aquasecurity · nikpivkin · Dec 24, 2024 · Jan 16, 2025
@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,5 +1,5 @@
 
-Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,6 +1,5 @@
 
-Network security rules should not use very broad subnets.
-Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,5 +1,6 @@
 
-You should not expose infrastructure to the public internet except where explicitly required
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+
 
 ### Impact
 <!-- Add Impact here -->

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 When publishing web applications, use a load balancer instead of publishing directly to instances.
 

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,5 +1,5 @@
 
-Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
 
 ### Impact

@@ -1,5 +1,5 @@
 # METADATA
-# title: An egress security group rule allows traffic to /0.
+# title: A security group rule should not allow unrestricted egress to any IP address.
 # description: |
 #   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
@@ -35,13 +35,14 @@ package builtin.aws.ec2.aws0104
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some rule in input.aws.ec2.securitygroups[_].egressrules
 	some block in rule.cidrs
-	cidr.is_public(block.value)
-	cidr.count_addresses(block.value) > 1
+	net.cidr_allows_all_ips(block.value)
 	res := result.new(
-		"Security group rule allows egress to multiple public internet addresses.",
+		"Security group rule allows unrestricted egress to any IP address.",
 		block,
 	)
 }
@@ -12,7 +12,11 @@ test_deny_sg_with_public_egress if {
 }
 
 test_allow_sg_without_private_egress if {
-	inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [{"value": "10.0.0.0/16"}]}]}]}}}
+	inp := {"aws": {"ec2": {"securitygroups": [{"egressrules": [{"cidrs": [
+		{"value": "10.0.0.0/8"},
+		{"value": "192.168.164.0/23"},
+		{"value": "22.0.0.0/8"},
+	]}]}]}}}
 
 	test.assert_empty(check.deny) with input as inp
 }
@@ -1,5 +1,5 @@
 # METADATA
-# title: Network ACLs should not allow ingress from 0.0.0.0/0 to port 22 or port 3389.
+# title: Network ACLs should not allow unrestricted ingress to SSH or RDP from any IP address.
 # description: |
 #   The Network Access Control List (NACL) function provide stateless filtering of ingress and
 #   egress network traffic to AWS resources. It is recommended that no NACL allows
@@ -56,7 +56,7 @@ deny contains res if {
 	some block in rule.cidrs
 	net.cidr_allows_all_ips(block.value)
 	res := result.new(
-		"Network ACL rule allows ingress from public internet.",
+		"Network ACL rule allows unrestricted ingress from any IP address.",
 		block,
 	)
 }

@@ -1,5 +1,5 @@
 # METADATA
-# title: Security groups should not allow ingress from 0.0.0.0/0 or ::/0 to port 22 or port 3389.
+# title: Security groups should not allow unrestricted ingress to SSH or RDP from any IP address.
 # description: |
 #   Security groups provide stateful filtering of ingress and egress network traffic to AWS
 #   resources. It is recommended that no security group allows unrestricted ingress access to
@@ -53,7 +53,7 @@ deny contains res if {
 	some block in rule.cidrs
 	net.cidr_allows_all_ips(block.value)
 	res := result.new(
-		"Security group rule allows ingress from public internet.",
+		"Security group rule allows unrestricted ingress from any IP address.",
 		block,
 	)
 }
@@ -1,5 +1,5 @@
 # METADATA
-# title: RDP access should not be accessible from the Internet, should be blocked on port 3389
+# title: A security group should not allow unrestricted ingress to the RDP port from any IP address.
 # description: |
 #   RDP access can be configured on either the network security group or in the network security group rule.
 #   RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service.
@@ -32,6 +32,8 @@ package builtin.azure.network.azure0048
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
@@ -41,10 +43,9 @@ deny contains res if {
 	some ports in rule.destinationports
 	port_range_includes(ports.start, ports.end, 3389)
 	some ip in rule.sourceaddresses
-	cidr.is_public(ip.value)
-	cidr.count_addresses(ip.value) > 1
+	net.cidr_allows_all_ips(ip.value)
 	res := result.new(
-		"Security group rule allows ingress to RDP port from multiple public internet addresses.",
+		"Security group rule allows unrestricted ingress to RDP port from any IP address.",
 		ip,
 	)
 }

@@ -1,8 +1,7 @@
 # METADATA
-# title: An outbound network security rule allows traffic to /0.
+# title: A security rule should not allow unrestricted egress to any IP address.
 # description: |
-#   Network security rules should not use very broad subnets.
-#   Where possible, segments should be broken into smaller subnets.
+#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -31,12 +30,14 @@ package builtin.azure.network.azure0051
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
 	rule.outbound.value
 	rule.allow.value
 	some addr in rule.destinationaddresses
-	cidr.is_public(addr.value)
-	res := result.new("Security group rule allows egress to public internet.", addr)
+	net.cidr_allows_all_ips(addr.value)
+	res := result.new("Security group rule allows unrestricted egress to any IP address.", addr)
 }
@@ -16,6 +16,17 @@ test_deny_outbound_rule_with_wildcard_destination_address if {
 	count(res) == 1
 }
 
+test_deny_outbound_rule_with_public_destination_address if {
+	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
+		"allow": {"value": true},
+		"outbound": {"value": true},
+		"destinationaddresses": [{"value": "0.0.0.0/0"}],
+	}]}]}}}
+
+	res := check.deny with input as inp
+	count(res) == 1
+}
+
 test_allow_outbound_rule_with_private_destination_address if {
 	inp := {"azure": {"network": {"securitygroups": [{"rules": [{
 		"allow": {"value": true},

@@ -1,8 +1,7 @@
 # METADATA
-# title: An inbound network security rule allows traffic from /0.
+# title: A security group rule should not allow unrestricted ingress from any IP address.
 # description: |
-#   Network security rules should not use very broad subnets.
-#   Where possible, segments should be broken into smaller subnets.
+#   Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -31,13 +30,14 @@ package builtin.azure.network.azure0047
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
 	not rule.outbound.value
 	rule.allow.value
 	some addr in rule.sourceaddresses
-	cidr.is_public(addr.value)
-	cidr.count_addresses(addr.value) > 1
-	res := result.new("Security group rule allows ingress from public internet.", addr)
+	net.cidr_allows_all_ips(addr.value)
+	res := result.new("Security group rule allows unrestricted ingress from any IP address.", addr)
 }
@@ -1,5 +1,5 @@
 # METADATA
-# title: SSH access should not be accessible from the Internet, should be blocked on port 22
+# title: Security group should not allow unrestricted ingress to SSH port from any IP address.
 # description: |
 #   SSH access can be configured on either the network security group or in the network security group rule.
 #   SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)
@@ -30,6 +30,8 @@ package builtin.azure.network.azure0050
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some group in input.azure.network.securitygroups
 	some rule in group.rules
@@ -39,10 +41,9 @@ deny contains res if {
 	some ports in rule.destinationports
 	port_range_includes(ports.start, ports.end, 22)
 	some ip in rule.sourceaddresses
-	cidr.is_public(ip.value)
-	cidr.count_addresses(ip.value) > 1
+	net.cidr_allows_all_ips(ip.value)
 	res := result.new(
-		"Security group rule allows ingress to SSH port from multiple public internet addresses.",
+		"Security group rule allows unrestricted ingress to SSH port from any IP address.",
 		ip,
 	)
 }

@@ -1,7 +1,7 @@
 # METADATA
-# title: The firewall has an outbound rule with open access
+# title: A firewall rule should not allow unrestricted egress to any IP address.
 # description: |
-#   Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -30,12 +30,13 @@ package builtin.digitalocean.compute.digitalocean0003
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some address in input.digitalocean.compute.firewalls[_].outboundrules[_].destinationaddresses
-	cidr.is_public(address.value)
-	cidr.count_addresses(address.value) > 1
+	net.cidr_allows_all_ips(address.value)
 	res := result.new(
-		"Egress rule allows access to multiple public addresses.",
+		"Firewall rule allows egress traffic to any IP address.",
 		address,
 	)
 }
@@ -1,7 +1,7 @@
 # METADATA
-# title: The firewall has an inbound rule with open access
+# title: A firewall rule should not allow unrestricted ingress from any IP address.
 # description: |
-#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+#   Opening up ports to allow connections from the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -30,12 +30,13 @@ package builtin.digitalocean.compute.digitalocean0001
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some address in input.digitalocean.compute.firewalls[_].inboundrules[_].sourceaddresses
-	cidr.is_public(address.value)
-	cidr.count_addresses(address.value) > 1
+	net.cidr_allows_all_ips(address.value)
 	res := result.new(
-		"Ingress rule allows access from multiple public addresses.",
+		"Firewall rule allows unrestricted ingress from any IP address.",
 		address,
 	)
 }
@@ -1,8 +1,7 @@
 # METADATA
-# title: An outbound firewall rule allows traffic to /0.
+# title: A firewall rule should not allow unrestricted egress to any IP address.
 # description: |
-#   Network security rules should not use very broad subnets.
-#   Where possible, segments should be broken into smaller subnets and avoid using the <code>/0</code> subnet.
+#   Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 # scope: package
 # schemas:
 #   - input: schema["cloud"]
@@ -31,16 +30,17 @@ package builtin.google.compute.google0035
 
 import rego.v1
 
+import data.lib.net
+
 deny contains res if {
 	some network in input.google.compute.networks
 	some rule in network.firewall.egressrules
 	rule.firewallrule.isallow.value
 	rule.firewallrule.enforced.value
 	some destination in rule.destinationranges
-	cidr.is_public(destination.value)
-	cidr.count_addresses(destination.value) > 1
+	net.cidr_allows_all_ips(destination.value)
 	res := result.new(
-		"Firewall rule allows egress traffic to multiple addresses on the public internet.",
+		"Firewall rule allows unrestricted egress to any IP address.",
 		destination,
 	)
 }
@@ -21,7 +21,7 @@ test_deny_egress_rule_with_multiple_public_destinations if {
 	count(res) == 1
 }
 
-test_allow_egress_rule_with_public_destination if {
+test_allow_egress_rule_with_private_destination if {
 	inp := {"google": {"compute": {"networks": [{"firewall": {"egressrules": [{
 		"firewallrule": {
 			"isallow": {"value": true},