CloudFormation Guard rules template for Security Groups
The following rules are included:
# Every inline security group in the template. Only AWS::EC2::SecurityGroup is
# selected: rules declared as standalone AWS::EC2::SecurityGroupIngress or
# AWS::EC2::SecurityGroupEgress resources are not visited by any rule below,
# so a group whose rules live in those resources is not checked by this file.
let sg_resources = Resources.*[ Type == 'AWS::EC2::SecurityGroup' ]
# No inline ingress entry may accept traffic from the whole internet on either
# address family. The `exists or !exists` pair always holds; it appears to be
# there so the Properties block has a passing clause when no inline ingress is
# declared, and the real checks sit under the `when`.
rule prevent_inbound_access_to_any_ip when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Entries without a Cidr* key (e.g. ones that reference another
          # security group) are not examined by this rule.
          when CidrIpv6 exists {
            CidrIpv6 != "::/0" <<IPv6 address cannot be ::/0>>
          }
          when CidrIp exists {
            CidrIp != "0.0.0.0/0" <<IPv4 address cannot be 0.0.0.0/0>>
          }
        }
      }
    }
  }
}
# Egress must be declared explicitly (a group with no SecurityGroupEgress gets
# CloudFormation's allow-all default, which is what the first message reports),
# and no declared egress entry may target the whole internet.
rule prevent_outbound_access_to_any_ip when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupEgress exists <<All outbound traffic is allowed.>>
      when SecurityGroupEgress exists {
        SecurityGroupEgress.* {
          # Entries keyed by destination group or prefix list carry no Cidr*
          # key and fall through both `when`s unchecked.
          when CidrIpv6 exists {
            CidrIpv6 != "::/0" <<IPv6 address cannot be ::/0>>
          }
          when CidrIp exists {
            CidrIp != "0.0.0.0/0" <<IPv4 address cannot be 0.0.0.0/0>>
          }
        }
      }
    }
  }
}
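# No inline ingress entry may allow every protocol, or the full TCP/UDP port
# range. IpProtocol is a String in CloudFormation, but YAML parses an unquoted
# -1 as an integer, so templates contain both `-1` and `"-1"`; both forms are
# rejected here so the quoted spelling cannot slip past the integer compare.
rule prevent_inbound_access_to_any_ports when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress !exists or
      SecurityGroupIngress exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          IpProtocol != -1 <<All inbound traffic is allowed.>>
          IpProtocol != '-1' <<All inbound traffic is allowed.>>
          # NOTE(review): numeric protocol values (e.g. 6 for TCP) are not
          # matched by the names below; extend the list if templates use them.
          when IpProtocol in ['tcp', 'udp'] {
            # Only the exact 0-65535 span is rejected; narrower ranges pass.
            when FromPort == 0 {
              ToPort != 65535 <<All ingress ports should not be open>>
            }
          }
        }
      }
    }
  }
}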
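# Egress must be declared explicitly (an absent SecurityGroupEgress means
# CloudFormation's allow-all default), and no declared entry may allow every
# protocol or the full TCP/UDP port range. Both the integer and the quoted
# spelling of -1 are rejected, since YAML types an unquoted -1 as an integer
# while CloudFormation declares IpProtocol as a String.
rule prevent_outbound_access_to_any_ports when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupEgress exists <<All outbound traffic is allowed.>>
      when SecurityGroupEgress exists {
        SecurityGroupEgress.* {
          IpProtocol != -1 <<All outbound traffic is allowed.>>
          IpProtocol != '-1' <<All outbound traffic is allowed.>>
          # NOTE(review): numeric protocol values (e.g. 6 for TCP) are not
          # matched by the names below; extend the list if templates use them.
          when IpProtocol in ['tcp', 'udp'] {
            # Only the exact 0-65535 span is rejected; narrower ranges pass.
            when FromPort == 0 {
              ToPort != 65535 <<All egress ports are open.>>
            }
          }
        }
      }
    }
  }
}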
# Flag SSH (TCP/22) reachable from anywhere on either address family.
rule sg_ssh_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Any TCP range that spans port 22 counts, not only 22-22.
          # NOTE(review): a numeric protocol (6 for TCP) does not match 'tcp'
          # and is not examined here.
          when IpProtocol == 'tcp' {
            when FromPort <= 22
                 ToPort >= 22 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<SSH open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<SSH open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include SSH; this repeats the
          # check in prevent_inbound_access_to_any_ip so the rule stands alone.
          # NOTE(review): only the integer -1 is matched, not a quoted "-1".
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag RDP (TCP/3389) reachable from anywhere on either address family.
rule sg_rdp_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Any TCP range that spans port 3389 counts, not only 3389-3389.
          # NOTE(review): a numeric protocol (6 for TCP) does not match 'tcp'.
          when IpProtocol == 'tcp' {
            when FromPort <= 3389
                 ToPort >= 3389 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<RDP open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<RDP open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include RDP; same check as
          # prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag the Oracle listener ports (TCP/1521 and TCP/2483) reachable from
# anywhere on either address family.
rule sg_oracle_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Both ports report the same message, so the finding does not say
          # which of the two ranges matched.
          when IpProtocol == 'tcp' {
            when FromPort <= 1521
                 ToPort >= 1521 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Oracle open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
              }
            }
            when FromPort <= 2483
                 ToPort >= 2483 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Oracle open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include these ports; same check
          # as prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag MySQL (TCP/3306) reachable from anywhere on either address family.
rule sg_mysql_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Any TCP range that spans port 3306 counts.
          when IpProtocol == 'tcp' {
            when FromPort <= 3306
                 ToPort >= 3306 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<MySQL open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<MySQL open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include MySQL; same check as
          # prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag PostgreSQL (TCP/5432) reachable from anywhere on either address family.
rule sg_postgres_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Any TCP range that spans port 5432 counts.
          when IpProtocol == 'tcp' {
            when FromPort <= 5432
                 ToPort >= 5432 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<PostgreSQL open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<PostgreSQL open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include PostgreSQL; same check as
          # prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag Redis (TCP/6379) reachable from anywhere on either address family.
rule sg_redis_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Any TCP range that spans port 6379 counts.
          when IpProtocol == 'tcp' {
            when FromPort <= 6379
                 ToPort >= 6379 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Redis open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Redis open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include Redis; same check as
          # prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag the MongoDB ports (TCP/27017 and TCP/27018) reachable from anywhere on
# either address family.
rule sg_mongodb_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Both ports report the same message, so the finding does not say
          # which range matched.
          when IpProtocol == 'tcp' {
            when FromPort <= 27017
                 ToPort >= 27017 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<MongoDB open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
              }
            }
            when FromPort <= 27018
                 ToPort >= 27018 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<MongoDB open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include these ports; same check
          # as prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag the Cassandra ports checked here (TCP/7199, TCP/9160 and TCP/8888)
# reachable from anywhere on either address family.
rule sg_cassandra_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # All three ports report the same message, so the finding does not
          # say which range matched.
          when IpProtocol == 'tcp' {
            when FromPort <= 7199
                 ToPort >= 7199 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
              }
            }
            when FromPort <= 9160
                 ToPort >= 9160 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
              }
            }
            when FromPort <= 8888
                 ToPort >= 8888 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Cassandra open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include these ports; same check
          # as prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Flag Memcached (TCP/11211) reachable from anywhere on either address family.
rule sg_memcached_all when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          # Any TCP range that spans port 11211 counts. NOTE(review): only the
          # TCP listener is checked; a UDP/11211 entry is not examined.
          when IpProtocol == 'tcp' {
            when FromPort <= 11211
                 ToPort >= 11211 {
              when CidrIpv6 exists {
                CidrIpv6 != '::/0' <<Memcached open to IPv6 address ::/0>>
              }
              when CidrIp exists {
                CidrIp != '0.0.0.0/0' <<Memcached open to IPv4 address 0.0.0.0/0>>
              }
            }
          }
          # "All protocols" entries implicitly include Memcached; same check as
          # prevent_inbound_access_to_any_ip, repeated so the rule stands alone.
          when IpProtocol == -1 {
            when CidrIpv6 exists {
              CidrIpv6 != '::/0' <<All traffic open to IPv6 address ::/0>>
            }
            when CidrIp exists {
              CidrIp != '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
            }
          }
        }
      }
    }
  }
}
# Reject ingress ranges that include well-known cleartext or legacy service
# ports. Each `A or B` pair reads "the range does not contain the port"; the
# pairs are AND-ed, so every listed port must be outside the range.
# NOTE(review): unlike the rules above, this one does not look at CidrIp or
# CidrIpv6, so it also fails for a private-CIDR or security-group source and
# for UDP entries spanning these numbers — confirm that is the intent.
rule sg_insecure_ports when %sg_resources !empty {
  %sg_resources {
    Properties {
      SecurityGroupIngress exists or
      SecurityGroupIngress !exists
      when SecurityGroupIngress exists {
        SecurityGroupIngress.* {
          IpProtocol != -1 <<All inbound ports are open.>>
          # Port comparisons are gated so an all-protocols entry (which
          # typically has no FromPort/ToPort) reports only the message above.
          when IpProtocol != -1 {
            # 21: FTP control
            FromPort > 21 or ToPort < 21
            # 23: Telnet
            FromPort > 23 or ToPort < 23
            # 80: HTTP
            FromPort > 80 or ToPort < 80
            # 389: LDAP
            FromPort > 389 or ToPort < 389
            # 4333: mSQL
            FromPort > 4333 or ToPort < 4333
          }
        }
      }
    }
  }
}