
Commit 44f29a5

fix(query): allow cloudformation db security group /24 cidrs
1 parent 600c046 commit 44f29a5

3 files changed

Lines changed: 9 additions & 2 deletions

File tree

assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/query.rego

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ large_scope(ip_address, cidr) {
3232
to_number(input_mask[1]) < 120 # should be 120-128
3333
} else {
3434
input_mask := split(ip_address, "/")
35-
to_number(input_mask[1]) < 25 # should be 25-32
35+
to_number(input_mask[1]) < 24 # should be 24-32
3636
}
3737

3838
exposed_inline_or_standalone_ingress(res, ing_index, type, resource_index) = results { # inline ingresses
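Review bot: the IPv4 boundary moves from `< 25` to `< 24` so a /24 (256 addresses) is no longer reported, which brings the IPv4 branch in line with the IPv6 branch two lines above, where `< 120` already permits a /120 (also 256 addresses); the updated comment `# should be 24-32` matches the new check. The commit only adds negative fixtures for the new boundary, though: a positive test with a /23 (512 addresses) on both an inline and a standalone ingress would pin the threshold and catch an accidental off-by-one if the number is touched again. Also note that `input_mask[1]` is undefined when the value carries no `/` suffix, so `large_scope` silently evaluates to false for a bare address; that predates this change, but is worth a comment if it is intended.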

assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative1.yaml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,10 +13,11 @@ Resources:
1313
GroupDescription: "Ingress for Amazon EC2 security group"
1414
SecurityGroupIngress:
1515
- CidrIp: 1.2.3.4/28
16+
- CidrIp: 10.0.0.0/24
1617

1718
DbSecurityByEC2SecurityGroup2:
1819
Type: AWS::EC2::SecurityGroup
1920
Properties:
2021
GroupDescription: "Ingress for Amazon EC2 security group"
2122
SecurityGroupIngress:
22-
- CidrIpv6: 2001:db8:a::123/121
23+
- CidrIpv6: 2001:db8:a::123/121
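Review bot: the `- CidrIpv6: 2001:db8:a::123/121` line is removed and re-added with identical visible content, so the diff there is whitespace-only (trailing space, indentation or end-of-file newline); confirm that is intentional and not an editor artifact, since it adds noise to the fixture history. The new `- CidrIp: 10.0.0.0/24` entry on the first security group exercises the relaxed inline-ingress boundary as a negative case, which is the right place for it.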

assets/queries/cloudFormation/aws/db_security_group_open_to_large_scope/test/negative2.yaml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,12 @@ Resources:
1212
GroupId: !Ref DbSecurityByEC2SecurityGroup1
1313
CidrIp: 1.2.3.4/28
1414

15+
StandaloneIngressIPv4Max256Hosts:
16+
Type: AWS::EC2::SecurityGroupIngress
17+
Properties:
18+
GroupId: !Ref DbSecurityByEC2SecurityGroup1
19+
CidrIp: 10.0.0.0/24
20+
1521
StandaloneIngressIPv6:
1622
Type: AWS::EC2::SecurityGroupIngress
1723
Properties:
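Review bot: the added `StandaloneIngressIPv4Max256Hosts` resource covers the standalone `AWS::EC2::SecurityGroupIngress` path for the /24 boundary, complementing the inline case in negative1.yaml, so both branches of `exposed_inline_or_standalone_ingress` are exercised. The resource name says 256 hosts; a /24 is 256 addresses, and in a VPC subnet five of them are reserved, so `Max256Addresses` or simply `Slash24` would describe the fixture more precisely.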
