GUARDRAIL "[CIS - AWS] 5.3 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports"
  WHEN aws_security_group_rule.type = "ingress" AND aws_security_group_rule.protocol IN ["tcp", "6", "udp", "17", "all", "-1"] AND (aws_security_group_rule.from_port = -1 AND aws_security_group_rule.to_port = -1)
    REQUIRE EVERY cidr_blocks != "0.0.0.0/0"
  WHEN aws_security_group.ingress AND aws_security_group.ingress.protocol IN ["tcp", "6", "udp", "17", "all", "-1"] AND (aws_security_group.ingress.from_port = -1 AND aws_security_group.ingress.to_port = -1)
    REQUIRE EVERY ingress.cidr_blocks != "0.0.0.0/0"    
  WHEN aws_security_group_rule.type = "ingress" AND aws_security_group_rule.protocol IN ["tcp", "6", "udp", "17", "all", "-1"] AND (aws_security_group_rule.from_port <= 22 AND aws_security_group_rule.to_port >= 22)
    REQUIRE EVERY cidr_blocks != "0.0.0.0/0"
  WHEN aws_security_group.ingress AND aws_security_group.ingress.protocol IN ["tcp", "6", "udp", "17", "all", "-1"] AND (aws_security_group.ingress.from_port = 22 AND aws_security_group.ingress.to_port = 22)
    REQUIRE EVERY ingress.cidr_blocks != "0.0.0.0/0"    
  WHEN aws_security_group_rule.type = "ingress" AND aws_security_group_rule.protocol IN ["tcp", "6", "udp", "17", "all", "-1"] AND (aws_security_group_rule.from_port <= 3389 AND aws_security_group_rule.to_port >= 3389)
    REQUIRE EVERY cidr_blocks != "0.0.0.0/0"
  WHEN aws_security_group.ingress AND aws_security_group.ingress.protocol IN ["tcp", "6", "udp", "17", "all", "-1"] AND (aws_security_group.ingress.from_port = 3389 AND aws_security_group.ingress.to_port = 3389)
    REQUIRE EVERY ingress.cidr_blocks != "0.0.0.0/0"        
  OVERRIDE WITH APPROVAL @security