cfn-nag 0.6.13 → 0.6.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9b5274ea37c43e66281bd7e21513c650ca7dac661c5ce943e5fce39dad25506c
-  data.tar.gz: 22355ae1a48c603a4f4672d7887134f5087973aab0fda5eda92bcb794f975fbe
+  metadata.gz: 8a3fc1115d0e9a1739ac2a1fdddbd6ee693450fbf292f512e2554570293cbb01
+  data.tar.gz: 21fcfbd6d9deba76d3764b5170d382a1642d79a0322d49eb71805c7b15c41ae5
 SHA512:
-  metadata.gz: c8d30927728b0b9ea80774a83c937629ede960143b02b69e51ad6a55ce770e15805e6b8adb733d5c461a346d66b4c11c6fc19fd59f90bf0ee614718375c1ac22
-  data.tar.gz: 4043b47cd7b3b9c19a5d1259134346768febabd2418a96c160a27f644e09cdb7a630f57013828e0d5d8bd1d49f3b19b414b6893bd1082e8ad9cfd4f9e27c6bcd
+  metadata.gz: 6c18afb97fcb0df30296eb6660e6c07bdb4e7e241148529edb68e11bd0ef8bd3dbb5bbf065be4d6ff554eb025059a7da5f53185481bcca75d0540447703838da
+  data.tar.gz: c42ed45e2cc5177e8e26acd0f503682b6deb6f0f172c31214753654ac31425e609f17b0cbf60050002fa40a628fd53f7048ab7831b5f211b2cf4908e5a17f8b0

data/lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class DAXClusterEncryptionRule < BaseRule
+  def rule_text
+    'DynamoDB Accelerator (DAX) Cluster should have encryption enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W83'
+  end
+
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::DAX::Cluster').select do |cluster|
+      cluster.sSESpecification.nil? || !truthy?(cluster.sSESpecification['SSEEnabled'].to_s)
+    end
+
+    violating_clusters.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class ECRRepositoryScanOnPushRule < BaseRule
+  def rule_text
+    'ECR Repository should have scanOnPush enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W79'
+  end
+
+  def audit_impl(cfn_model)
+    violating_ecr_registries = cfn_model.resources_by_type('AWS::ECR::Repository').select do |registry|
+      registry.imageScanningConfiguration.nil? ||
+        !truthy?(registry.imageScanningConfiguration['scanOnPush'].to_s)
+    end
+
+    violating_ecr_registries.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/util/truthy'
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticsearchDomainNodeToNodeEncryptionOptionsRule < BaseRule
+  def rule_text
+    'ElasticsearchcDomain should have NodeToNodeEncryptionOptions enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W85'
+  end
+
+  def audit_impl(cfn_model)
+    violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
+      domain.nodeToNodeEncryptionOptions.nil? || not_truthy?(domain.nodeToNodeEncryptionOptions['Enabled'])
+    end
+
+    violating_domains.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class LogsLogGroupEncryptedRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W84'
+  end
+
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.kmsKeyId.nil?
+    end
+
+    violating_groups.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class LogsLogGroupRetentionRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W86'
+  end
+
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.retentionInDays.nil?
+    end
+
+    violating_groups.map(&:logical_resource_id)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.13
+  version: 0.6.18
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-11-25 00:00:00.000000000 Z
+date: 2021-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -198,6 +198,7 @@ files:
 - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
 - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
 - lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
+- lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -212,6 +213,7 @@ files:
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryPortRangeRule.rb
 - lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
+- lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
@@ -228,6 +230,7 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+- lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb
 - lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb
 - lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
@@ -262,6 +265,8 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb
 - lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb
@@ -382,7 +387,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubyforge_project: 
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: cfn-nag