CloudFormation guard rules template for Security Groups

The following rules are included: 

  • Do Not Allow Ingress All IPs (0.0.0.0/0)
  • Do Not Allow Egress All IPs (0.0.0.0/0)
  • Do Not Allow Ingress all Ports
  • Do Not Allow Egress all Ports
  • Do Not Allow Ingress insecure ports
  • Do Not Allow Ingress SSH (TCP/22) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress RDP (TCP/3389) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Oracle (TCP/1521,2483) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress MySQL (TCP/3306) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress PostgreSQL (TCP/5432) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Redis (TCP/6379) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress MongoDB (TCP/27017-27018) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Cassandra (TCP/7199,9160,8888) All IPs (0.0.0.0/0)
  • Do Not Allow Ingress Memcached (TCP/11211) All IPs (0.0.0.0/0)

# Every inline AWS::EC2::SecurityGroup resource in the template; all rules
# below iterate over this selection. Standalone AWS::EC2::SecurityGroupIngress
# and AWS::EC2::SecurityGroupEgress resources are not selected here and are
# therefore not inspected by any rule in this file.
let sg_resources = Resources.*[
	Type == "AWS::EC2::SecurityGroup"
]

# Fails when any inline ingress entry is open to the whole IPv4 or IPv6
# address space, whatever its protocol or port range. Only the literal
# any-address CIDRs are rejected; a broad-but-narrower range passes.
# Entries with neither CidrIp nor CidrIpv6 skip both checks.
rule prevent_inbound_access_to_any_ip when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists or
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					when CidrIp exists {
						CidrIp		!= '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
					}
					when CidrIpv6 exists {
						CidrIpv6	!= '::/0' <<IPv6 address cannot be ::/0>>
					}
				}
			}
		}
	}
}

# Fails when any inline egress entry is open to the whole IPv4 or IPv6
# address space. Unlike the ingress rules, a missing SecurityGroupEgress
# list is itself a failure: the message shows the author treats an absent
# egress list as "all outbound traffic allowed".
rule prevent_outbound_access_to_any_ip when %sg_resources !empty {
	%sg_resources {
		Properties {
			SecurityGroupEgress exists <<All outbound traffic is allowed.>>

			when SecurityGroupEgress exists {
				SecurityGroupEgress.* {
					# Only the literal any-address CIDRs are rejected.
					when CidrIp exists {
						CidrIp		!= '0.0.0.0/0' <<IPv4 address cannot be 0.0.0.0/0>>
					}
					when CidrIpv6 exists {
						CidrIpv6	!= '::/0' <<IPv6 address cannot be ::/0>>
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry opens every port: either the
# all-protocols entry (-1) or a TCP/UDP range of exactly 0-65535. The
# source CIDR is not consulted by this rule.
rule prevent_inbound_access_to_any_ports when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists or
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# NOTE(review): CloudFormation also accepts the string "-1";
					# confirm Guard treats both spellings the same here.
					IpProtocol != -1 <<All inbound traffic is allowed.>>

					# Only the string protocol names are matched; an entry using
					# the numeric form (6 for TCP, 17 for UDP) is not inspected.
					when IpProtocol in ['tcp', 'udp'] {
						# Only the exact 0-65535 range is rejected; a range such as
						# 1-65535 passes this rule.
						when FromPort == 0 {
							ToPort		!= 65535 <<All ingress ports should not be open>>
						}
					}
				}
			}
		}
	}
}

# Egress counterpart of prevent_inbound_access_to_any_ports: fails when an
# inline egress entry is all-protocols (-1) or a TCP/UDP range of exactly
# 0-65535. As in prevent_outbound_access_to_any_ip, a missing egress list
# is itself a failure.
rule prevent_outbound_access_to_any_ports when %sg_resources !empty {
	%sg_resources {
		Properties {
			SecurityGroupEgress exists <<All outbound traffic is allowed.>>

			when SecurityGroupEgress exists {
				SecurityGroupEgress.* {
					# NOTE(review): CloudFormation also accepts the string "-1";
					# confirm Guard treats both spellings the same here.
					IpProtocol != -1 <<All outbound traffic is allowed.>>

					# Only the string protocol names are matched; numeric protocol
					# numbers are not inspected.
					when IpProtocol in ['tcp', 'udp'] {
						# Only the exact 0-65535 range is rejected.
						when FromPort == 0 {
							ToPort		!= 65535 <<All egress ports are open.>>
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes SSH (TCP/22) to the whole IPv4
# or IPv6 address space. Only the literal any-address CIDRs are rejected.
rule sg_ssh_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers port 22 as well. This block is
					# already covered by prevent_inbound_access_to_any_ip, which
					# checks every entry regardless of protocol.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; an entry using the
					# numeric form (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Both conditions apply (consecutive clauses are conjoined):
						# the entry's port range includes 22.
						when FromPort <= 22 
						ToPort >= 22 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<SSH open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<SSH open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes RDP (TCP/3389) to the whole
# IPv4 or IPv6 address space. Only the literal any-address CIDRs are rejected.
rule sg_rdp_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers port 3389 as well. This block is
					# already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Both conditions apply: the port range includes 3389.
						when FromPort <= 3389 
						ToPort >= 3389 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<RDP open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<RDP open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes an Oracle listener port
# (TCP/1521 or TCP/2483) to the whole IPv4 or IPv6 address space. Only the
# literal any-address CIDRs are rejected.
rule sg_oracle_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers both ports as well. This block
					# is already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Port range includes 1521.
						when FromPort <= 1521
						ToPort >= 1521 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Oracle open to IPv6 address ::/0>>
							}
						}

						# Port range includes 2483.
						when FromPort <= 2483
						ToPort >= 2483 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Oracle open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Oracle open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes MySQL (TCP/3306) to the whole
# IPv4 or IPv6 address space. Only the literal any-address CIDRs are rejected.
rule sg_mysql_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers port 3306 as well. This block is
					# already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Both conditions apply: the port range includes 3306.
						when FromPort <= 3306 
						ToPort >= 3306 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<MySQL open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<MySQL open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes PostgreSQL (TCP/5432) to the
# whole IPv4 or IPv6 address space. Only the literal any-address CIDRs are
# rejected.
rule sg_postgres_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers port 5432 as well. This block is
					# already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Both conditions apply: the port range includes 5432.
						when FromPort <= 5432 
						ToPort >= 5432 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<PostgreSQL open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<PostgreSQL open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes Redis (TCP/6379) to the whole
# IPv4 or IPv6 address space. Only the literal any-address CIDRs are rejected.
rule sg_redis_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers port 6379 as well. This block is
					# already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Both conditions apply: the port range includes 6379.
						when FromPort <= 6379 
						ToPort >= 6379 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Redis open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Redis open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes MongoDB (TCP/27017 or
# TCP/27018) to the whole IPv4 or IPv6 address space. Only the literal
# any-address CIDRs are rejected.
rule sg_mongodb_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers both ports as well. This block
					# is already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Port range includes 27017.
						when FromPort <= 27017
						ToPort >= 27017 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<MongoDB open to IPv6 address ::/0>>
							}
						}

						# Port range includes 27018.
						when FromPort <= 27018
						ToPort >= 27018 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<MongoDB open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<MongoDB open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes a Cassandra port (TCP/7199,
# TCP/9160 or TCP/8888) to the whole IPv4 or IPv6 address space. Only the
# literal any-address CIDRs are rejected.
rule sg_cassandra_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers all three ports as well. This
					# block is already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Port range includes 7199.
						when FromPort <= 7199
						ToPort >= 7199 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Cassandra open to IPv6 address ::/0>>
							}
						}

						# Port range includes 9160.
						when FromPort <= 9160
						ToPort >= 9160 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Cassandra open to IPv6 address ::/0>>
							}
						}

						# Port range includes 8888.
						when FromPort <= 8888
						ToPort >= 8888 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Cassandra open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Cassandra open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

# Fails when an inline ingress entry exposes Memcached (TCP/11211) to the
# whole IPv4 or IPv6 address space. Only the literal any-address CIDRs are
# rejected.
rule sg_memcached_all when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry covers port 11211 as well. This block
					# is already covered by prevent_inbound_access_to_any_ip.
					when IpProtocol == -1 {
						when CidrIp exists {
							CidrIp		!= '0.0.0.0/0' <<All traffic open to IPv4 address 0.0.0.0/0>>
						}
						when CidrIpv6 exists {
							CidrIpv6	!= '::/0' <<All traffic open to IPv6 address ::/0>>
						}
					}

					# Only the string spelling 'tcp' is matched; the numeric form
					# (6) is not inspected — confirm that is intended.
					when IpProtocol == 'tcp' {
						# Both conditions apply: the port range includes 11211.
						when FromPort <= 11211 
						ToPort >= 11211 {
							when CidrIp exists {
								CidrIp		!= '0.0.0.0/0' <<Memcached open to IPv4 address 0.0.0.0/0>>
							}
							when CidrIpv6 exists {
								CidrIpv6	!= '::/0' <<Memcached open to IPv6 address ::/0>>
							}
						}
					}
				}
			}
		}
	}
}

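# Fails when an inline ingress entry's port range includes a port that
# carries a cleartext protocol (21, 23, 80, 389, 4333). Unlike the sg_*_all
# rules above, the source CIDR is not consulted: an entry exposing one of
# these ports fails whatever its source.
rule sg_insecure_ports when %sg_resources !empty {
	%sg_resources {
		Properties {
			# Always true; presumably present so the rule reports PASS rather
			# than SKIP for a group with no inline ingress entries — confirm.
			SecurityGroupIngress !exists OR
			SecurityGroupIngress exists

			when SecurityGroupIngress exists {
				SecurityGroupIngress.* {
					# An all-protocols entry necessarily covers every port.
					# NOTE(review): CloudFormation also accepts the string "-1";
					# confirm Guard treats both spellings the same here.
					IpProtocol != -1 <<All inbound ports are open.>>
					when IpProtocol != -1 {
						# One block per port P: the inner clause can only fail when
						# FromPort <= P and ToPort >= P, i.e. the range includes P.
						# Nesting states the intended "every port excluded" logic
						# explicitly instead of relying on OR/newline precedence,
						# and gives each port its own failure message. An entry
						# with no FromPort is expected to skip these blocks — confirm.
						when FromPort <= 21 {
							ToPort < 21 <<Port 21 (FTP) is open to ingress>>
						}
						when FromPort <= 23 {
							ToPort < 23 <<Port 23 (Telnet) is open to ingress>>
						}
						when FromPort <= 80 {
							ToPort < 80 <<Port 80 (HTTP) is open to ingress>>
						}
						when FromPort <= 389 {
							ToPort < 389 <<Port 389 (LDAP) is open to ingress>>
						}
						when FromPort <= 4333 {
							ToPort < 4333 <<Port 4333 is open to ingress>>
						}
					}
				}
			}
		}
	}
}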


