223 lines
5.0 KiB
Plaintext
223 lines
5.0 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and other constructs that support a `connections` attribute:
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
instance = ec2.Instance(
|
|
self,
|
|
"my_instance",
|
|
instance_type=nano_t2,
|
|
machine_image=ec2.MachineImage.latest_amazon_linux(),
|
|
vpc=vpc
|
|
)
|
|
|
|
instance.connections.allow_from(
|
|
ec2.Peer.any_ipv4(), # Noncompliant
|
|
ec2.Port.tcp(22),
|
|
description="Allows SSH from all IPv4"
|
|
)
|
|
instance.connections.allow_from_any_ipv4( # Noncompliant
|
|
ec2.Port.tcp(3389),
|
|
description="Allows Terminal Server from all IPv4"
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
security_group = ec2.SecurityGroup(
|
|
self,
|
|
"custom-security-group",
|
|
vpc=vpc
|
|
)
|
|
|
|
security_group.add_ingress_rule(
|
|
ec2.Peer.any_ipv4(), # Noncompliant
|
|
ec2.Port.tcp_range(1, 1024)
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroup.html[aws_cdk.aws_ec2.CfnSecurityGroup]
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.CfnSecurityGroup(
|
|
self,
|
|
"cfn-based-security-group",
|
|
group_description="cfn based security group",
|
|
group_name="cfn-based-security-group",
|
|
vpc_id=vpc.vpc_id,
|
|
security_group_ingress=[
|
|
ec2.CfnSecurityGroup.IngressProperty( # Noncompliant
|
|
ip_protocol="6",
|
|
cidr_ip="0.0.0.0/0",
|
|
from_port=22,
|
|
to_port=22
|
|
),
|
|
ec2.CfnSecurityGroup.IngressProperty( # Noncompliant
|
|
ip_protocol="tcp",
|
|
cidr_ip="0.0.0.0/0",
|
|
from_port=3389,
|
|
to_port=3389
|
|
),
|
|
{ # Noncompliant
|
|
"ipProtocol":"-1",
|
|
"cidrIpv6":"::/0"
|
|
}
|
|
]
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroupIngress.html[aws_cdk.aws_ec2.CfnSecurityGroupIngress]
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.CfnSecurityGroupIngress( # Noncompliant
|
|
self,
|
|
"ingress-all-ip-tcp-ssh",
|
|
ip_protocol="tcp",
|
|
cidr_ip="0.0.0.0/0",
|
|
from_port=22,
|
|
to_port=22,
|
|
group_id=security_group.attr_group_id
|
|
)
|
|
|
|
ec2.CfnSecurityGroupIngress( # Noncompliant
|
|
self,
|
|
"ingress-all-ipv6-all-tcp",
|
|
ip_protocol="-1",
|
|
cidr_ipv6="::/0",
|
|
group_id=security_group.attr_group_id
|
|
)
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and other constructs that support a `connections` attribute:
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
instance = ec2.Instance(
|
|
self,
|
|
"my_instance",
|
|
instance_type=nano_t2,
|
|
machine_image=ec2.MachineImage.latest_amazon_linux(),
|
|
vpc=vpc
|
|
)
|
|
|
|
instance.connections.allow_from_any_ipv4(
|
|
ec2.Port.tcp(1234),
|
|
description="Allows 1234 from all IPv4"
|
|
)
|
|
|
|
instance.connections.allow_from(
|
|
ec2.Peer.ipv4("192.0.2.0/24"),
|
|
ec2.Port.tcp(22),
|
|
description="Allows SSH from all IPv4"
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/SecurityGroup.html[aws_cdk.aws_ec2.SecurityGroup]
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
security_group = ec2.SecurityGroup(
|
|
self,
|
|
"custom-security-group",
|
|
vpc=vpc
|
|
)
|
|
|
|
security_group.add_ingress_rule(
|
|
ec2.Peer.any_ipv4(),
|
|
ec2.Port.tcp_range(1024, 1048)
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroup.html[aws_cdk.aws_ec2.CfnSecurityGroup]
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.CfnSecurityGroup(
|
|
self,
|
|
"cfn-based-security-group",
|
|
group_description="cfn based security group",
|
|
group_name="cfn-based-security-group",
|
|
vpc_id=vpc.vpc_id,
|
|
security_group_ingress=[
|
|
ec2.CfnSecurityGroup.IngressProperty(
|
|
ip_protocol="tcp",
|
|
cidr_ip="0.0.0.0/0",
|
|
from_port=1024,
|
|
to_port=1048
|
|
),
|
|
{
|
|
"ipProtocol":"6",
|
|
"cidrIp":"192.0.2.0/24",
|
|
"fromPort":22,
|
|
"toPort":22
|
|
}
|
|
]
|
|
)
|
|
----
|
|
|
|
For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnSecurityGroupIngress.html[aws_cdk.aws_ec2.CfnSecurityGroupIngress]
|
|
|
|
[source,python]
|
|
----
|
|
from aws_cdk import aws_ec2 as ec2
|
|
|
|
ec2.CfnSecurityGroupIngress(
|
|
self,
|
|
"ingress-all-ipv4-tcp-http",
|
|
ip_protocol="6",
|
|
cidr_ip="0.0.0.0/0",
|
|
from_port=80,
|
|
to_port=80,
|
|
group_id=security_group.attr_group_id
|
|
)
|
|
|
|
ec2.CfnSecurityGroupIngress(
|
|
self,
|
|
"ingress-range-tcp-rdp",
|
|
ip_protocol="tcp",
|
|
cidr_ip="192.0.2.0/24",
|
|
from_port=3389,
|
|
to_port=3389,
|
|
group_id=security_group.attr_group_id
|
|
)
|
|
----
|
|
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::highlight.adoc[]
|
|
|
|
include::message.adoc[]
|
|
|
|
endif::env-github,rspecator-view[] |