awslabs / sustainability-scanner

MIT No Attribution

bug: `from_port_is_ssh` and `to_port_is_ssh` rules fail when using a parameter #14

Closed alex9smith closed 6 months ago

alex9smith commented 6 months ago

The from_port_is_ssh and to_port_is_ssh rules incorrectly fail if a security group uses a reference to a template parameter for the port numbers, even when the parameter has a default value that's not 22.

Minimum example template:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform:
  - AWS::Serverless-2016-10-31

Parameters:
  ContainerPort:
    Description: The port on which the container is running
    Type: Number
    Default: 6001
  SourceSecurityGroupId:
    Type: String
    Default: abc123

Resources:
  ContainerServiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "Security Group to access the Container Service"
      GroupName: !Join
        - "-"
        - - !Ref AWS::StackName
          - ContainerService

      SecurityGroupIngress:
        - Description: !Sub "Allow traffic from the load balancer on port ${ContainerPort}"
          SourceSecurityGroupId: !Ref SourceSecurityGroupId
          IpProtocol: tcp
          FromPort: !Ref ContainerPort
          ToPort: !Ref ContainerPort
```

Sustainability scanner output:

```json
{
    "title": "Sustainability Scanner Report",
    "file": "test-template.yaml",
    "version": "1.2.4",
    "sustainability_score": 4,
    "failed_rules": [
        {
            "rule_name": "from_port_is_ssh",
            "severity": "MEDIUM",
            "message": "Consider using AWS Systems Manager to access your Amazon EC2 instances instead of direct access or bastion host.",
            "links": [
                "https://docs.aws.amazon.com/wellarchitected/latest/sustainability-pillar/sus_sus_dev_a4.html"
            ],
            "resources": [
                {
                    "name": "/Resources/ContainerServiceSecurityGroup/Properties/SecurityGroupIngress/0/FromPort",
                    "line": "27"
                }
            ]
        },
        {
            "rule_name": "to_port_is_ssh",
            "severity": "MEDIUM",
            "message": "Consider using AWS Systems Manager to access your Amazon EC2 instances instead of direct access or bastion host.",
            "links": [
                "https://docs.aws.amazon.com/wellarchitected/latest/sustainability-pillar/sus_sus_dev_a4.html"
            ],
            "resources": [
                {
                    "name": "/Resources/ContainerServiceSecurityGroup/Properties/SecurityGroupIngress/0/ToPort",
                    "line": "28"
                }
            ]
        }
    ]
}
```

I'm on version 1.2.4 of susscanner and 3.0.3 of cfn-guard.
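The false positive above comes from comparing the raw `FromPort`/`ToPort` value against 22 without first following the `!Ref`. The Python sketch below is an added illustration, not the scanner's own code: it resolves a port through `!Ref` to the referenced parameter's `Default` before applying an "is SSH port" check, treats unresolvable values (no default, pseudo-parameters, other intrinsics) as unknown rather than as failures, and walks a template held as plain dicts in the long-form `{"Ref": ...}` syntax. The `AdminPort` parameter and the second ingress rule are constructed to show the case that should still be reported.

```python
"""Resolve CloudFormation port values before applying an 'is SSH port' rule."""
from typing import Any, Dict, List, Optional, Tuple

SSH_PORT = 22


def resolve_port(value: Any, parameters: Dict[str, Dict[str, Any]]) -> Optional[int]:
    """Return the concrete port, or None when it cannot be known statically."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        try:
            return int(value)  # CloudFormation accepts "22" as well as 22
        except ValueError:
            return None
    if isinstance(value, dict) and list(value) == ["Ref"]:
        param = parameters.get(value["Ref"])
        if param is None or "Default" not in param:
            return None  # pseudo-parameter (AWS::StackName) or parameter without Default
        return resolve_port(param["Default"], parameters)
    return None  # !Join, !Sub, !GetAtt, ...: not resolved by this sketch


def port_is_ssh(value: Any, parameters: Dict[str, Dict[str, Any]]) -> bool:
    """Only a value that resolves to exactly 22 should trigger the rule."""
    return resolve_port(value, parameters) == SSH_PORT


def check_template(template: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (resource path, rule name) pairs, mirroring the scanner's report paths."""
    findings = []
    params = template.get("Parameters", {})
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for i, rule in enumerate(res.get("Properties", {}).get("SecurityGroupIngress", [])):
            for key, rule_name in (("FromPort", "from_port_is_ssh"), ("ToPort", "to_port_is_ssh")):
                if key in rule and port_is_ssh(rule[key], params):
                    findings.append((f"/Resources/{name}/Properties/SecurityGroupIngress/{i}/{key}", rule_name))
    return findings


# Constructed sample: the issue's template in dict form, plus an AdminPort parameter defaulting to 22.
TEMPLATE = {
    "Parameters": {"ContainerPort": {"Type": "Number", "Default": 6001},
                   "SourceSecurityGroupId": {"Type": "String", "Default": "abc123"},
                   "AdminPort": {"Type": "Number", "Default": 22}},
    "Resources": {"ContainerServiceSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": {"Ref": "ContainerPort"}, "ToPort": {"Ref": "ContainerPort"}},
            {"IpProtocol": "tcp", "FromPort": {"Ref": "AdminPort"}, "ToPort": "22"}]}}}}
```

Running `check_template(TEMPLATE)` reports only the second ingress rule (both ports), while the `ContainerPort` reference that produced the false positive in the report above resolves to 6001 and passes.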

jyriseiger commented 6 months ago

Thank you for reporting this! The bug is fixed now and a new version, 1.2.5, is published.