Policy Setting: AWS > VPC > Security Group > Ingress Rules > Approved > Rules
Policies
This policy setting is dependent on the following policy types:
Source
resource "turbot_policy_setting" "aws_vpc_security_group_ingress_rules_approved_rules" {
  resource = turbot_policy_pack.main.id
  type     = "tmod:@turbot/aws-vpc-security#/policy/types/securityGroupIngressRulesApprovedRules"
  note     = "AWS CIS v3.0.0 - Controls: 5.2, 5.3, 5.4"
  template_input = <<-EOT
    {
      securityGroup {
        GroupName: get(path: "GroupName")
        IpPermissions: get(path: "IpPermissions")
      }
    }
  EOT
  template = <<-EOT
    {%- if $.securityGroup.GroupName == "default" and $.securityGroup.IpPermissions | length > 0 -%}
    REJECT *
    {%- else -%}
    # Reject all ingress from 0.0.0.0/0 and ::/0 to remote server admin ports
    REJECT $.turbot.portRangeSize:-1 $.turbot.cidr:0.0.0.0/0
    REJECT $.turbot.portRangeSize:-1 $.turbot.cidr:::/0
    REJECT $.turbot.ports.+:22,3389 $.IpProtocol:tcp,udp $.turbot.cidr:0.0.0.0/0
    REJECT $.turbot.ports.+:22,3389 $.IpProtocol:tcp,udp $.turbot.cidr:::/0
    APPROVE *
    {%- endif %}
  EOT
}
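As an added example (not part of this policy pack and not Turbot's rule evaluator), the following stand-alone Python check mirrors the template's decisions against security groups in the shape returned by `aws ec2 describe-security-groups`. Its reading of `portRangeSize:-1` as a rule covering the full port range, and of `ports.+:22,3389` as a port range that contains 22 or 3389, is an assumption; the sample groups are constructed.

```python
# Added example mirroring the policy template above; not Turbot's evaluation engine.
# Assumption: portRangeSize:-1 == rule spans every port (protocol -1 or 0-65535).
ANYWHERE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}


def permission_cidrs(perm):
    """Collect every IPv4 and IPv6 CIDR the permission allows from."""
    return {r["CidrIp"] for r in perm.get("IpRanges", [])} | \
           {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}


def covers_all_ports(perm):
    """All-protocol rules carry no ports; otherwise require the full 0-65535 range."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort") == 0 and perm.get("ToPort") == 65535


def exposes_admin_port(perm):
    """tcp/udp rule whose port range includes 22 or 3389 (the ports.+:22,3389 test)."""
    if perm.get("IpProtocol") not in ("tcp", "udp"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def evaluate(group):
    """Return ('REJECT', reason) or ('APPROVE', None), in the template's order."""
    perms = group.get("IpPermissions", [])
    if group.get("GroupName") == "default" and perms:
        return "REJECT", "default security group has ingress rules"
    for perm in perms:
        open_to = permission_cidrs(perm) & ANYWHERE
        if not open_to:
            continue  # only world-open sources are rejected by the template
        if covers_all_ports(perm):
            return "REJECT", f"all ports open from {sorted(open_to)}"
        if exposes_admin_port(perm):
            return "REJECT", f"admin port range {perm['FromPort']}-{perm['ToPort']} open from {sorted(open_to)}"
    return "APPROVE", None


# Constructed sample groups: default SG with any ingress, SSH open to the world, HTTPS only.
SAMPLE_GROUPS = [
    {"GroupName": "default", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupName": "bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                                                "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Running `evaluate` over each of `SAMPLE_GROUPS` rejects the first two and approves the last, matching the template's branches.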