Adding VPC SG tests

Author: jkamenik

aws/cloudformation/abstract/vpc-flow-logs-missing/README.md

@@ -0,0 +1,10 @@
+# VPC Flow Logs Missing
+
+Here there are no flow logs.  A flow log block should be added
+
+## Unguessable info
+
+The expectation assumes the following:
+
+1. The VPC Flow Log Object Name: `FlowLogBucket`
+1. The VPC Flow Log LogDestination: `!Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"`

aws/cloudformation/abstract/vpc-flow-logs-missing/expected/main.yaml

@@ -0,0 +1,29 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  FlowLogBucket:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL

aws/cloudformation/abstract/vpc-flow-logs-missing/main.yaml

@@ -0,0 +1,20 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName

aws/cloudformation/abstract/vpc-undefined-default-sg/README.md

@@ -0,0 +1,10 @@
+# VPC with undefined Default SG
+
+A VPC without a defined default SG has an insecure enabled.  There is no way to prevent that, so the best solution is to make the default SG useless.
+
+## Unguessable Information
+
+The expected results assumes the following:
+
+1. The VPC SG safe port is "65535"
+2. The VPC SG safe CIDR is "1.1.1.1/32"

aws/cloudformation/abstract/vpc-undefined-default-sg/expected/main.yaml

@@ -0,0 +1,42 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+#################################
+## This section is for the VPC ##
+#################################
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  DefaultSecurityGroupIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32
+
+  VPCFlowLogs:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL

aws/cloudformation/abstract/vpc-undefined-default-sg/main.yaml

@@ -0,0 +1,33 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+#################################
+## This section is for the VPC ##
+#################################
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  VPCFlowLogs:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL

aws/cloudformation/abstract/vpc-unsafe-default-sg/README.md

@@ -0,0 +1,10 @@
+# VPC with undefined Default SG
+
+This is a VPC where the Default SG has unsafe settings
+
+## Unguessable Information
+
+The expected results assumes the following:
+
+1. The VPC SG safe port is "65535"
+2. The VPC SG safe CIDR is "1.1.1.1/32"

aws/cloudformation/abstract/vpc-unsafe-default-sg/expected/main.yaml

@@ -0,0 +1,42 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+#################################
+## This section is for the VPC ##
+#################################
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  VPCFlowLogs:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL
+
+  DefaultSG:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32

aws/cloudformation/abstract/vpc-unsafe-default-sg/main.yaml

@@ -0,0 +1,41 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+#################################
+## This section is for the VPC ##
+#################################
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  VPCFlowLogs:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL
+
+  DefaultSG:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 0
+      ToPort: 65535

aws/cloudformation/iac-scanning-poc/expected/main.yaml

@@ -269,8 +269,8 @@ Resources:
       BlockDeviceMappings:
         - DeviceName: /dev/xvda
           Ebs:
-            VolumeSize: 20
             Encrypted: true
+            VolumeSize: 20
         - DeviceName: /dev/xvdb
           Ebs:
             VolumeSize: 20