security-group ingress filters do not support both OnlyPorts and Cidr
Here’s a sample policy that I’ve been fighting with for the past week with no success:
policies:
  - name: high-risk-security-groups-notify
    resource: security-group
    description: |
      Notifies if any rule from a security group that allows 0.0.0.0/0
      ingress, not on ports 80 or 443, and notify the user who added the
      violating rule.
    mode:
      type: cloudtrail
      role: arn:aws:iam::xxx:role/CloudCustodian
      events:
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: "requestParameters.groupId"
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupEgress
          ids: "requestParameters.groupId"
        - source: ec2.amazonaws.com
          event: RevokeSecurityGroupEgress
          ids: "requestParameters.groupId"
        - source: ec2.amazonaws.com
          event: RevokeSecurityGroupIngress
          ids: "requestParameters.groupId"
    filters:
      - type: ingress
        OnlyPorts: [80, 443]
        Cidr:
          value: "0.0.0.0/0"
    actions:
      - type: notify
        template: default.html
        priority_header: 1
        subject: "Open Security Group Rule Created-[custodian {{ account }} - {{ region }}]"
        violation_desc: "Security Group(s) Which Had Rules Open To The World:"
        action_desc: |
          "Actions Taken: The Violating Security Group Rule Violates Our Company's
          Cloud Policy. Please Refer To The Cloud FAQ."
        to:
          - event-owner
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/xxx/cloud-custodian-mailer
          region: us-east-1
I’ve tried using `-and` when defining the filter conditions, but that didn’t seem to make a difference.
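To make the intended semantics of the policy above concrete (flag an ingress rule only when it is open to the world AND reaches a port outside the 80/443 allow-list), here is a standalone Python checker added for this page. It is not Cloud Custodian code and does not reproduce the project's filter internals; it evaluates the EC2 DescribeSecurityGroups `IpPermissions` shape directly, and the `match_operator` parameter is this example's own knob for contrasting "and" with "or" combination of the two conditions. The security group it runs on is constructed sample data.

```python
"""Independent checker for the intent behind the issue's policy: report any
security-group ingress permission that is open to the world (0.0.0.0/0 or
::/0) on a port outside an allow-list such as (80, 443).

Illustration written for this page, not Cloud Custodian code.
"""
from typing import Dict, Iterable, List, Tuple

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def permission_cidrs(perm: Dict) -> List[str]:
    """Collect the IPv4 and IPv6 CIDRs granted by one IpPermissions entry."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def is_world_open(perm: Dict) -> bool:
    """True if any CIDR on the permission is the whole IPv4 or IPv6 space."""
    return any(c in WORLD_CIDRS for c in permission_cidrs(perm))


def has_disallowed_port(perm: Dict, only_ports: Iterable[int]) -> bool:
    """True if the permission reaches any port outside only_ports.

    Edge cases: IpProtocol -1 is "all traffic" (every port) and is always
    disallowed; non-TCP/UDP protocols (e.g. icmp) carry no service port and
    are treated as disallowed because they are not on the allow-list either;
    a port range is disallowed if it covers even one port off the list.
    """
    allowed = set(only_ports)
    proto = str(perm.get("IpProtocol", "-1"))
    if proto == "-1":
        return True
    if proto not in ("tcp", "udp", "6", "17"):
        return True
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:
        return True
    allowed_in_range = [p for p in allowed if low <= p <= high]
    return (high - low + 1) > len(allowed_in_range)


def violating_permissions(group: Dict, only_ports: Iterable[int] = (80, 443),
                          match_operator: str = "and") -> List[Dict]:
    """Return the ingress permissions that violate the policy intent.

    With "and" (the combination the issue is after) a permission must be BOTH
    world-open AND on a disallowed port. With "or" either condition alone
    fires, which over-reports: a private-CIDR SSH rule would be flagged.
    """
    hits = []
    for perm in group.get("IpPermissions", []):
        conds = (is_world_open(perm), has_disallowed_port(perm, only_ports))
        matched = all(conds) if match_operator == "and" else any(conds)
        if matched:
            hits.append(perm)
    return hits


def summarize(group: Dict, **kw) -> List[Tuple[str, object, object]]:
    """Compact (protocol, from, to) view of the violating permissions."""
    return [(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
            for p in violating_permissions(group, **kw)]


# Constructed sample security group (placeholder id, not real data).
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # ok: HTTPS to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # violation: SSH to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},         # ok: SSH from a private range
        {"IpProtocol": "-1",
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},           # violation: all traffic, IPv6 world
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # violation: range also covers 81-442
    ],
}

if __name__ == "__main__":
    for proto, lo, hi in summarize(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {proto} {lo}-{hi} open to the world")
```

Running it reports three of the five sample rules; switching to `match_operator="or"` reports all five, which is the over-reporting that makes the "and" combination the one a policy like this needs.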
Issue Analytics: created 6 years ago; 10 comments (1 by maintainers).
Top GitHub Comments
So how would this work now after all the changes? Everything I’ve tried breaks in one manner or another.
the `and` references in my comments earlier were specific to the internals of the implementation and are configured via match-operator… which defaults to `and`