diff --git a/src/rules/vpc/VPCDefaultSecurityGroupClosed.ts b/src/rules/vpc/VPCDefaultSecurityGroupClosed.ts index 07a1336933..79d8ea12d1 100644 --- a/src/rules/vpc/VPCDefaultSecurityGroupClosed.ts +++ b/src/rules/vpc/VPCDefaultSecurityGroupClosed.ts @@ -3,20 +3,38 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ import { parse } from 'path'; -import { CfnResource } from 'aws-cdk-lib'; +import { CfnResource, CustomResource } from 'aws-cdk-lib'; import { CfnVPC } from 'aws-cdk-lib/aws-ec2'; import { NagRuleCompliance } from '../../nag-rules'; /** * VPCs have their default security group closed * VPCs created via CloudFormation will not have their default security group closed. - * https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#DefaultSecurityGroup + * The L2 VPC Construct provides a way to remmediate this via a custom resource. + * @see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#DefaultSecurityGroup + * @see https://github.com/aws/aws-cdk/pull/25297 * @param node the CfnResource to check */ export default Object.defineProperty( (node: CfnResource): NagRuleCompliance => { if (node instanceof CfnVPC) { - return NagRuleCompliance.NON_COMPLIANT; + const parent = node.node.scope; + if (parent) { + const restrictSgCR = parent.node.tryFindChild( + 'RestrictDefaultSecurityGroupCustomResource' + ) as CustomResource; + if ( + restrictSgCR && + (restrictSgCR.node.defaultChild as CfnResource).cfnResourceType == + 'Custom::VpcRestrictDefaultSG' + ) { + return NagRuleCompliance.COMPLIANT; + } else { + return NagRuleCompliance.NON_COMPLIANT; + } + } else { + return NagRuleCompliance.NON_COMPLIANT; + } } else { return NagRuleCompliance.NOT_APPLICABLE; } diff --git a/test/rules/VPC.test.ts b/test/rules/VPC.test.ts index aea3fd99d4..ec21d0a963 100644 --- a/test/rules/VPC.test.ts +++ b/test/rules/VPC.test.ts @@ -3,19 +3,19 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ import { - CfnVPC, + CfnFlowLog, CfnRoute, CfnSubnet, - Subnet, - Vpc, + CfnVPC, FlowLog, FlowLogResourceType, - CfnFlowLog, FlowLogTrafficType, NetworkAcl, + Subnet, + Vpc, } from 'aws-cdk-lib/aws-ec2'; import { Aspects, Stack } from 'aws-cdk-lib/core'; -import { TestPack, validateStack, TestType } from './utils'; +import { TestPack, TestType, validateStack } from './utils'; import { VPCDefaultSecurityGroupClosed, VPCFlowLogsEnabled, @@ -42,11 +42,19 @@ describe('Amazon Virtual Private Cloud (VPC)', () => { describe('VPCDefaultSecurityGroupClosed: VPCs have their default security group closed', () => { const ruleId = 'VPCDefaultSecurityGroupClosed'; test('Noncompliance 1', () => { - new CfnVPC(stack, 'rVPC', { + new CfnVPC(stack, 'VPC', { cidrBlock: '1.1.1.1', }); validateStack(stack, ruleId, TestType.NON_COMPLIANCE); }); + test('Noncompliance 2', () => { + new Vpc(stack, 'VPC', { restrictDefaultSecurityGroup: false }); + validateStack(stack, ruleId, TestType.NON_COMPLIANCE); + }); + test('Compliance', () => { + new Vpc(stack, 'VPC', { restrictDefaultSecurityGroup: true }); + validateStack(stack, ruleId, TestType.COMPLIANCE); + }); }); describe('VPCFlowLogsEnabled: VPCs have Flow Logs enabled', () => {