
Commit 6834ee9

feat: Updated query of security_groups_with_open_critical_ports (#13854)
The query was changed because duplicate rows were being inserted into the aws_policy_results table.
1 parent 540ad42 commit 6834ee9

2 files changed

Lines changed: 22 additions & 10 deletions


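--- a/plugins/source/aws/policies/queries/ec2/security_groups_with_open_critical_ports.sql
+++ b/plugins/source/aws/policies/queries/ec2/security_groups_with_open_critical_ports.sql
@@ -1,13 +1,10 @@
 -- uses view which uses aws_security_group_ingress_rules.sql query
 insert into aws_policy_results
-select
-:'execution_time' as execution_time,
-:'framework' as framework,
-:'check_id' as check_id,
-'Security groups should not allow unrestricted access to ports with high risk' as title,
-account_id,
+WITH IndividualRuleStatus AS (
+SELECT
+account_id,
 id as resource_id,
-case when
+case when
 (ip = '0.0.0.0/0' or ip = '::/0')
 and ((from_port is null and to_port is null) -- all ports
 or 20 between from_port and to_port
@@ -36,5 +33,20 @@ select
 or 9300 between from_port and to_port)
 then 'fail'
 else 'pass'
-end
-from view_aws_security_group_ingress_rules
+end as status
+FROM view_aws_security_group_ingress_rules
+)
+
+SELECT
+:'execution_time' as execution_time,
+:'framework' as framework,
+:'check_id' as check_id,
+'Aggregates rules of security groups with ports and IPs including ipv6' as title,
+account_id,
+resource_id,
+CASE
+WHEN SUM(CASE WHEN status = 'fail' THEN 1 ELSE 0 END) > 0 THEN 'fail'
+ELSE 'pass'
+END as status
+FROM IndividualRuleStatus
+GROUP BY account_id, resource_id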
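Review bot: The title on new line 44, `'Aggregates rules of security groups with ports and IPs including ipv6'`, replaces `'Security groups should not allow unrestricted access to ports with high risk'`, and the docs hunk in this same commit shows that string already exists as a separate check bullet, so the high-risk-ports finding is no longer distinguishable in aws_policy_results and the docs now list the same bullet twice. Unless the rename is intentional, the old title should be kept: `'Security groups should not allow unrestricted access to ports with high risk' as title,` (and the policies.md line 323 left as it was). The aggregation itself does what the description says: one row per (account_id, resource_id), 'fail' if any ingress rule of that group fails. As a point of style, the new lines mix keyword cases (`WITH ... SELECT ... FROM` beside `case when ... as status`); pick one case for the file.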

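--- a/website/pages/docs/plugins/sources/aws/policies.md
+++ b/website/pages/docs/plugins/sources/aws/policies.md
@@ -320,7 +320,7 @@ AWS Foundational Security Best Practices performs the following checks:
 - Unused network access control lists should be removed
 - EC2 instances should not use multiple ENIs
 - Aggregates rules of security groups with ports and IPs including ipv6
-- Security groups should not allow unrestricted access to ports with high risk
+- Aggregates rules of security groups with ports and IPs including ipv6
 - Amazon ECS task definitions should have secure networking modes and user definitions
 - Amazon ECS services should not have public IP addresses assigned to them automatically
 - Amazon EFS should be configured to encrypt file data at rest using AWS KMS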
