π§ AWS EC2 Default Security Group does not restrict all traffic - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml - Located in: π AWS EC2 Default Security Group does not restrict all traffic π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π AWS EC2 Security Group | CA10__CaAwsSecurityGroup__c | 1 | 1 | 17 |
Usesβ
Test Results π’β
Generated at: 2025-04-24T23:44:28.809237056Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ extract('Name') != 'default' | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) && CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test4 | βοΈ 399 | βοΈ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test5 | βοΈ 499 | βοΈ CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test6 | βοΈ 500 | βοΈ otherwise | βοΈ null |
| π’ | test7 | βοΈ 199 | βοΈ extract('Name') != 'default' | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/policy.yaml | D91B20477D1817E1B9BE7B8A928B63BF |
| Open | /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml | 4945C757D1804DBE389489AD4D4283BB |
| Open | /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/test-data.json | 37B04986D084BE0C7061311BAC7AE919 |
| Open | /types/CA10__CaAwsSecurityGroup__c/object.extracts.yaml | A2471F2057DC88C21DECC644AE04DF58 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsSecurityGroup__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAwsSecurityGroup__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is not a default Security Group."
check:
NOT_EQUAL:
left:
EXTRACT: "Name"
right:
TEXT: "default"
- status: "INCOMPLIANT"
currentStateMessage: "This default Security Group doesn't restrict all traffic and is attached to an EC2 Instance."
remediationMessage: "Consider removing all rules from this Security Group and detaching it from all EC2 Instances to restrict all traffic."
check:
AND:
args:
- RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
- RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_EC2_Instance_FWs__r"
- status: "INCOMPLIANT"
currentStateMessage: "This default Security Group doesn't restrict all traffic."
remediationMessage: "Consider removing all rules from this Security Group to restrict all traffic."
check:
RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
- status: "INCOMPLIANT"
currentStateMessage: "This default Security Group is attached to an EC2 Instance."
remediationMessage: "Consider removing the default Security Group from all EC2 Instances."
check:
RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_EC2_Instance_FWs__r"
otherwise:
status: "COMPLIANT"
currentStateMessage: "The default security group restricts all traffic."
relatedLists:
- relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
conditions: []
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "This is a Security Group rule."
remediationMessage: "Consider removing this rule."
- relationshipName: "CA10__AWS_EC2_Instance_FWs__r"
conditions: []
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "This Security Group is attached to an EC2 Instance."
remediationMessage: "Consider removing the default Security Group from the EC2 Instance."