in code/SecGuardRails/stack_validate_lambda.py [0:0]
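def _rule_cidr_sources(rule):
    """Return every IPv4/IPv6 CIDR source attached to one ingress rule.

    Sources that are not CIDRs (security-group pairs, prefix lists) are
    not returned, so callers see an empty list for such rules.
    """
    sources = [entry.get('CidrIp') for entry in rule.get('IpRanges', [])]
    sources += [entry.get('CidrIpv6') for entry in rule.get('Ipv6Ranges', [])]
    return [cidr for cidr in sources if cidr]


def _rule_from_approved_source_only(rule, approved_cidr):
    """True when the rule has CIDR sources and every one equals approved_cidr.

    A rule with no CIDR source (group pair / prefix list only) is NOT treated
    as approved; the previous whole-group text match behaved the same way,
    because the approved CIDR never appeared in such a rule's text.
    """
    cidrs = _rule_cidr_sources(rule)
    return bool(cidrs) and all(cidr == approved_cidr for cidr in cidrs)


def _rule_covers_port(rule, port):
    """True when the rule admits traffic on *port*.

    Protocol "-1" (all traffic) rules carry no FromPort/ToPort and are
    matched on the protocol alone; every other rule is matched on its
    port range. A rule without a usable range is treated as no match.
    """
    if str(rule.get('IpProtocol')) == "-1":
        return True
    try:
        return int(rule['FromPort']) <= port <= int(rule['ToPort'])
    except (KeyError, TypeError, ValueError):
        # Narrow replacement for the former bare except: only a missing or
        # non-numeric port range is tolerated, anything else propagates.
        return False


def control_4_1_ensure_ssh_not_open_to_world(regions, stackName, approved_cidr="1.2.3.4/32"):
    """Check that no security group of *stackName* exposes port 22 beyond approved_cidr.

    Args:
        regions: iterable of AWS region names to inspect.
        stackName: CloudFormation stack name; groups are selected by the
            ``aws:cloudformation:stack-name`` tag.
        approved_cidr: the only ingress source allowed to reach port 22.
            Defaults to the value that was previously hard-coded.

    Returns:
        dict with keys ``Result``, ``failReason``, ``Offenders``,
        ``ScoredControl``, ``Description`` and ``ControlId``. Every
        ``Offenders`` entry has the form ``"<region> : <GroupId>"`` (the
        two branches of the old code formatted offenders differently) and
        a group is listed at most once per region.

    Each ingress rule is judged on its own: a rule that cites the approved
    CIDR no longer exempts the other rules of the same group, and a rule
    mixing the approved CIDR with a wider one is still an offender.
    """
    result = True
    failReason = ""
    offenders = []
    control = "4.1"
    description = "Ensure that security groups allow ingress from approved CIDR range to port 22"
    scored = True
    ssh_port = 22
    stack_filter = [{'Name': 'tag:aws:cloudformation:stack-name', 'Values': [stackName]}]
    for region in regions:
        client = boto3.client('ec2', region_name=region)
        # Paginate so stacks with many groups are not silently truncated.
        paginator = client.get_paginator('describe_security_groups')
        for page in paginator.paginate(Filters=stack_filter):
            for group in page['SecurityGroups']:
                for rule in group['IpPermissions']:
                    if _rule_from_approved_source_only(rule, approved_cidr):
                        continue
                    if not _rule_covers_port(rule, ssh_port):
                        continue
                    result = False
                    failReason = ("Found Security Group with port 22 open to the wrong source IP range. "
                                  "Allowed IP is: " + approved_cidr)
                    offender = str(region) + " : " + str(group['GroupId'])
                    if offender not in offenders:
                        offenders.append(offender)
    return {'Result': result, 'failReason': failReason, 'Offenders': offenders, 'ScoredControl': scored,
            'Description': description, 'ControlId': control}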