Class: Terracop::Cop::Aws::UnrestrictedIngressPorts

Inherits:
SecurityGroupRuleCop
Defined in:
lib/terracop/cop/aws/unrestricted_ingress_ports.rb

Overview

This cop warns against ingress security group rules that allow any port. Servers usually run multiple services that might open different ports, exposing them to a range of vulnerabilities. Only allow the specific ports you want to receive traffic on, and no more.

Examples:

# bad
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  from_port   = 0
  to_port     = 65535
}

# good
resource "aws_security_group_rule" "ingress" {
  type        = "ingress"
  from_port   = 443
  to_port     = 443
}

Instance Attribute Summary

Attributes inherited from Base

#attributes, #index, #name, #offenses, #type

Instance Method Summary

Methods inherited from Base

config, cop_name, #human_name, #initialize, #offense, run

Constructor Details

This class inherits a constructor from Terracop::Cop::Base

Instance Method Details

#check ⇒ Object

# File 'lib/terracop/cop/aws/unrestricted_ingress_ports.rb', line 30

def check
  # Only ingress rules on TCP or UDP whose port range spans every port are flagged.
  return unless ingress? && (tcp? || udp?) && any_port?

  offense('Limit ingress traffic to small port ranges.', :security)
end
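To make the decision chain in check concrete, here is a stand-alone re-implementation you can run against constructed rule attributes. This is an added example, not Terracop's own code: the predicate names ingress?, tcp?, udp? and any_port? mirror the cop's method names, but their bodies here are assumptions about how SecurityGroupRuleCop defines them (the page does not show them), and the attribute hash layout and the IngressPortRule/unrestricted_ingress_rules names are invented for the example.

```ruby
# Added example (not Terracop's own code): re-implements the predicate chain of
# UnrestrictedIngressPorts#check so it can be exercised on constructed input.
# Predicate bodies are assumptions about SecurityGroupRuleCop's behaviour.
class IngressPortRule
  MAX_PORT = 65_535

  # attributes: a Hash of the aws_security_group_rule arguments as Terraform
  # would present them (values may arrive as strings from HCL).
  def initialize(attributes)
    @attributes = attributes
  end

  def ingress?
    @attributes['type'].to_s == 'ingress'
  end

  def tcp?
    protocol == 'tcp'
  end

  def udp?
    protocol == 'udp'
  end

  # "Any port" is taken to mean the rule spans the whole 0..65535 range.
  def any_port?
    from_port.zero? && to_port == MAX_PORT
  end

  # Same chain as the cop's check method.
  def offense?
    ingress? && (tcp? || udp?) && any_port?
  end

  private

  def protocol
    @attributes['protocol'].to_s.downcase
  end

  def from_port
    Integer(@attributes.fetch('from_port', 0))
  end

  def to_port
    Integer(@attributes.fetch('to_port', 0))
  end
end

# Returns the names of the rules the chain would report.
def unrestricted_ingress_rules(rules)
  rules.select { |rule| IngressPortRule.new(rule).offense? }.map { |rule| rule['name'] }
end

# Constructed sample rules covering the bad/good cases from the overview plus
# the edge cases a reviewer would want to see handled.
SAMPLE_RULES = [
  { 'name' => 'all_tcp',       'type' => 'ingress', 'protocol' => 'tcp', 'from_port' => 0,   'to_port' => 65_535 },
  { 'name' => 'https_only',    'type' => 'ingress', 'protocol' => 'tcp', 'from_port' => 443, 'to_port' => 443 },
  { 'name' => 'egress_any',    'type' => 'egress',  'protocol' => 'tcp', 'from_port' => 0,   'to_port' => 65_535 },
  { 'name' => 'udp_all',       'type' => 'ingress', 'protocol' => 'udp', 'from_port' => '0', 'to_port' => '65535' },
  { 'name' => 'all_protocols', 'type' => 'ingress', 'protocol' => '-1',  'from_port' => 0,   'to_port' => 0 }
].freeze

puts unrestricted_ingress_rules(SAMPLE_RULES).inspect if $PROGRAM_NAME == __FILE__
```

Running it reports all_tcp and udp_all, while https_only and egress_any pass. Note the last sample: an AWS "all traffic" rule uses protocol -1 with both ports set to 0, and under the predicates as assumed here it is not reported by this chain because it is neither tcp? nor udp?; whether Terracop's own tcp?/udp? treat -1 as matching is not shown on this page, so check that separately before relying on this cop for such rules.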