Can you use REGEX with the ingress cidr filter?


ivzk...@gmail.com

Apr 15, 2019, 5:30:20 PM
to cloud-custodian
Hi there, I'm trying to expand on the classic "0.0.0.0/0" security group removal, and was hoping I could do this with regex. It doesn't appear to work, but I'm also fairly new to this and struggling with syntax. Any help would be appreciated.


vars:

  tag-actions:  &tag-actions
    - type: tag
      key:  ToDelete  
      value:  "Yes"

policies:
  - name: high-risk-security-groups-remediate
    resource: security-group
    description: |
      Remove any rule from a security group that allows 0.0.0.0/0 or any other CIDR block in the 0-12 range, excluding 10.0.0.0/8
    mode:
        role: arn:aws:iam::XXXXXXXXXXXXX:role/XXX-XXXXXXXXXXXXX
        type: cloudtrail
        events:
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupIngress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: AuthorizeSecurityGroupEgress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupEgress
            ids: "requestParameters.groupId"
          - source: ec2.amazonaws.com
            event: RevokeSecurityGroupIngress
            ids: "requestParameters.groupId"
    filters:
      - type: ingress
        key: cidr
        op: regex
        value: "^(?!.*10.0.0.0\/8)([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1][0]|[1][1]|[1][2]))?$"
    actions:
      *tag-actions
#        - type: remove-permissions
#          ingress: matched

Kapil Thangavelu

Apr 16, 2019, 4:56:02 PM
to cloud-custodian
You can regex on any string value, but I think you want value_type: cidr, which lets you do various types of comparisons (container in/not-in, and greater-than/less-than comparisons) by first converting the value to a cidr network (converting to a stdlib-style cidr object per https://docs.python.org/3/library/ipaddress.html, although slightly different, as we've vendored in the original, which has py2 compatibility till end of year).

cheers,
Kapil

ivzk...@gmail.com

Apr 18, 2019, 11:46:11 AM
to cloud-custodian
Thanks Kapil,

I have tried a few times to do this in the YAML config file, but it keeps failing on syntax. Any chance you could give me a filter syntax example that would block something like all /4 subnets?

ivzk...@gmail.com

Apr 18, 2019, 12:10:36 PM
to cloud-custodian
Never mind, I got it:

    filters:
      - type: ingress
        Cidr:
          op: regex
          value: ^(?!.*10.0.0.0\/8)([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1][0]|[1][1]|[1][2]))?$
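The following is an added example, not code from the thread or from Cloud Custodian itself. It reproduces the regex from the working filter above verbatim and runs it side by side with the network-object comparison that Kapil's value_type: cidr suggestion performs in spirit, using Python's stdlib ipaddress module (Custodian's vendored copy behaves the same for this purpose). The security-group data, the port numbers and the helper names (regex_flags, network_flags, flag_permissions, disagreements) are constructed for the example; the EC2 IpPermissions shape is the real API shape, but none of the values come from a real account. The point it demonstrates is where the two approaches disagree: the regex's lookahead is unanchored and uses unescaped dots, so a block such as 110.0.0.0/8 is wrongly exempted, and a bare address with no prefix is wrongly flagged, while the network check evaluates prefix length and network identity exactly.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# The regex from the thread's final filter, reproduced verbatim so that both
# approaches can be compared on identical inputs.
THREAD_REGEX = re.compile(
    r"^(?!.*10.0.0.0\/8)([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1][0]|[1][1]|[1][2]))?$"
)

# Constructed sample in the shape of EC2 DescribeSecurityGroups IpPermissions.
# None of these rules or ranges come from a real account.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "110.0.0.0/8"}, {"CidrIp": "192.168.0.0/16"}]},
    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}, {"CidrIp": "10.0.0.0/12"}]},
]


def regex_flags(cidr: str) -> bool:
    """Thread approach: the rule is flagged when the CIDR string matches the regex."""
    return THREAD_REGEX.match(cidr) is not None


def network_flags(cidr: str, max_prefixlen: int = 12,
                  exempt: Tuple[str, ...] = ("10.0.0.0/8",)) -> bool:
    """Network-object approach: parse the string, then compare prefix length
    and exact network identity. A string that does not parse is flagged,
    because a rule that cannot be evaluated should not silently pass."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return True
    if net.version != 4:
        return False  # IPv6 ranges arrive in Ipv6Ranges and need their own check
    exempt_nets = {ipaddress.ip_network(e) for e in exempt}
    return net.prefixlen <= max_prefixlen and net not in exempt_nets


def flag_permissions(permissions: List[dict]) -> List[Tuple[str, int, int, str]]:
    """Return (protocol, from_port, to_port, cidr) for every IPv4 range the
    network check flags; this is the set a remediation action would act on."""
    hits = []
    for perm in permissions:
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if network_flags(cidr):
                hits.append((perm["IpProtocol"], perm["FromPort"], perm["ToPort"], cidr))
    return hits


def disagreements(cidrs: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Inputs on which the regex and the network check differ,
    as cidr -> (regex_result, network_result)."""
    out = {}
    for cidr in cidrs:
        r, n = regex_flags(cidr), network_flags(cidr)
        if r != n:
            out[cidr] = (r, n)
    return out


if __name__ == "__main__":
    for hit in flag_permissions(SAMPLE_INGRESS):
        print("flag:", hit)
    probes = ["0.0.0.0/0", "10.0.0.0/8", "110.0.0.0/8", "1.2.3.4", "0.0.0.0/13"]
    for cidr, (r, n) in disagreements(probes).items():
        print(f"{cidr}: regex={r} network={n}")
```

Running it lists 0.0.0.0/0, 110.0.0.0/8 and 10.0.0.0/12 as the ranges to remediate from the sample, and reports the two probes where the approaches split: 110.0.0.0/8 (regex exempts it, network check flags it) and 1.2.3.4 (regex flags a bare address, network check treats it as a /32). If the intent is to exempt the whole 10.0.0.0/8 space rather than only that exact block, replace the identity test with net.subnet_of(ipaddress.ip_network("10.0.0.0/8")); the regex has no equivalent.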