cfn-nag 0.3.26 → 0.3.29
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/bin/cfn_nag_rules +7 -3
- data/bin/cfn_nag_scan +34 -17
- data/lib/cfn-nag.rb +3 -1
- data/lib/cfn-nag/cfn_nag.rb +6 -7
- data/lib/cfn-nag/custom_rule_loader.rb +3 -4
- data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb +1 -4
- data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/PolicyOnUserRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb +3 -4
- data/lib/cfn-nag/custom_rules/RDSInstancePubliclyAccessibleRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb +1 -3
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/UserMissingGroupRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/base.rb +2 -3
- data/lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb +1 -1
- data/lib/cfn-nag/ip_addr.rb +1 -2
- data/lib/cfn-nag/jmes_path_discovery.rb +1 -1
- data/lib/cfn-nag/jmes_path_evaluator.rb +1 -1
- data/lib/cfn-nag/profile.rb +1 -1
- data/lib/cfn-nag/profile_loader.rb +1 -3
- data/lib/cfn-nag/result_view/json_results.rb +2 -3
- data/lib/cfn-nag/result_view/rules_view.rb +4 -6
- data/lib/cfn-nag/result_view/simple_stdout_results.rb +5 -8
- data/lib/cfn-nag/rule_definition.rb +4 -6
- data/lib/cfn-nag/rule_dumper.rb +1 -1
- data/lib/cfn-nag/rule_registry.rb +1 -1
- data/lib/cfn-nag/template_discovery.rb +8 -8
- data/lib/cfn-nag/violation.rb +14 -14
- metadata +16 -16
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class IamRoleWildcardResourceOnPermissionsPolicyRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'IAM role should not allow * resource on its permissions policy'
|
|
8
7
|
end
|
|
@@ -23,6 +22,6 @@ class IamRoleWildcardResourceOnPermissionsPolicyRule < BaseRule
|
|
|
23
22
|
!violating_policies.empty?
|
|
24
23
|
end
|
|
25
24
|
|
|
26
|
-
violating_roles.map
|
|
25
|
+
violating_roles.map(&:logical_resource_id)
|
|
27
26
|
end
|
|
28
|
-
end
|
|
27
|
+
end
|
|
@@ -19,6 +19,6 @@ class LambdaPermissionInvokeFunctionActionRule < BaseRule
|
|
|
19
19
|
lambda_permission.action != 'lambda:InvokeFunction'
|
|
20
20
|
end
|
|
21
21
|
|
|
22
|
-
violating_lambdas.map
|
|
22
|
+
violating_lambdas.map(&:logical_resource_id)
|
|
23
23
|
end
|
|
24
24
|
end
|
|
@@ -20,6 +20,6 @@ class LambdaPermissionWildcardPrincipalRule < BaseRule
|
|
|
20
20
|
LambdaPrincipal.wildcard? lambda_permission.principal
|
|
21
21
|
end
|
|
22
22
|
|
|
23
|
-
violating_lambdas.map
|
|
23
|
+
violating_lambdas.map(&:logical_resource_id)
|
|
24
24
|
end
|
|
25
25
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class RDSInstanceMasterUserPasswordRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'RDS instance master user password must be Ref to NoEcho Parameter'
|
|
8
7
|
end
|
|
@@ -27,7 +26,7 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
|
|
|
27
26
|
end
|
|
28
27
|
end
|
|
29
28
|
|
|
30
|
-
|
|
29
|
+
violating_rdsinstances.map(&:logical_resource_id)
|
|
31
30
|
end
|
|
32
31
|
|
|
33
32
|
private
|
|
@@ -43,8 +42,8 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
|
|
|
43
42
|
def references_no_echo_parameter_without_default?(cfn_model, master_user_password)
|
|
44
43
|
# i feel like i've written this mess somewhere before
|
|
45
44
|
if master_user_password.is_a? Hash
|
|
46
|
-
if master_user_password.
|
|
47
|
-
if cfn_model.parameters.
|
|
45
|
+
if master_user_password.key? 'Ref'
|
|
46
|
+
if cfn_model.parameters.key? master_user_password['Ref']
|
|
48
47
|
parameter = cfn_model.parameters[master_user_password['Ref']]
|
|
49
48
|
|
|
50
49
|
return to_boolean(parameter.noEcho) && parameter.default.nil?
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class RDSInstancePubliclyAccessibleRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'RDS instance should not be publicly accessible'
|
|
8
7
|
end
|
|
@@ -20,6 +19,6 @@ class RDSInstancePubliclyAccessibleRule < BaseRule
|
|
|
20
19
|
instance.publiclyAccessible.nil? || instance.publiclyAccessible.to_s.downcase == 'true'
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_rdsinstances.map
|
|
22
|
+
violating_rdsinstances.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
24
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class S3BucketPolicyNotActionRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'S3 Bucket policy should not allow Allow+NotAction'
|
|
8
7
|
end
|
|
@@ -20,6 +19,6 @@ class S3BucketPolicyNotActionRule < BaseRule
|
|
|
20
19
|
!policy.policy_document.allows_not_action.empty?
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_policies.map
|
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
24
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class S3BucketPolicyNotPrincipalRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'S3 Bucket policy should not allow Allow+NotPrincipal'
|
|
8
7
|
end
|
|
@@ -20,6 +19,6 @@ class S3BucketPolicyNotPrincipalRule < BaseRule
|
|
|
20
19
|
!policy.policy_document.allows_not_principal.empty?
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_policies.map
|
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
24
|
end
|
|
@@ -35,6 +35,6 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
|
|
|
35
35
|
ip4_open?(standalone_egress) || ip6_open?(standalone_egress)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
-
logical_resource_ids + violating_egresses.map
|
|
38
|
+
logical_resource_ids + violating_egresses.map(&:logical_resource_id)
|
|
39
39
|
end
|
|
40
40
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class SecurityGroupEgressPortRangeRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'Security Groups found egress with port range instead of just a single port'
|
|
8
7
|
end
|
|
@@ -33,6 +32,6 @@ class SecurityGroupEgressPortRangeRule < BaseRule
|
|
|
33
32
|
standalone_egress.fromPort != standalone_egress.toPort
|
|
34
33
|
end
|
|
35
34
|
|
|
36
|
-
logical_resource_ids + violating_egresses.map
|
|
35
|
+
logical_resource_ids + violating_egresses.map(&:logical_resource_id)
|
|
37
36
|
end
|
|
38
37
|
end
|
|
@@ -35,7 +35,6 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
|
|
|
35
35
|
ip4_cidr_range?(standalone_ingress) || ip6_cidr_range?(standalone_ingress)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
-
logical_resource_ids + violating_ingresses.map
|
|
38
|
+
logical_resource_ids + violating_ingresses.map(&:logical_resource_id)
|
|
39
39
|
end
|
|
40
40
|
end
|
|
41
|
-
|
|
@@ -4,7 +4,7 @@ require 'cfn-nag/ip_addr'
|
|
|
4
4
|
|
|
5
5
|
class SecurityGroupIngressOpenToWorldRule < BaseRule
|
|
6
6
|
include IpAddr
|
|
7
|
-
|
|
7
|
+
|
|
8
8
|
def rule_text
|
|
9
9
|
'Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB'
|
|
10
10
|
end
|
|
@@ -35,6 +35,6 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
|
|
|
35
35
|
ip4_open?(standalone_ingress) || ip6_open?(standalone_ingress)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
|
-
logical_resource_ids + violating_ingresses.map
|
|
38
|
+
logical_resource_ids + violating_ingresses.map(&:logical_resource_id)
|
|
39
39
|
end
|
|
40
40
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class SecurityGroupIngressPortRangeRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'Security Groups found ingress with port range instead of just a single port'
|
|
8
7
|
end
|
|
@@ -33,6 +32,6 @@ class SecurityGroupIngressPortRangeRule < BaseRule
|
|
|
33
32
|
standalone_ingress.fromPort != standalone_ingress.toPort
|
|
34
33
|
end
|
|
35
34
|
|
|
36
|
-
logical_resource_ids + violating_ingresses.map
|
|
35
|
+
logical_resource_ids + violating_ingresses.map(&:logical_resource_id)
|
|
37
36
|
end
|
|
38
37
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class SecurityGroupMissingEgressRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration'
|
|
8
7
|
end
|
|
@@ -25,4 +24,4 @@ class SecurityGroupMissingEgressRule < BaseRule
|
|
|
25
24
|
|
|
26
25
|
logical_resource_ids
|
|
27
26
|
end
|
|
28
|
-
end
|
|
27
|
+
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class SnsTopicPolicyNotActionRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'SNS Topic policy should not allow Allow+NotAction'
|
|
8
7
|
end
|
|
@@ -20,6 +19,6 @@ class SnsTopicPolicyNotActionRule < BaseRule
|
|
|
20
19
|
!policy.policy_document.allows_not_action.empty?
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_policies.map
|
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
|
-
end
|
|
24
|
+
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class SnsTopicPolicyNotPrincipalRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'SNS Topic policy should not allow Allow+NotPrincipal'
|
|
8
7
|
end
|
|
@@ -20,7 +19,6 @@ class SnsTopicPolicyNotPrincipalRule < BaseRule
|
|
|
20
19
|
!policy.policy_document.allows_not_principal.empty?
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_policies.map
|
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
24
|
end
|
|
26
|
-
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class SqsQueuePolicyNotActionRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'SQS Queue policy should not allow Allow+NotAction'
|
|
8
7
|
end
|
|
@@ -20,6 +19,6 @@ class SqsQueuePolicyNotActionRule < BaseRule
|
|
|
20
19
|
!policy.policy_document.allows_not_action.empty?
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_policies.map
|
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
24
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class SqsQueuePolicyNotPrincipalRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'SQS Queue policy should not allow Allow+NotPrincipal'
|
|
8
7
|
end
|
|
@@ -20,6 +19,6 @@ class SqsQueuePolicyNotPrincipalRule < BaseRule
|
|
|
20
19
|
!policy.policy_document.allows_not_principal.empty?
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_policies.map
|
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
24
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class UserHasInlinePolicyRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'IAM user should not have any inline policies. Should be centralized Policy object on group'
|
|
8
7
|
end
|
|
@@ -20,6 +19,6 @@ class UserHasInlinePolicyRule < BaseRule
|
|
|
20
19
|
iam_user.policy_objects.size > 0
|
|
21
20
|
end
|
|
22
21
|
|
|
23
|
-
violating_users.map
|
|
22
|
+
violating_users.map(&:logical_resource_id)
|
|
24
23
|
end
|
|
25
24
|
end
|
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
|
2
2
|
require_relative 'base'
|
|
3
3
|
|
|
4
4
|
class UserMissingGroupRule < BaseRule
|
|
5
|
-
|
|
6
5
|
def rule_text
|
|
7
6
|
'User is not assigned to a group'
|
|
8
7
|
end
|
|
@@ -25,4 +24,4 @@ class UserMissingGroupRule < BaseRule
|
|
|
25
24
|
|
|
26
25
|
logical_resource_ids
|
|
27
26
|
end
|
|
28
|
-
end
|
|
27
|
+
end
|
|
@@ -11,7 +11,6 @@ require 'cfn-nag/violation'
|
|
|
11
11
|
require_relative 'base'
|
|
12
12
|
|
|
13
13
|
class WafWebAclDefaultActionRule < BaseRule
|
|
14
|
-
|
|
15
14
|
def rule_text
|
|
16
15
|
'WebAcl DefaultAction should not be ALLOW'
|
|
17
16
|
end
|
|
@@ -29,6 +28,6 @@ class WafWebAclDefaultActionRule < BaseRule
|
|
|
29
28
|
web_acl.defaultAction['Type'] == 'ALLOW'
|
|
30
29
|
end
|
|
31
30
|
|
|
32
|
-
violating_web_acls.map
|
|
31
|
+
violating_web_acls.map(&:logical_resource_id)
|
|
33
32
|
end
|
|
34
33
|
end
|
|
@@ -1,11 +1,10 @@
|
|
|
1
1
|
require 'cfn-nag/violation'
|
|
2
2
|
|
|
3
3
|
class BaseRule
|
|
4
|
-
|
|
5
4
|
##
|
|
6
5
|
# Returns a collection of logical resource ids
|
|
7
6
|
#
|
|
8
|
-
def audit_impl(
|
|
7
|
+
def audit_impl(_cfn_model)
|
|
9
8
|
raise 'must implement in subclass'
|
|
10
9
|
end
|
|
11
10
|
|
|
@@ -25,4 +24,4 @@ class BaseRule
|
|
|
25
24
|
nil
|
|
26
25
|
end
|
|
27
26
|
end
|
|
28
|
-
end
|
|
27
|
+
end
|
data/lib/cfn-nag/ip_addr.rb
CHANGED
|
@@ -6,7 +6,6 @@ module IpAddr
|
|
|
6
6
|
ingress.cidrIp.is_a?(String) && ingress.cidrIp == '0.0.0.0/0'
|
|
7
7
|
end
|
|
8
8
|
|
|
9
|
-
|
|
10
9
|
def ip6_open?(ingress)
|
|
11
10
|
normalized_cidr_ip6 = normalize_cidr_ip6(ingress)
|
|
12
11
|
return false if normalized_cidr_ip6.nil?
|
|
@@ -41,4 +40,4 @@ module IpAddr
|
|
|
41
40
|
nil
|
|
42
41
|
end
|
|
43
42
|
end
|
|
44
|
-
end
|
|
43
|
+
end
|