#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    RESTRICTED_INCOMING_TRAFFIC
#
# Description:
#    Checks if the security groups in use do not allow unrestricted incoming TCP traffic to the specified ports. 
#
# Reports on:
#    AWS::EC2::SecurityGroup
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no Security Groups resource present
# b) SKIP when there are no TCP or UDP ingress rules
# c) PASS: when all Security Groups do no allow any of the restricted common ports
# d) FAIL: when a Security Group allows any of the restricted common ports
# e) SKIP: when metadata includes the suppression for rule RESTRICTED_INCOMING_TRAFFIC

#
# Select all Security Group resources from incoming template (payload)
#
let aws_security_groups_restricted_incoming_traffic = Resources.*[ Type == 'AWS::EC2::SecurityGroup' 
	some Properties.SecurityGroupIngress[*] {
		IpProtocol in ['tcp', 'udp']
	}
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "RESTRICTED_INCOMING_TRAFFIC"
]

rule RESTRICTED_INCOMING_TRAFFIC when %aws_security_groups_restricted_incoming_traffic !empty {
	let violations = Resources.*[
		Type == 'AWS::EC2::SecurityGroup'
		some Properties.SecurityGroupIngress[*] {
			FromPort in [ 20, 21, 3389, 3306, 4333 ]
      ToPort in [ 20, 21, 3389, 3306, 4333 ]
		}
	]
	%violations empty 
	<<
		Violation: Security groups must not allow unrestricted incoming TCP/UDP traffic to the specified ports [20, 21, 3389, 3306, 4333].
		Fix: change the FromPort and ToPort properties in the SecurityGroupIngress list 
	>>
}