cfn-nag 0.4.30 → 0.4.31
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb +22 -0
- data/lib/cfn-nag/custom_rules/IamPolicyPassRoleWildcardResourceRule.rb +22 -0
- data/lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb +44 -0
- data/lib/cfn-nag/custom_rules/passrole_base_rule.rb +35 -0
- data/lib/cfn-nag/util/wildcard_patterns.rb +44 -0
- metadata +6 -1
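--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2130f00e6dff534fdfa6c39d625c00b7909e998ecf3878a8ea3dae1c4b948417
+data.tar.gz: 7fe2fdd16898699d4453e276cee8f14d982bebee6e78519dd2995c602566f709
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c6e4d718d5915fa3457cd111ecc7cb0d098a1db5eecc9e39937c89ce15b2a85fcfa3ace72ea611ef53864ad2dfb8b6c8f95475055face3e03e68a21a6ef91495
+data.tar.gz: 31c79377d5f089c6b2378dc0912d8822ab8bcfc7cca106abf716a2b4cb4e23fa1617a05c9672477dfb03b53bb027ebab68f3e6898257a28ff5500ecc1dd4c630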
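--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'passrole_base_rule'
+
+class IamManagedPolicyPassRoleWildcardResourceRule < PassRoleBaseRule
+def rule_text
+'IAM managed policy should not allow a * resource with PassRole action'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F40'
+end
+
+def policy_type
+'AWS::IAM::ManagedPolicy'
+end
+end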
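--- a/data/lib/cfn-nag/custom_rules/IamPolicyPassRoleWildcardResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyPassRoleWildcardResourceRule.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'passrole_base_rule'
+
+class IamPolicyPassRoleWildcardResourceRule < PassRoleBaseRule
+def rule_text
+'IAM policy should not allow * resource with PassRole action'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F39'
+end
+
+def policy_type
+'AWS::IAM::Policy'
+end
+end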
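--- a/data/lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+require 'cfn-nag/util/wildcard_patterns'
+
+class IamRolePassRoleWildcardResourceRule < BaseRule
+IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map! { |x| 'iam:' + x } + ['*']
+
+def rule_text
+'IAM role should not allow * resource with PassRole action on its permissions policy'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F38'
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+violating_policies = role.policy_objects.select do |policy|
+violating_statements = policy.policy_document.statements.select do |statement|
+passrole_action?(statement) && wildcard_resource?(statement)
+end
+!violating_statements.empty?
+end
+!violating_policies.empty?
+end
+violating_roles.map(&:logical_resource_id)
+end
+
+private
+
+def passrole_action?(statement)
+statement.actions.find { |action| IAM_ACTION_PATTERNS.include? action }
+end
+
+def wildcard_resource?(statement)
+statement.resources.find { |resource| resource == '*' }
+end
+end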
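Review bot: `passrole_action?` (line 38) compares each action string byte-for-byte against IAM_ACTION_PATTERNS, but IAM matches action names case-insensitively, so a statement using `iam:passrole` or `IAM:PassRole` together with `Resource: '*'` grants the same permission yet is not reported by this rule. Normalising both sides closes the gap: `IAM_ACTION_PATTERNS = (wildcard_patterns('PassRole').map { |x| "iam:#{x}" } + ['*']).map(&:downcase).freeze` at line 8 and `statement.actions.find { |action| IAM_ACTION_PATTERNS.include?(action.to_s.downcase) }` at line 38; a glob comparison such as `File.fnmatch?(action, 'iam:PassRole', File::FNM_CASEFOLD)` would additionally cover inner wildcards like `iam:Pass*Role` that the enumerated list cannot. The constant and both predicates are duplicated verbatim in passrole_base_rule.rb (the +35 hunk), which has the identical gap, so this rule should inherit from PassRoleBaseRule or at least reuse its constant rather than keep a second copy that can drift. The `?`-named predicates return a String or nil rather than true/false, which works for the `&&` at line 26 but is worth noting in a comment if kept.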
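--- a/data/lib/cfn-nag/custom_rules/passrole_base_rule.rb
+++ b/data/lib/cfn-nag/custom_rules/passrole_base_rule.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+require 'cfn-nag/util/wildcard_patterns'
+
+class PassRoleBaseRule < BaseRule
+IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map { |pattern| 'iam:' + pattern } + ['*']
+
+def policy_type
+raise 'must implement in subclass'
+end
+
+def audit_impl(cfn_model)
+policies = cfn_model.resources_by_type(policy_type)
+
+violating_policies = policies.select do |policy|
+violating_statements = policy.policy_document.statements.select do |statement|
+passrole_action?(statement) && wildcard_resource?(statement)
+end
+!violating_statements.empty?
+end
+violating_policies.map(&:logical_resource_id)
+end
+
+private
+
+def passrole_action?(statement)
+statement.actions.find { |action| IAM_ACTION_PATTERNS.include? action }
+end
+
+def wildcard_resource?(statement)
+statement.resources.find { |resource| resource == '*' }
+end
+end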
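Review bot: PassRoleBaseRule carries no comment describing what a subclass must supply, and `policy_type` (line 10) signals the missing override with a bare `raise 'must implement in subclass'`, which surfaces as a generic RuntimeError indistinguishable from any other failure in the audit. A header comment above line 7 along the lines of `# Shared audit for IAM policy resources: subclasses supply policy_type (the CloudFormation resource type to scan) plus rule_id/rule_text/rule_type; a resource is reported when any statement pairs a PassRole action (or a wildcard covering it) with Resource '*'.` would document the contract, and `raise NotImplementedError, "#{self.class} must implement policy_type"` is the idiomatic signal. `IAM_ACTION_PATTERNS` at line 8 is a mutable constant and should be `.freeze`d.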
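--- a/data/lib/cfn-nag/util/wildcard_patterns.rb
+++ b/data/lib/cfn-nag/util/wildcard_patterns.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# Create array of wildcard patterns for a given input string
+
+def wildcard_patterns(input, pattern_types: %w[front back both])
+input_string = input.to_s
+results = [input_string]
+pattern_types.each do |pattern_type|
+case pattern_type
+when 'front'
+results += wildcard_front(input_string)
+when 'back'
+results += wildcard_back(input_string)
+when 'both'
+results += wildcard_front_back(input_string)
+else
+raise "no pattern of type: #{pattern_type}. Use one or more of: front, back, both"
+end
+end
+results + ['*']
+end
+
+private
+
+def wildcard_back(input_string, results = [], prepend: '')
+return results if input_string.empty?
+
+results << "#{prepend}#{input_string}*"
+wildcard_back(input_string.chop, results, prepend: prepend)
+end
+
+def wildcard_front(input_string, results = [])
+return results if input_string.empty?
+
+results << "*#{input_string}"
+wildcard_front(input_string[1..-1], results)
+end
+
+def wildcard_front_back(input_string, results = [])
+return results if input_string.empty?
+
+results += wildcard_back(input_string, prepend: '*')
+wildcard_front_back(input_string[1..-1], results)
+end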
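Review bot: The header comment at line 3 says only that an array of wildcard patterns is created, not what the array contains, and `private` at line 23 is a no-op for top-level `def`s (they are already private methods of Object), so `wildcard_back`, `wildcard_front` and `wildcard_front_back` land in every object's method table under generic names. Wrapping the file in a module with `module_function` and calling `WildcardPatterns.wildcard_patterns('PassRole')` from the two rule files would scope them; whichever form is kept, the doc comment should state the contract: the input is coerced with `to_s`, the result starts with the literal input, then for each requested type holds every non-empty suffix prefixed with `*` (front), every non-empty prefix suffixed with `*` (back), or every contiguous substring wrapped in `*` (both), and always ends with a bare `*`; an unknown type raises. The `results = []` defaults are safe here because Ruby evaluates default arguments on every call, which is worth a one-line comment since readers coming from other languages will suspect a shared-array bug.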
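--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.31
 platform: ruby
 authors:
 - Eric Kascic
@@ -186,16 +186,19 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
+- lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb
+- lib/cfn-nag/custom_rules/IamPolicyPassRoleWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
@@ -241,6 +244,7 @@ files:
 - lib/cfn-nag/custom_rules/WorkspacesWorkspaceEncryptionRule.rb
 - lib/cfn-nag/custom_rules/base.rb
 - lib/cfn-nag/custom_rules/boolean_base_rule.rb
+- lib/cfn-nag/custom_rules/passrole_base_rule.rb
 - lib/cfn-nag/custom_rules/password_base_rule.rb
 - lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
@@ -260,6 +264,7 @@ files:
 - lib/cfn-nag/util/enforce_reference_parameter.rb
 - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb
+- lib/cfn-nag/util/wildcard_patterns.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag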