Policy Packs

guardrails-samples

Allow only approved ingress rules for AWS VPC Security Groups to ensure that only specific ports (22, 443, 3389) are accessible from individual IP addresses (bitmask =32) and specific CIDRs.

Enforce Unapproved Traffic is Blocked for AWS VPC Security Groups

main

aws_vpc_security_security_group_ingress_rules_approved

Configure Security Group Ingress Rule checking. This policy defines whether&#92;nto verify the security group ingress rules are approved, as well as the&#92;nsubsequent action to take on unapproved items. Rules for all `Approved`&#92;npolicies will be compiled in `Approved &gt; Compiled Rules` and then&#92;nevaluated.&#92;n&#92;nIf set to `Enforce: Delete unapproved`, any unapproved rules will be&#92;nrevoked from the security group.&#92;n

securityGroupIngressRulesApproved

AWS > VPC > Security Group > Ingress Rules > Approved

aws_vpc_security_security_group_ingress_rules_approved_rules

An [Object Control List (OCL)](https://turbot.com/guardrails/docs/reference/ocl)&#92;nwith a list of filter rules to approve or reject security group rules.&#92;n&#92;nNote that the Approved control does not operate directly from this policy,&#92;nbut from the `Approved &gt; Compiled Rules`. The rules are processed in order,&#92;nand any built-in Turbot rules will appear first in the list of compiled&#92;nrules.&#92;n&#92;nExamples:&#92;n  ```&#92;n  Allow HTTP and HTTPS rules for RFC1918 private space&#92;n  APPROVE $.turbot.fromPort:=80 $.turbot.toPort:=80 $.turbot.cidr:&lt;=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16&#92;n  APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.cidr:&lt;=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16&#92;n&#92;n  Allow all rules from security groups in this account&#92;n  APPROVE $.UserIdGroupPairs.+.UserId:&quot;969297701313&quot;&#92;n&#92;n  Reject any rule from 0.0.0.0/0&#92;n  REJECT $.turbot.cidr:0.0.0.0/0&#92;n  ```&#92;n

securityGroupIngressRulesApprovedRules

AWS > VPC > Security Group > Ingress Rules > Approved > Rules

turbot_policy_setting.aws_vpc_security_security_group_ingress_rules_approved

turbot_policy_setting.aws_vpc_security_security_group_ingress_rules_approved_rules

Policy	Setting	Note
AWS > VPC > Security Group > Ingress Rules > Approved	Check: Approved
AWS > VPC > Security Group > Ingress Rules > Approved > Rules	# Allow ports 22,443,3389 from individual IP addresses (bitmask = 32) APPROVE $.turbot.fromPort:=22 $.turbot.toPort:=22 $.turbot.bitmaskLength:>=32 APPROVE $.turbot.fromPort:=443 $.turbot.toPort:=443 $.turbot.bitmaskLength:>=32 APPROVE $.turbot.fromPort:=3389 $.turbot.toPort:=3389 $.turbot.bitmaskLength:>=32 # List of CIDRs (RFC 1918) that are approved for use APPROVE $.turbot.cidr:<=10.0.0.0/8 APPROVE $.turbot.cidr:<=172.16.0.0/12 APPROVE $.turbot.cidr:<=192.168.0.0/16 # Reject unmatched rules REJECT *

Policy Settings