cfn-nag 0.4.41 → 0.4.42
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb +26 -0
- data/lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb +32 -0
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb +12 -10
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb +12 -10
- metadata +4 -2
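--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: cf9086143d88b00f7108e8789779d2ef446fab7ebb704026bcc80003bdfc39c4
+data.tar.gz: 6fb9e538518f2552bb9aa43797735ae42cad6e01f3b65a400c16557a4626a4fe
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 305cf556e4aaa473311687388b96270cf52d5251317e95c80fd969d438128dd462f308471f581571583bbed8f3256f0cd9335bc70c7a67fcdd5896871d5de771
+data.tar.gz: 3cccb913d3cc87dc4cbccf54b26e6085fb215c264c5ceccf45f8d7fd5920d68498ab027842e2a018823d9200fdf50166ed6a779f97bfe1af1228717cceb3e573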
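--- a/data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
+++ b/data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ApiGatewayAccessLoggingRule < BaseRule
+def rule_text
+'ApiGateway should have access logging configured'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W45'
+end
+
+def audit_impl(cfn_model)
+violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
+deployment.stageDescription.nil? || deployment.stageDescription['AccessLogSetting'].nil?
+end
+
+violating_deployments.map(&:logical_resource_id)
+end
+end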
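Review bot: The check at new line 21 only inspects StageDescription on AWS::ApiGateway::Deployment, so a template that configures access logging on a separate AWS::ApiGateway::Stage resource (which carries its own AccessLogSetting property) is still reported, and a deployment with no StageDescription at all — the usual shape when stages are declared separately — is always flagged. Consider skipping deployments that are referenced by an AWS::ApiGateway::Stage with AccessLogSetting set, or at least record the limitation in a class comment such as `# Only StageDescription.AccessLogSetting is inspected; access logging set on an AWS::ApiGateway::Stage resource is not seen by this rule.`. If stageDescription can be an intrinsic-function hash rather than a plain property hash, `['AccessLogSetting']` on it returns nil and the deployment is flagged as well; worth confirming against the model.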
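--- a/data/lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class IamRoleElevatedManagedPolicyRule < BaseRule
+def rule_text
+'IAM role should not have Elevated Managed policy'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W44'
+end
+
+def includes_elevated_policy(role)
+role.managedPolicyArns.find do |policy|
+policy.include?('arn:aws:iam::aws:policy/PowerUserAccess') ||
+policy.include?('arn:aws:iam::aws:policy/IAMFullAccess')
+end
+end
+
+def audit_impl(cfn_model)
+violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+includes_elevated_policy(role)
+end
+violating_roles.map(&:logical_resource_id)
+end
+end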
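Review bot: The matches at new lines 21–22 are pinned to the `arn:aws:` partition, so the same AWS-managed policies attached in the aws-cn or aws-us-gov partitions (for example `arn:aws-cn:iam::aws:policy/PowerUserAccess`) are silently missed. Matching on the partition-independent tail closes that gap: `ELEVATED_POLICIES = %w[:iam::aws:policy/PowerUserAccess :iam::aws:policy/IAMFullAccess].freeze` and `role.managedPolicyArns.any? { |policy| ELEVATED_POLICIES.any? { |tail| policy.to_s.include?(tail) } }`. `includes_elevated_policy` is a predicate used only by audit_impl, so a `?` suffix and a `private` marker would match the convention the SecurityGroup rules in this same release adopt. If managedPolicyArns entries can be intrinsic-function hashes rather than strings, `include?` on a Hash tests keys rather than the ARN text and such entries are never reported; worth confirming against the model.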
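--- a/data/lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
@@ -22,24 +22,26 @@ class SecurityGroupEgressAllProtocolsRule < BaseRule
 def audit_impl(cfn_model)
 violating_security_groups = cfn_model.security_groups.select do |security_group|
 violating_egresses = security_group.egresses.select do |egress|
-
-egress.ipProtocol.to_i == -1
-else
-false
-end
+violating_egress(egress)
 end
 
 !violating_egresses.empty?
 end
 
 violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
-
-standalone_egress.ipProtocol.to_i == -1
-else
-false
-end
+violating_egress(standalone_egress)
 end
 
 violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
 end
+
+private
+
+def violating_egress(egress)
+if egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)
+egress.ipProtocol.to_i == -1
+else
+false
+end
+end
 end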
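Review bot: `violating_egress` at new lines 40–46 is a predicate, so by Ruby convention it should be named `violating_egress?`, and the `if … else false end` collapses to one expression: `(egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)) && egress.ipProtocol.to_i == -1`. The same applies to `violating_ingress` in SecurityGroupIngressAllProtocolsRule.rb in this release. Note that `String#to_i` is lenient (`'-1x'.to_i` is -1), so a malformed IpProtocol string is reported as all-protocols rather than rejected; erring toward flagging is reasonable for a lint rule, but it deserves a comment such as `# to_i is lenient: any string that parses to -1 is treated as "all protocols"` so the behaviour is not mistaken for an oversight.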
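--- a/data/lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupIngressAllProtocolsRule.rb
@@ -22,24 +22,26 @@ class SecurityGroupIngressAllProtocolsRule < BaseRule
 def audit_impl(cfn_model)
 violating_security_groups = cfn_model.security_groups.select do |security_group|
 violating_ingresses = security_group.ingresses.select do |ingress|
-
-ingress.ipProtocol.to_i == -1
-else
-false
-end
+violating_ingress(ingress)
 end
 
 !violating_ingresses.empty?
 end
 
 violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
-
-standalone_ingress.ipProtocol.to_i == -1
-else
-false
-end
+violating_ingress(standalone_ingress)
 end
 
 violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
 end
+
+private
+
+def violating_ingress(ingress)
+if ingress.ipProtocol.is_a?(Integer) || ingress.ipProtocol.is_a?(String)
+ingress.ipProtocol.to_i == -1
+else
+false
+end
+end
 end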
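--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.42
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-
+date: 2019-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -171,6 +171,7 @@ files:
 - lib/cfn-nag/cli_options.rb
 - lib/cfn-nag/custom_rule_loader.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
+- lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
 - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
@@ -196,6 +197,7 @@ files:
 - lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamRoleAdministratorAccessPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb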