fix: VPCDefaultSecurityGroupClosed rule return non compliance when re…
…strictDefaultSecurityGroup enabled on L2 VPC construct (#1461)
dontirun authored Oct 2, 2023
1 parent a60d14a commit 7e8ab21
Showing 2 changed files with 35 additions and 9 deletions.
24 changes: 21 additions & 3 deletions src/rules/vpc/VPCDefaultSecurityGroupClosed.ts
Expand Up @@ -3,20 +3,38 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
import { parse } from 'path';
import { CfnResource } from 'aws-cdk-lib';
import { CfnResource, CustomResource } from 'aws-cdk-lib';
import { CfnVPC } from 'aws-cdk-lib/aws-ec2';
import { NagRuleCompliance } from '../../nag-rules';

/**
* VPCs have their default security group closed
* VPCs created via CloudFormation will not have their default security group closed.
* https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#DefaultSecurityGroup
* The L2 VPC Construct provides a way to remmediate this via a custom resource.
* @see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#DefaultSecurityGroup
* @see https://github.com/aws/aws-cdk/pull/25297
* @param node the CfnResource to check
*/
export default Object.defineProperty(
(node: CfnResource): NagRuleCompliance => {
if (node instanceof CfnVPC) {
return NagRuleCompliance.NON_COMPLIANT;
const parent = node.node.scope;
if (parent) {
const restrictSgCR = parent.node.tryFindChild(
'RestrictDefaultSecurityGroupCustomResource'
) as CustomResource;
if (
restrictSgCR &&
(restrictSgCR.node.defaultChild as CfnResource).cfnResourceType ==
'Custom::VpcRestrictDefaultSG'
) {
return NagRuleCompliance.COMPLIANT;
} else {
return NagRuleCompliance.NON_COMPLIANT;
}
} else {
return NagRuleCompliance.NON_COMPLIANT;
}
} else {
return NagRuleCompliance.NOT_APPLICABLE;
}
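Review bot: The compliance branch at `(restrictSgCR.node.defaultChild as CfnResource).cfnResourceType` will throw at synth time whenever a construct with id `RestrictDefaultSecurityGroupCustomResource` sits next to the CfnVPC but is not a CustomResource (its `defaultChild` is undefined), and the `as CustomResource` cast hides that `tryFindChild` can return any construct. Narrowing with the `CfnResource.isCfnResource` type guard from aws-cdk-lib avoids both the cast and the crash, and `===` matches the strict-equality style used elsewhere in the file; the `CustomResource` import then becomes unused. The check is also a heuristic keyed on the construct id and resource type the L2 Vpc happens to use, not proof that the custom resource targets this VPC's default security group, which the doc comment should say, e.g. `* Detection relies on the construct id and Custom::VpcRestrictDefaultSG type emitted by the L2 Vpc construct; a hand-rolled custom resource must use the same id to be recognized.` (the comment also misspells "remmediate"). The enclosing Object.defineProperty call closes outside the hunk.
```typescript
const parent = node.node.scope;
// Narrow instead of casting: tryFindChild may return any construct, and a
// sibling that is not a CustomResource has no defaultChild to inspect.
const restrictSgCR = parent?.node.tryFindChild(
  'RestrictDefaultSecurityGroupCustomResource'
);
const cfnCR = restrictSgCR?.node.defaultChild;
if (
  CfnResource.isCfnResource(cfnCR) &&
  cfnCR.cfnResourceType === 'Custom::VpcRestrictDefaultSG'
) {
  return NagRuleCompliance.COMPLIANT;
}
return NagRuleCompliance.NON_COMPLIANT;
```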
20 changes: 14 additions & 6 deletions test/rules/VPC.test.ts
Expand Up @@ -3,19 +3,19 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
import {
CfnVPC,
CfnFlowLog,
CfnRoute,
CfnSubnet,
Subnet,
Vpc,
CfnVPC,
FlowLog,
FlowLogResourceType,
CfnFlowLog,
FlowLogTrafficType,
NetworkAcl,
Subnet,
Vpc,
} from 'aws-cdk-lib/aws-ec2';
import { Aspects, Stack } from 'aws-cdk-lib/core';
import { TestPack, validateStack, TestType } from './utils';
import { TestPack, TestType, validateStack } from './utils';
import {
VPCDefaultSecurityGroupClosed,
VPCFlowLogsEnabled,
Expand All @@ -42,11 +42,19 @@ describe('Amazon Virtual Private Cloud (VPC)', () => {
describe('VPCDefaultSecurityGroupClosed: VPCs have their default security group closed', () => {
const ruleId = 'VPCDefaultSecurityGroupClosed';
test('Noncompliance 1', () => {
new CfnVPC(stack, 'rVPC', {
new CfnVPC(stack, 'VPC', {
cidrBlock: '1.1.1.1',
});
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});
test('Noncompliance 2', () => {
new Vpc(stack, 'VPC', { restrictDefaultSecurityGroup: false });
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});
test('Compliance', () => {
new Vpc(stack, 'VPC', { restrictDefaultSecurityGroup: true });
validateStack(stack, ruleId, TestType.COMPLIANCE);
});
});

describe('VPCFlowLogsEnabled: VPCs have Flow Logs enabled', () => {
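Review bot: The new Compliance test at `new Vpc(stack, 'VPC', { restrictDefaultSecurityGroup: true })` only exercises the L2 happy path; nothing pins how the rule behaves when a sibling construct occupies the id `RestrictDefaultSecurityGroupCustomResource` but is not a `Custom::VpcRestrictDefaultSG` resource, which is the branch most likely to regress or throw in the rule's cast. A third case such as `new CfnVPC(stack, 'VPC', { cidrBlock: '10.0.0.0/16' }); new Construct(stack, 'RestrictDefaultSecurityGroupCustomResource');` followed by `validateStack(stack, ruleId, TestType.NON_COMPLIANCE);` would cover it (`Construct` would need importing from 'constructs'). The surrounding describe block for the suite begins before the hunk.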
