Create rule S6463: Allowing unrestricted outbound communications is security-sensitive (#1295)

rules/S6463/ask-yourself.adoc

@@ -0,0 +1,7 @@
+== Ask Yourself Whether
+
+* The resource has access to sensitive data.
+* The resource is part of a private network.
+
+There is a risk if you answered yes to any of those questions.
+

rules/S6463/description.adoc

@@ -0,0 +1,9 @@
+Allowing unrestricted outbound communications can lead to data leaks.
+
+A restrictive security group is an additional layer of protection that might
+prevent the abuse or exploitation of a resource. For example, it complicates the
+exfiltration of data in the case of a successfully exploited vulnerability.
+
+When deciding if outgoing connections should be limited, consider that limiting
+the connections results in additional administration and maintenance work.
+

rules/S6463/metadata.json

@@ -0,0 +1,39 @@
+{
+  "title": "Allowing unrestricted outbound communications is security-sensitive",
+  "type": "SECURITY_HOTSPOT",
+  "status": "ready",
+  "remediation": {
+    "func": "Constant\/Issue",
+    "constantCost": "60min"
+  },
+  "tags": [
+    "aws",
+    "cwe"
+  ],
+  "extra": {
+    "replacementRules": [
+
+    ],
+    "legacyKeys": [
+
+    ]
+  },
+  "defaultSeverity": "Major",
+  "ruleSpecification": "RSPEC-6463",
+  "sqKey": "S6463",
+  "scope": "Main",
+  "securityStandards": {
+    "CWE": [
+      284
+    ],
+    "PCI DSS 3.2": [
+      "6.5.8"
+    ],
+    "PCI DSS 4.0": [
+      "6.2.4"
+    ]
+  },
+  "defaultQualityProfiles": [
+    "Sonar way"
+  ]
+}

rules/S6463/python/message.adoc

@@ -0,0 +1,5 @@
+=== Message
+
+* Make sure that allowing unrestricted outbound communications is safe here.
+* Omitting "allow_all_outbound" enables unrestricted outbound communications. Make sure it is safe here.
+

rules/S6463/python/metadata.json

@@ -0,0 +1,2 @@
+{
+}

rules/S6463/python/rule.adoc

@@ -0,0 +1,59 @@
+include::../description.adoc[]
+
+include::../ask-yourself.adoc[]
+
+include::../recommended.adoc[]
+
+== Sensitive Code Example
+
+For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:
+
+[source,python]
+----
+from aws_cdk import (
+    aws_ec2 as ec2
+)
+
+ec2.SecurityGroup(  # Sensitive; allow_all_outbound is enabled by default
+    self,
+    "example",
+    vpc=vpc
+)
+----
+
+== Compliant Solution
+
+For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]:
+
+[source,python]
+----
+from aws_cdk import (
+    aws_ec2 as ec2
+)
+
+sg = ec2.SecurityGroup(
+    self,
+    "example",
+    vpc=vpc,
+    allow_all_outbound=False
+)
+
+sg.add_egress_rule(
+    peer=ec2.Peer.ipv4("203.0.113.127/32"),
+    connection=ec2.Port.tcp(443)
+)
+----
+
+include::../see.adoc[]
+
+ifdef::env-github,rspecator-view[]
+
+'''
+
+== Implementation Specification
+(visible only on this page)
+
+include::message.adoc[]
+
+endif::env-github,rspecator-view[]
+

rules/S6463/recommended.adoc

@@ -0,0 +1,4 @@
+== Recommended Secure Coding Practices
+
+It is recommended to restrict outgoing connections to a set of trusted
+destinations.

rules/S6463/see.adoc

@@ -0,0 +1,6 @@
+== See
+
+* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
+* https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html[AWS Documentation] - Control traffic to resources using security groups
+* https://cwe.mitre.org/data/definitions/284[MITRE, CWE-284] - Improper Access Control
+* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control