Issue with Security group Ingress filter type #7830

Open
BinduHK opened this issue Oct 4, 2022 · 3 comments

BinduHK commented Oct 4, 2022

Describe the bug

We tried remediating the RDP ingress connections from some specific IPs, but the filter section does not work as expected.

  1. I have tried giving the filter section below, where it checks for those inbound connections of type RDP that are not in these five filter sections' CIDR values, but it evaluates only the first filter, so any IP address which is in the other four CIDR blocks is invalid, which is wrong.

    We are giving the value as different valid CIDRs from which we can have RDP connections, but it looks like it doesn't even evaluate any other ingress condition.

     - type: ingress
       FromPort: 3389
       Cidr:
         value_type: cidr
         op: not-in
         value: ""
     - type: ingress
       FromPort: 3389
       Cidr:
         value_type: cidr
         op: not-in
         value: ""
     - type: ingress
       FromPort: 3389
       Cidr:
         value_type: cidr
         op: not-in
         value: ""
     - type: ingress
       FromPort: 3389
       Cidr:
         value_type: cidr
         op: not-in
         value: ""
     - type: ingress
       FromPort: 3389
       Cidr:
         value_type: cidr
         op: not-in
         value: ""
    
  2. We tried giving the CIDR value as an array, as below, in the filter section, but there also it evaluates to those CIDRs which reside inside those CIDR ranges, which is again wrong.

     - type: ingress
       FromPort: 3389
       Cidr:
         value_type: cidr
         op: not-in
         value: ["", "", "", "", ""]
    

What did you expect to happen?

I want the Security Group to detect those RDP inbound connections which are not in the value list which I am specifying as five different CIDR values.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

No response

Policy

        - type: ingress
          FromPort: 3389
          Cidr:
            value_type: cidr
            op: not-in
            value: ""
        - type: ingress
          FromPort: 3389
          Cidr:
            value_type: cidr
            op: not-in
            value: ""
        - type: ingress
          FromPort: 3389
          Cidr:
            value_type: cidr
            op: not-in
            value: ""
        - type: ingress
          FromPort: 3389
          Cidr:
            value_type: cidr
            op: not-in
            value: ""
        - type: ingress
          FromPort: 3389
          Cidr:
            value_type: cidr
            op: not-in
            value: ""

Relevant log/traceback output

It is not evaluating any of the CIDR values apart from the one specified in the first ingress type, and it gives any other IP as invalid.

Extra information or context

No response

kapilt (Collaborator) commented Oct 4, 2022

You've given a snippet of the policy instead of the whole policy, which does not make clear whether you are combining these filters in an `or` block or the default `and` block. Also, is the use of an empty string for the cidr intended as an example, i.e. the actual value omitted?

kapilt (Collaborator) commented Oct 4, 2022

As another suggestion, you might consider coming out to the Slack/Gitter channel to ask questions and get interactive help from the community.

BinduHK (Author) commented Oct 6, 2022

Hi Kapil,

Thank you for your response.

I have written on Gitter as well, but there was no reply, so I thought I could raise a bug on GitHub.

I can write the full policy, but I cannot disclose the CIDR values as they are confidential.

policies:
  - name: aws-security-group-rdp-ingress-rem
    resource: security-group
    mode:
      type: cloudtrail
      events:
        - source: ec2.amazonaws.com
          event: ModifySecurityGroupRules
          ids: "requestParameters.ModifySecurityGroupRulesRequest.GroupId"
        - source: ec2.amazonaws.com
          event: AuthorizeSecurityGroupIngress
          ids: "responseElements.securityGroupRuleSet.items[].groupId"
      role: arn:aws:iam::123456789:role/test_instance_profile
      member-role: arn:aws:iam::{account_id}:role/test
    filters:
      - and:
          - type: ingress
            FromPort: 3389
            Cidr:
              value_type: cidr
              op: not-in
              value: ""
          - type: ingress
            FromPort: 3389
            Cidr:
              value_type: cidr
              op: not-in
              value: ""
          - type: ingress
            FromPort: 3389
            Cidr:
              value_type: cidr
              op: not-in
              value: ""
          - type: ingress
            FromPort: 3389
            Cidr:
              value_type: cidr
              op: not-in
              value: ""
          - type: ingress
            FromPort: 3389
            Cidr:
              value_type: cidr
              op: not-in
              value: ""
    actions:
      - type: remove-permissions
        ingress: matched

My query is: I have 5 CIDR ranges, and I have to detect those RDP ingress rules which are not in those 5 CIDR values which we have specified in the value section of the policy.
But when we try to give the CIDR values with the default `and` condition, it does not evaluate properly; it is detecting even the valid CIDR ranges that are in the CIDR values specified in the policy.

Please help me.
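The two policy shapes in this thread (five separate single-CIDR `not-in` filters under the default `and`, versus one `ingress` filter whose `Cidr.value` is the whole list) can be compared without AWS access by modelling what each filter matches. The block below is an added example and is not Cloud Custodian's own code: it is a stand-alone reimplementation of the semantics under discussion using only the standard library. `ALLOWED` and `SG_RULES` are constructed stand-ins (the reporter withheld the real CIDRs), and two points are assumptions rather than facts from the thread: that a list value for a cidr `in`/`not-in` check means "inside any listed block", and that rules recorded by several filters are unioned before `ingress: matched` acts on them.

```python
"""Model of how per-rule CIDR ingress filters combine.

Added example, not Cloud Custodian's code: a minimal reimplementation of
the filter semantics under discussion, so the two policy shapes from the
thread can be run against a constructed security group.
"""
import ipaddress

# Constructed allow-list standing in for the five confidential CIDRs.
ALLOWED = ["10.10.0.0/16", "10.20.0.0/16", "192.168.1.0/24"]

# Constructed security group: three RDP rules (two legitimate, one open to the
# world) and one SSH rule that an RDP-only filter must ignore. Field names
# follow the EC2 IpPermissions shape, flattened to one CidrIp per rule.
SG_RULES = [
    {"FromPort": 3389, "ToPort": 3389, "CidrIp": "10.10.5.0/24"},  # inside ALLOWED[0]
    {"FromPort": 3389, "ToPort": 3389, "CidrIp": "10.20.0.0/16"},  # equals ALLOWED[1]
    {"FromPort": 3389, "ToPort": 3389, "CidrIp": "0.0.0.0/0"},     # rogue: RDP from anywhere
    {"FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},         # not RDP, out of scope
]


def cidr_within(rule_cidr, allowed_cidrs):
    """True if rule_cidr equals or is a subnet of any entry in allowed_cidrs.

    This is the containment test a cidr `op: in` is meant to express
    (assumption: a list value means "inside any listed block"). A v4/v6
    mismatch is treated as "not inside" rather than raised as an error.
    """
    net = ipaddress.ip_network(rule_cidr, strict=False)
    for allowed in allowed_cidrs:
        block = ipaddress.ip_network(allowed, strict=False)
        if block.version == net.version and net.subnet_of(block):
            return True
    return False


def ingress_not_in(rules, port, allowed_cidrs):
    """One `ingress` filter with a list value: every rule covering `port`
    whose CIDR lies outside all of allowed_cidrs. The returned rules are
    what `ingress: matched` would hand to remove-permissions."""
    return [
        r for r in rules
        if r["FromPort"] <= port <= r["ToPort"]
        and not cidr_within(r["CidrIp"], allowed_cidrs)
    ]


def and_of_single_cidr_filters(rules, port, allowed_cidrs):
    """Separate single-CIDR `not-in` filters combined with the default `and`.

    Each filter is evaluated on its own: it matches the group if at least one
    RDP rule lies outside *its* block, and it records those rules. The group
    passes the `and` only if every filter matched, and the rules acted on are
    the union of what each filter recorded (assumption: matched permissions
    accumulate across filters this way).
    """
    per_filter = [ingress_not_in(rules, port, [cidr]) for cidr in allowed_cidrs]
    if not all(per_filter):  # some filter matched nothing: group is skipped
        return []
    union = []
    for matched in per_filter:
        for rule in matched:
            if rule not in union:
                union.append(rule)
    return union


def report(rules, port, allowed_cidrs):
    """Side-by-side result of the two policy shapes, as lists of CIDRs."""
    return {
        "single_list_filter": [
            r["CidrIp"] for r in ingress_not_in(rules, port, allowed_cidrs)],
        "and_of_single_filters": [
            r["CidrIp"] for r in and_of_single_cidr_filters(rules, port, allowed_cidrs)],
    }


if __name__ == "__main__":
    for shape, cidrs in report(SG_RULES, 3389, ALLOWED).items():
        print(f"{shape}: would remove {cidrs}")
```

Under this model the list-valued filter removes only the `0.0.0.0/0` rule, while the `and` of single-CIDR filters removes all three RDP rules, because a rule inside block 1 is by definition outside blocks 2 to 5 and so is recorded by those filters. Dropping the rogue rule from the sample group does not help: the two legitimate rules still get flagged by each other's filters, which is the "detecting even the valid CIDR ranges" symptom described above.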
