CFRipper version 0.22.0 reports a false positive from the EC2SecurityGroupMissingEgressRule check when the egress rule is defined as a standalone AWS::EC2::SecurityGroupEgress resource instead of inline on the AWS::EC2::SecurityGroup.
Consider the following test1.yml template. It creates a security group with no usable egress (a localhost-only rule) using a separate SecurityGroupEgress resource that points back at the group via !GetAtt.

```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: Security Group without egress
Resources:
  EC2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}"
  EC2SGEgress:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      GroupId: !GetAtt EC2SG.GroupId
      Description: Localhost only. CFN hack to forbid egress
      IpProtocol: "-1"
      CidrIp: 127.0.0.1/32
```
CFRipper reports test1.yml as invalid:

```
$ cfripper test1.yml
Analysing test.yml...
Valid: False
Issues found:
	- EC2SecurityGroupMissingEgressRule: Missing egress rule in EC2SG means all traffic is allowed outbound. Make this explicit if it is desired configuration
```
Now consider the following test2.yml template. It creates the same localhost-only security group, this time using the SecurityGroupEgress property of the SecurityGroup resource itself.

```yaml
---
AWSTemplateFormatVersion: 2010-09-09
Description: Security Group without egress
Resources:
  EC2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AWS::StackName}"
      SecurityGroupEgress:
        - IpProtocol: -1
          CidrIp: 127.0.0.1/32
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}"
```
CFRipper reports test2.yml as valid:

```
$ cfripper test2.yml
Analysing test.yml...
Valid: True
```
The result should be valid for both ways of writing this.
(I found the following Stack Overflow discussion useful while researching this.)
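As an added illustration (not CFRipper's own code), the check below treats a security group as having explicit egress when either form is present: an inline SecurityGroupEgress property, or a standalone AWS::EC2::SecurityGroupEgress resource whose GroupId refers to the group via Ref or Fn::GetAtt. It works on the parsed template dict, so the two templates from this issue are embedded in CloudFormation's JSON long form (!GetAtt EC2SG.GroupId becomes {"Fn::GetAtt": ["EC2SG", "GroupId"]}); the third template is a constructed control case, and its literal sg- ID is a placeholder.

```python
"""Egress check that accepts both ways of declaring egress on a security group.

Added example, not CFRipper's own code. Operates on the parsed template dict;
the YAML short-form tags in the issue map to the JSON long forms used below.
"""

SECURITY_GROUP = "AWS::EC2::SecurityGroup"
SECURITY_GROUP_EGRESS = "AWS::EC2::SecurityGroupEgress"


def referenced_logical_id(value):
    """Return the logical resource ID a GroupId value points at, or None.

    Handles {"Ref": "X"} and both spellings of Fn::GetAtt. A literal sg-... ID
    or an imported value returns None: it cannot name a group in this template.
    """
    if not isinstance(value, dict):
        return None
    if "Ref" in value:
        return value["Ref"]
    target = value.get("Fn::GetAtt")
    if isinstance(target, list) and target:
        return target[0]
    if isinstance(target, str):  # short form "EC2SG.GroupId"
        return target.split(".", 1)[0]
    return None


def security_groups_missing_egress(template):
    """Logical IDs of security groups with no egress rule declared anywhere.

    A group is covered if it carries an inline SecurityGroupEgress property or
    if any AWS::EC2::SecurityGroupEgress resource in the template targets it.
    """
    resources = template.get("Resources", {})
    groups = {name for name, res in resources.items()
              if res.get("Type") == SECURITY_GROUP}
    covered = {name for name in groups
               if "SecurityGroupEgress" in resources[name].get("Properties", {})}
    for res in resources.values():
        if res.get("Type") != SECURITY_GROUP_EGRESS:
            continue
        target = referenced_logical_id(res.get("Properties", {}).get("GroupId"))
        if target in groups:
            covered.add(target)
    return sorted(groups - covered)


# test1.yml from the issue, in CloudFormation JSON form (tags omitted).
TEMPLATE_STANDALONE_EGRESS = {
    "Resources": {
        "EC2SG": {
            "Type": SECURITY_GROUP,
            "Properties": {"GroupDescription": {"Fn::Sub": "${AWS::StackName}"}},
        },
        "EC2SGEgress": {
            "Type": SECURITY_GROUP_EGRESS,
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["EC2SG", "GroupId"]},
                "IpProtocol": "-1",
                "CidrIp": "127.0.0.1/32",
            },
        },
    }
}

# test2.yml from the issue.
TEMPLATE_INLINE_EGRESS = {
    "Resources": {
        "EC2SG": {
            "Type": SECURITY_GROUP,
            "Properties": {
                "GroupDescription": {"Fn::Sub": "${AWS::StackName}"},
                "SecurityGroupEgress": [{"IpProtocol": -1, "CidrIp": "127.0.0.1/32"}],
            },
        }
    }
}

# Constructed control case: no egress declared for EC2SG anywhere, plus an
# egress resource aimed at a literal (placeholder) group ID that must not count.
TEMPLATE_NO_EGRESS = {
    "Resources": {
        "EC2SG": {"Type": SECURITY_GROUP, "Properties": {"GroupDescription": "x"}},
        "OtherEgress": {
            "Type": SECURITY_GROUP_EGRESS,
            "Properties": {"GroupId": "sg-0123456789abcdef0",
                           "IpProtocol": "-1", "CidrIp": "10.0.0.0/8"},
        },
    }
}

if __name__ == "__main__":
    for label, tpl in [("test1", TEMPLATE_STANDALONE_EGRESS),
                       ("test2", TEMPLATE_INLINE_EGRESS),
                       ("control", TEMPLATE_NO_EGRESS)]:
        missing = security_groups_missing_egress(tpl)
        print(f"{label}: Valid: {not missing} {missing}")
```

Both test1 and test2 come back with no missing groups, while the control template still flags EC2SG, so the rule keeps its purpose of catching groups that silently inherit the default allow-all egress.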