rspec/rules/S6329/python/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance] and similar constructs:
[source,python]
----
from aws_cdk import aws_ec2 as ec2

ec2.Instance(
    self,
    "vpc_subnet_public",
    instance_type=nano_t2,
    machine_image=ec2.MachineImage.latest_amazon_linux(),
    vpc=vpc,
    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC) # Sensitive
)
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]:
[source,python]
----
from aws_cdk import aws_ec2 as ec2

ec2.CfnInstance(
    self,
    "cfn_public_exposed",
    instance_type="t2.micro",
    image_id="ami-0ea0f26a6d50850c5",
    network_interfaces=[
        ec2.CfnInstance.NetworkInterfaceProperty(
            device_index="0",
            associate_public_ip_address=True, # Sensitive
            delete_on_termination=True,
            subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PUBLIC).subnet_ids[0]
        )
    ]
)
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]:
[source,python]
----
from aws_cdk import aws_dms as dms

rep_instance = dms.CfnReplicationInstance(
    self,
    "explicit_public",
    replication_instance_class="dms.t2.micro",
    allocated_storage=5,
    publicly_accessible=True, # Sensitive
    replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier,
    vpc_security_group_ids=[vpc.vpc_default_security_group]
)
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:
[source,python]
----
from aws_cdk import aws_rds as rds
from aws_cdk import aws_ec2 as ec2

rds_subnet_group_public = rds.CfnDBSubnetGroup(
    self,
    "public_subnet",
    db_subnet_group_description="Subnets",
    subnet_ids=vpc.select_subnets(
        subnet_type=ec2.SubnetType.PUBLIC
    ).subnet_ids
)

rds.CfnDBInstance(
    self,
    "public-public-subnet",
    engine="postgres",
    master_username="foobar",
    master_user_password="12345678",
    db_instance_class="db.r5.large",
    allocated_storage="200",
    iops=1000,
    db_subnet_group_name=rds_subnet_group_public.ref,
    publicly_accessible=True, # Sensitive
    vpc_security_groups=[sg.security_group_id]
)
----

== Compliant Solution

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instance]:
[source,python]
----
from aws_cdk import aws_ec2 as ec2

ec2.Instance(
    self,
    "vpc_subnet_private",
    instance_type=nano_t2,
    machine_image=ec2.MachineImage.latest_amazon_linux(),
    vpc=vpc,
    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT)
)
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]:
[source,python]
----
from aws_cdk import aws_ec2 as ec2

ec2.CfnInstance(
    self,
    "cfn_private",
    instance_type="t2.micro",
    image_id="ami-0ea0f26a6d50850c5",
    network_interfaces=[
        ec2.CfnInstance.NetworkInterfaceProperty(
            device_index="0",
            associate_public_ip_address=False, # Compliant
            delete_on_termination=True,
            subnet_id=vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT).subnet_ids[0]
        )
    ]
)
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]:
[source,python]
----
from aws_cdk import aws_dms as dms

rep_instance = dms.CfnReplicationInstance(
    self,
    "explicit_private",
    replication_instance_class="dms.t2.micro",
    allocated_storage=5,
    publicly_accessible=False,
    replication_subnet_group_identifier=subnet_group.replication_subnet_group_identifier,
    vpc_security_group_ids=[vpc.vpc_default_security_group]
)
----

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]:
[source,python]
----
from aws_cdk import aws_rds as rds
from aws_cdk import aws_ec2 as ec2

rds_subnet_group_private = rds.CfnDBSubnetGroup(
    self,
    "private_subnet",
    db_subnet_group_description="Subnets",
    subnet_ids=vpc.select_subnets(
        subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT
    ).subnet_ids
)

rds.CfnDBInstance(
    self,
    "private-private-subnet",
    engine="postgres",
    master_username="foobar",
    master_user_password="12345678",
    db_instance_class="db.r5.large",
    allocated_storage="200",
    iops=1000,
    db_subnet_group_name=rds_subnet_group_private.ref,
    publicly_accessible=False,
    vpc_security_groups=[sg.security_group_id]
)
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message
* Make sure allowing public network access is safe here.

=== Highlight

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/Instance.html[aws_cdk.aws_ec2.Instances]:

* Highlight the `vpc_subnets` property (or dict entry) when set to a selection of public subnets.

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_ec2/CfnInstance.html[aws_cdk.aws_ec2.CfnInstance]

* Highlight the `associate_public_ip_address` property when set to `True`

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_dms/CfnReplicationInstance.html[aws_cdk.aws_dms.CfnReplicationInstance]

* Highlight the `publicly_accessible` property when set to `True`
* Highlight the constructor code when the `publicly_accessible` property is
    not set

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/DatabaseInstance.html[aws_cdk.aws_rds.DatabaseInstance]

* If the `vpc_subnets` attribute contains a public subnet, highlight the 
    `publicly_accessible` property if set to `True`
* Highlight the `vpc_subnets` attribute if it contains a public subnet, and
    the `publicly_accessible` property if not set
* If the `vpc_subnets` public / private state can not be decided,       
    highlight the `publicly_accessible` property if set to `True`

For https://docs.aws.amazon.com/cdk/api/v2/python/aws_cdk.aws_rds/CfnDBInstance.html[aws_cdk.aws_rds.CfnDBInstance]

* If the `db_subnet_group_name` points to a public subnet, highlight the 
    `publicly_accessible` property if set to `True`
* If the `db_subnet_group_name` public / private state can not be
    decided, highlight the `publicly_accessible` property if set to `True`


endif::env-github,rspecator-view[]