let sg_resources = Resources.*[ Type == "AWS::EC2::SecurityGroup" ] rule prevent_outbound_access_to_any_ip when %sg_resources !empty { # select egress rules that are strings let egress = %sg_resources.Properties.SecurityGroupEgress[ CidrIp is_string or CidrIpv6 is_string ] when %egress !empty { %egress.CidrIp != '0.0.0.0/0' <> or %egress.CidrIpv6 != '::/0' <> } } rule prevent_inbound_access_to_any_ip when %sg_resources !empty { let ingress = %sg_resources.Properties.SecurityGroupIngress[ CidrIp is_string or CidrIpv6 is_string ] when %ingress !empty { %ingress.CidrIp != '0.0.0.0/0' <> or %ingress.CidrIpv6 != '::/0' <> } }