cfn-nag 0.0.44 → 0.1.0

data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb

@@ -0,0 +1,26 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SnsTopicPolicyNotPrincipalRule < BaseRule
+
+  def rule_text
+    'SNS Topic policy should not allow Allow+NotPrincipal'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F8'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').select do |policy|
+      !policy.policyDocument.allows_not_principal.empty?
+    end
+
+    violating_policies.map { |policy| policy.logical_resource_id }
+  end
+end
+

data/lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb

@@ -0,0 +1,29 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SnsTopicPolicyWildcardPrincipalRule < BaseRule
+
+  def rule_text
+    'SNS topic policy should not allow * principal'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F18'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+
+    cfn_model.resources_by_type('AWS::SNS::TopicPolicy').each do |topic_policy|
+      if !topic_policy.policyDocument.wildcard_allowed_principals.empty?
+        logical_resource_ids << topic_policy.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb

@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SqsQueuePolicyNotActionRule < BaseRule
+
+  def rule_text
+    'SQS Queue policy should not allow Allow+NotAction'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W18'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').select do |policy|
+      !policy.policyDocument.allows_not_action.empty?
+    end
+
+    violating_policies.map { |policy| policy.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb

@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SqsQueuePolicyNotPrincipalRule < BaseRule
+
+  def rule_text
+    'SQS Queue policy should not allow Allow+NotPrincipal'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F7'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').select do |policy|
+      !policy.policyDocument.allows_not_principal.empty?
+    end
+
+    violating_policies.map { |policy| policy.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb

@@ -0,0 +1,30 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SqsQueuePolicyWildcardActionRule < BaseRule
+
+  def rule_text
+    'SQS Queue policy should not allow * action'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F20'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+
+    cfn_model.resources_by_type('AWS::SQS::QueuePolicy').each do |queue_policy|
+
+      if !queue_policy.policyDocument.wildcard_allowed_actions.empty?
+        logical_resource_ids << queue_policy.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb

@@ -0,0 +1,29 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class SqsQueuePolicyWildcardPrincipalRule < BaseRule
+
+  def rule_text
+    'SQS Queue policy should not allow * principal'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F21'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+
+    cfn_model.resources_by_type('AWS::SQS::QueuePolicy').each do |topic_policy|
+      if !topic_policy.policyDocument.wildcard_allowed_principals.empty?
+        logical_resource_ids << topic_policy.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb

@@ -0,0 +1,25 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class UserHasInlinePolicyRule < BaseRule
+
+  def rule_text
+    'IAM user should not have any inline policies.  Should be centralized Policy object on group'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F10'
+  end
+
+  def audit_impl(cfn_model)
+    violating_users = cfn_model.iam_users.select do |iam_user|
+      iam_user.policies.size > 0
+    end
+
+    violating_users.map { |violating_user| violating_user.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/UserMissingGroupRule.rb

@@ -0,0 +1,28 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class UserMissingGroupRule < BaseRule
+
+  def rule_text
+    'User is not assigned to a group'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F2000'
+  end
+
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    cfn_model.iam_users.each do |iam_user|
+      if iam_user.groups.empty?
+        logical_resource_ids << iam_user.logical_resource_id
+      end
+    end
+
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb

@@ -0,0 +1,34 @@
+# Copy
+# "MyWebACL": {
+#   "Type": "AWS::WAF::WebACL",
+#   "Properties": {
+#     "Name": "WebACL to with three rules",
+#     "DefaultAction": {
+#       "Type": "ALLOW"
+#     },
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class WafWebAclDefaultActionRule < BaseRule
+
+  def rule_text
+    'WebAcl DefaultAction should not be ALLOW'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F665'
+  end
+
+  def audit_impl(cfn_model)
+    violating_web_acls = cfn_model.resources_by_type('AWS::WAF::WebACL').select do |web_acl|
+      web_acl.defaultAction['Type'] == 'ALLOW'
+    end
+
+    violating_web_acls.map { |web_acl| web_acl.logical_resource_id }
+  end
+end

data/lib/cfn-nag/custom_rules/base.rb

@@ -0,0 +1,28 @@
+require 'cfn-nag/violation'
+
+class BaseRule
+
+  ##
+  # Returns a collection of logical resource ids
+  #
+  def audit_impl(cfn_model)
+    raise 'must implement in subclass'
+  end
+
+  ##
+  # Returns nil when there are no violations
+  # Returns a Violation object otherwise
+  #
+  def audit(cfn_model)
+    logical_resource_ids = audit_impl(cfn_model)
+
+    if !logical_resource_ids.empty?
+      Violation.new(id: rule_id,
+                    type: rule_type,
+                    message: rule_text,
+                    logical_resource_ids: logical_resource_ids)
+    else
+      nil
+    end
+  end
+end

data/lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb

@@ -0,0 +1,58 @@
+# require 'cfn-nag/violation'
+# require 'model/action_parser'
+#
+# class UnencryptedS3PutObjectAllowedRule
+#
+#   def rule_text
+#     'It appears that the S3 Bucket Policy allows s3:PutObject without server-side encryption'
+#   end
+#
+#   def rule_type
+#     Violation::WARNING
+#   end
+#
+#   def rule_id
+#     'W1000'
+#   end
+#
+#   def audit(cfn_model)
+#     logical_resource_ids = []
+#     cfn_model.bucket_policies.each do |bucket_policy|
+#       found_statement = bucket_policy.statements.find do |statement|
+#         blocks_put_object_without_encryption(statement)
+#       end
+#       if found_statement.nil?
+#         logical_resource_ids << bucket_policy.logical_resource_id
+#       end
+#     end
+#
+#     if logical_resource_ids.size > 0
+#       Violation.new(id: rule_id,
+#                     type: rule_type,
+#                     message: rule_text,
+#                     logical_resource_ids: logical_resource_ids)
+#     else
+#       nil
+#     end
+#   end
+#
+#   private
+#
+#   def blocks_put_object_without_encryption(statement)
+#     encryption_condition = {
+#       'StringNotEquals' => {
+#         's3:x-amz-server-side-encryption' => 'AES256'
+#       }
+#     }
+#
+#     # this isn't quite complete.  parsing the Resource field can be tricky
+#     # looking for a trailing wildcard will likely be right most of the time
+#     # but there are a lot of string manipulations to confuse things so...
+#     # just warn when we can't find at least the Deny+encryption - they may have an
+#     # incomplete Deny (for encryption) and that will slip through
+#     statement['Effect'] == 'Deny' and
+#         ActionParser.new.include?(actual_action: statement['Action'], action_to_look_for: 's3:PutObject') and
+#         S3BucketPolicy::condition_includes?(statement, encryption_condition) and
+#         statement['Principal'] == '*'
+#   end
+# end

data/lib/{profile.rb → cfn-nag/profile.rb}

@@ -1,7 +1,6 @@
 require 'set'
 
 class Profile
-
   attr_reader :rule_ids
 
   def initialize

data/lib/{profile_loader.rb → cfn-nag/profile_loader.rb}

@@ -16,8 +16,8 @@ class ProfileLoader
 
     profile_definition.each_line do |line|
       rule_id = line.chomp
-      if @rules_registry.by_id(rule_id) == []
-        raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.rules}"
+      if @rules_registry.by_id(rule_id) == nil
+        raise "#{rule_id} is not a legal rule identifier from: #{@rules_registry.rules.map { |rule| rule.id }}"
       else
         new_profile.add_rule rule_id
       end

data/lib/{result_view → cfn-nag/result_view}/simple_stdout_results.rb

@@ -1,4 +1,4 @@
-require 'rule'
+require 'cfn-nag/violation'
 
 class SimpleStdoutResults
 
@@ -11,11 +11,10 @@ class SimpleStdoutResults
       result[:file_results][:violations].each do |violation|
         message message_type: "#{violation.type} #{violation.id}",
                 message: violation.message,
-                logical_resource_ids: violation.logical_resource_ids,
-                violating_code: violation.violating_code
+                logical_resource_ids: violation.logical_resource_ids
       end
-      puts "\nFailures count: #{Rule::count_failures(result[:file_results][:violations])}"
-      puts "Warnings count: #{Rule::count_warnings(result[:file_results][:violations])}"
+      puts "\nFailures count: #{Violation.count_failures(result[:file_results][:violations])}"
+      puts "Warnings count: #{Violation.count_warnings(result[:file_results][:violations])}"
     end
   end
 
@@ -23,8 +22,7 @@ class SimpleStdoutResults
 
   def message(message_type:,
               message:,
-              logical_resource_ids: nil,
-              violating_code: nil)
+              logical_resource_ids: nil)
 
     if logical_resource_ids == []
       logical_resource_ids = nil
@@ -37,11 +35,6 @@ class SimpleStdoutResults
     puts "| Resources: #{logical_resource_ids}" unless logical_resource_ids.nil?
     puts '|' unless logical_resource_ids.nil?
     puts "| #{message}"
-
-    unless violating_code.nil?
-      puts '|'
-      puts indent_multiline_string_with_prefix('|', violating_code.to_s)
-    end
   end
 
   def indent_multiline_string_with_prefix(prefix, multiline_string)

data/lib/cfn-nag/rule_definition.rb

@@ -0,0 +1,36 @@
+class RuleDefinition
+  WARNING = 'WARN'
+  FAILING_VIOLATION = 'FAIL'
+
+  attr_reader :id, :type, :message
+
+  def initialize(id:,
+                 type:,
+                 message:)
+    @id = id
+    @type = type
+    @message = message
+
+    [@id, @type, @message].each do |required|
+      if required.nil?
+        raise 'No parameters to Violation constructor can be nil'
+      end
+    end
+  end
+
+  def to_s
+    "#{@id} #{@type} #{@message}"
+  end
+
+  def to_h
+    {
+      id: @id,
+      type: @type,
+      message: @message
+    }
+  end
+
+  def ==(other_violation)
+    other_violation.class == self.class && other_violation.to_h == to_h
+  end
+end