|
158 | 158 | end
|
159 | 159 |
|
160 | 160 | control_id = 'darkbit-aws-23'
|
| 161 | +opts = { control_pack: control_pack, control_id: control_id, "#{control_id}": true } |
161 | 162 | RSpec.describe "[#{control_id}] #{titles[control_id]}" do
|
162 |
| - describe 'Placeholder', control_pack: control_pack, control_id: control_id, "#{control_id}": true do |
163 |
| - it 'should not have a placeholder configuration' do |
164 |
| - expect(true).to eq(true) |
| 163 | + q = %( |
| 164 | + MATCH (sg:AWS_SECURITY_GROUP)-[r]-(rule:AWS_SECURITY_GROUP_INGRESS_RULE) |
| 165 | + WHERE r.cidr_ip = '0.0.0.0/0' AND r.to_port IN ['22','3389'] |
| 166 | + RETURN count(rule) AS ingress_rule_count, |
| 167 | + sg.name AS name, |
| 168 | + sg.region AS region, |
| 169 | + sg.account AS account |
| 170 | + ) |
| 171 | + security_groups = graphdb.query(q).mapped_results |
| 172 | + security_groups.each do |security_group| |
| 173 | + describe "arn:aws:ec2:#{security_group.region}:#{security_group.account}:#{security_group.name}", opts do |
| 174 | + it 'SG should not have IP ingress rules for source 0.0.0.0/0 on tcp port 22 or 3389' do |
| 175 | + expect(security_group.ingress_rule_count).to eq(0) |
| 176 | + end |
165 | 177 | end
|
166 | 178 | end
|
167 | 179 | end
|
|
579 | 591 | )
|
580 | 592 | security_groups = graphdb.query(q).mapped_results
|
581 | 593 | security_groups.each do |security_group|
|
582 |
| - describe security_group.name, opts do |
| 594 | + describe "arn:aws:ec2:#{security_group.region}:#{security_group.account}:#{security_group.name}", opts do |
583 | 595 | it 'default SG should not have any IP ingress rules' do
|
584 | 596 | expect(security_group.ingress_rule_count).to eq(0)
|
585 | 597 | end
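Review bot: The port filter in the new query's WHERE clause (`r.to_port IN ['22','3389']`) is an exact string match, so an ingress rule that opens a range covering SSH or RDP from 0.0.0.0/0 — e.g. from_port 0 / to_port 65535 — is not counted, and only the IPv4 any-address is checked, so an equivalent `::/0` rule passes silently. Assuming the relationship also carries from_port and an IPv6 CIDR property, a range-aware check such as `WHERE (r.cidr_ip = '0.0.0.0/0' OR r.cidr_ipv6 = '::/0') AND any(p IN [22, 3389] WHERE toInteger(r.from_port) <= p AND p <= toInteger(r.to_port))` would close both gaps; an all-traffic rule (protocol -1) may carry no port values at all and should be treated as matching as well. Note also that because the filter sits on the MATCH, a row is only returned for groups that have at least one matching rule, so `ingress_rule_count` can never be 0 and compliant groups never produce a passing example — if that is not the control pack's intended reporting style (the second hunk follows the same pattern), an OPTIONAL MATCH with the WHERE attached to it would surface them.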
|
|