cfn-nag 0.5.60 → 0.6.3
- checksums.yaml +4 -4
- data/bin/spcm_scan +69 -0
- data/lib/cfn-nag/cfn_nag.rb +1 -0
- data/lib/cfn-nag/cfn_nag_config.rb +4 -1
- data/lib/cfn-nag/cfn_nag_executor.rb +22 -1
- data/lib/cfn-nag/cli_options.rb +18 -0
- data/lib/cfn-nag/custom_rule_loader.rb +23 -72
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb +3 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb +2 -1
- data/lib/cfn-nag/custom_rules/SPCMRule.rb +66 -0
- data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb +4 -3
- data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb +85 -0
- data/lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb +45 -0
- data/lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb +11 -0
- data/lib/cfn-nag/iam_complexity_metric/spcm.rb +79 -0
- data/lib/cfn-nag/iam_complexity_metric/statement_metric.rb +104 -0
- data/lib/cfn-nag/iam_complexity_metric/weights.rb +22 -0
- data/lib/cfn-nag/metadata.rb +78 -0
- metadata +15 -5
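--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a047f25fcc08c4ddfa4b199b36e48332c8ea6bbd10ed613513532274ea4f9738
+data.tar.gz: 41fa094e3c0d2d532c34323ec132dba428e9c4002253a6d5c44595eff095358a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0f8e7154c41e611348f2d749a7bcb54d265b9a0f2c07b66e746282a26913e125b6204e61eb1e6e469db339e643fd3ae4550cb67a53b0944961fb3ec5b2fbd549
+data.tar.gz: b8d9680b8b57594013136ef30f3bff151b12b84884fcdb8017462236cd0b3d739f45045927c579510c10473dd930debb3a7579d1e8d918c3fd146bbfd6757635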
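--- a/data/bin/spcm_scan
+++ b/data/bin/spcm_scan
@@ -0,0 +1,69 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'cfn-nag/iam_complexity_metric/spcm'
+require 'cfn-nag/iam_complexity_metric/html_results_renderer'
+require 'optimist'
+require 'json'
+
+# rubocop:disable Metrics/BlockLength
+opts = Optimist.options do
+opt :parameter_values_path,
+'Path to a JSON file to pull Parameter values from',
+type: :string,
+required: false,
+default: nil
+opt :condition_values_path,
+'Path to a JSON file to pull Condition values from',
+type: :string,
+required: false,
+default: nil
+opt :input_path,
+'CloudFormation template to measure SPCM on or directory of templates.',
+type: :string,
+required: true
+opt :template_pattern,
+'Within the --input-path, match files to scan against this regular expression',
+type: :string,
+required: false,
+default: '..*\.json|..*\.yaml|..*\.yml|..*\.template'
+opt :ignore_templates_without_iam,
+'Within the --input-path ignore files without IAM role/policy resources',
+type: :boolean,
+required: false,
+default: true
+opt :output_format,
+'Format of results: [json, html]',
+type: :string,
+default: 'json'
+end
+# rubocop:enable Metrics/BlockLength
+
+def read_conditionally(path)
+unless path.nil?
+IO.read(path)
+end
+end
+
+parameter_values_string = read_conditionally(opts[:parameter_values_path])
+
+condition_values_string = read_conditionally(opts[:condition_values_path])
+
+metrics = SPCM.new.aggregate_metrics(
+input_path: opts[:input_path],
+parameter_values_path: parameter_values_string,
+condition_values_path: condition_values_string,
+template_pattern: opts[:template_pattern]
+)
+
+if opts[:ignore_templates_without_iam]
+metrics = metrics.select do |metric|
+metric[:file_results]['AWS::IAM::Role'] != {} || metric[:file_results]['AWS::IAM::Policy'] != {}
+end
+end
+
+if opts[:output_format] == 'json'
+puts JSON.generate(metrics)
+else
+puts HtmlRenderer.new.render(results: metrics)
+end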
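--- a/data/lib/cfn-nag/cfn_nag.rb
+++ b/data/lib/cfn-nag/cfn_nag.rb
@@ -87,6 +87,7 @@ class CfnNag
 parameter_values_string,
 true,
 condition_values_string
+CustomRuleLoader.rule_arguments = @config.rule_arguments
 violations += @config.custom_rule_loader.execute_custom_rules(
 cfn_model,
 @config.custom_rule_loader.rule_definitions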
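Review bot: The added line writes one `CfnNag` instance's config into `CustomRuleLoader.rule_arguments`, a class-level attribute, so every loader in the process sees whatever config was written last and two `CfnNag` objects built with different `rule_arguments` (or audits running on separate threads) will leak arguments into each other's rules. The config already owns a loader instance (`@config.custom_rule_loader` on the next line), so the hash could travel on that instance instead, e.g. `@config.custom_rule_loader.rule_arguments = @config.rule_arguments` backed by an instance-level accessor in the loader. The method enclosing this hunk starts outside it.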
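--- a/data/lib/cfn-nag/cfn_nag_config.rb
+++ b/data/lib/cfn-nag/cfn_nag_config.rb
@@ -9,7 +9,8 @@ class CfnNagConfig
 print_suppression: false,
 isolate_custom_rule_exceptions: false,
 fail_on_warnings: false,
-rule_repository_definitions: []
+rule_repository_definitions: [],
+rule_arguments: {})
 @rule_directory = rule_directory
 @custom_rule_loader = CustomRuleLoader.new(
 rule_directory: rule_directory,
@@ -22,9 +23,11 @@ class CfnNagConfig
 @blacklist_definition = blacklist_definition
 @fail_on_warnings = fail_on_warnings
 @rule_repositories = rule_repositories
+@rule_arguments = rule_arguments
 end
 # rubocop:enable Metrics/ParameterLists
 
+attr_reader :rule_arguments
 attr_reader :rule_directory
 attr_reader :custom_rule_loader
 attr_reader :profile_definition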
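Review bot: `attr_reader :rule_arguments` is the only place a reader of this class learns the new keyword exists, and nothing says what the hash holds or that it is deliberately not handed to the `CustomRuleLoader.new(...)` built a few lines below it. A one-line comment above the reader would close that gap: `# name => value pairs; CustomRuleLoader assigns each to any rule exposing a matching "name=" setter`. It is also worth stating there that the hash reaches rules only through the class-level `CustomRuleLoader.rule_arguments=` assignment made elsewhere in this diff, since that is invisible from this file. `initialize` starts outside the first hunk.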
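--- a/data/lib/cfn-nag/cfn_nag_executor.rb
+++ b/data/lib/cfn-nag/cfn_nag_executor.rb
@@ -11,6 +11,7 @@ class CfnNagExecutor
 @parameter_values_string = nil
 @condition_values_string = nil
 @rule_repository_definitions = []
+@rule_arguments_string = nil
 end
 
 def scan(options_type:)
@@ -77,6 +78,12 @@ class CfnNagExecutor
 Optimist.die(:output_format,
 'Must be colortxt, txt, or json')
 end
+
+opts[:rule_arguments]&.each do |rule_argument|
+unless rule_argument.include?(':')
+Optimist.die(:rule_arguments, 'Must be of form name:value')
+end
+end
 end
 
 def execute_io_options(opts)
@@ -88,6 +95,8 @@ class CfnNagExecutor
 
 @condition_values_string = read_conditionally(opts[:condition_values_path])
 
+@rule_arguments_string = read_conditionally(opts[:rule_arguments_path])
+
 opts[:rule_repository]&.each do |rule_repository|
 @rule_repository_definitions << IO.read(rule_repository)
 end
@@ -99,6 +108,17 @@ class CfnNagExecutor
 end
 end
 
+def merge_rule_arguments(opts)
+rule_arguments = {}
+rule_arguments = JSON.parse(@rule_arguments_string) if @rule_arguments_string
+opts[:rule_arguments]&.each do |rule_argument|
+name = rule_argument.split(':')[0]
+value = rule_argument.split(':')[1]
+rule_arguments[name] = value
+end
+rule_arguments
+end
+
 def cfn_nag_config(opts)
 CfnNagConfig.new(
 profile_definition: @profile_definition,
@@ -108,7 +128,8 @@ class CfnNagExecutor
 print_suppression: opts[:print_suppression],
 isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
 fail_on_warnings: opts[:fail_on_warnings],
-rule_repository_definitions: @rule_repository_definitions
+rule_repository_definitions: @rule_repository_definitions,
+rule_arguments: merge_rule_arguments(opts)
 )
 end
 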
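Review bot: `merge_rule_arguments` splits each `--rule-arguments` entry with `split(':')` and keeps only element 1, so a value that itself contains a colon (an ARN, a URL, a `key:value` pattern) is silently truncated to its first segment; `name, value = rule_argument.split(':', 2)` keeps the remainder intact. The `include?(':')` check in the validation hunk still admits `:foo` and `foo:`, i.e. an empty name or a nil value, and a `--rule-arguments-path` file whose top-level JSON is an array rather than an object makes the later `rule_arguments[name] = value` fail with a backtrace instead of a usage message — `Optimist.die(:rule_arguments_path, 'Must be a JSON object') unless rule_arguments.is_a?(Hash)` right after the `JSON.parse` would cover that. The method is also undocumented; a header such as `# CLI name:value pairs override entries loaded from --rule-arguments-path` states the precedence the code implements. `scan` and `execute_io_options` both start outside their hunks.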
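--- a/data/lib/cfn-nag/cli_options.rb
+++ b/data/lib/cfn-nag/cli_options.rb
@@ -91,6 +91,15 @@ class Options
 'Path(s) to a rule repository to include in rule discovery',
 type: :strings,
 required: false
+opt :rule_arguments,
+'Rule arguments to inject into interested rules',
+type: :strings,
+required: false
+opt :rule_arguments_path,
+'Path to a rule arguments to inject into interested rules',
+type: :string,
+required: false,
+default: nil
 end
 end
 
@@ -175,6 +184,15 @@ class Options
 'Path(s)s to rule repository to include in rule discovery',
 type: :strings,
 required: false
+opt :rule_arguments,
+'Rule arguments to inject into interested rules',
+type: :strings,
+required: false
+opt :rule_arguments_path,
+'Path to a rule arguments to inject into interested rules',
+type: :string,
+required: false,
+default: nil
 end
 end
 # rubocop:enable Metrics/BlockLength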
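Review bot: The help text for the two new options never tells the user the shape the executor enforces — entries must be `name:value` and the path must point at a JSON file, judging by the `Optimist.die(:rule_arguments, 'Must be of form name:value')` check and the `JSON.parse` in cfn_nag_executor.rb elsewhere in this diff — and 'Path to a rule arguments to inject' reads as a typo. Suggest `'Rule arguments (name:value) to inject into rules that expose a matching setter'` and `'Path to a JSON file of name/value rule arguments to inject into rules that expose a matching setter'`. The same two declarations are duplicated verbatim in both option blocks; hoisting the strings into a constant would keep the two blocks from drifting apart.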
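--- a/data/lib/cfn-nag/custom_rule_loader.rb
+++ b/data/lib/cfn-nag/custom_rule_loader.rb
@@ -7,12 +7,22 @@ require_relative 'rule_repos/file_based_rule_repo'
 require_relative 'rule_repos/gem_based_rule_repo'
 require_relative 'rule_repos/s3_based_rule_repo'
 require_relative 'rule_repository_loader'
+require_relative 'metadata'
 
 ##
 # This object can discover the internal and custom user-provided rules and
 # apply these rules to a CfnModel object
 #
 class CustomRuleLoader
+include Metadata
+
+# k,v for injection into rules that can respond to k
+@rule_arguments = {}
+
+class << self
+attr_accessor :rule_arguments
+end
+
 def initialize(rule_directory: nil,
 allow_suppression: true,
 print_suppression: false,
@@ -58,6 +68,14 @@ class CustomRuleLoader
 
 private
 
+def inject_rule_arguments_into_rule(rule)
+self.class.rule_arguments.each do |rule_argument_name, rule_argument_value|
+if rule.respond_to?("#{rule_argument_name}=".to_sym)
+rule.send "#{rule_argument_name}=".to_sym, rule_argument_value
+end
+end
+end
+
 # rubocop:disable Style/RedundantBegin
 def filter_rule_classes(cfn_model, violations, rules_registry)
 rules_registry.rule_classes.each do |rule_class|
@@ -65,9 +83,12 @@ class CustomRuleLoader
 filtered_cfn_model = cfn_model_with_suppressed_resources_removed(
 cfn_model: cfn_model,
 rule_id: rule_class.new.rule_id,
-allow_suppression: @allow_suppression
+allow_suppression: @allow_suppression,
+print_suppression: @print_suppression
 )
-
+rule = rule_class.new
+inject_rule_arguments_into_rule(rule)
+audit_result = rule.audit(filtered_cfn_model)
 violations << audit_result unless audit_result.nil?
 rescue ScriptError, StandardError => rule_error
 raise rule_error unless @isolate_custom_rule_exceptions
@@ -77,74 +98,4 @@ class CustomRuleLoader
 end
 end
 # rubocop:enable Style/RedundantBegin
-
-def rules_to_suppress(resource)
-if resource.metadata &&
-resource.metadata['cfn_nag'] &&
-resource.metadata['cfn_nag']['rules_to_suppress']
-
-resource.metadata['cfn_nag']['rules_to_suppress']
-end
-end
-
-def collect_mangled_metadata(cfn_model)
-mangled_metadatas = []
-cfn_model.resources.each do |logical_resource_id, resource|
-resource_rules_to_suppress = rules_to_suppress resource
-next if resource_rules_to_suppress.nil?
-
-mangled_rules = resource_rules_to_suppress.select do |rule_to_suppress|
-rule_to_suppress['id'].nil?
-end
-unless mangled_rules.empty?
-mangled_metadatas << [logical_resource_id, mangled_rules]
-end
-end
-mangled_metadatas
-end
-
-# XXX given mangled_metadatas is never used or returned,
-# STDERR emit can be moved to unless block
-def validate_cfn_nag_metadata(cfn_model)
-mangled_metadatas = collect_mangled_metadata(cfn_model)
-mangled_metadatas.each do |mangled_metadata|
-logical_resource_id = mangled_metadata.first
-mangled_rules = mangled_metadata[1]
-
-STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression " \
-"rule id: #{mangled_rules}"
-end
-end
-
-def suppress_resource?(rules_to_suppress, rule_id, logical_resource_id)
-found_suppression_rule = rules_to_suppress.find do |rule_to_suppress|
-next if rule_to_suppress['id'].nil?
-
-rule_to_suppress['id'] == rule_id
-end
-if found_suppression_rule && @print_suppression
-message = "Suppressing #{rule_id} on #{logical_resource_id} for " \
-"reason: #{found_suppression_rule['reason']}"
-STDERR.puts message
-end
-!found_suppression_rule.nil?
-end
-
-def cfn_model_with_suppressed_resources_removed(cfn_model:,
-rule_id:,
-allow_suppression:)
-return cfn_model unless allow_suppression
-
-cfn_model = cfn_model.copy
-
-cfn_model.resources.delete_if do |logical_resource_id, resource|
-rules_to_suppress = rules_to_suppress resource
-if rules_to_suppress.nil?
-false
-else
-suppress_resource?(rules_to_suppress, rule_id, logical_resource_id)
-end
-end
-cfn_model
-end
 end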
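Review bot: `inject_rule_arguments_into_rule` builds a setter name from an operator-supplied string and dispatches it with `send`, which ignores visibility, while the `respond_to?` guard just above it (called without `include_all`) only vouched for public methods; `rule.public_send("#{rule_argument_name}=", rule_argument_value)` makes the call match the check and keeps private setters on a rule out of reach. An argument name no loaded rule responds to is dropped without a word, so a mistyped `--rule-arguments` key changes nothing and nobody is told; a STDERR warning for keys that matched no rule would surface that. `filter_rule_classes` now instantiates each rule twice — `rule_class.new.rule_id` inside the suppression call and `rule = rule_class.new` just after it — so building `rule` first and passing `rule.rule_id` would drop one construction per rule. The removed suppression helpers presumably now live in the `Metadata` module pulled in by `include Metadata` (metadata.rb is not shown here), and `filter_rule_classes` spans the last three hunks.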
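--- a/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
@@ -5,8 +5,8 @@ require_relative 'sub_property_with_list_password_base_rule'
 
 class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
 def rule_text
-'AmazonMQ Broker Users Password must not be a plaintext ' \
-'
+'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type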
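--- a/data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 
 class AmplifyAppAccessTokenRule < PasswordBaseRule
 def rule_text
 'Amplify App AccessToken must not be a plaintext string ' \
-'or a Ref to a
+'or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type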
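--- a/data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 
 class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
 def rule_text
 'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
-'or a Ref to a
+'or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type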
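--- a/data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 
 class AmplifyAppOauthTokenRule < PasswordBaseRule
 def rule_text
 'Amplify App OauthToken must not be a plaintext string ' \
-'or a Ref to a
+'or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type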
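--- a/data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 
 class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
 def rule_text
 'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
-'string or a Ref to a
+'string or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type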
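--- a/data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
 
 class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
 def rule_text
 'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
-'must not be a plaintext string or a Ref to a
-'with a Default value.'
+'must not be a plaintext string or a Ref to a Parameter ' \
+'with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type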
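--- a/data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
+++ b/data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 
 class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
 def rule_text
 'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
-'a plaintext string or a Ref to a
+'a plaintext string or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type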
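--- a/data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 
 class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
 def rule_text
 'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
-'or a Ref to a
+'or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type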
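--- a/data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 
 class DMSEndpointPasswordRule < PasswordBaseRule
 def rule_text
 'DMS Endpoint password must not be a plaintext string ' \
-'or a Ref to a
+'or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
 end
 
 def rule_type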
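--- a/data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
 
 class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
 def rule_text
 'Directory Service Microsoft AD password must not be a plaintext string ' \
-'or a Ref to a
+'or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
 end
 
 def rule_type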
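--- a/data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
 
 class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule
 def rule_text
 'DirectoryService SimpleAD password must not be a plaintext string ' \
-'or a Ref to a
+'or a Ref to a Parameter with a Default value. ' \
+'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
 end
 
 def rule_type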