Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New rule to warn on ipProtocol -1 #273

Closed
atkinsonm opened this issue Jul 30, 2019 · 6 comments
Closed

New rule to warn on ipProtocol -1 #273

atkinsonm opened this issue Jul 30, 2019 · 6 comments
Labels
customer Initiated from, or received feedback about from outside Stelligent feature good first issue

Comments

@atkinsonm
Copy link

atkinsonm commented Jul 30, 2019
edited
Loading

Setting IpProtocol: '-1' can produce unexpected results. Per the docs, when -1 is used, ToPort and FromPort are essentially ignored and access is granted on all ports from all protocols.

I believe this configuration should be treated the same as W27 and throw a warning for port ranges instead of single ports.

Credit to @grolston for the original find.
@twellspring twellspring added customer Initiated from, or received feedback about from outside Stelligent feature good first issue labels Jul 30, 2019
@twellspring
Copy link
Contributor

@atkinsonm Thanks for the input. Yes having a warning for this makes sense.

@Mr-Lizard
Copy link
Contributor

I have to ask - what is meant by a 'dangling' egress/ingress ?

Mr-Lizard added a commit to Mr-Lizard/cfn_nag that referenced this issue Aug 8, 2019
@Mr-Lizard
stelligent#273 - New rule to warn on ipProtocol -1
aa0fff3
@Mr-Lizard
Copy link
Contributor

created PR for this - # 279

@ghost
Copy link

ghost commented Aug 11, 2019

I have to ask - what is meant by a 'dangling' egress/ingress ?

the egress/ingress is "dangling" if there is a resource for an ingress or egress in a given cfn template, but the security group it attaches to is NOT in the same template. for example template1 could define a security group. the template2 could accept an sg-id as a Parameter and create an egress/ingress rule using that sg-id.

@Mr-Lizard
Copy link
Contributor

Thanks, I couldn't find a definition anywhere for that.

Mr-Lizard added a commit to Mr-Lizard/cfn_nag that referenced this issue Aug 11, 2019
@Mr-Lizard
stelligent#273 Renamed rules for clarity
cf2f2ff
Mr-Lizard added a commit to Mr-Lizard/cfn_nag that referenced this issue Aug 11, 2019
@Mr-Lizard
stelligent#273 json files renamed for clarity
309ee98
Mr-Lizard added a commit to Mr-Lizard/cfn_nag that referenced this issue Aug 11, 2019
@Mr-Lizard
stelligent#273 All Protocols rules now accept either -1 or "-1" for i…
0bc645a 
…pProtocol value.
@twellspring twellspring mentioned this issue Aug 13, 2019
Closed
ghost pushed a commit that referenced this issue Aug 17, 2019
@Mr-Lizard
#273 - New rule to warn on ipProtocol -1 (#279)
b1affbb 
* 'gem build' command fixed.

* #273 - New rule to warn on ipProtocol -1

* #273  Renamed rules for clarity

* Rules changed to just regard ipProtocol

* Rubocop formatting corrected

* #273  json files renamed for clarity

* #273  All Protocols rules now accept either -1 or "-1" for ipProtocol value.
ghost pushed a commit that referenced this issue Aug 17, 2019
#273 add egress to description
77d17b3
@ghost ghost closed this as completed Aug 17, 2019
ghost pushed a commit that referenced this issue Aug 17, 2019
#273 fix warning id collision
7c22932
@atkinsonm
Copy link
Author

Thanks all!

This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
customer Initiated from, or received feedback about from outside Stelligent feature good first issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@atkinsonm @twellspring @Mr-Lizard