include::../description.adoc[] include::../recommended.adoc[] == Noncompliant Code Example For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const instance = new ec2.Instance(this, "default-own-security-group",{ instanceType: nanoT2, machineImage: ec2.MachineImage.latestAmazonLinux(), vpc: vpc, instanceName: "test-instance" }) instance.connections.allowFrom( ec2.Peer.anyIpv4(), // Noncompliant ec2.Port.tcp(22), /*description*/ "Allows SSH from all IPv4" ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup] [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const securityGroup = new ec2.SecurityGroup(this, "custom-security-group", { vpc: vpc }) securityGroup.addIngressRule( ec2.Peer.anyIpv4(), // Noncompliant ec2.Port.tcpRange(1, 1024) ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup] [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnSecurityGroup( this, "cfn-based-security-group", { groupDescription: "cfn based security group", groupName: "cfn-based-security-group", vpcId: vpc.vpcId, securityGroupIngress: [ { ipProtocol: "6", cidrIp: "0.0.0.0/0", // Noncompliant fromPort: 22, toPort: 22 } ] } ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress] [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnSecurityGroupIngress( // Noncompliant this, "ingress-all-ip-tcp-ssh", { ipProtocol: "tcp", cidrIp: "0.0.0.0/0", fromPort: 22, toPort: 22, groupId: securityGroup.attrGroupId }) ---- == Compliant Solution For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.Instance.html[aws-cdk-lib.aws_ec2.Instance] and other constructs that support a `connections` attribute: [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const instance = new ec2.Instance(this, "default-own-security-group",{ instanceType: nanoT2, machineImage: ec2.MachineImage.latestAmazonLinux(), vpc: vpc, instanceName: "test-instance" }) instance.connections.allowFrom( ec2.Peer.ipv4("192.0.2.0/24"), ec2.Port.tcp(22), /*description*/ "Allows SSH from a trusted range" ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.SecurityGroup.html[aws-cdk-lib.aws_ec2.SecurityGroup] [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' const securityGroup3 = new ec2.SecurityGroup(this, "custom-security-group", { vpc: vpc }) securityGroup3.addIngressRule( ec2.Peer.anyIpv4(), ec2.Port.tcpRange(1024, 1048) ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroup.html[aws-cdk-lib.aws_ec2.CfnSecurityGroup] [source,javascript] ---- import {aws_ec2 as ec2} from 'aws-cdk-lib' new ec2.CfnSecurityGroup( this, "cfn-based-security-group", { groupDescription: "cfn based security group", groupName: "cfn-based-security-group", vpcId: vpc.vpcId, securityGroupIngress: [ { ipProtocol: "6", cidrIp: "192.0.2.0/24", // Compliant fromPort: 22, toPort: 22 } ] } ) ---- For https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress.html[aws-cdk-lib.aws_ec2.CfnSecurityGroupIngress] [source,javascript] ---- new ec2.CfnSecurityGroupIngress( this, "ingress-all-ipv4-tcp-http", { ipProtocol: "6", cidrIp: "0.0.0.0/0", fromPort: 80, toPort: 80, groupId: securityGroup.attrGroupId } ) ---- include::../see.adoc[] ifdef::env-github,rspecator-view[] ''' == Implementation Specification (visible only on this page) include::highlight.adoc[] include::message.adoc[] endif::env-github,rspecator-view[]