cfn-nag 0.0.44 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/bin/cfn_nag +27 -11
- data/bin/cfn_nag_rules +5 -4
- data/bin/cfn_nag_scan +29 -0
- data/lib/cfn-nag.rb +3 -0
- data/lib/cfn-nag/cfn_nag.rb +115 -0
- data/lib/cfn-nag/custom_rule_loader.rb +72 -0
- data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb +28 -0
- data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb +24 -0
- data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb +24 -0
- data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb +24 -0
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb +28 -0
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb +28 -0
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb +28 -0
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb +27 -0
- data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb +28 -0
- data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +24 -0
- data/lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb +24 -0
- data/lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb +24 -0
- data/lib/cfn-nag/custom_rules/PolicyOnUserRule.rb +24 -0
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb +30 -0
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb +29 -0
- data/lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb +29 -0
- data/lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb +29 -0
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb +39 -0
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb +38 -0
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb +40 -0
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +39 -0
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +38 -0
- data/lib/{custom_rules/security_group_missing_egress.rb → cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb} +6 -12
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb +26 -0
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb +29 -0
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb +30 -0
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb +29 -0
- data/lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb +25 -0
- data/lib/cfn-nag/custom_rules/UserMissingGroupRule.rb +28 -0
- data/lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb +34 -0
- data/lib/cfn-nag/custom_rules/base.rb +28 -0
- data/lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb +58 -0
- data/lib/{profile.rb → cfn-nag/profile.rb} +0 -1
- data/lib/{profile_loader.rb → cfn-nag/profile_loader.rb} +2 -2
- data/lib/{result_view → cfn-nag/result_view}/json_results.rb +0 -0
- data/lib/{result_view → cfn-nag/result_view}/rules_view.rb +0 -0
- data/lib/{result_view → cfn-nag/result_view}/simple_stdout_results.rb +5 -12
- data/lib/cfn-nag/rule_definition.rb +36 -0
- data/lib/cfn-nag/rule_dumper.rb +23 -0
- data/lib/cfn-nag/rule_registry.rb +43 -0
- data/lib/cfn-nag/template_discovery.rb +24 -0
- data/lib/cfn-nag/violation.rb +58 -0
- metadata +79 -36
- data/lib/cfn_nag.rb +0 -219
- data/lib/custom_rule_loader.rb +0 -64
- data/lib/custom_rules/unencrypted_s3_put_allowed.rb +0 -58
- data/lib/custom_rules/user_missing_group.rb +0 -34
- data/lib/json_rules/basic_rules.rb +0 -49
- data/lib/json_rules/cfn_rules.rb +0 -4
- data/lib/json_rules/cidr_rules.rb +0 -77
- data/lib/json_rules/cloudfront_rules.rb +0 -4
- data/lib/json_rules/ebs_rules.rb +0 -4
- data/lib/json_rules/iam_policy_rules.rb +0 -153
- data/lib/json_rules/iam_user_rules.rb +0 -15
- data/lib/json_rules/lambda_rules.rb +0 -9
- data/lib/json_rules/loadbalancer_rules.rb +0 -9
- data/lib/json_rules/port_rules.rb +0 -33
- data/lib/json_rules/s3_bucket_rules.rb +0 -51
- data/lib/json_rules/sns_rules.rb +0 -29
- data/lib/json_rules/sqs_rules.rb +0 -25
- data/lib/model/action_parser.rb +0 -27
- data/lib/model/cfn_model.rb +0 -182
- data/lib/model/iam_user_parser.rb +0 -34
- data/lib/model/parser_registry.rb +0 -31
- data/lib/model/s3_bucket_policy.rb +0 -25
- data/lib/model/s3_bucket_policy_parser.rb +0 -28
- data/lib/model/security_group_parser.rb +0 -59
- data/lib/rule.rb +0 -208
- data/lib/rule_registry.rb +0 -45
- data/lib/violation.rb +0 -41
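--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamManagedPolicyNotResourceRule < BaseRule
+
+def rule_text
+'IAM managed policy should not allow Allow+NotResource'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W23'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
+!policy.policyDocument.allows_not_resource.empty?
+end
+
+violating_policies.map { |policy| policy.logical_resource_id }
+end
+end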
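Review bot: The filter-then-map on lines 19–23 reads more directly as one chain, `cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').reject { |policy| policy.policyDocument.allows_not_resource.empty? }.map(&:logical_resource_id)`; the same `select` with a negated `empty?` followed by `map { |x| x.logical_resource_id }` recurs in the IamManagedPolicyWildcardAction, IamManagedPolicyWildcardResource, IamPolicy*, IamRoleNotActionOnTrustPolicy, IamRoleNotPrincipalOnTrustPolicy and IamRoleWildcardActionOnTrustPolicy hunks below. The class carries no comment saying what the finding means, and "Allow+NotResource" is not self-explanatory to someone reading the report; I would add above line 4 `# Flags Allow statements that use NotResource: such a statement grants the actions on every resource except the listed ones, which is rarely the least-privilege scope the author intended.` The same one-line "why" comment would help each of the NotAction/NotResource/NotPrincipal rules in this diff.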
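--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamManagedPolicyWildcardActionRule < BaseRule
+
+def rule_text
+'IAM managed policy should not allow * action'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F5'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
+!policy.policyDocument.wildcard_allowed_actions.empty?
+end
+
+violating_policies.map { |policy| policy.logical_resource_id }
+end
+end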
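--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamManagedPolicyWildcardResourceRule < BaseRule
+
+def rule_text
+'IAM managed policy should not allow * resource'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W13'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
+!policy.policyDocument.wildcard_allowed_resources.empty?
+end
+
+violating_policies.map { |policy| policy.logical_resource_id }
+end
+end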
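--- a/data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamPolicyNotActionRule < BaseRule
+
+def rule_text
+'IAM policy should not allow Allow+NotAction'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W16'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
+!policy.policyDocument.allows_not_action.empty?
+end
+
+violating_policies.map { |policy| policy.logical_resource_id }
+end
+end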
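--- a/data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamPolicyNotResourceRule < BaseRule
+
+def rule_text
+'IAM policy should not allow Allow+NotResource'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W22'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
+!policy.policyDocument.allows_not_resource.empty?
+end
+
+violating_policies.map { |policy| policy.logical_resource_id }
+end
+end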
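--- a/data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamPolicyWildcardActionRule < BaseRule
+
+def rule_text
+'IAM policy should not allow * action'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F4'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
+!policy.policyDocument.wildcard_allowed_actions.empty?
+end
+
+violating_policies.map { |policy| policy.logical_resource_id }
+end
+end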
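--- a/data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamPolicyWildcardResourceRule < BaseRule
+
+def rule_text
+'IAM policy should not allow * resource'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W12'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
+!policy.policyDocument.wildcard_allowed_resources.empty?
+end
+
+violating_policies.map { |policy| policy.logical_resource_id }
+end
+end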
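--- a/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
@@ -0,0 +1,28 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
+
+def rule_text
+'IAM role should not allow Allow+NotAction'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W15'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+violating_policies = role.policies.select do |policy|
+!policy.policyDocument.allows_not_action.empty?
+end
+!violating_policies.empty?
+end
+
+violating_roles.map { |role| role.logical_resource_id }
+end
+end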
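Review bot: The nested `select` on lines 20–23 exists only to ask whether any inline policy matched, so the intermediate `violating_policies` can go: `role.policies.any? { |policy| !policy.policyDocument.allows_not_action.empty? }`; the same shape is in the IamRoleNotResourceOnPermissionsPolicy, IamRoleWildcardActionOnPermissionsPolicy and IamRoleWildcardResourceOnPermissionsPolicy hunks. `Policies` is optional on AWS::IAM::Role, so if the model leaves `role.policies` nil for a role that carries only a trust policy, line 20 raises and the whole scan aborts instead of skipping that role — presumably the model defaults it to an empty list, but a template with such a role is worth a test here because a crashing rule hides every other finding. A comment above audit_impl, `# Inspects only the role's inline Policies; anything attached through ManagedPolicyArns is not examined here`, would make the rule's scope explicit to whoever reads a clean report.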
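--- a/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleNotActionOnTrustPolicyRule < BaseRule
+
+def rule_text
+'IAM role should not allow Allow+NotAction on trust permissions'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W14'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+!role.assumeRolePolicyDocument.allows_not_action.empty?
+end
+
+violating_roles.map { |role| role.logical_resource_id }
+end
+end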
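--- a/data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
+
+def rule_text
+'IAM role should not allow Allow+NotPrincipal in its trust policy'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F6'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+!role.assumeRolePolicyDocument.allows_not_principal.empty?
+end
+
+violating_roles.map { |role| role.logical_resource_id }
+end
+end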
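--- a/data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb
@@ -0,0 +1,28 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
+
+def rule_text
+'IAM role should not allow Allow+NotResource'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W21'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+violating_policies = role.policies.select do |policy|
+!policy.policyDocument.allows_not_resource.empty?
+end
+!violating_policies.empty?
+end
+
+violating_roles.map { |role| role.logical_resource_id }
+end
+end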
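--- a/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
@@ -0,0 +1,28 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
+
+def rule_text
+'IAM role should not allow * action on its permissions policy'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F3'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+violating_policies = role.policies.select do |policy|
+!policy.policyDocument.wildcard_allowed_actions.empty?
+end
+!violating_policies.empty?
+end
+
+violating_roles.map { |role| role.logical_resource_id }
+end
+end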
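--- a/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
@@ -0,0 +1,27 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
+
+def rule_text
+'IAM role should not allow * action on its trust policy'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F2'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+!role.assumeRolePolicyDocument.wildcard_allowed_actions.empty?
+end
+
+violating_roles.map { |role| role.logical_resource_id}
+end
+end
+
+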
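Review bot: Line 23 is missing the space before the closing brace, `violating_roles.map { |role| role.logical_resource_id }`, and lines 26–27 are trailing blank lines that none of the sibling rule files in this diff carry; both are the kind of thing RuboCop flags on first run. The logic itself mirrors the other trust-policy rules and raises nothing new.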
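--- a/data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
@@ -0,0 +1,28 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleWildcardResourceOnPermissionsPolicyRule < BaseRule
+
+def rule_text
+'IAM role should not allow * resource on its permissions policy'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W11'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+violating_policies = role.policies.select do |policy|
+!policy.policyDocument.wildcard_allowed_resources.empty?
+end
+!violating_policies.empty?
+end
+
+violating_roles.map { |role| role.logical_resource_id }
+end
+end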
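--- a/data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
@@ -0,0 +1,24 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class LambdaPermissionInvokeFunctionActionRule < BaseRule
+def rule_text
+'Lambda permission beside InvokeFunction might not be what you want? Not sure!?'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W24'
+end
+
+def audit_impl(cfn_model)
+violating_lambdas = cfn_model.resources_by_type('AWS::Lambda::Permission').select do |lambda_permission|
+lambda_permission.action != 'lambda:InvokeFunction'
+end
+
+violating_lambdas.map { |violating_lambda| violating_lambda.logical_resource_id }
+end
+end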
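Review bot: The rule_text on line 6 is what a user sees in the scan output, and "might not be what you want? Not sure!?" tells them neither what is wrong nor why; something like `'Lambda permission Action should normally be lambda:InvokeFunction; any other action grants the principal more than invoke access and should be reviewed'` states the risk the rule is guarding. Line 19 compares `Action` as a plain string, so a value supplied through an intrinsic function (a Hash after parsing, presumably) would be reported with this same message rather than as something the rule could not evaluate — worth confirming how the model represents that case. The comparison is also case-sensitive while IAM matches action names case-insensitively, so `lambda:invokeFunction` is flagged too; that errs toward noise rather than a miss, which is the right side for a lint rule but deserves a one-line comment so the next maintainer does not "fix" it.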
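--- a/data/lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
@@ -0,0 +1,24 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class LambdaPermissionWildcardPrincipalRule < BaseRule
+def rule_text
+'Lambda permission principal should not be wildcard'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F13'
+end
+
+def audit_impl(cfn_model)
+violating_lambdas = cfn_model.resources_by_type('AWS::Lambda::Permission').select do |lambda_permission|
+Principal.wildcard? lambda_permission.principal
+end
+
+violating_lambdas.map { |violating_lambda| violating_lambda.logical_resource_id }
+end
+end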
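Review bot: Line 19 calls `Principal.wildcard?`, but the file only requires `cfn-nag/violation` and `base` (lines 1–2); unless one of those loads the definition of `Principal` transitively, the first template that contains an AWS::Lambda::Permission raises NameError and aborts the scan. Add an explicit `require` for the file that defines `Principal` (its path is not visible in this diff) so the rule does not depend on whatever happened to be loaded first. A short comment above audit_impl, `# A '*' principal lets any AWS account exercise this permission, which is why this fails rather than warns`, would record the reasoning behind making F13 a failing rule.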
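--- a/data/lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
+++ b/data/lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
@@ -0,0 +1,24 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ManagedPolicyOnUserRule < BaseRule
+def rule_text
+'IAM managed policy should not apply directly to users. Should be on group'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F12'
+end
+
+def audit_impl(cfn_model)
+violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
+policy.users.size > 0
+end
+
+violating_policies.map { |violating_user| violating_user.logical_resource_id }
+end
+end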
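Review bot: `policy.users.size > 0` on line 19 is the non-idiomatic spelling of `!policy.users.empty?`, and the block parameter on line 22 is named `violating_user` although every element is a managed policy, so `violating_policy` (or simply `map(&:logical_resource_id)`) would stop a reader looking for a user object that is never there. `Users` is an optional property of AWS::IAM::ManagedPolicy; if the model returns nil for policies that omit it, line 19 raises on every such template — presumably the model defaults it to an empty list, but that case deserves a test alongside this rule. A class comment, `# Permissions should be granted through groups so access is managed per function rather than per person; a policy attached straight to a user is a sign of that discipline slipping`, would capture the reasoning behind F12 better than the rule_text alone.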