cfn-nag 0.0.44 → 0.1.0

data/lib/cfn-nag/custom_rules/PolicyOnUserRule.rb

@@ -0,0 +1,24 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class PolicyOnUserRule < BaseRule
+  def rule_text
+    'IAM policy should not apply directly to users.  Should be on group'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F11'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
+      policy.users.size > 0
+    end
+
+    violating_policies.map { |violating_user| violating_user.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb

@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class S3BucketPolicyNotActionRule < BaseRule
+
+  def rule_text
+    'S3 Bucket policy should not allow Allow+NotAction'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W20'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').select do |policy|
+      !policy.policyDocument.allows_not_action.empty?
+    end
+
+    violating_policies.map { |policy| policy.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb

@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class S3BucketPolicyNotPrincipalRule < BaseRule
+
+  def rule_text
+    'S3 Bucket policy should not allow Allow+NotPrincipal'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F9'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').select do |policy|
+      !policy.policyDocument.allows_not_principal.empty?
+    end
+
+    violating_policies.map { |policy| policy.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb

@@ -0,0 +1,30 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class S3BucketPolicyWildcardActionRule < BaseRule
+
+  def rule_text
+    'S3 Bucket policy should not allow * action'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F15'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+
+    cfn_model.resources_by_type('AWS::S3::BucketPolicy').each do |bucket_policy|
+
+      if !bucket_policy.policyDocument.wildcard_allowed_actions.empty?
+        logical_resource_ids << bucket_policy.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb

@@ -0,0 +1,29 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class S3BucketPolicyWildcardPrincipalRule < BaseRule
+
+  def rule_text
+    'S3 Bucket policy should not allow * principal'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F16'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+
+    cfn_model.resources_by_type('AWS::S3::BucketPolicy').each do |topic_policy|
+      if !topic_policy.policyDocument.wildcard_allowed_principals.empty?
+        logical_resource_ids << topic_policy.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb

@@ -0,0 +1,29 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class S3BucketPublicReadAclRule < BaseRule
+
+  def rule_text
+    'S3 Bucket likely should not have a public read acl'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W31'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+
+    cfn_model.resources_by_type('AWS::S3::Bucket').each do |bucket|
+      if bucket.accessControl == 'PublicRead'
+        logical_resource_ids << bucket.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb

@@ -0,0 +1,29 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class S3BucketPublicReadWriteAclRule < BaseRule
+
+  def rule_text
+    'S3 Bucket should not have a public read-write acl'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F14'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+
+    cfn_model.resources_by_type('AWS::S3::Bucket').each do |bucket|
+      if bucket.accessControl == 'PublicReadWrite'
+        logical_resource_ids << bucket.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb

@@ -0,0 +1,39 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SecurityGroupEgressOpenToWorldRule < BaseRule
+
+  def rule_text
+    'Security Groups found with cidr open to world on egress'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W5'
+  end
+
+  ##
+  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    cfn_model.security_groups.each do |security_group|
+      violating_egresses = security_group.securityGroupEgress.select do |egress|
+        # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+        egress.cidrIp.is_a?(String) && egress.cidrIp == '0.0.0.0/0'
+      end
+
+      unless violating_egresses.empty?
+        logical_resource_ids << security_group.logical_resource_id
+      end
+    end
+
+    violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
+      standalone_egress.cidrIp.is_a?(String) && standalone_egress.cidrIp == '0.0.0.0/0'
+    end
+
+    logical_resource_ids + violating_egresses.map { |egress| egress.logical_resource_id}
+  end
+end

data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb

@@ -0,0 +1,38 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SecurityGroupEgressPortRangeRule < BaseRule
+
+  def rule_text
+    'Security Groups found egress with port range instead of just a single port'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W29'
+  end
+
+  ##
+  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    cfn_model.security_groups.each do |security_group|
+      violating_egresses = security_group.securityGroupEgress.select do |egress|
+        egress.fromPort != egress.toPort
+      end
+
+      unless violating_egresses.empty?
+        logical_resource_ids << security_group.logical_resource_id
+      end
+    end
+
+    violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
+      standalone_egress.fromPort != standalone_egress.toPort
+    end
+
+    logical_resource_ids + violating_egresses.map { |egress| egress.logical_resource_id}
+  end
+end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb

@@ -0,0 +1,40 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SecurityGroupIngressCidrNon32Rule < BaseRule
+
+  def rule_text
+    'Security Groups found with ingress cidr that is not /32'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W9'
+  end
+
+  ##
+  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    cfn_model.security_groups.each do |security_group|
+      violating_ingresses = security_group.securityGroupIngress.select do |ingress|
+        # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+        ingress.cidrIp.is_a?(String) && !ingress.cidrIp.end_with?('/32')
+      end
+
+      unless violating_ingresses.empty?
+        logical_resource_ids << security_group.logical_resource_id
+      end
+    end
+
+    violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
+      standalone_ingress.cidrIp.is_a?(String) && !standalone_ingress.cidrIp.end_with?('/32')
+    end
+
+    logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}
+  end
+end
+

data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb

@@ -0,0 +1,39 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SecurityGroupIngressOpenToWorldRule < BaseRule
+
+  def rule_text
+    'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W2'
+  end
+
+  ##
+  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    cfn_model.security_groups.each do |security_group|
+      violating_ingresses = security_group.securityGroupIngress.select do |ingress|
+        # only care about literals.  if a Hash/Ref not going to chase it down given likely a Parameter with external val
+        ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0'
+      end
+
+      unless violating_ingresses.empty?
+        logical_resource_ids << security_group.logical_resource_id
+      end
+    end
+
+    violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
+      standalone_ingress.cidrIp.is_a?(String) && standalone_ingress.cidrIp == '0.0.0.0/0'
+    end
+
+    logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}
+  end
+end

data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb

@@ -0,0 +1,38 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SecurityGroupIngressPortRangeRule < BaseRule
+
+  def rule_text
+    'Security Groups found ingress with port range instead of just a single port'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W27'
+  end
+
+  ##
+  # This will behave slightly different than the legacy jq based rule which was targeted against inline ingress only
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    cfn_model.security_groups.each do |security_group|
+      violating_ingresses = security_group.securityGroupIngress.select do |ingress|
+        ingress.fromPort != ingress.toPort
+      end
+
+      unless violating_ingresses.empty?
+        logical_resource_ids << security_group.logical_resource_id
+      end
+    end
+
+    violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
+      standalone_ingress.fromPort != standalone_ingress.toPort
+    end
+
+    logical_resource_ids + violating_ingresses.map { |ingress| ingress.logical_resource_id}
+  end
+end

data/lib/{custom_rules/security_group_missing_egress.rb → cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb}

@@ -1,6 +1,7 @@
-require_relative '../violation'
+require 'cfn-nag/violation'
+require_relative 'base'
 
-class SecurityGroupMissingEgressRule
+class SecurityGroupMissingEgressRule < BaseRule
 
   def rule_text
     'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration'
@@ -14,21 +15,14 @@ class SecurityGroupMissingEgressRule
     'F1000'
   end
 
-  def audit(cfn_model)
+  def audit_impl(cfn_model)
     logical_resource_ids = []
     cfn_model.security_groups.each do |security_group|
-      if security_group.egress_rules.size == 0
+      if security_group.securityGroupEgress.empty?
         logical_resource_ids << security_group.logical_resource_id
       end
     end
 
-    if logical_resource_ids.size > 0
-      Violation.new(id: rule_id,
-                    type: rule_type,
-                    message: rule_text,
-                    logical_resource_ids: logical_resource_ids)
-    else
-      nil
-    end
+    logical_resource_ids
   end
 end

data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb

@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SnsTopicPolicyNotActionRule < BaseRule
+
+  def rule_text
+    'SNS Topic policy should not allow Allow+NotAction'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W19'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').select do |policy|
+      !policy.policyDocument.allows_not_action.empty?
+    end
+
+    violating_policies.map { |policy| policy.logical_resource_id }
+  end
+end