Add 'EC2 sensitive port publicly exposed' query for CloudFormation (#1642)

* Closes #1634

* simplifying query

* splitting into UDP and TCP queries

* removing comments

* fixing integration tests

* fixing unit tests

* fixing integration tests

Author: rogeriopeixotocx

assets/queries/cloudFormation/ec2_sensitive_tcp_port_is_publicly_exposed/metadata.json

@@ -0,0 +1,8 @@
+{
+  "id": "ec2_sensitive_tcp_port_is_publicly_exposed",
+  "queryName": "EC2 Sensitive TCP Port Is Publicly Exposed",
+  "severity": "HIGH",
+  "category": "Network Ports Security",
+  "descriptionText": "The EC2 instance has a sensitive port connection exposed to the entire internet.",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html"
+}

assets/queries/cloudFormation/ec2_sensitive_tcp_port_is_publicly_exposed/query.rego

@@ -0,0 +1,89 @@
+package Cx
+
+getIngress(securityGroup) = ingress {
+  ingress = securityGroup.Properties.SecurityGroupIngress
+}
+
+isAccessibleFromEntireNetwork(ingress) {
+  endswith(ingress.CidrIp, "/0")
+}
+
+CxPolicy [ result ] {
+  #############	inputs
+  # List of ports
+  portNumbers =	{
+    22: "SSH",
+    23: "Telnet",
+    25: "SMTP",
+    110: "POP3",
+    135: "MSSQL Debugger",
+    137: "NetBIOS Name Service",
+    138: "NetBIOS Datagram Service",
+    139: "NetBIOS Session Service",
+    389: "LDAP",
+    445: "Microsoft-DS",
+    636: "LDAP SSL",
+    1433: "MSSQL Server",
+    1434: "MSSQL Browser",
+    1521: "Oracl DB",
+    2382: "SQL Server Analysis",
+    2383: "SQL Server Analysis",
+    2483: "Oracle DB SSL",
+    2484: "Oracle DB SSL",
+    3000: "Prevalent known internal port",
+    3020: "CIFS / SMB",
+    3306: "MySQL",
+    3389: "Remote Desktop",
+    4505: "SaltStack Master",
+    4506: "SaltStack Master",
+    5432: "PostgreSQL",
+    5500: "VNC Listener",
+    5900: "VNC Server",
+    6379: "Redis",
+    7000: "Cassandra Internode Communication",
+    7001: "Cassandra",
+    7199: "Cassandra Monitoring",
+    8000: "Known internal web port",
+    8080: "Known internal web port",
+    8140: "Puppet Master",
+    8888: "Cassandra OpsCenter Website",
+    9000: "Hadoop Name Node",
+    9042: "Cassandra Client",
+    9090: "CiscoSecure: WebSM",
+    9160: "Cassandra Thrift",
+    9200: "Elastic Search",
+    9300: "Elastic Search",
+    11211: "Memcached",
+    11214: "Memcached SSL",
+    11215: "Memcached SSL",
+    27017: "Mongo",
+    27018: "Mongo Web Portal",
+    61620: "Cassandra OpsCenter",
+    61621: "Cassandra OpsCenter"
+  }
+
+  #############	document and resource
+  allResources := input.document[i].Resources
+  securityGroupName = [key | secGroup := allResources[key]; secGroup.Type == "AWS::EC2::SecurityGroup"; count(secGroup.Properties.SecurityGroupIngress) > 0][m]
+  securityGroup = allResources[securityGroupName]
+  ingress := getIngress(securityGroup)[n]
+
+  #############	get relevant fields
+  upper(ingress.IpProtocol) == "TCP"
+
+  #############	Checks
+  isAccessibleFromEntireNetwork(ingress)
+  portRange := numbers.range(ingress.FromPort, ingress.ToPort)
+  portNumbers[portRange[idx]]
+  portNumber = portRange[idx]
+  portName := portNumbers[portNumber]
+
+  #############	Result
+  result := {
+    "documentId": input.document[i].id,
+    "searchKey": sprintf("Resources.%s.SecurityGroupIngress", [securityGroupName]),
+    "issueType": "IncorrectValue",
+    "keyExpectedValue": sprintf("%s (%s:%d) should not be allowed in EC2 security group for instance", [portName, "TCP", portNumber]),
+    "keyActualValue": sprintf("%s (%s:%d) is allowed in EC2 security group for instance", [portName, "TCP", portNumber])
+  }
+}

assets/queries/cloudFormation/ec2_sensitive_tcp_port_is_publicly_exposed/test/negative.yaml

@@ -0,0 +1,29 @@
+AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+Resources:
+  SafeSecGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+          CidrIp: 127.0.0.1/32
+      GroupDescription: Allow http and ssh
+      VpcId: my-vpc
+      SecurityGroupIngress:
+        - FromPort: 80
+          ToPort: 80
+          CidrIp: 127.0.0.1/32
+          IpProtocol: tcp
+        - ToPort: 77
+          CidrIp: 127.0.0.1/32
+          IpProtocol: all
+          FromPort: 77
+  MyNegativeEC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      SecurityGroups:
+        - SafeSecGroup
+      KeyName: my-new-rsa-key
+      ImageId: ami-79fd7eee
+      InstanceType: t3.medium

assets/queries/cloudFormation/ec2_sensitive_tcp_port_is_publicly_exposed/test/positive.yaml

@@ -0,0 +1,93 @@
+AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+Resources:
+  UnsafeSecGroup01:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Allow http and ssh
+      VpcId: my-vpc
+      SecurityGroupIngress:
+        - FromPort: 8080
+          ToPort: 8080
+          CidrIp: 127.0.0.1/32
+          IpProtocol: tcp
+        - IpProtocol: tcp
+          FromPort: 6379
+          ToPort: 6379
+          CidrIp: 127.0.0.1/0
+      SecurityGroupEgress:
+        - FromPort: 22
+          ToPort: 22
+          CidrIp: 0.0.0.0/0
+          IpProtocol: tcp
+  EC2Instance01:
+    Type: AWS::EC2::Instance
+    Properties:
+      ImageId: ami-79fd7eee
+      InstanceType: t3.medium
+      SecurityGroups:
+        - UnsafeSecGroup01
+      KeyName: my-new-rsa-key
+---
+AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+Resources:
+  UnsafeSecGroup02:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: Allow http and ssh
+      VpcId: my-vpc
+      SecurityGroupIngress:
+        - IpProtocol: tcp
+          FromPort: 80
+          ToPort: 80
+          CidrIp: 127.0.0.1/32
+        - ToPort: 1434
+          CidrIp: 127.0.0.1/0
+          IpProtocol: tcp
+          FromPort: 1433
+        - IpProtocol: tcp
+          FromPort: 150
+          ToPort: 180
+          CidrIp: 127.0.0.1/0
+      SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+          CidrIp: 0.0.0.0/0
+  EC2Instance02:
+    Type: AWS::EC2::Instance
+    Properties:
+      InstanceType: t3.medium
+      SecurityGroups:
+        - UnsafeSecGroup02
+      KeyName: my-new-rsa-key
+      ImageId: ami-79fd7eee
+---
+AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+Resources:
+  UnsafeSecGroup03:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+          CidrIp: 0.0.0.0/0
+      GroupDescription: Allow http and ssh
+      VpcId: my-vpc
+      SecurityGroupIngress:
+        - ToPort: 80
+          CidrIp: 0.0.0.0/0
+          IpProtocol: tcp
+          FromPort: 80
+        - ToPort: 9000
+          CidrIp: 127.0.0.1/0
+          IpProtocol: tcp
+          FromPort: 9000
+  EC2Instance03:
+    Type: AWS::EC2::Instance
+    Properties:
+      SecurityGroups:
+        - UnsafeSecGroup03
+      KeyName: my-new-rsa-key
+      ImageId: ami-79fd7eee
+      InstanceType: t3.medium

assets/queries/cloudFormation/ec2_sensitive_tcp_port_is_publicly_exposed/test/positive_expected_result.json

@@ -0,0 +1,22 @@
+[
+	{
+		"queryName": "EC2 Sensitive TCP Port Is Publicly Exposed",
+		"severity": "HIGH",
+		"line": 8
+	},
+	{
+		"queryName": "EC2 Sensitive TCP Port Is Publicly Exposed",
+		"severity": "HIGH",
+		"line": 38
+	},
+	{
+		"queryName": "EC2 Sensitive TCP Port Is Publicly Exposed",
+		"severity": "HIGH",
+		"line": 38
+	},
+	{
+		"queryName": "EC2 Sensitive TCP Port Is Publicly Exposed",
+		"severity": "HIGH",
+		"line": 77
+	}
+]

assets/queries/cloudFormation/ec2_sensitive_udp_port_is_publicly_exposed/metadata.json

@@ -0,0 +1,8 @@
+{
+  "id": "ec2_sensitive_udp_port_is_publicly_exposed",
+  "queryName": "EC2 Sensitive UDP Port Is Publicly Exposed",
+  "severity": "HIGH",
+  "category": "Network Ports Security",
+  "descriptionText": "The EC2 instance has a sensitive port connection exposed to the entire internet.",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html"
+}

assets/queries/cloudFormation/ec2_sensitive_udp_port_is_publicly_exposed/query.rego

@@ -0,0 +1,60 @@
+package Cx
+
+getIngress(securityGroup) = ingress {
+  ingress = securityGroup.Properties.SecurityGroupIngress
+}
+
+isAccessibleFromEntireNetwork(ingress) {
+  endswith(ingress.CidrIp, "/0")
+}
+
+containsDestinationPort(port, ingress) {
+  ingress.FromPort == 0
+  ingress.ToPort == 0
+} else {
+  port == numbers.range(ingress.FromPort, ingress.ToPort)[_]
+}
+
+CxPolicy [ result ] {
+  #############	inputs
+  # List of ports
+  portNumbers =	[
+    [53, "DNS"],
+    [137, "NetBIOS Name Service"],
+    [138, "NetBIOS Datagram Service"],
+    [139, "NetBIOS Session Service"],
+    [161, "SNMP"],
+    [389, "LDAP"],
+    [1434, "MSSQL Browser"],
+    [2483, "Oracle DB SSL"],
+    [2484, "Oracle DB SSL"],
+    [5432, "PostgreSQL"],
+    [11211, "Memcached"],
+    [11214, "Memcached SSL"],
+    [11215, "Memcached SSL"]
+  ]
+
+  #############	document and resource
+  allResources := input.document[i].Resources
+  securityGroupName = [key | secGroup := allResources[key]; secGroup.Type == "AWS::EC2::SecurityGroup"; count(secGroup.Properties.SecurityGroupIngress) > 0][m]
+  securityGroup = allResources[securityGroupName]
+  ingress := getIngress(securityGroup)[n]
+
+  #############	get relevant fields
+  portNumber = portNumbers[j][0]
+  portName = portNumbers[j][1]
+  upper(ingress.IpProtocol) == "UDP"
+
+  #############	Checks
+  isAccessibleFromEntireNetwork(ingress)
+  containsDestinationPort(portNumber, ingress)
+
+  #############	Result
+  result := {
+    "documentId": input.document[i].id,
+    "searchKey": sprintf("Resources.%s.SecurityGroupIngress", [securityGroupName]),
+    "issueType": "IncorrectValue",
+    "keyExpectedValue": sprintf("%s (%s:%d) should not be allowed in EC2 security group for instance", [portName, "UDP", portNumber]),
+    "keyActualValue": sprintf("%s (%s:%d) is allowed in EC2 security group for instance", [portName, "UDP", portNumber])
+  }
+}

assets/queries/cloudFormation/ec2_sensitive_udp_port_is_publicly_exposed/test/negative.yaml

@@ -0,0 +1,29 @@
+AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+Resources:
+  SafeSecGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      SecurityGroupEgress:
+        - IpProtocol: tcp
+          FromPort: 22
+          ToPort: 22
+          CidrIp: 127.0.0.1/32
+      GroupDescription: Allow http and ssh
+      VpcId: my-vpc
+      SecurityGroupIngress:
+        - FromPort: 53
+          ToPort: 53
+          CidrIp: 127.0.0.1/32
+          IpProtocol: udp
+        - ToPort: 77
+          CidrIp: 127.0.0.1/32
+          IpProtocol: udp
+          FromPort: 77
+  MyNegativeEC2Instance:
+    Type: AWS::EC2::Instance
+    Properties:
+      SecurityGroups:
+        - SafeSecGroup
+      KeyName: my-new-rsa-key
+      ImageId: ami-79fd7eee
+      InstanceType: t3.medium