🧠 AWS EC2 Security Group allows unrestricted traffic to MSSQL - prod.logic.yaml 🟢

• Contextual name: 🧠 prod.logic.yaml 🟢
• ID: /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/prod.logic.yaml
• Located in: 📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢

Flags

• 🟢 Logic test success
• 🟢 Logic with extracts
• 🟢 Logic with test data

Input Type

	Type	API Name	Extracts	Extract Files	Logic Files
🔒	📕 AWS EC2 Security Group	CA10__CaAwsSecurityGroup__c	1	1	17

Uses

• 🔌 AWS EC2 Security Group Rule - object.extracts.yaml
• 🧪 test-data.json

Test Results 🟢

Generated at: 2025-04-24T23:44:45.933207514Z Open

Result	Id	Condition Index	Condition Text	Runtime Error
🟢	test1	✔️ 99	✔️ isDisappeared(CA10__disappearanceTime__c)	✔️ null
🟢	test2	✔️ 199	✔️ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)	✔️ null
🟢	test3	✔️ 199	✔️ CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)	✔️ null
🟢	test5	✔️ 200	✔️ otherwise	✔️ null
🟢	test6	✔️ 200	✔️ otherwise	✔️ null
🟢	test7	✔️ 200	✔️ otherwise	✔️ null
🟢	test8	✔️ 200	✔️ otherwise	✔️ null

Generation

	File	MD5
Open	/ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/policy.yaml	4532F486F2AB91C4200FD2A2F4A8346C
Open	/ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/prod.logic.yaml	1B07FB1771B0563F26967BAEC6565FF2
Open	/ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/test-data.json	8685EDD3EC803D1469398F74831BF784
Open	/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml	58DC1872D7462985D50972C65C61C237

Generate FULL script

java -jar repo-manager.jar policies generate FULL /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/prod.logic.yaml

Generate DEBUG script

java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/prod.logic.yaml

Generate CAPTURE_TEST_DATA script

java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/prod.logic.yaml

Generate TESTS script

java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/prod.logic.yaml

Execute tests

java -jar repo-manager.jar policies test /ce/ca/aws/ec2/security-group-allows-unrestricted-traffic-to-mssql/prod.logic.yaml

Content

Open File

---
inputType: "CA10__CaAwsSecurityGroup__c"
testData:
  - file: "test-data.json"
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "This Security Group allows access from 0.0.0.0/0 or ::/0 to MSSQL on port 1433."
    remediationMessage: "Consider changing the Security Group source field to a range other than 0.0.0.0/0 or delete the offending inbound rule."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "This Security Group doesn't allow unrestricted access to MSSQL."
relatedLists: 
  - relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
    importExtracts:
    - file: "/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml"
    conditions:
      - status: "INAPPLICABLE"
        currentStateMessage: "This is an outbound security group rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__direction__c"
            right:
              TEXT: "Inbound"
      - status: "INAPPLICABLE"
        currentStateMessage: "This security group rule does not allow unrestricted access."
        check:
          AND:
            args:
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceIpRange__c"
                  right:
                    TEXT: "0.0.0.0/0"
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceIpRange__c"
                  right:
                    TEXT: "::/0"
      - status: "INAPPLICABLE"
        currentStateMessage: "This security group rule protocol is not All or TCP."
        check:
# check that protocol is neither all or tcp
          NOT:
            arg:
              OR:
                args:
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "All"
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "tcp"
      - status: "INCOMPLIANT"
        currentStateMessage: "This Security Group allows access from 0.0.0.0/0 or\
          \ ::/0 to MSSQL on port 1433."
        remediationMessage: "Consider changing the source field to a range other\
          \ than 0.0.0.0/0 or delete the offending inbound rule."
        check:
          AND:
            args:
              - LESS_THAN_EQUAL:
                  left:
                    EXTRACT: "CA10__fromPort__c"
                  right:
                    NUMBER: 1433.0
              - GREATER_THAN_EQUAL:
                  left:
                    EXTRACT: "CA10__toPort__c"
                  right:
                    NUMBER: 1433.0
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This Security Group doesn't allow unrestricted access."