cfn-nag 0.0.44 → 0.1.0

data/lib/json_rules/iam_user_rules.rb

@@ -1,15 +0,0 @@
-violation id: 'F10',
-          jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::User")|'\
-              'select(.Properties.Policies|length > 0)]|map(.LogicalResourceId) ',
-          message: 'IAM user should not have any directly attached policies.  Should be on group'
-
-violation id: 'F11',
-          jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::Policy")|'\
-              'select(.Properties.Users|length > 0)]|map(.LogicalResourceId) ',
-          message: 'IAM policy should not apply directly to users.  Should be on group'
-
-violation id: 'F12',
-          jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::ManagedPolicy")|'\
-              'select(.Properties.Users|length > 0)]|map(.LogicalResourceId) ',
-          message: 'IAM managed policy should not apply directly to users.  Should be on group'
-

data/lib/json_rules/lambda_rules.rb

@@ -1,9 +0,0 @@
-warning id: 'W24',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::Lambda::Permission")|'\
-              'select(.Properties.Action != "lambda:InvokeFunction")]|map(.LogicalResourceId) ',
-        message: 'Lambda permission beside InvokeFunction might not be what you want?  Not sure!?'
-
-violation id: 'F13',
-          jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::Lambda::Permission")|'\
-              'select(.Properties.Principal == "*")]|map(.LogicalResourceId) ',
-        message: 'Lambda permission principal should not be wildcard'

data/lib/json_rules/loadbalancer_rules.rb

@@ -1,9 +0,0 @@
-warning id: 'W25',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::ElasticLoadBalancing::LoadBalancer")|'\
-              'select(.Properties.AccessLoggingPolicy == null)]|map(.LogicalResourceId) ',
-        message: 'Elastic Load Balancer should have access logging configured'
-
-warning id: 'W26',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::ElasticLoadBalancing::LoadBalancer")|'\
-              'select(.Properties.AccessLoggingPolicy?.Enabled == false)]|map(.LogicalResourceId) ',
-        message: 'Elastic Load Balancer should have access logging enabled'

data/lib/json_rules/port_rules.rb

@@ -1,33 +0,0 @@
-warning id: 'W27',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
-            'select(.Type == "AWS::EC2::SecurityGroup")| '\
-            'if (.Properties.SecurityGroupIngress|type == "object") '\
-            'then select(.Properties.SecurityGroupIngress.ToPort != .Properties.SecurityGroupIngress.FromPort) '\
-            'else if (.Properties.SecurityGroupIngress|type == "array") '\
-            '     then select([.Properties.SecurityGroupIngress[].ToPort] != [.Properties.SecurityGroupIngress[].FromPort]) '\
-            '     else empty '\
-            '     end '\
-            'end '\
-            ']|map(.LogicalResourceId)',
-        message:  'Security Groups found ingress with port range instead of just a single port'
-
-warning id: 'W28',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
-        message:  'Security Group ingress with port range instead of just a single port'
-
-warning id: 'W29',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | '\
-            'select(.Type == "AWS::EC2::SecurityGroup")| '\
-            'if (.Properties.SecurityGroupEgress|type == "object") '\
-            'then select(.Properties.SecurityGroupEgress.ToPort != .Properties.SecurityGroupEgress.FromPort) '\
-            'else if (.Properties.SecurityGroupEgress|type == "array") '\
-            '     then select([.Properties.SecurityGroupEgress[].ToPort] != [.Properties.SecurityGroupEgress[].FromPort]) '\
-            '     else empty '\
-            '     end '\
-            'end'\
-            ']|map(.LogicalResourceId)',
-        message:  'Security Groups found egress with port range instead of just a single port'
-
-warning id: 'W30',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
-        message:  'Security Group egress with port range instead of just a single port'

data/lib/json_rules/s3_bucket_rules.rb

@@ -1,51 +0,0 @@
-warning id: 'W31',
-        jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::S3::Bucket")|'\
-              'select(.Properties.AccessControl? == "PublicRead")]|map(.LogicalResourceId) ',
-        message: 'S3 Bucket likely should not have a public read acl'
-
-violation id: 'F14',
-          jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::S3::Bucket")|'\
-              'select(.Properties.AccessControl? == "PublicReadWrite")]|map(.LogicalResourceId) ',
-          message: 'S3 Bucket should not have a public read-write acl'
-
-
-
-s3_wildcard_action_filter = <<END
-def s3_wildcard_action:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "s3:*" or .Statement.Action == "*") else ((.Statement.Action|indices("s3:*")|length > 0) or (.Statement.Action|indices("*")|length > 0)) end))
-  else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "s3:*" or .Action == "*") else ((.Action|indices("s3:*")|length > 0) or (.Action|indices("*")|length > 0)) end))
-  end;
-END
-
-s3_wildcard_principal_filter = <<END
-def s3_wildcard_principal:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*") )
-  else select(.Statement[]|.Effect == "Allow" and ((.Principal?|type=="string") and (.Principal == "*")) )
-  end;
-END
-
-s3_wildcard_aws_principal_filter = <<END
-def s3_wildcard_aws_principal:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="object") and (.Statement.Principal.AWS == "*"))
-  else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="object") and (.Principal.AWS == "*")))
-  end;
-END
-
-
-violation id: 'F15',
-          jq: s3_wildcard_action_filter +
-              "[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_action)]|map(.LogicalResourceId) ",
-          message: 'S3 Bucket policy should not allow * action'
-
-violation id: 'F16',
-          jq: s3_wildcard_principal_filter +
-              "[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_principal)]|map(.LogicalResourceId) ",
-          message: 'S3 Bucket policy should not allow * principal'
-
-violation id: 'F17',
-          jq: s3_wildcard_aws_principal_filter +
-              "[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_aws_principal)]|map(.LogicalResourceId) ",
-          message: 'S3 Bucket policy should not allow * AWS principal'

data/lib/json_rules/sns_rules.rb

@@ -1,29 +0,0 @@
-sns_wildcard_principal_filter = <<END
-def sns_wildcard_principal:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*"))
-  else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="string") and (.Principal == "*")))
-  end;
-END
-
-sns_wildcard_aws_principal_filter = <<END
-def sns_wildcard_aws_principal:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="object") and (.Statement.Principal.AWS == "*"))
-  else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="object") and (.Principal.AWS == "*")))
-  end;
-END
-
-# i guess we could have principal "AWS": ["1111111111", "*", "222222222222"]... or ["*","arn:..."]
-
-#sns action wildcard doesnt seem to be accepted by sns so dont sweat it
-
-violation id: 'F18',
-          jq: sns_wildcard_principal_filter +
-              "[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_principal)]|map(.LogicalResourceId) ",
-          message: 'SNS topic policy should not allow * principal'
-
-violation id: 'F19',
-          jq: sns_wildcard_aws_principal_filter +
-              "[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_aws_principal)]|map(.LogicalResourceId) ",
-          message: 'SNS topic policy should not allow * AWS principal'

data/lib/json_rules/sqs_rules.rb

@@ -1,25 +0,0 @@
-sqs_wildcard_action_filter = <<END
-def sqs_wildcard_action:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and .Statement.Action and (if .Statement.Action|type=="string" then (.Statement.Action | contains("*") ) else (.Statement.Action|contains(["*"])) end))
-  else select(.Statement[]|.Effect == "Allow" and .Action and (if .Action|type=="string" then (.Action | contains("*")) else (.Action|contains(["*"])) end))
-  end;
-END
-
-sqs_wildcard_principal_filter = <<END
-def sqs_wildcard_principal:
-  if .Statement|type == "object"
-  then select(.Statement.Effect == "Allow" and (((.Statement.Principal?|type=="string") and (.Statement.Principal|contains("*"))) or ((.Statement.Principal?|type=="object") and (.Statement.Principal|contains({"AWS": "*"}))) ))
-  else select(.Statement[]|.Effect == "Allow" and ( ((.Principal?|type=="string") and (.Principal|contains("*"))) or ((.Principal?|type=="object") and (.Principal|contains({"AWS": "*"}))) )      )
-  end;
-END
-
-violation id: 'F20',
-          jq: sqs_wildcard_action_filter +
-              "[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_action)]|map(.LogicalResourceId) ",
-          message: 'SQS Queue policy should not allow * action'
-
-violation id: 'F21',
-          jq: sqs_wildcard_principal_filter +
-              "[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_principal)]|map(.LogicalResourceId) ",
-          message: 'SQS Queue policy should not allow * principal'

data/lib/model/action_parser.rb

@@ -1,27 +0,0 @@
-require 'json'
-
-class ActionParser
-
-  def include?(actual_action:, action_to_look_for:)
-    if actual_action.is_a? Array
-      matches = actual_action.find do |single_action|
-        match_potentially_wildcard_action(actual_action: single_action,
-                                          action_to_look_for: action_to_look_for)
-      end
-      not matches.nil?
-    elsif actual_action.is_a? String
-      match_potentially_wildcard_action(actual_action: actual_action,
-                                        action_to_look_for: action_to_look_for)
-    else
-      fail "actual_action needs to be a String or Array (of String),not : #{actual_action.class}"
-    end
-  end
-
-  private
-
-  def match_potentially_wildcard_action(actual_action:, action_to_look_for:)
-    actual_action_regex = actual_action.gsub /\*/, '.*'
-    match_position = Regexp.new(actual_action_regex) =~ action_to_look_for
-    not match_position.nil?
-  end
-end

data/lib/model/cfn_model.rb

@@ -1,182 +0,0 @@
-require 'json'
-require_relative 'parser_registry'
-
-# consider a canonical form for template too...
-# always transform optional things into more general forms....
-# although referencing violations becomes tricky then (a la c preprocessor)
-
-class CfnModel
-  def initialize
-    @dangling_ingress_or_egress_rules = []
-    @dangler = Object.new
-  end
-
-  def parse(cfn_json_string)
-    @json_hash = JSON.load cfn_json_string
-    self
-  end
-
-  def parameters
-    @json_hash['Parameters']
-  end
-
-  def security_groups
-    fail 'must call parse first' unless @json_hash
-    security_groups_hash = resources_by_type('AWS::EC2::SecurityGroup')
-    wire_ingress_rules_to_security_groups(security_groups_hash)
-    wire_egress_rules_to_security_groups(security_groups_hash)
-    security_groups_hash.values
-  end
-
-  def dangling_ingress_or_egress_rules
-    fail 'must call parse first' unless @json_hash
-    @dangling_ingress_or_egress_rules
-  end
-
-  def iam_users
-    fail 'must call parse first' unless @json_hash
-    iam_users_hash = resources_by_type('AWS::IAM::User')
-    wire_user_to_group_additions_to_users(iam_users_hash)
-    iam_users_hash.values
-  end
-
-  def bucket_policies
-    bucket_policy_hash = resources_by_type('AWS::S3::BucketPolicy')
-    bucket_policy_hash.values
-  end
-
-  def resources_by_type(resource_type)
-    resources_map = {}
-    resources.each do |resource_name, resource|
-      if resource['Type'] == resource_type
-        resource_parser = ParserRegistry.instance.registry[resource_type].new
-        resources_map[resource_name] = resource_parser.parse(resource_name, resource)
-      end
-    end
-    resources_map
-  end
-
-  private
-
-  def resolve_user_logical_resource_id(user)
-    if not user['Ref'].nil?
-      user['Ref']
-    elsif not user['Fn::GetAtt'].nil?
-      fail 'Arn not legal for user to group addition'
-    else
-      @dangler
-    end
-  end
-
-  def resolve_group_id(group_id)
-    if not group_id['Ref'].nil?
-      group_id['Ref']
-    elsif not group_id['Fn::GetAtt'].nil?
-      fail 'GroupId only legal att on security group resource' unless group_id['Fn::GetAtt'][1] == 'GroupId'
-      group_id['Fn::GetAtt'][0]
-    else
-      @dangling_ingress_or_egress_rules << group_id
-      @dangler
-    end
-  end
-
-  def wire_user_to_group_additions_to_users(iam_users_hash)
-    resources_by_type('AWS::IAM::UserToGroupAddition').each do |resource_name, user_to_group_addition|
-      user_to_group_addition['Users'].each do |user|
-        unless resolve_user_logical_resource_id(user) == @dangler
-          iam_users_hash[resolve_user_logical_resource_id(user)].add_group user_to_group_addition['GroupName']
-        end
-      end
-    end
-    iam_users_hash
-  end
-
-  def wire_ingress_rules_to_security_groups(security_groups_hash)
-    resources_by_type('AWS::EC2::SecurityGroupIngress').each do |resource_name, ingress_rule|
-      if not ingress_rule['GroupId'].nil?
-        group_id = resolve_group_id(ingress_rule['GroupId'])
-
-        unless group_id == @dangler
-          security_groups_hash[group_id].add_ingress_rule ingress_rule
-        end
-      else
-        fail "GroupId must be set: #{ingress_rule}"
-      end
-    end
-    security_groups_hash
-  end
-
-  def wire_egress_rules_to_security_groups(security_groups_hash)
-    resources_by_type('AWS::EC2::SecurityGroupEgress').each do |resource_name, egress_rule|
-      if not egress_rule['GroupId'].nil?
-        group_id = resolve_group_id(egress_rule['GroupId'])
-
-        unless group_id == @dangler
-          security_groups_hash[group_id].add_egress_rule egress_rule
-        end
-      else
-        fail "GroupId must be set: #{egress_rule}"
-      end
-    end
-    security_groups_hash
-  end
-
-  def resources
-    @json_hash['Resources']
-  end
-
-
-end
-
-class SecurityGroup
-  attr_accessor :group_description, :vpc_id, :logical_resource_id
-  attr_reader :ingress_rules, :egress_rules
-
-  def initialize
-    @ingress_rules = []
-    @egress_rules = []
-  end
-
-  def add_ingress_rule(ingress_rule)
-    @ingress_rules << ingress_rule
-  end
-
-  def add_egress_rule(egress_rule)
-    @egress_rules << egress_rule
-  end
-
-  def to_s
-    <<-END
-    {
-      logical_resource_id: #{@logical_resource_id}
-      group_description: #{@group_description}
-      vpc_id: #{@vpc_id}
-      ingress_rules: #{@ingress_rules}
-      egress_rules: #{@egress_rules}
-    }
-    END
-  end
-end
-
-class IamUser
-  attr_accessor :logical_resource_id
-  attr_reader :groups
-
-  def initialize
-    @groups = []
-  end
-
-  def add_group(group)
-    @groups << group
-  end
-
-  def to_s
-    <<-END
-    {
-      logical_resource_id: #{@logical_resource_id}
-      groups: #{@groups}
-    }
-    END
-  end
-end
-

data/lib/model/iam_user_parser.rb

@@ -1,34 +0,0 @@
-require_relative 'cfn_model'
-
-
-class IamUserParser
-
-  def parse(resource_name, resource_json)
-    properties = resource_json['Properties']
-    iam_user = IamUser.new
-
-    iam_user.logical_resource_id = resource_name
-
-    unless properties.nil?
-      unless properties['Groups'].nil?
-        properties['Groups'].each do |group|
-          iam_user.add_group group
-        end
-      end
-    end
-
-    iam_user
-  end
-end
-
-class IamUserToGroupAdditionParser
-
-  def parse(resource_name, resource_json)
-    user_to_group_addition = {}
-    user_to_group_addition['logical_resource_id'] = resource_name
-    resource_json['Properties'].each_pair do |key, value|
-      user_to_group_addition[key] = value
-    end
-    user_to_group_addition
-  end
-end

data/lib/model/parser_registry.rb

@@ -1,31 +0,0 @@
-require_relative 'security_group_parser'
-require_relative 'iam_user_parser'
-require_relative 's3_bucket_policy_parser'
-require_relative 'parser_registry'
-
-class ParserRegistry
-  attr_reader :registry
-
-  def initialize
-    @registry = {
-      'AWS::EC2::SecurityGroup' => SecurityGroupParser,
-      'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
-      'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
-      'AWS::IAM::User' => IamUserParser,
-      'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
-      'AWS::S3::BucketPolicy' => S3BucketPolicyParser
-    }
-  end
-
-  def self.instance
-    if @instance.nil?
-      @instance = ParserRegistry.new
-    end
-    @instance
-  end
-
-  def add_parser(resource_name, parser)
-    @registry[resource_name] = parser
-  end
-
-end