Security-Gateway Action remove-permissions deletes valid SG rules
See original GitHub issueWhen run a policy to remove any SG rule that has a source IP of 0.0.0.0/0 and is not http or https the filter appears to match okay, but the action removes ALL SG rules where the source is 0.0.0.0/0, including any with HTTP or HTTPS. Use of ingress: matched does not appear to make any difference. Policy:
policies:
- name: sg-test
resource: security-group
filters:
- and:
- type: ingress
OnlyPorts: [22, 80, 443]
#
- type: ingress
Cidr:
value_type: cidr
op: eq
value: 0.0.0.0/0
#
actions:
- type: remove-permissions
ingress: matched
Issue Analytics
- State:
- Created 5 years ago
- Reactions:1
- Comments:6 (2 by maintainers)
Top Results From Across the Web
Troubleshoot issues deleting an Amazon VPC security group
Follow the steps below to remove the rule associated with the security group you want to delete (sg-B in the preceding example):. 1....
Read more >aws.security-group — Cloud Custodian documentation
Permissions that match on the group are annotated onto the group and can subsequently be used by the remove-permission action. We have specialized...
Read more >Gaia Administration Guide R80.10
Configuring VRRP Rules for the Security Gateway . ... CLI - Add or remove permissions to use the Gaia CLI. Password Policy.
Read more >Setting Up Security in Planning - Oracle
You can define rules, called valid intersection rules, that filter cell ... In Manage Group, locate the group you want to delete and...
Read more >Restrict only Specific Ports in Specific Security Groups using ...
resource: security-group description: | Remove any rule from a security ... remove-permissions ingress: matched - name: sg-0987654321-ipv6 ...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
A colleague, @marcelluseasley, and I have been looking into this and we’ve identified the bug. It’s an unhandled edge case (and untested as far as I can tell) when OnlyPorts and Cidr are specified together.
It’s a very subtle issue in c7n.resources.vpc.SGPermission.process_ports:
In the above method, the return value (
found
) defaults to None. Ifonly_ports
is specified andports
is not, AND the permission we’re checking matches a port inonly_ports
, (i.e.only_found
becomes True)… the method ends up never settingfound
to False, it’s left at the default value of None.So given the above, when
only_ports
is set andports
is not set,process_ports()
returns True for ports that aren’t inonly_ports
but None for ports that are inonly_ports
.In the __call__ method of c7n.resources.vpc.SGPermission, we have the following block of code for evaluating each permission on the SG:
This code checks for permission matches for ports, cidrs, and self-references, and then builds a list of all of those values that are not None.
The end result of this is that when a port matches one of the OnlyPorts values,
process_ports()
returns None, which gets ignored when buildingperm_match_values
. In this case, the port check is effectively ignored and if all other checks (CIDR or self_reference) are True, the permission is considered a match.The fix for this is adding a simple branch at the end of
process_ports
to return False ifonly_ports
is present andonly_found
is True - i.e. stop ignoring the negated match for only_ports and return False.We’ll be trying to work up a PR for this that includes the relevant tests; it appears that OnlyPorts is not currently tested in combination with cidr or self-reference.
@JoshRosen thanks for the example that seems definitely out of alignment to the intent of how that should work.