
The Security Group allows for 0.0.0.0/0 or ::/0 inbound access. in CDK #1556

Open
Harshitha2401 opened this issue Jan 9, 2024 · 5 comments
Labels: bug (Something isn't working), needs-reproduction (This issue needs reproduction)

Comments


Harshitha2401 commented Jan 9, 2024

What is the problem?

Though the ports are specifically mentioned for inbound, I am getting the error "The Security Group allows for 0.0.0.0/0 or ::/0 inbound access." with the compliance of the warning shown as UNKNOWN.
Trying to suppress the warning is also not working.

Reproduction Steps

NA

What did you expect to happen?

When the suppression code is written, the compliance of the error should change to Suppressed.

What actually happened?

The compliance of the error remains UNKNOWN even after the suppression logic is added to the code.

cdk-nag version

2.28.3

Language

Python

Other information

No response

Harshitha2401 added the labels bug (Something isn't working) and needs-triage (This issue or PR still needs to be triaged) on Jan 9, 2024
dontirun (Collaborator) commented Jan 9, 2024

You should be able to suppress the validation error. Can you provide a snippet to reproduce the issue?

dontirun added the label needs-reproduction (This issue needs reproduction) and removed needs-triage (This issue or PR still needs to be triaged) on Jan 9, 2024
Harshitha2401 (Author) commented

Unable to provide complete code.
PFB sample code:

```python
from aws_cdk import aws_ec2 as ec2
import cdk_nag

# Inside the Stack's __init__; `vpc` and `construct_id` are defined earlier.
ec2_security_group = ec2.SecurityGroup(
    scope=self,
    id=construct_id,
    vpc=vpc,
    security_group_name="securitygroup",
    allow_all_outbound=False,
    description="Restricting traffic",
    disable_inline_rules=False,
)

# Single TCP port, limited to the VPC CIDR rather than 0.0.0.0/0.
ec2_security_group.add_ingress_rule(
    peer=ec2.Peer.ipv4(vpc.vpc_cidr_block),
    connection=ec2.Port(
        protocol=ec2.Protocol.TCP,
        string_representation="TCP port for ingress from worker nodes",
        from_port=3546,
        to_port=3546,
    ),
)
```

Suppression code:

```python
suppression_rule = cdk_nag.NagPackSuppression(
    id="<warning_Id>",  # placeholder for the rule id being suppressed
    reason="",
)

cdk_nag.NagSuppressions.add_resource_suppressions(
    construct=self,
    suppressions=[suppression_rule],
    apply_to_children=False,
)

cdk_nag.NagSuppressions.add_resource_suppressions_by_path(
    self, "<Resource_Path>", [suppression_rule]  # placeholder construct path
)
```

dontirun (Collaborator) commented

Unfortunately that's not enough to reproduce the issue you are having with suppressions.

What is the exact error message you are getting? What does your suppression look like?

Harshitha2401 (Author) commented

There's no error.
But the error status needs to change to "suppressed", which is not happening. The error status remains UNKNOWN.

dontirun (Collaborator) commented

The line should show up as Suppressed in the report if the CdkNagValidationFailure warning message is suppressed.
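The Compliance column the thread is arguing about (UNKNOWN versus Suppressed) ends up in the CSV report cdk-nag writes per stack. As an added example that is not part of this issue or of cdk-nag itself, the stdlib-only checker below reads such a report (assuming the `Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info` column layout; the sample rows are constructed) and lists the resources whose findings are still UNKNOWN or Non-Compliant, so a CI job can fail until the validation failure is actually suppressed rather than silently shipping an unevaluated rule.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample; column layout assumed to match cdk-nag's
# <pack>-<stack>-NagReport.csv (adjust the header if your version differs).
SAMPLE_REPORT = """\
Rule ID,Resource ID,Compliance,Exception Reason,Rule Level,Rule Info
AwsSolutions-EC23,MyStack/securitygroup/Resource,UNKNOWN,N/A,Error,The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
AwsSolutions-EC23,MyStack/workersg/Resource,Suppressed,Ingress limited to the VPC CIDR,Error,The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
AwsSolutions-EC23,MyStack/bastionsg/Resource,Non-Compliant,N/A,Error,The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
AwsSolutions-EC23,MyStack/dbsg/Resource,Compliant,N/A,Error,The Security Group allows for 0.0.0.0/0 or ::/0 inbound access.
"""

# Statuses neither proven compliant nor explicitly accepted by a suppression.
BLOCKING = {"UNKNOWN", "Non-Compliant"}

def parse_report(text):
    """Parse the report CSV into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))

def status_counts(rows):
    """Rows per Compliance value, e.g. {'UNKNOWN': 1, 'Suppressed': 1, ...}."""
    return dict(Counter(row["Compliance"] for row in rows))

def unresolved_findings(rows):
    """Map resource path -> [(rule id, status)] for rows that still block.

    UNKNOWN is the case in this issue: the rule could not be evaluated, and
    per the maintainer's reply above the row only turns Suppressed once the
    CdkNagValidationFailure warning itself is suppressed.
    """
    blocked = defaultdict(list)
    for row in rows:
        if row["Compliance"] in BLOCKING:
            blocked[row["Resource ID"]].append((row["Rule ID"], row["Compliance"]))
    return dict(blocked)

def report_passes(text):
    """True when no finding is left UNKNOWN or Non-Compliant (use as a CI gate)."""
    return not unresolved_findings(parse_report(text))

if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(status_counts(rows), unresolved_findings(rows))
    raise SystemExit(0 if report_passes(SAMPLE_REPORT) else 1)
```

Point it at the real report file from `cdk synth` instead of `SAMPLE_REPORT` to gate a pipeline on it.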
