π§ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/prod.logic.yaml - Located in: π AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π AWS EC2 Security Group | CA10__CaAwsSecurityGroup__c | 1 | 1 | 17 |
Usesβ
Test Results π’β
Generated at: 2025-04-24T23:44:35.705692539Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test3 | βοΈ 199 | βοΈ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test4 | βοΈ 199 | βοΈ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test5 | βοΈ 199 | βοΈ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test6 | βοΈ 199 | βοΈ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test7 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | test8 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | test9 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | test10 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | test11 | βοΈ 200 | βοΈ otherwise | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/policy.yaml | 891E68A0C63B092E6AA4DDBEE94C857F |
| Open | /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/prod.logic.yaml | 3C1DD3E3D6AD04825C41CC524C6F0F58 |
| Open | /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/test-data.json | AE2B2619878774C1DCDA1180B94352D3 |
| Open | /types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml | 58DC1872D7462985D50972C65C61C237 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/aws/ec2/security-group-allows-public-ipv4-to-admin-ports/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsSecurityGroup__c"
testData:
- file: "test-data.json"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "This Security Group allows ingress from 0.0.0.0/0 to remote server administration ports."
remediationMessage: "Consider changing the Security Group source field to a range other than 0.0.0.0/0 or delete the offending inbound rule."
check:
RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
otherwise:
status: "COMPLIANT"
currentStateMessage: "This Security Group doesn't allow ingress from 0.0.0.0/0."
relatedLists:
- relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
importExtracts:
- file: "/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is an outbound security group rule."
check:
NOT_EQUAL:
left:
EXTRACT: "CA10__direction__c"
right:
TEXT: "Inbound"
- status: "INAPPLICABLE"
currentStateMessage: "This security group rule does not allow unrestricted access."
check:
NOT_EQUAL:
left:
EXTRACT: "CA10__sourceIpRange__c"
right:
TEXT: "0.0.0.0/0"
- status: "INAPPLICABLE"
currentStateMessage: "This security group rule protocol is not All, TCP, or UDP."
check:
# check that protocol is neither all, tcp, or udp
NOT:
arg:
OR:
args:
- IS_EQUAL:
left:
EXTRACT: "CA10__protocol__c"
right:
TEXT: "All"
- IS_EQUAL:
left:
EXTRACT: "CA10__protocol__c"
right:
TEXT: "tcp"
- IS_EQUAL:
left:
EXTRACT: "CA10__protocol__c"
right:
TEXT: "udp"
- status: "INCOMPLIANT"
currentStateMessage: "This Security Group allows ingress from 0.0.0.0/0."
remediationMessage: "Consider changing the source field to a range other than 0.0.0.0/0 or delete the offending inbound rule."
check:
# check that port range either includes port 22 or port 3389, or the range is empty (all ports)
OR:
args:
- AND:
args:
- LESS_THAN_EQUAL:
left:
EXTRACT: "CA10__fromPort__c"
right:
NUMBER: 22.0
- GREATER_THAN_EQUAL:
left:
EXTRACT: "CA10__toPort__c"
right:
NUMBER: 22.0
- AND:
args:
- LESS_THAN_EQUAL:
left:
EXTRACT: "CA10__fromPort__c"
right:
NUMBER: 3389.0
- GREATER_THAN_EQUAL:
left:
EXTRACT: "CA10__toPort__c"
right:
NUMBER: 3389.0
- IS_EMPTY:
arg:
EXTRACT: "CA10__fromPort__c"
- IS_EMPTY:
arg:
EXTRACT: "CA10__toPort__c"
otherwise:
status: "COMPLIANT"
currentStateMessage: "This Security Group doesn't allow ingress from 0.0.0.0/0."