Merge pull request #183 from trussworks/sg-vpc-ports

Inputs for check_vpc_sg_open_only_to_authorized_ports rule
trussworks · Jun 27, 2023 · 2189015 · 2189015
2 parents cbbe91f + 5c42dd4
commit 2189015
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -284,7 +284,7 @@ No modules.
 | check\_s3\_bucket\_server\_side\_encryption\_enabled | Enable s3-bucket-server-side-encryption-enabled rule | `bool` | `true` | no |
 | check\_s3\_bucket\_ssl\_requests\_only | Enable s3-bucket-ssl-requests-only rule | `bool` | `true` | no |
 | check\_vpc\_default\_security\_group\_closed | Enable vpc-default-security-group-closed rule | `bool` | `true` | no |
-| check\_vpc\_sg\_open\_only\_to\_authorized\_ports | Enable vpc-sg-open-only-to-authorized-ports rule | `bool` | `true` | no |
+| check\_vpc\_sg\_open\_only\_to\_authorized\_ports | Enable vpc-sg-open-only-to-authorized-ports rule | `bool` | `false` | no |
 | cloud\_trail\_cloud\_watch\_logs\_enabled | Enable cloud\_trail\_cloud\_watch\_logs\_enabled rule | `bool` | `true` | no |
 | config\_aggregator\_name | The name of the aggregator. | `string` | `"organization"` | no |
 | config\_delivery\_frequency | The frequency with which AWS Config delivers configuration snapshots. | `string` | `"Six_Hours"` | no |
@@ -318,6 +318,8 @@ No modules.
 | resource\_types | A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types. | `list(string)` | `[]` | no |
 | s3\_bucket\_public\_access\_prohibited\_exclusion | Comma-separated list of known allowed public Amazon S3 bucket names. | `string` | `"example,CSV"` | no |
 | tags | Tags to apply to AWS Config resources | `map(string)` | `{}` | no |
+| vpc\_sg\_authorized\_TCP\_ports | Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025' | `string` | `"none"` | no |
+| vpc\_sg\_authorized\_UDP\_ports | Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '500,1020-1025' | `string` | `"none"` | no |
 
 ## Outputs
 

diff --git a/config-policies/vpc_sg_authorized_ports.tpl b/config-policies/vpc_sg_authorized_ports.tpl
@@ -0,0 +1,4 @@
+{
+ "authorizedTcpPorts": "${vpc_sg_authorized_TCP_ports}",
+ "authorizedUdpPorts": "${vpc_sg_authorized_UDP_ports}"
+}
diff --git a/config-rules.tf b/config-rules.tf
@@ -82,6 +82,13 @@ locals {
  s3_bucket_public_access_prohibited_exclusion = var.s3_bucket_public_access_prohibited_exclusion
  }
  )
+
+ aws_config_vpc_sg_authorized_ports = templatefile("${path.module}/config-policies/vpc_sg_authorized_ports.tpl",
+ {
+ vpc_sg_authorized_TCP_ports = var.vpc_sg_authorized_TCP_ports
+ vpc_sg_authorized_UDP_ports = var.vpc_sg_authorized_UDP_ports
+ }
+ )
 }
 
 
@@ -936,9 +943,10 @@ resource "aws_config_config_rule" "s3-bucket-server-side-encryption-enabled" {
 }
 
 resource "aws_config_config_rule" "vpc-sg-open-only-to-authorized-ports" {
- count = var.check_vpc_sg_open_only_to_authorized_ports ? 1 : 0
- name = "vpc-sg-open-only-to-authorized-ports"
- description = "Checks whether any security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. The rule is NON_COMPLIANT when a security group with inbound 0.0.0.0/0 has a port accessible which is not specified in the rule parameters. "
+ count = var.check_vpc_sg_open_only_to_authorized_ports ? 1 : 0
+ name = "vpc-sg-open-only-to-authorized-ports"
+ description = "Checks if security groups with inbound 0.0.0.0/0 have TCP or UDP ports accessible. NON_COMPLIANT if security group with inbound 0.0.0.0/0 has a port accessible which is not specified in rule parameters.(both Terraform inputs required if enabled)"
+ input_parameters = local.aws_config_vpc_sg_authorized_ports
 
  source {
  owner = "AWS"

diff --git a/variables.tf b/variables.tf
@@ -522,7 +522,21 @@ variable "check_s3_bucket_server_side_encryption_enabled" {
 variable "check_vpc_sg_open_only_to_authorized_ports" {
  description = "Enable vpc-sg-open-only-to-authorized-ports rule"
  type = bool
- default = true
+ default = false
+}
+
+variable "vpc_sg_authorized_TCP_ports" {
+ description = "Comma-separated list of TCP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '443,1020-1025'"
+ type = string
+ #default value can't be blank
+ default = "none"
+}
+
+variable "vpc_sg_authorized_UDP_ports" {
+ description = "Comma-separated list of UDP ports authorized to be open to 0.0.0.0/0. Ranges are defined by dash. example, '500,1020-1025'"
+ type = string
+ #default value can't be blank
+ default = "none"
 }
 
 variable "resource_types" {