RubyGems - cfn-nag - Versions diffs - 0.6.12 → 0.6.17 - Mend

cfn-nag 0.6.12 → 0.6.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/cfn-nag/custom_rules/DynamoDBBackupRule.rb +28 -0
data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb +28 -0
data/lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb +27 -0
data/lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb +27 -0
data/lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb +27 -0
metadata +9 -3

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 774ba53c6603235a3e18b1a927caf17fe44a436fe4bb0ac0204959d2e36a0477
-  data.tar.gz: 7a10194e7fa4e349b184de19be96100dc34146ec029a76863c81557f14da6d4c
+  metadata.gz: 4a66afcd6ab5d1bdc31dc4e8fa97ba37c076bdf34a50d5142a060439998871c4
+  data.tar.gz: 31342a9596c899f8c6a6eecd112a9c9d3abf7a159e748c3ffa7ab6830d67330d
 SHA512:
-  metadata.gz: 4e0944f0b13ae40026a04ededc670a5dc6c585ec5171108dfc228df65468fcad7124d8f44c2a6420e626ed004fbaa267ba81a74bb7c67833cafcd85f4293534d
-  data.tar.gz: 7080ec9d6ef807c322d6c8e1c41ba4130b19a554d292a9515d7de98fd2148339e82b01b000e5204fc445a5b837a6f69ccbe99c97542fc189b5ffa97cee82f341
+  metadata.gz: fc28b0a404b8c110ce83379e4306ec3ad70beb26f5d379e92eb97764003b157072ce0a0a5a165ad31ab310276929aa551668ae915fc279d2b5ec829050867dee
+  data.tar.gz: e9d0bc21b3abef53cd32c36142266418d13d7b61f715db8e2a92e43fcbc48a71147f3645cf3c3b8cd050198eb3f2ef92632c8ef97b0860a5a26672ef266b581f

data/lib/cfn-nag/custom_rules/DynamoDBBackupRule.rb ADDED

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class DynamoDBBackupRule < BaseRule
+  def rule_text
+    'DynamoDB table should have backup enabled, should be set using PointInTimeRecoveryEnabled'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W78'
+  end
+  def audit_impl(cfn_model)
+    violating_ddb_tables = cfn_model.resources_by_type('AWS::DynamoDB::Table').select do |table|
+      table.pointInTimeRecoverySpecification.nil? ||
+        !truthy?(table.pointInTimeRecoverySpecification['PointInTimeRecoveryEnabled'].to_s)
+    end
+    violating_ddb_tables.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb ADDED

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class ECRRepositoryScanOnPushRule < BaseRule
+  def rule_text
+    'ECR Repository should have scanOnPush enabled'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W79'
+  end
+  def audit_impl(cfn_model)
+    violating_ecr_registries = cfn_model.resources_by_type('AWS::ECR::Repository').select do |registry|
+      registry.imageScanningConfiguration.nil? ||
+        !truthy?(registry.imageScanningConfiguration['scanOnPush'].to_s)
+    end
+    violating_ecr_registries.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/util/truthy'
+require 'cfn-nag/violation'
+require_relative 'base'
+class ElasticsearchDomainNodeToNodeEncryptionOptionsRule < BaseRule
+  def rule_text
+    'ElasticsearchcDomain should have NodeToNodeEncryptionOptions enabled'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W85'
+  end
+  def audit_impl(cfn_model)
+    violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
+      domain.nodeToNodeEncryptionOptions.nil? || not_truthy?(domain.nodeToNodeEncryptionOptions['Enabled'])
+    end
+    violating_domains.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class LogsLogGroupEncryptedRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W84'
+  end
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.kmsKeyId.nil?
+    end
+    violating_groups.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class LogsLogGroupRetentionRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W86'
+  end
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.retentionInDays.nil?
+    end
+    violating_groups.map(&:logical_resource_id)
+  end
+end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.12
+  version: 0.6.17
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-11-05 00:00:00.000000000 Z
+date: 2021-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -203,6 +203,7 @@ files:
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
 - lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
+- lib/cfn-nag/custom_rules/DynamoDBBackupRule.rb
 - lib/cfn-nag/custom_rules/DynamoDBBillingModeRule.rb
 - lib/cfn-nag/custom_rules/DynamoDBEncryptionRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryDuplicateRule.rb
@@ -211,6 +212,7 @@ files:
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
+- lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
@@ -227,6 +229,7 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+- lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb
 - lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb
 - lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
@@ -261,6 +264,8 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb
 - lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb
@@ -381,7 +386,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubyforge_project:
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: cfn-nag