RubyGems - cfn-nag - Versions diffs - 0.5.60 → 0.6.3 - Mend

cfn-nag 0.5.60 → 0.6.3

Files changed (53) hide show

data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class DocDBDBClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'DocDB DB Cluster master user password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class EMRClusterKerberosAttributesADDomainJoinPasswordRule < PasswordBaseRule
   def rule_text
     'EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a ' \
-    'plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+    'plaintext string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb CHANGED

@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
 class EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule < PasswordBaseRule
   def rule_text
     'EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must ' \
-    'not be a plaintext string or a Ref to a NoEcho Parameter with a ' \
-    'Default value.'
+    'not be a plaintext string or a Ref to a Parameter with a ' \
+    'Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class EMRClusterKerberosAttributesKdcAdminPasswordRule < PasswordBaseRule
   def rule_text
     'EMR Cluster KerberosAttributes KdcAdmin Password must not be a ' \
-    'plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+    'plaintext string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class ElastiCacheReplicationGroupAuthTokenRule < PasswordBaseRule
   def rule_text
     'ElastiCache ReplicationGroup AuthToken must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class IAMUserLoginProfilePasswordRule < PasswordBaseRule
   def rule_text
     'IAM User LoginProfile Password must not be a plaintext string or ' \
-    'a Ref to a NoEcho Parameter with a Default value.'
+    'a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb CHANGED

@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
 class KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule < PasswordBaseRule
   def rule_text
     'Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password ' \
-    'must not be a plaintext string or a Ref to a NoEcho Parameter with a ' \
-    'Default value.'
+    'must not be a plaintext string or a Ref to a Parameter with a ' \
+    'Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb CHANGED

@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
 class KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule < PasswordBaseRule
   def rule_text
     'Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken ' \
-    'must not be a plaintext string or a Ref to a NoEcho Parameter with a ' \
-    'Default value.'
+    'must not be a plaintext string or a Ref to a Parameter with a ' \
+    'Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class LambdaPermissionEventSourceTokenRule < PasswordBaseRule
   def rule_text
     'Lambda Permission EventSourceToken must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class OpsWorksAppAppSourcePasswordRule < PasswordBaseRule
   def rule_text
     'OpsWorks App AppSource Password must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.' \
+    'string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class OpsWorksAppSslConfigurationPrivateKeyRule < PasswordBaseRule
   def rule_text
     'OpsWorks App SslConfiguration PrivateKey must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.' \
+    'string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class OpsWorksStackCustomCookbooksSourcePasswordRule < PasswordBaseRule
   def rule_text
     'OpsWorks Stack CustomCookbooksSource Password must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.' \
+    'string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb CHANGED

@@ -5,8 +5,9 @@ require_relative 'sub_property_with_list_password_base_rule'
 class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
   def rule_text
-    'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.' \
+    'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string '\
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSChannel PrivateKey must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSSandboxChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSSandboxChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipSandboxChannelPrivateKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.'
+    'string or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class PinpointAPNSVoipSandboxChannelTokenKeyRule < PasswordBaseRule
   def rule_text
     'Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class RDSDBClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'RDS DB Cluster master user password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class RDSDBInstanceMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'RDS instance master user password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb CHANGED

@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
 class RDSDBInstanceMasterUsernameRule < PasswordBaseRule
   def rule_text
     'RDS instance master username must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb CHANGED

@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class RedshiftClusterMasterUserPasswordRule < PasswordBaseRule
   def rule_text
     'Redshift Cluster master user password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value.  ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
   def rule_type

data/lib/cfn-nag/custom_rules/SPCMRule.rb ADDED

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/iam_complexity_metric/spcm'
+require_relative 'base'
+class SPCMRule < BaseRule
+  attr_accessor :spcm_threshold
+  DEFAULT_THRESHOLD = 25
+  def rule_text
+    "SPCM for IAM policy document is higher than #{spcm_threshold || DEFAULT_THRESHOLD}"
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W76'
+  end
+  def audit_impl(cfn_model)
+    logical_resource_ids = []
+    begin
+      policy_documents = SPCM.new.metric_impl(cfn_model)
+    rescue StandardError => catch_all_exception
+      puts "Experimental SPCM rule is failing. Please report #{catch_all_exception} with the violating template"
+      policy_documents = {}
+    end
+    threshold = spcm_threshold.nil? ? DEFAULT_THRESHOLD : spcm_threshold.to_i
+    logical_resource_ids += violating_policy_resources(policy_documents, threshold)
+    logical_resource_ids += violating_role_resources(policy_documents, threshold)
+    logical_resource_ids
+  end
+  private
+  def violating_role_resources(policy_documents, threshold)
+    logical_resource_ids = []
+    # unfortunately the line numbers will break if we don't return
+    # the logical resource id - so there isn't a good way to communicate
+    # the specific policy within the role that is offending
+    policy_documents['AWS::IAM::Role'].each do |logical_resource_id, policies|
+      policies.each do |_, metric|
+        if metric >= threshold
+          logical_resource_ids << logical_resource_id
+        end
+      end
+    end
+    logical_resource_ids
+  end
+  def violating_policy_resources(policy_documents, threshold)
+    logical_resource_ids = []
+    policy_documents['AWS::IAM::Policy'].each do |logical_resource_id, metric|
+      if metric >= threshold
+        logical_resource_ids << logical_resource_id
+      end
+    end
+    logical_resource_ids
+  end
+end

data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb CHANGED

@@ -5,15 +5,16 @@ require_relative 'boolean_base_rule'
 class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
   def rule_text
-    'Secrets Manager Secret should explicitly specify KmsKeyId'
+    'Secrets Manager Secret should explicitly specify KmsKeyId.' \
+    ' Besides control of the key this will allow the secret to be shared cross-account'
   end
   def rule_type
-    Violation::FAILING_VIOLATION
+    Violation::WARNING
   end
   def rule_id
-    'F81'
+    'W77'
   end
   def resource_type

data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb ADDED

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+require_relative 'weights'
+require 'set'
+class ConditionMetric
+  include Weights
+  # rubocop:disable Metrics/AbcSize
+  def metric(statement)
+    return 0 if statement.condition.nil?
+    aggregate = 0
+    aggregate += statement.condition.size * weights[:Condition]
+    aggregate += confusing_value_operators(statement.condition)
+    aggregate += if_exists_operators(statement.condition)
+    aggregate += weights[:Null] if null_operator?(statement.condition)
+    aggregate += values_with_policy_tags(statement.condition)
+    aggregate
+  end
+  # rubocop:enable Metrics/AbcSize
+  private
+  def values_with_policy_tags(conditions)
+    all_values(conditions).reduce(0) do |aggregate, value|
+      aggregate + (contains_policy_tag?(value) ? weights[:PolicyVariables] : 0)
+    end
+  end
+  def contains_policy_tag?(value)
+    strip_special_characters(value).match(/.*\$\{.+\}.*/)
+  end
+  def strip_special_characters(value)
+    special_characters.each do |special_character|
+      value = value.gsub("${#{special_character}}", '')
+    end
+    value
+  end
+  def all_values(conditions)
+    result = []
+    conditions.each do |_, expression|
+      expression.each do |_, value|
+        if value.is_a? String
+          result << value
+        elsif value.is_a? Array
+          result += value
+        end
+      end
+    end
+    result
+  end
+  def special_characters
+    %w[$ * ?]
+  end
+  def null_operator?(conditions)
+    conditions.find { |operator, _| operator == 'Null' }
+  end
+  def if_exists_operators(conditions)
+    conditions.reduce(0) do |aggregate, condition|
+      operator = condition[0]
+      aggregate + (if_exists_operator?(operator) ? weights[:IfExists] : 0)
+    end
+  end
+  def if_exists_operator?(operator)
+    operator.end_with? 'IfExists'
+  end
+  def confusing_value_operators(conditions)
+    conditions.reduce(0) do |aggregate, condition|
+      operator = condition[0]
+      aggregate + (confusing_value_operator?(operator) ? weights[:Condition] : 0)
+    end
+  end
+  def confusing_value_operator?(operator)
+    %w[ForAllValues ForAnyValues].find { |prefix| operator.start_with? prefix }
+  end
+end