cfn-nag 0.5.33 → 0.5.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. checksums.yaml +4 -4
  2. data/lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb +41 -0
  3. metadata +3 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: d26301e0a7300e00b20d5e36cbea860498138a5a6b58b11700de040221820c22
4
- data.tar.gz: f31fd4913ebade626ac34ff207fffb3d1c2fc3203a24ea08cebd860505156685
3
+ metadata.gz: e1deb828110ef98e15fcffe2c1f3645fcb35570a40d37b85178361c31e015218
4
+ data.tar.gz: c721f2801a1d26453df7ade776dcfea8cca18970176dff171e7348a29bb5cc1e
5
5
  SHA512:
6
- metadata.gz: e908b0a203b5722fb5d3131d9d3f27361d14a6bba959a7cd7f00a755d70d472583743c9258e7fe695eda3ee9c107e946e9e1ef5072e2dfa4c34533da1eecf98e
7
- data.tar.gz: eb0ee9d5cba3dd1eb202d0c5be20c5b1b4a83ca25a6142b208d0898f1c66e69f3b010a493f89da9324e15a9071c264e1099a99d23372823a9bc28ae11477fd8b
6
+ metadata.gz: e3e088f5addf8a9372ba584f9bcbbe15b89c94419577c9c546e84fa20967107b5da2ded0a6cd4edf5894e65656a084a2aee3d7290499cab1586877049454ca78
7
+ data.tar.gz: 907006ecef680f5f3d971c4396cf6f5fa58c379f8dd9e6206f70090a69fd3a08f2072916ed51a29f6c0c2ea280c2af831ceec5b9bd069c805dcba73540d77731
data/lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb ADDED
@@ -0,0 +1,41 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+
6
+ class CloudfrontMinimumProtocolVersionRule < BaseRule
7
+ def rule_text
8
+ 'Cloudfront should use minimum protocol version TLS 1.2'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::WARNING
13
+ end
14
+
15
+ def rule_id
16
+ 'W70'
17
+ end
18
+
19
+ def audit_impl(cfn_model)
20
+ violating_distributions = cfn_model.resources_by_type('AWS::CloudFront::Distribution')
21
+ .select do |dist|
22
+ dist.distributionConfig['ViewerCertificate'].nil? || tls_version?(dist.distributionConfig['ViewerCertificate'])
23
+ end
24
+
25
+ violating_distributions.map(&:logical_resource_id)
26
+ end
27
+
28
+ private
29
+
30
+ def tls_version?(viewer_certificate)
31
+ cert_has_bad_tls_version?(viewer_certificate) || override_tls_config?(viewer_certificate)
32
+ end
33
+
34
+ def cert_has_bad_tls_version?(viewer_certificate)
35
+ viewer_certificate['MinimumProtocolVersion'].nil? || viewer_certificate['MinimumProtocolVersion'] != 'TLSv1.2_2018'
36
+ end
37
+
38
+ def override_tls_config?(viewer_certificate)
39
+ !viewer_certificate['CloudFrontDefaultCertificate'].nil? && viewer_certificate['CloudFrontDefaultCertificate']
40
+ end
41
+ end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.33
4
+ version: 0.5.34
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-03-27 00:00:00.000000000 Z
11
+ date: 2020-04-08 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -191,6 +191,7 @@ files:
191
191
  - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
192
192
  - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
193
193
  - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
194
+ - lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb
194
195
  - lib/cfn-nag/custom_rules/CodeBuildEncryptionKeyRule.rb
195
196
  - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
196
197
  - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb