ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create rule S6329: Allowing public network access to cloud resources is security-sensitive - Adding python (APPSEC-147)(#1288)

Browse Source
This commit is contained in:
github-actions[bot] 2022-09-30 16:30:17 +02:00 committed by GitHub
parent 0061c0f0ea
commit 13cb1f6290
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 221 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
rules/S6329/python/highlight.adoc Normal file
View File

@ -0,0 +1,31 @@
=== Highlight
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instances]:
* Highlight the `vpc_subnets` property (or dict entry) when set to a selection of public subnets.
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]
* Highlight the `associate_public_ip_address` property when set to `True`
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]
* Highlight the `publicly_accessible` property when set to `True`
* Highlight the constructor code when the `publicly_accessible` property is
not set
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]
* If the `vpc_subnets` attribute contains a public subnet, highlight the
`publicly_accessible` property if set to `True`
* Highlight the `vpc_subnets` attribute if it contains a public subnet, and
the `publicly_accessible` property if not set
* If the `vpc_subnets` public / private state can not be decided,
highlight the `publicly_accessible` property if set to `True`
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]
* If the `db_subnet_group_name` points to a public subnet, highlight the
`publicly_accessible` property if set to `True`
* If the `db_subnet_group_name` public / private state can not be
decided, highlight the `publicly_accessible` property if set to `True`

2
rules/S6329/python/message.adoc Normal file
View File

@ -0,0 +1,2 @@
=== Message
* Make sure allowing public network access is safe here.

2
rules/S6329/python/metadata.json Normal file
View File

@ -0,0 +1,2 @@
{
}

186
rules/S6329/python/rule.adoc Normal file
View File

@ -0,0 +1,186 @@
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and similar constructs:
[source,python]
----
from aws_cdk import aws_ec2 as ec2
ec2.Instance(
self,
"vpc_subnet_public",
instance_type=nano_t2,
machine_image=ec2.MachineImage.latest_amazon_linux(),
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC) # Sensitive
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]:
[source,python]
----
from aws_cdk import aws_ec2 as ec2
ec2.CfnInstance(
self,
"cfn_public_exposed",
instance_type="t2.micro",
image_id="ami-0ea0f26a6d50850c5",
network_interfaces=[
ec2.CfnInstance.NetworkInterfaceProperty(
device_index="0",
associate_public_ip_address=True, # Sensitive
delete_on_termination=True,
subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC).subnet_ids[0]
)
]
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]:
[source,python]
----
from aws_cdk import aws_dms as dms
rep_instance = dms.CfnReplicationInstance(
self,
"explicit_public",
replication_instance_class="dms.t2.micro",
allocated_storage=5,
publicly_accessible=True, # Sensitive
replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier,
vpc_security_group_ids=[vpc.vpc_default_security_group]
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:
[source,python]
----
from aws_cdk import aws_rds as rds
from aws_cdk import aws_ec2 as ec2
rds_subnet_group_public = rds.CfnDBSubnetGroup(
self,
"public_subnet",
db_subnet_group_description="Subnets",
subnet_ids=vpc.select_subnets(
subnet_type=ec2.SubnetType.PUBLIC
).subnet_ids
)
rds.CfnDBInstance(
self,
"public-public-subnet",
engine="postgres",
master_username="foobar",
master_user_password="12345678",
db_instance_class="db.r5.large",
allocated_storage="200",
iops=1000,
db_subnet_group_name=rds_subnet_group_public.ref,
publicly_accessible=True, # Sensitive
vpc_security_groups=[sg.security_group_id]
)
----
== Compliant Solution
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance]:
[source,python]
----
from aws_cdk import aws_ec2 as ec2
ec2.Instance(
self,
"vpc_subnet_private",
instance_type=nano_t2,
machine_image=ec2.MachineImage.latest_amazon_linux(),
vpc=vpc,
vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT)
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]:
[source,python]
----
from aws_cdk import aws_ec2 as ec2
ec2.CfnInstance(
self,
"cfn_private",
instance_type="t2.micro",
image_id="ami-0ea0f26a6d50850c5",
network_interfaces=[
ec2.CfnInstance.NetworkInterfaceProperty(
device_index="0",
associate_public_ip_address=False, # Compliant
delete_on_termination=True,
subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT).subnet_ids[0]
)
]
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]:
[source,python]
----
from aws_cdk import aws_dms as dms
rep_instance = dms.CfnReplicationInstance(
self,
"explicit_private",
replication_instance_class="dms.t2.micro",
allocated_storage=5,
publicly_accessible=False,
replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier,
vpc_security_group_ids=[vpc.vpc_default_security_group]
)
----
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:
[source,python]
----
from aws_cdk import aws_rds as rds
from aws_cdk import aws_ec2 as ec2
rds_subnet_group_private = rds.CfnDBSubnetGroup(
self,
"private_subnet",
db_subnet_group_description="Subnets",
subnet_ids=vpc.select_subnets(
subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT
).subnet_ids
)
rds.CfnDBInstance(
self,
"private-private-subnet",
engine="postgres",
master_username="foobar",
master_user_password="12345678",
db_instance_class="db.r5.large",
allocated_storage="200",
iops=1000,
db_subnet_group_name=rds_subnet_group_private.ref,
publicly_accessible=False,
vpc_security_groups=[sg.security_group_id]
)
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::highlight.adoc[]
endif::env-github,rspecator-view[]