let aws_security_groups_restricted_ssh = Resources.*[ 
	Type == 'AWS::EC2::SecurityGroup'
	some Properties.SecurityGroupIngress[*] {
		ToPort == "22"
		FromPort == "22"
		IpProtocol == "tcp"
	}
]

rule INCOMING_SSH_DISABLED when %aws_security_groups_restricted_ssh !empty {
	%aws_security_groups_restricted_ssh.Properties.SecurityGroupIngress[*] != {CidrIp:"0.0.0.0/0", ToPort:"22", FromPort:"22", IpProtocol:"tcp"}
  <<
    Violation: IP addresses of the incoming SSH traffic in the security groups are restricted (CIDR other than 0.0.0.0/0)
    Fix: set SecurityGroupIngress.CidrIp property to a more restrictive CIDR than 0.0.0.0/0
  >>
}