateMessage: "This security group rule protocol is not All or TCP."
        check:
          NOT:
            arg:
              OR:
                args:
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "All"
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "tcp"

      # Remaining rules are inbound, from anywhere, on All/tcp: INCOMPLIANT
      # when the port range covers 25 (fromPort <= 25 <= toPort).
      # NOTE(review): if "All"-protocol rules store a sentinel such as -1 in
      # both port fields, this range test would not cover port 25 — confirm
      # how CA10__fromPort__c / CA10__toPort__c are populated for them.
      - status: "INCOMPLIANT"
        currentStateMessage: "This security group allows SMTP access from 0.0.0.0/0 or ::/0."
        remediationMessage: "Change the source field to a range other than 0.0.0.0/0 or delete the offending inbound rule."
        check:
          AND:
            args:
              - LESS_THAN_EQUAL:
                  left:
                    EXTRACT: "CA10__fromPort__c"
                  right:
                    NUMBER: 25.0
              - GREATER_THAN_EQUAL:
                  left:
                    EXTRACT: "CA10__toPort__c"
                  right:
                    NUMBER: 25.0

    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This security group does not allow unrestricted access."