AWS CIS v3.0.0 - Section 5 - Networking

Policy Setting: AWS > VPC > Security Group > Ingress Rules > Approved > Rules

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "aws_vpc_security_group_ingress_rules_approved_rules" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules"
  note     = "AWS CIS v3.0.0 - Controls: 5.2, 5.3, 5.4"
  template_input = <<-EOT
    {
      securityGroup {
        GroupName: get(path: "GroupName")
        IpPermissions: get(path: "IpPermissions")
      }
    }
  EOT
  template = <<-EOT
    {%- if $.securityGroup.GroupName == "default" and $.securityGroup.IpPermissions | length > 0 -%}
    REJECT *
    {%- else -%}
    # Reject all ingress from 0.0.0.0/0 and ::/0 to remote server admin ports
    REJECT $.turbot.portRangeSize:-1 $.turbot.cidr:0.0.0.0/0
    REJECT $.turbot.portRangeSize:-1 $.turbot.cidr:::/0
    REJECT $.turbot.ports.+:22,3389 $.IpProtocol:tcp,udp $.turbot.cidr:0.0.0.0/0
    REJECT $.turbot.ports.+:22,3389 $.IpProtocol:tcp,udp $.turbot.cidr:::/0
    APPROVE *
    {%- endif %}
  EOT
}
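To make the REJECT/APPROVE outcomes of the template above concrete, the following is an added example (not Turbot's code or part of this policy pack) that re-implements the same decision logic in Python over the shape returned by EC2 DescribeSecurityGroups. It assumes two readings of the Guardrails rule syntax that the page does not spell out: `$.turbot.portRangeSize:-1` is taken to mean "all ports" (IpProtocol -1 or a 0-65535 range), and `$.turbot.ports.+:22,3389` to mean "the rule's port range includes 22 or 3389"; the sample groups are constructed.

```python
# Added example (not Turbot's code): the template's approval logic over the
# DescribeSecurityGroups shape. Assumed readings (not stated on the page):
# portRangeSize -1 == "all ports" (IpProtocol -1 or 0-65535);
# ports.+:22,3389 == "the rule's port range includes 22 or 3389".
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
ADMIN_PORTS = (22, 3389)

def _open_to_world(perm):
    """Source includes 0.0.0.0/0 (IpRanges) or ::/0 (Ipv6Ranges)."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6

def _covers_all_ports(perm):
    if perm.get("IpProtocol") == "-1":  # "all traffic" rule
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535

def _covers_admin_port(perm):
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ADMIN_PORTS)

def evaluate(group):
    """Return ("REJECT", reason) or ("APPROVE", None), mirroring the template."""
    perms = group.get("IpPermissions", [])
    if group.get("GroupName") == "default" and perms:  # the "REJECT *" branch
        return "REJECT", "default security group has ingress rules"
    for perm in perms:
        if not _open_to_world(perm):
            continue  # only world-open rules are rejected by the template
        if _covers_all_ports(perm):
            return "REJECT", "all ports open to 0.0.0.0/0 or ::/0"
        if _covers_admin_port(perm):
            return "REJECT", "22/3389 open to 0.0.0.0/0 or ::/0"
    return "APPROVE", None  # the "APPROVE *" fallthrough

# Constructed sample groups (not real resources).
WEB_SG = {"GroupName": "web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []}]}
BASTION_SG = {"GroupName": "bastion", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,  # range includes 22
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]}]}
DEFAULT_SG = {"GroupName": "default", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
ALL_SG = {"GroupName": "open", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}]}]}
```

Note that, like the template, a default group with an empty IpPermissions list falls through to APPROVE, and a rule open to the world on a non-admin port (HTTPS from 0.0.0.0/0) is approved.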