cfn-nag 0.4.41 → 0.4.42
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb +26 -0
- data/lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb +32 -0
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb +12 -10
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb +12 -10
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: cf9086143d88b00f7108e8789779d2ef446fab7ebb704026bcc80003bdfc39c4
|
|
4
|
+
data.tar.gz: 6fb9e538518f2552bb9aa43797735ae42cad6e01f3b65a400c16557a4626a4fe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 305cf556e4aaa473311687388b96270cf52d5251317e95c80fd969d438128dd462f308471f581571583bbed8f3256f0cd9335bc70c7a67fcdd5896871d5de771
|
|
7
|
+
data.tar.gz: 3cccb913d3cc87dc4cbccf54b26e6085fb215c264c5ceccf45f8d7fd5920d68498ab027842e2a018823d9200fdf50166ed6a779f97bfe1af1228717cceb3e573
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class ApiGatewayAccessLoggingRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'ApiGateway should have access logging configured'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W45'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def audit_impl(cfn_model)
|
|
20
|
+
violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
|
|
21
|
+
deployment.stageDescription.nil? || deployment.stageDescription['AccessLogSetting'].nil?
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
violating_deployments.map(&:logical_resource_id)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class IamRoleElevatedManagedPolicyRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'IAM role should not have Elevated Managed policy'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W44'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def includes_elevated_policy(role)
|
|
20
|
+
role.managedPolicyArns.find do |policy|
|
|
21
|
+
policy.include?('arn:aws:iam::aws:policy/PowerUserAccess') ||
|
|
22
|
+
policy.include?('arn:aws:iam::aws:policy/IAMFullAccess')
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
def audit_impl(cfn_model)
|
|
27
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
28
|
+
includes_elevated_policy(role)
|
|
29
|
+
end
|
|
30
|
+
violating_roles.map(&:logical_resource_id)
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -22,24 +22,26 @@ class SecurityGroupEgressAllProtocolsRule < BaseRule
|
|
|
22
22
|
def audit_impl(cfn_model)
|
|
23
23
|
violating_security_groups = cfn_model.security_groups.select do |security_group|
|
|
24
24
|
violating_egresses = security_group.egresses.select do |egress|
|
|
25
|
-
|
|
26
|
-
egress.ipProtocol.to_i == -1
|
|
27
|
-
else
|
|
28
|
-
false
|
|
29
|
-
end
|
|
25
|
+
violating_egress(egress)
|
|
30
26
|
end
|
|
31
27
|
|
|
32
28
|
!violating_egresses.empty?
|
|
33
29
|
end
|
|
34
30
|
|
|
35
31
|
violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
|
|
36
|
-
|
|
37
|
-
standalone_egress.ipProtocol.to_i == -1
|
|
38
|
-
else
|
|
39
|
-
false
|
|
40
|
-
end
|
|
32
|
+
violating_egress(standalone_egress)
|
|
41
33
|
end
|
|
42
34
|
|
|
43
35
|
violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
|
|
44
36
|
end
|
|
37
|
+
|
|
38
|
+
private
|
|
39
|
+
|
|
40
|
+
def violating_egress(egress)
|
|
41
|
+
if egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)
|
|
42
|
+
egress.ipProtocol.to_i == -1
|
|
43
|
+
else
|
|
44
|
+
false
|
|
45
|
+
end
|
|
46
|
+
end
|
|
45
47
|
end
|
|
@@ -22,24 +22,26 @@ class SecurityGroupIngressAllProtocolsRule < BaseRule
|
|
|
22
22
|
def audit_impl(cfn_model)
|
|
23
23
|
violating_security_groups = cfn_model.security_groups.select do |security_group|
|
|
24
24
|
violating_ingresses = security_group.ingresses.select do |ingress|
|
|
25
|
-
|
|
26
|
-
ingress.ipProtocol.to_i == -1
|
|
27
|
-
else
|
|
28
|
-
false
|
|
29
|
-
end
|
|
25
|
+
violating_ingress(ingress)
|
|
30
26
|
end
|
|
31
27
|
|
|
32
28
|
!violating_ingresses.empty?
|
|
33
29
|
end
|
|
34
30
|
|
|
35
31
|
violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
|
|
36
|
-
|
|
37
|
-
standalone_ingress.ipProtocol.to_i == -1
|
|
38
|
-
else
|
|
39
|
-
false
|
|
40
|
-
end
|
|
32
|
+
violating_ingress(standalone_ingress)
|
|
41
33
|
end
|
|
42
34
|
|
|
43
35
|
violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
|
|
44
36
|
end
|
|
37
|
+
|
|
38
|
+
private
|
|
39
|
+
|
|
40
|
+
def violating_ingress(ingress)
|
|
41
|
+
if ingress.ipProtocol.is_a?(Integer) || ingress.ipProtocol.is_a?(String)
|
|
42
|
+
ingress.ipProtocol.to_i == -1
|
|
43
|
+
else
|
|
44
|
+
false
|
|
45
|
+
end
|
|
46
|
+
end
|
|
45
47
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.42
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-10-
|
|
11
|
+
date: 2019-10-31 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -171,6 +171,7 @@ files:
|
|
|
171
171
|
- lib/cfn-nag/cli_options.rb
|
|
172
172
|
- lib/cfn-nag/custom_rule_loader.rb
|
|
173
173
|
- lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
|
|
174
|
+
- lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
|
|
174
175
|
- lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
|
|
175
176
|
- lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
|
|
176
177
|
- lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
|
|
@@ -196,6 +197,7 @@ files:
|
|
|
196
197
|
- lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
|
|
197
198
|
- lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
|
|
198
199
|
- lib/cfn-nag/custom_rules/IamRoleAdministratorAccessPolicyRule.rb
|
|
200
|
+
- lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb
|
|
199
201
|
- lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
|
|
200
202
|
- lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
|
|
201
203
|
- lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
|