cfripper
False positive for missing egress rules
CFRipper version 0.22.0 gives a false positive for missing egress rules.
It happens when the rule is defined as a SecurityGroupEgress resource.
Consider the following test1.yml template. It creates a security group with no egress using a SecurityGroupEgress resource.
```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: Security Group without egress
Resources:
  EC2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}"
  EC2SGEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !GetAtt EC2SG.GroupId
      Description: Localhost only. CFN hack to forbid egress
      IpProtocol: "-1"
      CidrIp: 127.0.0.1/32
```
The result is invalid for test1.yml:
```
$ cfripper test1.yml
Analysing test.yml...
Valid: False
Issues found:
- EC2SecurityGroupMissingEgressRule: Missing egress rule in EC2SG means all traffic is allowed outbound. Make this explicit if it is desired configuration
```
Now consider the following test2.yml template. It also creates a security group with no egress, this time using the SecurityGroupEgress property of the SecurityGroup resource.
```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: Security Group without egress
Resources:
  EC2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}"
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 127.0.0.1/32
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}"
```
The result is valid for test2.yml:
```
$ cfripper test2.yml
Analysing test.yml...
Valid: True
```
The result should be valid for both ways of writing this.
(I found the following Stack Overflow discussion useful while researching this.)
Good issue, thanks for raising!

We will have to update our `EC2SecurityGroupMissingEgressRule` to search the whole `CFModel` for `AWS::EC2::SecurityGroupEgress` linked to a particular `AWS::EC2::SecurityGroup`, to allow the `test1.yml` stack to be marked as valid.
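The check the maintainer describes, written out as an added example (this is not cfripper's own rule code and does not use its `CFModel` API): walk the template's resources once to collect every `AWS::EC2::SecurityGroupEgress` whose `GroupId` refers back to a group in the same stack, then flag a `AWS::EC2::SecurityGroup` only if it has neither an inline `SecurityGroupEgress` property nor such a standalone egress resource. The sample templates below are constructed dict equivalents of test1.yml, test2.yml and a third template with no egress at all; the intrinsic functions are assumed to be in their long form (`{"Ref": ...}`, `{"Fn::GetAtt": ...}`), which is how a generic YAML loader with the usual CloudFormation tag constructors would present them.

```python
"""Flag EC2 security groups with no egress rule, counting both the inline
SecurityGroupEgress property and standalone AWS::EC2::SecurityGroupEgress
resources that reference the group (added example, not cfripper code)."""
from typing import Any, Optional

SG_TYPE = "AWS::EC2::SecurityGroup"
EGRESS_TYPE = "AWS::EC2::SecurityGroupEgress"


def _referenced_group(group_id: Any) -> Optional[str]:
    """Return the logical id a GroupId value points at, or None.

    Assumed long-form intrinsics for a group defined in the same stack:
      {"Ref": "EC2SG"}                     -> "EC2SG"
      {"Fn::GetAtt": ["EC2SG", "GroupId"]} -> "EC2SG"
      {"Fn::GetAtt": "EC2SG.GroupId"}      -> "EC2SG"
    A literal id string (an existing/imported group) is not a logical id
    of this template, so it yields None.
    """
    if not isinstance(group_id, dict):
        return None
    if "Ref" in group_id:
        return str(group_id["Ref"])
    if "Fn::GetAtt" in group_id:
        target = group_id["Fn::GetAtt"]
        if isinstance(target, list):
            return str(target[0])
        return str(target).split(".", 1)[0]
    return None


def security_groups_missing_egress(template: dict) -> list:
    """Logical ids of security groups that have no egress rule, inline or
    via a standalone SecurityGroupEgress resource whose GroupId is theirs."""
    resources = template.get("Resources") or {}

    # First pass: which groups does some standalone egress resource target?
    covered = set()
    for res in resources.values():
        if res.get("Type") == EGRESS_TYPE:
            props = res.get("Properties") or {}
            target = _referenced_group(props.get("GroupId"))
            if target:
                covered.add(target)

    # Second pass: a group passes if it has inline egress or is covered.
    missing = []
    for logical_id, res in resources.items():
        if res.get("Type") != SG_TYPE:
            continue
        props = res.get("Properties") or {}
        if props.get("SecurityGroupEgress") or logical_id in covered:
            continue
        missing.append(logical_id)
    return missing


# Constructed sample templates (dict form of the YAML in the issue).
TEST1 = {  # standalone SecurityGroupEgress resource -> should be valid
    "Resources": {
        "EC2SG": {"Type": SG_TYPE, "Properties": {"GroupDescription": "sg"}},
        "EC2SGEgress": {
            "Type": EGRESS_TYPE,
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["EC2SG", "GroupId"]},
                "IpProtocol": "-1",
                "CidrIp": "127.0.0.1/32",
            },
        },
    }
}
TEST2 = {  # inline SecurityGroupEgress property -> should be valid
    "Resources": {
        "EC2SG": {
            "Type": SG_TYPE,
            "Properties": {
                "GroupDescription": "sg",
                "SecurityGroupEgress": [{"IpProtocol": -1, "CidrIp": "127.0.0.1/32"}],
            },
        }
    }
}
TEST3 = {  # no egress anywhere -> should be flagged
    "Resources": {
        "EC2SG": {"Type": SG_TYPE, "Properties": {"GroupDescription": "sg"}}
    }
}

if __name__ == "__main__":
    for name, tpl in (("test1", TEST1), ("test2", TEST2), ("test3", TEST3)):
        print(name, "missing egress:", security_groups_missing_egress(tpl))
```

Both test1 and test2 come back clean and only test3 is flagged, which is the behaviour the issue asks for. Note the first pass deliberately ignores a `GroupId` given as a literal string: that refers to a group outside the template, so it says nothing about the groups this template defines.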