cfn-nag 0.6.15 → 0.6.20

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16861651aa50f0df55c1f09ab3ee2b6805a5bbe5df2553509f1728922809d878
-  data.tar.gz: ecf3c006adc7f35cd5f01246b2cb9315c029c7b86055d5ee5438fa2eeb44b68c
+  metadata.gz: acfa4c8d862bf691a56f99ded65fcfab7f5ca114f91a11aa3d453776093fd862
+  data.tar.gz: b125a02a79b010e02eee085d7421b359aeefb43de345f5ff8a2ab009c3528c44
 SHA512:
-  metadata.gz: 640dcd9fe284f48ddcc714fc8573115062547e4e81c7b73500f7369e37392b7c4e06666ec1ac0d294d6f737d31f62be0062eaf745a1e5b640401b79ccafbf4cd
-  data.tar.gz: df569ee1ad3089fd480dd9957cc7dbca4a0d4ec469aadc81048d143f9584369987ce3de53798e3ebd2b986a1ae44f6844c32b3e9e30b242ed7938f8edf2b1799
+  metadata.gz: 6d52ca5b92b8f8dce9034c493adb4a7c81cebc40211ba524dd8060ce9efdabea09d129d80db2eca2e4560239972d0192302f9027c53bd660139178697e4eb7ed
+  data.tar.gz: 5198f37c1c20d290d3c2073928f1509bca083dee22b03b099b456406f2bcbcc9f146a00d59d4fd57ef3bf5f44fb2a3753eddf0a0615544ef1374754c75f509d2

data/lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class DAXClusterEncryptionRule < BaseRule
+  def rule_text
+    'DynamoDB Accelerator (DAX) Cluster should have encryption enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W83'
+  end
+
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::DAX::Cluster').select do |cluster|
+      cluster.sSESpecification.nil? || !truthy?(cluster.sSESpecification['SSEEnabled'].to_s)
+    end
+
+    violating_clusters.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class DLMLifecyclePolicyCrossRegionCopyEncryptionRule < BaseRule
+  def rule_text
+    'DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W81'
+  end
+
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::DLM::LifecyclePolicy').select do |policy|
+      if policy.policyDetails['Actions'].nil?
+        false
+      else
+        violating_actions = policy.policyDetails['Actions'].select do |action|
+          violating_copies = action['CrossRegionCopy'].select do |copy|
+            !truthy?(copy['EncryptionConfiguration']['Encrypted'].to_s)
+          end
+          !violating_copies.empty?
+        end
+        !violating_actions.empty?
+      end
+    end
+
+    violating_policies.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class EKSClusterEncryptionRule < BaseRule
+  def rule_text
+    'EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W82'
+  end
+
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
+      if cluster.encryptionConfig.nil?
+        true
+      elsif violating_configs?(cluster)
+        true
+      else
+        violating_providers?(cluster)
+      end
+    end
+
+    violating_clusters.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violating_configs?(cluster)
+    violating_config = cluster.encryptionConfig.select do |config|
+      config['Provider'].nil?
+    end
+    !violating_config.empty?
+  end
+
+  def violating_providers?(cluster)
+    violating_provider = cluster.encryptionConfig.select do |config|
+      config['Provider']['KeyArn'].empty?
+    end
+    !violating_provider.empty?
+  end
+end

data/lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/util/truthy'
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticsearchDomainNodeToNodeEncryptionOptionsRule < BaseRule
+  def rule_text
+    'ElasticsearchcDomain should have NodeToNodeEncryptionOptions enabled'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W85'
+  end
+
+  def audit_impl(cfn_model)
+    violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
+      domain.nodeToNodeEncryptionOptions.nil? || not_truthy?(domain.nodeToNodeEncryptionOptions['Enabled'])
+    end
+
+    violating_domains.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class LogsLogGroupEncryptedRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W84'
+  end
+
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.kmsKeyId.nil?
+    end
+
+    violating_groups.map(&:logical_resource_id)
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.15
+  version: 0.6.20
 platform: ruby
 authors:
 - Eric Kascic
@@ -198,6 +198,8 @@ files:
 - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
 - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
 - lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
+- lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
+- lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -214,6 +216,7 @@ files:
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
 - lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
+- lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb
@@ -229,6 +232,7 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+- lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb
 - lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb
 - lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
@@ -263,6 +267,7 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb
 - lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb
 - lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb