cfn-nag 0.5.61 → 0.6.4

Files changed (54)
  1. checksums.yaml +4 -4
  2. data/bin/spcm_scan +69 -0
  3. data/lib/cfn-nag/cfn_nag.rb +1 -0
  4. data/lib/cfn-nag/cfn_nag_config.rb +4 -1
  5. data/lib/cfn-nag/cfn_nag_executor.rb +22 -1
  6. data/lib/cfn-nag/cli_options.rb +18 -0
  7. data/lib/cfn-nag/custom_rule_loader.rb +23 -72
  8. data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +2 -2
  9. data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +2 -1
  10. data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +2 -1
  11. data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +2 -1
  12. data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +2 -1
  13. data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb +1 -1
  14. data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +3 -2
  15. data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +2 -1
  16. data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +2 -1
  17. data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +2 -1
  18. data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +2 -1
  19. data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +2 -1
  20. data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +2 -1
  21. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +2 -1
  22. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +3 -2
  23. data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +2 -1
  24. data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +2 -1
  25. data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +2 -1
  26. data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +3 -2
  27. data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +3 -2
  28. data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +2 -1
  29. data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +2 -1
  30. data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb +2 -1
  31. data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb +2 -1
  32. data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb +3 -2
  33. data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb +2 -1
  34. data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb +2 -1
  35. data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb +2 -1
  36. data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb +2 -1
  37. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb +2 -1
  38. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb +2 -1
  39. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb +2 -1
  40. data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb +2 -1
  41. data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +2 -1
  42. data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb +2 -1
  43. data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb +2 -1
  44. data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb +2 -1
  45. data/lib/cfn-nag/custom_rules/SPCMRule.rb +66 -0
  46. data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb +4 -3
  47. data/lib/cfn-nag/iam_complexity_metric/condition_metric.rb +85 -0
  48. data/lib/cfn-nag/iam_complexity_metric/html_results_renderer.rb +45 -0
  49. data/lib/cfn-nag/iam_complexity_metric/policy_document_metric.rb +11 -0
  50. data/lib/cfn-nag/iam_complexity_metric/spcm.rb +79 -0
  51. data/lib/cfn-nag/iam_complexity_metric/statement_metric.rb +104 -0
  52. data/lib/cfn-nag/iam_complexity_metric/weights.rb +22 -0
  53. data/lib/cfn-nag/metadata.rb +78 -0
  54. metadata +15 -5
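--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9730b5f935f661789abf3aa45239a0f7715c35c95842644aeec25f98a7c3c6ce
-  data.tar.gz: 4a2f9453cc6d9074f4e3ea19b78514fddcd5fc5d8d9269babe8187bebd549482
+  metadata.gz: fb0243f0a2f327d0408fe6524596d7bf9a0ce8214fb217e869a785983dc30b88
+  data.tar.gz: e9bc6213a3beb72d785abb9e58908460771d36b2127d72d0dde421c4c22b5daa
 SHA512:
-  metadata.gz: 6dc61c128936866f2e0bf34e7e442e4a71366fa0f9b9c41fe972142aafffd51f7155e3aec488b5742ae5b019b484245a1fa7c6555979de3b709e68ab30081553
-  data.tar.gz: 54431e5bc771b2ca296dfb94ddcb1202da16d7ced5f1c88c28a00bd2d9d7f3b36600edb6449f210244d6c55a22addfa6a293a6a0dc9ad2c5318eb047d74e03e1
+  metadata.gz: 99a21920685b6a2a6762060c18d7aeef9881a2527e78324f949582a03b4003adba0713c5421a2bd2040e94c78cb969b1230cd6cbf1e624b7e3056050385011c2
+  data.tar.gz: 3ffb6ec0595927f615efa3e653083fc9efa4bd60db1a20f48591205a06c20ebc07efcf7e6c8330aef0eaee9508cadae34becbbf73c8b3d4ffab25d7491579cba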
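--- /dev/null
+++ b/data/bin/spcm_scan
@@ -0,0 +1,69 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'cfn-nag/iam_complexity_metric/spcm'
+require 'cfn-nag/iam_complexity_metric/html_results_renderer'
+require 'optimist'
+require 'json'
+
+# rubocop:disable Metrics/BlockLength
+opts = Optimist.options do
+  opt :parameter_values_path,
+      'Path to a JSON file to pull Parameter values from',
+      type: :string,
+      required: false,
+      default: nil
+  opt :condition_values_path,
+      'Path to a JSON file to pull Condition values from',
+      type: :string,
+      required: false,
+      default: nil
+  opt :input_path,
+      'CloudFormation template to measure SPCM on or directory of templates.',
+      type: :string,
+      required: true
+  opt :template_pattern,
+      'Within the --input-path, match files to scan against this regular expression',
+      type: :string,
+      required: false,
+      default: '..*\.json|..*\.yaml|..*\.yml|..*\.template'
+  opt :ignore_templates_without_iam,
+      'Within the --input-path ignore files without IAM role/policy resources',
+      type: :boolean,
+      required: false,
+      default: true
+  opt :output_format,
+      'Format of results: [json, html]',
+      type: :string,
+      default: 'json'
+end
+# rubocop:enable Metrics/BlockLength
+
+def read_conditionally(path)
+  unless path.nil?
+    IO.read(path)
+  end
+end
+
+parameter_values_string = read_conditionally(opts[:parameter_values_path])
+
+condition_values_string = read_conditionally(opts[:condition_values_path])
+
+metrics = SPCM.new.aggregate_metrics(
+  input_path: opts[:input_path],
+  parameter_values_path: parameter_values_string,
+  condition_values_path: condition_values_string,
+  template_pattern: opts[:template_pattern]
+)
+
+if opts[:ignore_templates_without_iam]
+  metrics = metrics.select do |metric|
+    metric[:file_results]['AWS::IAM::Role'] != {} || metric[:file_results]['AWS::IAM::Policy'] != {}
+  end
+end
+
+if opts[:output_format] == 'json'
+  puts JSON.generate(metrics)
+else
+  puts HtmlRenderer.new.render(results: metrics)
+end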
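Review bot: `--output-format` is never validated: any value other than `json` — including a typo such as `jsn` — silently falls through to the HTML branch at the bottom of the script, whereas the cfn_nag executor dies on an unknown format. A check right after the Optimist block closes the gap: `Optimist.die(:output_format, 'Must be json or html') unless %w[json html].include?(opts[:output_format])`. Separately, `aggregate_metrics` is handed file *contents* under the keywords `parameter_values_path:` and `condition_values_path:`; if SPCM really expects strings there, the keyword names are misleading and worth renaming on the SPCM side (its definition is not in this hunk).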
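--- a/data/lib/cfn-nag/cfn_nag.rb
+++ b/data/lib/cfn-nag/cfn_nag.rb
@@ -87,6 +87,7 @@ class CfnNag
       parameter_values_string,
       true,
       condition_values_string
+    CustomRuleLoader.rule_arguments = @config.rule_arguments
     violations += @config.custom_rule_loader.execute_custom_rules(
       cfn_model,
       @config.custom_rule_loader.rule_definitions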
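Review bot: The added line stores per-scan configuration in process-wide class state (`CustomRuleLoader.rule_arguments=`), so any other `CfnNag` instance — or a concurrent scan when cfn-nag is used as a library — sees the last caller's arguments instead of its own `@config`. Since `@config.custom_rule_loader` is an instance already built from the same config, the arguments belong on that instance (e.g. a `rule_arguments:` keyword on `CustomRuleLoader.new` that the loader reads), which keeps them scoped to the scan. Until such a refactor lands, a comment on this line, `# NOTE: global, last-writer-wins; not safe across concurrent CfnNag instances`, would warn the next maintainer. The enclosing method starts before this hunk.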
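--- a/data/lib/cfn-nag/cfn_nag_config.rb
+++ b/data/lib/cfn-nag/cfn_nag_config.rb
@@ -9,7 +9,8 @@ class CfnNagConfig
                  print_suppression: false,
                  isolate_custom_rule_exceptions: false,
                  fail_on_warnings: false,
-                 rule_repository_definitions: [])
+                 rule_repository_definitions: [],
+                 rule_arguments: {})
     @rule_directory = rule_directory
     @custom_rule_loader = CustomRuleLoader.new(
       rule_directory: rule_directory,
@@ -22,9 +23,11 @@ class CfnNagConfig
     @blacklist_definition = blacklist_definition
     @fail_on_warnings = fail_on_warnings
     @rule_repositories = rule_repositories
+    @rule_arguments = rule_arguments
   end
   # rubocop:enable Metrics/ParameterLists
 
+  attr_reader :rule_arguments
   attr_reader :rule_directory
   attr_reader :custom_rule_loader
   attr_reader :profile_definition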
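--- a/data/lib/cfn-nag/cfn_nag_executor.rb
+++ b/data/lib/cfn-nag/cfn_nag_executor.rb
@@ -11,6 +11,7 @@ class CfnNagExecutor
     @parameter_values_string = nil
     @condition_values_string = nil
     @rule_repository_definitions = []
+    @rule_arguments_string = nil
   end
 
   def scan(options_type:)
@@ -77,6 +78,12 @@ class CfnNagExecutor
       Optimist.die(:output_format,
                    'Must be colortxt, txt, or json')
     end
+
+    opts[:rule_arguments]&.each do |rule_argument|
+      unless rule_argument.include?(':')
+        Optimist.die(:rule_arguments, 'Must be of form name:value')
+      end
+    end
   end
 
   def execute_io_options(opts)
@@ -88,6 +95,8 @@ class CfnNagExecutor
 
     @condition_values_string = read_conditionally(opts[:condition_values_path])
 
+    @rule_arguments_string = read_conditionally(opts[:rule_arguments_path])
+
     opts[:rule_repository]&.each do |rule_repository|
       @rule_repository_definitions << IO.read(rule_repository)
     end
@@ -99,6 +108,17 @@ class CfnNagExecutor
     end
   end
 
+  def merge_rule_arguments(opts)
+    rule_arguments = {}
+    rule_arguments = JSON.parse(@rule_arguments_string) if @rule_arguments_string
+    opts[:rule_arguments]&.each do |rule_argument|
+      name = rule_argument.split(':')[0]
+      value = rule_argument.split(':')[1]
+      rule_arguments[name] = value
+    end
+    rule_arguments
+  end
+
   def cfn_nag_config(opts)
     CfnNagConfig.new(
       profile_definition: @profile_definition,
@@ -108,7 +128,8 @@ class CfnNagExecutor
       print_suppression: opts[:print_suppression],
       isolate_custom_rule_exceptions: opts[:isolate_custom_rule_exceptions],
       fail_on_warnings: opts[:fail_on_warnings],
-      rule_repository_definitions: @rule_repository_definitions
+      rule_repository_definitions: @rule_repository_definitions,
+      rule_arguments: merge_rule_arguments(opts)
     )
   end
 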
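Review bot: `merge_rule_arguments` drops everything after the first `:` in a `--rule-arguments` value (`rule_argument.split(':')[1]`), so a value that itself contains a colon — an ARN, a URL, a `key=value:...` list — is silently truncated, even though the validation added earlier in this file only requires that one colon be present. Splitting once with a limit, `name, value = rule_argument.split(':', 2)`, keeps the full value. `JSON.parse(@rule_arguments_string)` is also assigned without checking that it produced a Hash; a file holding an array or scalar then either fails later with a confusing `TypeError`/`NoMethodError` on `rule_arguments[name] = value`, or, when no CLI arguments are given, hands a non-Hash to the loader. Rejecting non-object JSON at the input boundary keeps the error where the user can act on it.
```ruby
  def merge_rule_arguments(opts)
    rule_arguments = {}
    if @rule_arguments_string
      rule_arguments = JSON.parse(@rule_arguments_string)
      unless rule_arguments.is_a?(Hash)
        Optimist.die(:rule_arguments_path, 'Must contain a JSON object of name:value pairs')
      end
    end
    opts[:rule_arguments]&.each do |rule_argument|
      # limit 2 so a value that itself contains ':' survives intact
      name, value = rule_argument.split(':', 2)
      rule_arguments[name] = value
    end
    rule_arguments
  end
```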
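--- a/data/lib/cfn-nag/cli_options.rb
+++ b/data/lib/cfn-nag/cli_options.rb
@@ -91,6 +91,15 @@ class Options
           'Path(s) to a rule repository to include in rule discovery',
           type: :strings,
           required: false
+      opt :rule_arguments,
+          'Rule arguments to inject into interested rules',
+          type: :strings,
+          required: false
+      opt :rule_arguments_path,
+          'Path to a rule arguments to inject into interested rules',
+          type: :string,
+          required: false,
+          default: nil
     end
   end
 
@@ -175,6 +184,15 @@ class Options
           'Path(s)s to rule repository to include in rule discovery',
           type: :strings,
           required: false
+      opt :rule_arguments,
+          'Rule arguments to inject into interested rules',
+          type: :strings,
+          required: false
+      opt :rule_arguments_path,
+          'Path to a rule arguments to inject into interested rules',
+          type: :string,
+          required: false,
+          default: nil
     end
   end
   # rubocop:enable Metrics/BlockLength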
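Review bot: The help strings for the two new options do not tell the user the formats the executor enforces — `--rule-arguments` entries must be `name:value` pairs (the executor dies otherwise) and `--rule-arguments-path` must point at a JSON file — and 'Path to a rule arguments' is ungrammatical. Suggest `'Rule arguments (name:value) to inject into rules that expose a matching writer'` and `'Path to a JSON file of rule arguments (name:value) to inject into rules that expose a matching writer'`. The text is duplicated verbatim in both option blocks, so both copies need the change.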
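--- a/data/lib/cfn-nag/custom_rule_loader.rb
+++ b/data/lib/cfn-nag/custom_rule_loader.rb
@@ -7,12 +7,22 @@ require_relative 'rule_repos/file_based_rule_repo'
 require_relative 'rule_repos/gem_based_rule_repo'
 require_relative 'rule_repos/s3_based_rule_repo'
 require_relative 'rule_repository_loader'
+require_relative 'metadata'
 
 ##
 # This object can discover the internal and custom user-provided rules and
 # apply these rules to a CfnModel object
 #
 class CustomRuleLoader
+  include Metadata
+
+  # k,v for injection into rules that can respond to k
+  @rule_arguments = {}
+
+  class << self
+    attr_accessor :rule_arguments
+  end
+
   def initialize(rule_directory: nil,
                  allow_suppression: true,
                  print_suppression: false,
@@ -58,6 +68,14 @@ class CustomRuleLoader
 
   private
 
+  def inject_rule_arguments_into_rule(rule)
+    self.class.rule_arguments.each do |rule_argument_name, rule_argument_value|
+      if rule.respond_to?("#{rule_argument_name}=".to_sym)
+        rule.send "#{rule_argument_name}=".to_sym, rule_argument_value
+      end
+    end
+  end
+
   # rubocop:disable Style/RedundantBegin
   def filter_rule_classes(cfn_model, violations, rules_registry)
     rules_registry.rule_classes.each do |rule_class|
@@ -65,9 +83,12 @@ class CustomRuleLoader
         filtered_cfn_model = cfn_model_with_suppressed_resources_removed(
           cfn_model: cfn_model,
           rule_id: rule_class.new.rule_id,
-          allow_suppression: @allow_suppression
+          allow_suppression: @allow_suppression,
+          print_suppression: @print_suppression
         )
-        audit_result = rule_class.new.audit(filtered_cfn_model)
+        rule = rule_class.new
+        inject_rule_arguments_into_rule(rule)
+        audit_result = rule.audit(filtered_cfn_model)
         violations << audit_result unless audit_result.nil?
       rescue ScriptError, StandardError => rule_error
         raise rule_error unless @isolate_custom_rule_exceptions
@@ -77,74 +98,4 @@ class CustomRuleLoader
     end
   end
   # rubocop:enable Style/RedundantBegin
-
-  def rules_to_suppress(resource)
-    if resource.metadata &&
-       resource.metadata['cfn_nag'] &&
-       resource.metadata['cfn_nag']['rules_to_suppress']
-
-      resource.metadata['cfn_nag']['rules_to_suppress']
-    end
-  end
-
-  def collect_mangled_metadata(cfn_model)
-    mangled_metadatas = []
-    cfn_model.resources.each do |logical_resource_id, resource|
-      resource_rules_to_suppress = rules_to_suppress resource
-      next if resource_rules_to_suppress.nil?
-
-      mangled_rules = resource_rules_to_suppress.select do |rule_to_suppress|
-        rule_to_suppress['id'].nil?
-      end
-      unless mangled_rules.empty?
-        mangled_metadatas << [logical_resource_id, mangled_rules]
-      end
-    end
-    mangled_metadatas
-  end
-
-  # XXX given mangled_metadatas is never used or returned,
-  # STDERR emit can be moved to unless block
-  def validate_cfn_nag_metadata(cfn_model)
-    mangled_metadatas = collect_mangled_metadata(cfn_model)
-    mangled_metadatas.each do |mangled_metadata|
-      logical_resource_id = mangled_metadata.first
-      mangled_rules = mangled_metadata[1]
-
-      STDERR.puts "#{logical_resource_id} has missing cfn_nag suppression " \
-                  "rule id: #{mangled_rules}"
-    end
-  end
-
-  def suppress_resource?(rules_to_suppress, rule_id, logical_resource_id)
-    found_suppression_rule = rules_to_suppress.find do |rule_to_suppress|
-      next if rule_to_suppress['id'].nil?
-
-      rule_to_suppress['id'] == rule_id
-    end
-    if found_suppression_rule && @print_suppression
-      message = "Suppressing #{rule_id} on #{logical_resource_id} for " \
-                "reason: #{found_suppression_rule['reason']}"
-      STDERR.puts message
-    end
-    !found_suppression_rule.nil?
-  end
-
-  def cfn_model_with_suppressed_resources_removed(cfn_model:,
-                                                  rule_id:,
-                                                  allow_suppression:)
-    return cfn_model unless allow_suppression
-
-    cfn_model = cfn_model.copy
-
-    cfn_model.resources.delete_if do |logical_resource_id, resource|
-      rules_to_suppress = rules_to_suppress resource
-      if rules_to_suppress.nil?
-        false
-      else
-        suppress_resource?(rules_to_suppress, rule_id, logical_resource_id)
-      end
-    end
-    cfn_model
-  end
 end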
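Review bot: `inject_rule_arguments_into_rule` gates injection on `respond_to?`, which without the include-all flag admits only public writers, but then invokes the setter with `send`, which bypasses visibility — if the gate is ever loosened, names supplied by the user via `--rule-arguments` or the JSON file would reach private and protected methods on every rule. `public_send` makes the call match the check: `rule.public_send("#{rule_argument_name}=", rule_argument_value)`. The method also deserves a comment stating that both the name and the value come straight from user input and that the `respond_to?` check is the only thing restricting which methods an argument can hit, and the comment above the accessor should say `@rule_arguments` is process-global state shared by every loader instance, since the injector reads `self.class.rule_arguments` rather than anything set on `self`.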
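--- a/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
@@ -5,8 +5,8 @@ require_relative 'sub_property_with_list_password_base_rule'
 
 class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
   def rule_text
-    'AmazonMQ Broker Users Password must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.'
+    'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type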
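--- a/data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppAccessTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App AccessToken must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type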
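--- a/data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type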
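--- a/data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyAppOauthTokenRule < PasswordBaseRule
   def rule_text
     'Amplify App OauthToken must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type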
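--- a/data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
   def rule_text
     'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
-    'string or a Ref to a NoEcho Parameter with a Default value.' \
+    'string or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type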
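--- a/data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb
+++ b/data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb
@@ -18,7 +18,7 @@ class ApiGatewayV2AccessLoggingRule < BaseRule
 
   def audit_impl(cfn_model)
     violating_deployments = cfn_model.resources_by_type('AWS::ApiGatewayV2::Stage').select do |deployment|
-      deployment.accessLogSetting.nil?
+      deployment.accessLogSettings.nil?
     end
 
     violating_deployments.map(&:logical_resource_id)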
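Review bot: The corrected property name only catches a Stage that has no `AccessLogSettings` block at all; a Stage that declares `AccessLogSettings: {}` or leaves out the log destination has nowhere to write access logs yet passes the `nil?` check. If the cfn-model exposes the sub-properties as a Hash, the predicate could become `settings = deployment.accessLogSettings; settings.nil? || settings['DestinationArn'].nil?` — worth confirming against the model's property handling before relying on it. `audit_impl` is fully inside the hunk.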
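--- a/data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb
@@ -6,8 +6,9 @@ require_relative 'password_base_rule'
 class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
   def rule_text
     'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
-    'must not be a plaintext string or a Ref to a NoEcho Parameter ' \
-    'with a Default value.'
+    'must not be a plaintext string or a Ref to a Parameter ' \
+    'with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type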
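--- a/data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
+++ b/data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
   def rule_text
     'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
-    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+    'a plaintext string or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type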
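--- a/data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type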
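--- a/data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
@@ -6,7 +6,8 @@ require_relative 'password_base_rule'
 class DMSEndpointPasswordRule < PasswordBaseRule
   def rule_text
     'DMS Endpoint password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
   end
 
   def rule_type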
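--- a/data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -7,7 +7,8 @@ require_relative 'password_base_rule'
 class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
   def rule_text
     'Directory Service Microsoft AD password must not be a plaintext string ' \
-    'or a Ref to a NoEcho Parameter with a Default value.'
+    'or a Ref to a Parameter with a Default value. ' \
+    'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
   end
 
   def rule_type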