
Making API externally reachable #6

Open
wants to merge 2 commits into
base: main

Conversation

ncc-erik-steringer
Owner

In this demo, we update the API SG and allow everyone to access the instances via port 443. This should result in a test case failure with Scout Suite since we don't wanna allow any ports open to 0.0.0.0/0.

@github-actions

PMapper Test Results:

test_no_privesc (test_permissions.TestAuthorizationBoundaries)
Ensure that nobody can escalate their privileges from non-admin to to admin. ... ok
test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of the S3 buckets. ... ok
test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other users or roles in the account. ... ok

----------------------------------------------------------------------
Ran 3 tests in 0.108s

OK

@github-actions

Scout Suite Test Results:

test_ec2_no_ports_open_to_all (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify that none of the security groups have a port open to 0.0.0.0/0 ... ok
test_iam_no_inline_notaction (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify no inline IAM Policies (for Users/Roles/Groups) use the NotAction field ... ok
test_iam_no_inline_passrole (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify there are no inline policies granting iam:PassRole for * ... ok

----------------------------------------------------------------------
Ran 3 tests in 0.009s

OK

@github-actions

PMapper Test Results:

test_no_privesc (test_permissions.TestAuthorizationBoundaries)
Ensure that nobody can escalate their privileges from non-admin to to admin. ... ok
test_support_cannot_put (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot call s3:PutObject for any of the S3 buckets. ... ok
test_support_has_no_edges (test_permissions.TestAuthorizationBoundaries)
Ensure that the IAM Role named 'support-staff' cannot access any other users or roles in the account. ... ok

----------------------------------------------------------------------
Ran 3 tests in 0.117s

OK

@github-actions

Scout Suite Test Results:

test_ec2_no_ports_open_to_all (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify that none of the security groups have a port open to 0.0.0.0/0 ... FAIL
test_iam_no_inline_notaction (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify no inline IAM Policies (for Users/Roles/Groups) use the NotAction field ... ok
test_iam_no_inline_passrole (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify there are no inline policies granting iam:PassRole for * ... ok

======================================================================
FAIL: test_ec2_no_ports_open_to_all (test_scoutsuite_rails.TestScoutSuiteExpected)
Verify that none of the security groups have a port open to 0.0.0.0/0
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/runner/work/Aerides/Aerides/testcode/test_scoutsuite_rails.py", line 73, in test_ec2_no_ports_open_to_all
    self.fail(
AssertionError: ScoutSuite reported the following EC2 Security Group findings:

ec2-security-group-opens-RDP-port-to-all
ec2.regions.us-east-1.vpcs.vpc-619a5efc.security_groups.sg-c8f3dc58927963850.rules.ingress.protocols.TCP.ports.3389.cidrs.0.CIDR

ec2-security-group-opens-TCP-port-to-all
ec2.regions.us-east-1.vpcs.vpc-619a5efc.security_groups.sg-c8f3dc58927963850.rules.ingress.protocols.TCP.ports.445.cidrs.0.CIDR

----------------------------------------------------------------------
Ran 3 tests in 0.008s

FAILED (failures=1)
