-
Notifications
You must be signed in to change notification settings - Fork 30
/
Copy pathdeny-public-rdp-acl-rules.sentinel
executable file
·79 lines (68 loc) · 2.38 KB
/
deny-public-rdp-acl-rules.sentinel
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
import "tfplan/v2" as tfplan
aws_security_groups = filter tfplan.resource_changes as _, resource_changes {
resource_changes.mode is "managed" and
resource_changes.type is "aws_security_group" and
(resource_changes.change.actions contains "create" or
resource_changes.change.actions is ["update"]) and
(resource_changes.change.after.ingress else []) is not empty
}
aws_security_group_rules = filter tfplan.resource_changes as _, resource_changes {
resource_changes.mode is "managed" and
resource_changes.type is "aws_security_group_rule" and
(resource_changes.change.actions contains "create" or
resource_changes.change.actions is ["update"]) and
resource_changes.change.after.type is "ingress"
}
rdp_security_groups = filter aws_security_groups as _, asg {
any asg.change.after.ingress as _, ingress {
!ingress.self and
(ingress.to_port is 3389 or
(ingress.from_port <= 3389 and
ingress.to_port >= 3389))
}
}
rdp_security_group_rules = filter aws_security_group_rules as _, asgr {
!asgr.change.after.self and
(asgr.change.after.to_port is 3389 or
(asgr.change.after.from_port <= 3389 and
asgr.change.after.to_port >= 3389))
}
protocol_security_groups = filter aws_security_groups as _, asg {
all asg.change.after.ingress as _, ingress {
ingress.protocol is "-1" and !ingress.self
}
}
protocol_security_group_rules = filter aws_security_group_rules as _, asgr {
asgr.change.after.protocol is "-1" and !asgr.change.after.self
}
deny_public_rdp_security_groups = rule {
all rdp_security_groups as _, rsg {
all rsg.change.after.ingress as _, ingress {
ingress.cidr_blocks not contains "0.0.0.0/0"
}
}
}
deny_public_rdp_security_group_rules = rule {
all rdp_security_group_rules as _, rsgr {
rsgr.change.after.cidr_blocks not contains "0.0.0.0/0"
}
}
deny_all_open_protocol_security_groups = rule {
all protocol_security_groups as _, psg {
all psg.change.after.ingress as _, ingress {
ingress.cidr_blocks not contains "0.0.0.0/0"
}
}
}
deny_all_open_protocol_security_group_rules = rule {
all protocol_security_group_rules as _, psgr {
psgr.change.after.cidr_blocks not contains "0.0.0.0/0"
}
}
// Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389.
main = rule {
deny_public_rdp_security_groups and
deny_public_rdp_security_group_rules and
deny_all_open_protocol_security_groups and
deny_all_open_protocol_security_group_rules
}