def evaluate_compliance()

in scripts/security_group_is_secure.py [0:0]


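def evaluate_compliance(configuration_item, rule_parameters):
    """Report whether a security group's ingress rules expose ``UndesiredPort``.

    Only the ingress entries in ``configuration['ipPermissions']`` are
    inspected; egress rules are not examined. An entry is treated as
    "all traffic" when it carries no ``fromPort``/``toPort`` pair, which is how
    an all-protocols entry appears in the configuration item.

    Args:
        configuration_item: AWS Config configuration item of the security
            group; ``configuration_item['configuration']`` is read.
        rule_parameters: rule parameters; ``UndesiredPort`` is required and
            must parse as an integer in the range 0-65535.

    Returns:
        A dict with ``compliance_type`` (``'NON_COMPLIANT'`` when any ingress
        entry covers the port or allows all traffic, ``'COMPLIANT'``
        otherwise) and a human-readable ``annotation``.

    Raises:
        KeyError: ``UndesiredPort`` or ``configuration`` is missing.
        ValueError: ``UndesiredPort`` is not an integer port number.
    """
    undesired_port = int(rule_parameters['UndesiredPort'])
    if not 0 <= undesired_port <= 65535:
        # An out-of-range port can never match an entry, so a mistyped
        # parameter would otherwise silently evaluate as COMPLIANT.
        raise ValueError(f'UndesiredPort out of range: {undesired_port}')

    configuration = configuration_item['configuration']

    # A group with no ingress entries (key absent, None or empty) cannot
    # expose the port and evaluates as COMPLIANT.
    for ip_permissions in configuration.get('ipPermissions') or []:
        from_port = ip_permissions.get('fromPort')
        to_port = ip_permissions.get('toPort')
        # The original only recognised the all-traffic case when BOTH keys were
        # absent and then indexed them directly, so an entry with exactly one
        # key raised KeyError and aborted the whole evaluation instead of
        # producing a finding. Either missing bound now counts as all traffic.
        if from_port is None or to_port is None:
            return {
                'compliance_type': 'NON_COMPLIANT',
                'annotation': f'Security Group is open to all traffic so port {undesired_port} is not blocked',
            }
        # NOTE(review): for icmp/icmpv6 entries AWS stores the ICMP type/code in
        # fromPort/toPort, so such an entry can match here although no TCP/UDP
        # port is exposed — confirm whether those protocols should be skipped.
        if from_port <= undesired_port <= to_port:
            return {
                'compliance_type': 'NON_COMPLIANT',
                'annotation': f'Security Group port {undesired_port} is not blocked',
            }

    return {
        'compliance_type': 'COMPLIANT',
        'annotation': f'Port {undesired_port} not open for ingress',
    }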