cfn-nag 0.6.14 → 0.6.19

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 834f2a3fa72ba8263f6c1c6602da439ffd63f2e5dbdff3c5ca7828d08e805e7b
-  data.tar.gz: 805de39301a8a7972ceb6acb27911e0e551d3cd236501d54608af9ec84210ddb
+  metadata.gz: 28cde1a5e7484f6b0f2d63097071e68ef162a97de6d5e957cd5638d08aa420ce
+  data.tar.gz: a325b62b2f79bbb4b4ae2beec6a5beec6c0e40ba53cd1bb10b11a9c26f78e72a
 SHA512:
-  metadata.gz: 45a8a649e813676a3299a69292981065b3f41b0aed19377b4c84b20876aa6f84e0473721967d4c689207b90ba5c51d70816e9226af89962409c4dad960de8227
-  data.tar.gz: 86c3bd27996e14a73a26a4e5fb8bb16360da8caf9a320c00517a61ba42eff7ce257643a7e7ed86a3661ea7c406604484ef915198e40d57b0031150d490e6fa6c
+  metadata.gz: 50d18a321a5a0f9050523c657d0f8eee055555fce4e62547738760c5dae59e603ed7ef49e85a4618e51d64fbe30eafd7439e112516c2f7adc021db34b40cacbe
+  data.tar.gz: b44e85f191a4c3710491cfd2ed9e81e6107b641c28414656f19163ee3cf66b547a19296d28836e6fbface9a1087ccb03bfb037dc72e21a242899d0ee70e07b12

data/lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class DAXClusterEncryptionRule < BaseRule
+  def rule_text
+    'DynamoDB Accelerator (DAX) Cluster should have encryption enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W83'
+  end
+
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::DAX::Cluster').select do |cluster|
+      cluster.sSESpecification.nil? || !truthy?(cluster.sSESpecification['SSEEnabled'].to_s)
+    end
+
+    violating_clusters.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class EKSClusterEncryptionRule < BaseRule
+  def rule_text
+    'EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W82'
+  end
+
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
+      if cluster.encryptionConfig.nil?
+        true
+      elsif violating_configs?(cluster)
+        true
+      else
+        violating_providers?(cluster)
+      end
+    end
+
+    violating_clusters.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violating_configs?(cluster)
+    violating_config = cluster.encryptionConfig.select do |config|
+      config['Provider'].nil?
+    end
+    !violating_config.empty?
+  end
+
+  def violating_providers?(cluster)
+    violating_provider = cluster.encryptionConfig.select do |config|
+      config['Provider']['KeyArn'].empty?
+    end
+    !violating_provider.empty?
+  end
+end

data/lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/util/truthy'
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticsearchDomainNodeToNodeEncryptionOptionsRule < BaseRule
+  def rule_text
+    'ElasticsearchcDomain should have NodeToNodeEncryptionOptions enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W85'
+  end
+
+  def audit_impl(cfn_model)
+    violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
+      domain.nodeToNodeEncryptionOptions.nil? || not_truthy?(domain.nodeToNodeEncryptionOptions['Enabled'])
+    end
+
+    violating_domains.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class LogsLogGroupEncryptedRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W84'
+  end
+
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.kmsKeyId.nil?
+    end
+
+    violating_groups.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class LogsLogGroupRetentionRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W86'
+  end
+
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.retentionInDays.nil?
+    end
+
+    violating_groups.map(&:logical_resource_id)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.14
+  version: 0.6.19
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-31 00:00:00.000000000 Z
+date: 2021-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -198,6 +198,7 @@ files:
 - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
 - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
 - lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
+- lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -214,6 +215,7 @@ files:
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
 - lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
+- lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb
@@ -229,6 +231,7 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+- lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb
 - lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb
 - lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
@@ -263,6 +266,8 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb
 - lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb