Skip to main content

🧠 AWS VPC Network ACL exposes admin ports to public internet ports - prod.logic.yaml 🟒

Flags​

Input Type​

TypeAPI NameExtractsExtract FilesLogic Files
πŸ”’πŸ“• AWS VPC Network ACLCA10__CaAwsNetworkAcl__c1

Uses​

Test Results πŸŸ’β€‹

Generated at: 2025-04-24T23:45:14.356846364Z Open

ResultIdCondition IndexCondition TextRuntime Error
🟒test1βœ”οΈ 199βœ”οΈ CA10__networkAclEntities__r.has(INCOMPLIANT)βœ”οΈ null
🟒test2βœ”οΈ 199βœ”οΈ CA10__networkAclEntities__r.has(INCOMPLIANT)βœ”οΈ null
🟒test3βœ”οΈ 199βœ”οΈ CA10__networkAclEntities__r.has(INCOMPLIANT)βœ”οΈ null
🟒test4βœ”οΈ 99βœ”οΈ isDisappeared(CA10__disappearanceTime__c)βœ”οΈ null
🟒test5βœ”οΈ 200βœ”οΈ otherwiseβœ”οΈ null
🟒test6βœ”οΈ 200βœ”οΈ otherwiseβœ”οΈ null
🟒test7βœ”οΈ 200βœ”οΈ otherwiseβœ”οΈ null
🟒test8βœ”οΈ 200βœ”οΈ otherwiseβœ”οΈ null
🟒test9βœ”οΈ 200βœ”οΈ otherwiseβœ”οΈ null

Generation​

FileMD5
Open/ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/policy.yamlB03DAB97F8BE046214831817BECAB2E1
Open/ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/prod.logic.yaml719BA9B75500735E839E7CBAB7634602
Open/ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/test-data.json3B07CD5BF0C157145B5E07DC17B5F257
Open/types/CA10__CaAwsNetworkAclEntry__c/object.extracts.yaml8A3F6EF27459B886B11192B9BEB514B5

Generate FULL script​

java -jar repo-manager.jar policies generate FULL /ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/prod.logic.yaml

Generate DEBUG script​

java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/prod.logic.yaml

Generate CAPTURE_TEST_DATA script​

java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/prod.logic.yaml

Generate TESTS script​

java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/prod.logic.yaml

Execute tests​

java -jar repo-manager.jar policies test /ce/ca/aws/vpc/network-acl-exposes-admin-ports-to-internet/prod.logic.yaml

Content​

Open File

---
inputType: "CA10__CaAwsNetworkAcl__c"
testData:
  - file: "test-data.json"
conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "This Network ACL allows ingress from 0.0.0.0/0 to remote server administration ports."
    remediationMessage: "Consider changing the Network ACL source field to a range other than 0.0.0.0/0 or delete the offending inbound rule."
    check:
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__networkAclEntities__r"
otherwise:
  status: "COMPLIANT"
  currentStateMessage: "This Network ACL doesn't allow ingress from 0.0.0.0/0."
relatedLists: 
  - relationshipName: "CA10__networkAclEntities__r"
    importExtracts:
    - file: "/types/CA10__CaAwsNetworkAclEntry__c/object.extracts.yaml"
    conditions:
      - status: "INAPPLICABLE"
        currentStateMessage: "This is an egress NACL rule."
        check:
          IS_EQUAL:
            left:
              EXTRACT: "CA10__egress__c"
            right:
              BOOLEAN: true
      - status: "INAPPLICABLE"
        currentStateMessage: "This is not an allow NACL rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__ruleAction__c"
            right:
              TEXT: "allow"
      - status: "INAPPLICABLE"
        currentStateMessage: "This NACL rule does not allow unrestricted access."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__cidrBlock__c"
            right:
              TEXT: "0.0.0.0/0"
      - status: "INAPPLICABLE"
        currentStateMessage: "This NACL rule does not use All, TCP, or UDP ports."
        check:
# check that protocol is neither all, tcp, or udp
          NOT:
            arg:
              OR:
                args:
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "All"
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "tcp"
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "udp"
      - status: "INCOMPLIANT"
        currentStateMessage: "This Network ACL allows ingress from 0.0.0.0/0."
        remediationMessage: "Consider changing the source field to a range other than 0.0.0.0/0 or delete the offending inbound rule."
        check:
# check that port range either includes port 22 or port 3389, or the range is empty (all ports)
          OR:
            args:
              - AND:
                  args:
                    - LESS_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__portRangeFrom__c"
                        right:
                          NUMBER: 22.0
                    - GREATER_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__portRangeTo__c"
                        right:
                          NUMBER: 22.0
              - AND:
                  args:
                    - LESS_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__portRangeFrom__c"
                        right:
                          NUMBER: 3389.0
                    - GREATER_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__portRangeTo__c"
                        right:
                          NUMBER: 3389.0
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__portRangeFrom__c"
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__portRangeTo__c"
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This Network ACL doesn't allow ingress from 0.0.0.0/0."