cfn-nag 0.0.44 → 0.1.0

data/lib/custom_rule_loader.rb

@@ -1,64 +0,0 @@
-require_relative 'model/parser_registry'
-require_relative 'model/cfn_model'
-require_relative 'custom_rules/security_group_missing_egress'
-require_relative 'custom_rules/unencrypted_s3_put_allowed'
-require_relative 'custom_rules/user_missing_group'
-
-class CustomRuleLoader
-
-  attr_reader :custom_rule_registry
-
-  @custom_rule_directory = '/var/lib/cfn_nag_plugins'
-
-  def self.custom_rule_directory=(directory)
-    @custom_rule_directory = directory
-  end
-
-  def self.custom_rule_directory
-    @custom_rule_directory
-  end
-
-  def initialize(rule_registry)
-    @custom_rule_registry = [
-      SecurityGroupMissingEgressRule,
-      UserMissingGroupRule,
-      UnencryptedS3PutObjectAllowedRule
-    ]
-    @violations = []
-    @rule_registry = rule_registry
-    discover_rules
-  end
-
-  def custom_rules(input_json)
-    @violations = []
-
-    @custom_rule_registry.each do |rule_class|
-      rule = rule_class.new
-      @rule_registry.definition(id: rule.rule_id,
-                                type: rule.rule_type,
-                                message: rule.rule_text)
-
-      if rule.respond_to? 'custom_parsers'
-        rule.custom_parsers.each do |custom_parser|
-          ParserRegistry.instance.add_parser custom_parser[0], custom_parser[1]
-        end
-      end
-
-      cfn_model = CfnModel.new.parse(input_json)
-      audit_result = rule_class.new.audit(cfn_model)
-      @violations << audit_result unless audit_result.nil?
-    end
-    @violations
-  end
-
-  private
-
-  def discover_rules(rule_directory: CustomRuleLoader.custom_rule_directory)
-    rules = Dir[File.join(rule_directory, '*Rule.rb')].sort
-
-    rules.each do |rule|
-      require(rule)
-      @custom_rule_registry << Object.const_get(File.basename(rule, '.rb'))
-    end
-  end
-end

data/lib/custom_rules/unencrypted_s3_put_allowed.rb

@@ -1,58 +0,0 @@
-require_relative '../violation'
-require 'model/action_parser'
-
-class UnencryptedS3PutObjectAllowedRule
-
-  def rule_text
-    'It appears that the S3 Bucket Policy allows s3:PutObject without server-side encryption'
-  end
-
-  def rule_type
-    Violation::WARNING
-  end
-
-  def rule_id
-    'W1000'
-  end
-
-  def audit(cfn_model)
-    logical_resource_ids = []
-    cfn_model.bucket_policies.each do |bucket_policy|
-      found_statement = bucket_policy.statements.find do |statement|
-        blocks_put_object_without_encryption(statement)
-      end
-      if found_statement.nil?
-        logical_resource_ids << bucket_policy.logical_resource_id
-      end
-    end
-
-    if logical_resource_ids.size > 0
-      Violation.new(id: rule_id,
-                    type: rule_type,
-                    message: rule_text,
-                    logical_resource_ids: logical_resource_ids)
-    else
-      nil
-    end
-  end
-
-  private
-
-  def blocks_put_object_without_encryption(statement)
-    encryption_condition = {
-      'StringNotEquals' => {
-        's3:x-amz-server-side-encryption' => 'AES256'
-      }
-    }
-
-    # this isn't quite complete.  parsing the Resource field can be tricky
-    # looking for a trailing wildcard will likely be right most of the time
-    # but there are a lot of string manipulations to confuse things so...
-    # just warn when we can't find at least the Deny+encryption - they may have an
-    # incomplete Deny (for encryption) and that will slip through
-    statement['Effect'] == 'Deny' and
-        ActionParser.new.include?(actual_action: statement['Action'], action_to_look_for: 's3:PutObject') and
-        S3BucketPolicy::condition_includes?(statement, encryption_condition) and
-        statement['Principal'] == '*'
-  end
-end

data/lib/custom_rules/user_missing_group.rb

@@ -1,34 +0,0 @@
-require_relative '../violation'
-
-class UserMissingGroupRule
-
-  def rule_text
-    'User is not assigned to a group'
-  end
-
-  def rule_type
-    Violation::FAILING_VIOLATION
-  end
-
-  def rule_id
-    'F2000'
-  end
-
-  def audit(cfn_model)
-    logical_resource_ids = []
-    cfn_model.iam_users.each do |iam_user|
-      if iam_user.groups.size == 0
-        logical_resource_ids << iam_user.logical_resource_id
-      end
-    end
-
-    if logical_resource_ids.size > 0
-      Violation.new(id: rule_id,
-                    type: rule_type,
-                    message: rule_text,
-                    logical_resource_ids: logical_resource_ids)
-    else
-      nil
-    end
-  end
-end

data/lib/json_rules/basic_rules.rb

@@ -1,49 +0,0 @@
-raw_fatal_assertion id: 'FATAL',
-                    jq: '.Resources|length > 0',
-                    message: 'A CloudFormation template must have at least 1 resource'
-
-
-%w(
-  AWS::IAM::Role
-  AWS::IAM::Policy
-  AWS::IAM::ManagedPolicy
-  AWS::S3::BucketPolicy
-  AWS::SQS::QueuePolicy
-  AWS::SNS::TopicPolicy
-  AWS::IAM::UserToGroupAddition
-  AWS::EC2::SecurityGroup
-  AWS::EC2::SecurityGroupIngress
-  AWS::EC2::SecurityGroupEgress
-).each do |resource_must_have_properties|
-  fatal_violation id: 'FATAL',
-                  jq: "[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == \"#{resource_must_have_properties}\" and .Properties == null)]|map(.LogicalResourceId)",
-                  message: "#{resource_must_have_properties} must have Properties"
-end
-
-missing_reference_jq = <<END
-  (
-    (
-      ([..|.Ref?]|map(select(. != null)) +  [..|."Fn::GetAtt"?[0]]|map(select(. != null)))
-    )
-    -
-    (
-      ["AWS::AccountId","AWS::StackName","AWS::Region","AWS::StackId","AWS::NoValue","AWS::NotificationARNs"] +
-      ([.Resources|keys]|flatten) +
-      (if .Parameters? then ([.Parameters|keys]|flatten) else [] end)
-    )
-  )|if length==0 then false else . end
-END
-
-raw_fatal_violation id: 'FATAL',
-                    jq: missing_reference_jq,
-                    message: 'All Ref and Fn::GetAtt must reference existing logical resource ids'
-
-
-%w(
-  AWS::EC2::SecurityGroupIngress
-  AWS::EC2::SecurityGroupEgress
-).each do |xgress|
-  fatal_violation id: 'FATAL',
-                  jq: "[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == \"#{xgress}\" and .Properties.GroupName != null)]|map(.LogicalResourceId)",
-                  message: "#{xgress} must not have GroupName - EC2 classic is a no-go!"
-end

data/lib/json_rules/cfn_rules.rb

@@ -1,4 +0,0 @@
-warning id: 'W1',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Metadata."AWS::CloudFormation::Authentication") ]|'\
-              'map(.LogicalResourceId) ',
-        message: 'Specifying credentials in the template itself is probably not the safest thing'

data/lib/json_rules/cidr_rules.rb

@@ -1,77 +0,0 @@
-##### inline ingress
-warning id: 'W2',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "object"))|select(.Properties.SecurityGroupIngress.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
-        message: 'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB'
-
-warning id: 'W3',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "array"))|first(select(.Properties.SecurityGroupIngress[].CidrIp? == "0.0.0.0/0"))]|map(.LogicalResourceId)',
-        message: 'Security Groups found with cidr open to world on ingress array.  This should never be true on instance.  Permissible on ELB'
-
-##### external ingress
-warning id: 'W4',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
-        message: 'Security Group Standalone Ingress found with cidr open to world. This should never be true on instance.  Permissible on ELB'
-
-
-###### inline egress
-warning id: 'W5',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "object"))|select(.Properties.SecurityGroupEgress.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
-        message: 'Security Groups found with cidr open to world on egress'
-
-
-warning id: 'W6',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "array"))|first(select(.Properties.SecurityGroupEgress[].CidrIp? == "0.0.0.0/0"))]|map(.LogicalResourceId)',
-        message: 'Security Groups found with cidr open to world on egress array'
-
-
-##### external egress
-warning id: 'W7',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
-        message: 'Security Group Standalone Egress found with cidr open to world.'
-
-non32_cidr_standalone_ingress = <<END
-[.Resources|
- with_entries(.value.LogicalResourceId = .key)[] |
- select(.Type == "AWS::EC2::SecurityGroupIngress") |
- if(.Properties.CidrIp|type == "string")
- then select(.Properties.CidrIp|endswith("/32")|not)
- else (
-   if(.Properties.CidrIp|type == "array")
-   then (select(.Properties.CidrIp[]|if (type == "string") then (endswith("/32")|not) else false end))
-   else empty
-   end
- )
- end ]|map(.LogicalResourceId)
-END
-
-# BEWARE with escapes \d -> \\\d because of how the escapes get munged from ruby through to shell
-warning id: 'W8',
-        jq: non32_cidr_standalone_ingress,
-        message: 'Security Group Standalone Ingress cidr found that is not /32'
-
-non_32_cidr_jq_expression = <<END
-[.Resources |
- with_entries(.value.LogicalResourceId = .key)[] |
- select(.Type == "AWS::EC2::SecurityGroup") |
- if (.Properties.SecurityGroupIngress|type == "object")
- then (
-        if (.Properties.SecurityGroupIngress.CidrIp|type == "string")
-        then (select(.Properties.SecurityGroupIngress.CidrIp|endswith("/32")|not))
-        else empty
-        end
-      )
- else (
-        if (.Properties.SecurityGroupIngress|type == "array")
-        then (
-               select(.Properties.SecurityGroupIngress[]|(if (.CidrIp|type == "string") then (select(.CidrIp|endswith("/32")|not)) else empty end))
-             )
-        else empty
-        end
-      )
-  end
-  ]|map(.LogicalResourceId)
-END
-
-warning id: 'W9',
-        jq: non_32_cidr_jq_expression,
-        message: 'Security Groups found with cidr that is not /32'

data/lib/json_rules/cloudfront_rules.rb

@@ -1,4 +0,0 @@
-warning id: 'W10',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::CloudFront::Distribution")|'\
-              'select(.Properties.DistributionConfig.Logging == null)]|map(.LogicalResourceId) ',
-        message: 'CloudFront Distribution should enable access logging'

data/lib/json_rules/ebs_rules.rb

@@ -1,4 +0,0 @@
-violation id: 'F1',
-          jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::Volume")|'\
-              'select(.Properties.Encrypted == null or .Properties.Encrypted == false)]|map(.LogicalResourceId) ',
-          message: 'EBS volume should have server-side encryption enabled'

data/lib/json_rules/iam_policy_rules.rb

@@ -1,153 +0,0 @@
-wildcard_action_filter = <<END
-def wildcard_action:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "*") else (.Statement.Action|indices("*")|length > 0) end))
-  else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "*") else (.Action|indices("*")|length > 0) end))
-  end;
-END
-
-violation id: 'F2',
-          jq: wildcard_action_filter +
-             "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
-          message: 'IAM role should not allow * action on its trust policy'
-
-violation id: 'F3',
-          jq: wildcard_action_filter +
-              "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|wildcard_action)]|map(.LogicalResourceId)",
-          message: 'IAM role should not allow * action on its permissions policy'
-
-
-violation id: 'F4',
-          jq: wildcard_action_filter +
-              "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
-          message: 'IAM policy should not allow * action'
-
-
-violation id: 'F5',
-          jq: wildcard_action_filter +
-              "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
-          message: 'IAM managed policy should not allow * action'
-
-wildcard_resource_filter = <<END
-def wildcard_resource:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (if .Statement.Resource|type=="string" then (.Statement.Resource == "*") else (.Statement.Resource|indices("*")|length > 0) end))
-  else select(.Statement[]|.Effect == "Allow" and (if .Resource|type=="string" then (.Resource == "*") else (.Statement.Resource|indices("*")|length > 0) end))
-  end;
-END
-
-warning id: 'W11',
-        jq: wildcard_resource_filter +
-            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
-        message: 'IAM role should not allow * resource on its permissions policy'
-
-
-warning id: 'W12',
-        jq: wildcard_resource_filter +
-            "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
-        message: 'IAM policy should not allow * resource'
-
-warning id: 'W13',
-        jq: wildcard_resource_filter +
-            "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
-        message: 'IAM managed policy should not allow * resource'
-
-allow_not_action_filter = <<END
-def allow_not_action:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and .Statement.NotAction != null)
-  else select(.Statement[]|(.Effect == "Allow" and .NotAction != null))
-  end;
-END
-
-warning id: 'W14',
-        jq: allow_not_action_filter +
-            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'IAM role should not allow Allow+NotAction on trust permissinos'
-
-
-warning id: 'W15',
-        jq: allow_not_action_filter +
-            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'IAM role should not allow Allow+NotAction'
-
-
-warning id: 'W16',
-        jq: allow_not_action_filter +
-            "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'IAM policy should not allow Allow+NotAction'
-
-
-warning id: 'W17',
-        jq: allow_not_action_filter +
-            "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'IAM managed policy should not allow Allow+NotAction'
-
-warning id: 'W18',
-        jq: allow_not_action_filter +
-            "[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'SQS Queue policy should not allow Allow+NotAction'
-
-warning id: 'W19',
-        jq: allow_not_action_filter +
-            "[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'SNS Topic policy should not allow Allow+NotAction'
-
-warning id: 'W20',
-        jq: allow_not_action_filter +
-            "[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
-        message: 'S3 Bucket policy should not allow Allow+NotAction'
-
-allow_not_resource_filter = <<END
-def allow_not_resource:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and .Statement.NotResource != null)
-  else select(.Statement[]|(.Effect == "Allow" and .NotResource != null))
-  end;
-END
-
-warning id: 'W21',
-        jq: allow_not_resource_filter +
-            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
-        message: 'IAM role should not allow Allow+NotResource'
-
-
-warning id: 'W22',
-        jq: allow_not_resource_filter +
-            "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
-        message: 'IAM policy should not allow Allow+NotResource'
-
-
-warning id: 'W23',
-        jq: allow_not_resource_filter +
-           "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
-        message: 'IAM managed policy should not allow Allow+NotResource'
-
-
-allow_not_principal_filter = <<END
-def allow_not_principal:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and .Statement.NotPrincipal != null)
-  else select(.Statement[]|(.Effect == "Allow" and .NotPrincipal != null))
-  end;
-END
-
-violation id: 'F6',
-          jq: allow_not_principal_filter +
-              "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
-          message: 'IAM role should not allow Allow+NotPrincipal in its trust policy'
-
-violation id: 'F7',
-          jq: allow_not_principal_filter +
-              "[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
-          message: 'SQS Queue policy should not allow Allow+NotPrincipal'
-
-violation id: 'F8',
-          jq: allow_not_principal_filter +
-              "[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
-          message: 'SNS Topic policy should not allow Allow+NotPrincipal'
-
-violation id: 'F9',
-          jq: allow_not_principal_filter +
-              "[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
-          message: 'S3 Bucket policy should not allow Allow+NotPrincipal'