RubyGems - cfn-nag - Versions diffs - 0.6.16 → 0.6.21 - Mend

cfn-nag 0.6.16 → 0.6.21

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 215b03a8fda38b89cf524f415b3f1be170d3d5685e53cd60a0ed3f3344aaaf1f
-  data.tar.gz: a8e8f3f21fd037e78cc52ed127a3b93fb67fd3a57427a3ff7139ab339e37cc60
+  metadata.gz: 7e84a4629eb894586819c36a332fd3cdb5b8c25492098870133773b0fb424041
+  data.tar.gz: 43cd5feabbede6b48f57145cf9cc84083d35f1aa1d54c55525fdcd3c8c04199c
 SHA512:
-  metadata.gz: 93ab380b1c708698da719adee2a7f66140034802712b1e83ccb09c7f34b249f6c38264869ffa228caf233ba90ae360d855c0ef79929b758827c284356a3d5dd1
-  data.tar.gz: 78dac29ca0b9da7c2cd5352bc49094ccb39900d66ebab74b42d1a97b0f36535a378930db87bb0c8b847c79305c63aab1a6c1eaa5a0387b81a0adc2730a7b8797
+  metadata.gz: 2c77d62ea98c2ecba8368b62dc58ebe7e516bc21773116490a25c2d1acf30a8d67e637e392cac71977d4c45755e151c747fdaa391864a2a806af6a11c14a39e4
+  data.tar.gz: ad2af23d60af46fc28daf5157e8e8a2934564e5f102d4bce020249fd654c1c85338dd56bcfab91d0068d5d387ee965406a6771345ea72229397500782112967a

data/lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class DAXClusterEncryptionRule < BaseRule
+  def rule_text
+    'DynamoDB Accelerator (DAX) Cluster should have encryption enabled'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W83'
+  end
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::DAX::Cluster').select do |cluster|
+      cluster.sSESpecification.nil? || !truthy?(cluster.sSESpecification['SSEEnabled'].to_s)
+    end
+    violating_clusters.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb ADDED

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class DLMLifecyclePolicyCrossRegionCopyEncryptionRule < BaseRule
+  def rule_text
+    'DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W81'
+  end
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::DLM::LifecyclePolicy').select do |policy|
+      if policy.policyDetails['Actions'].nil?
+        false
+      else
+        violating_actions = policy.policyDetails['Actions'].select do |action|
+          violating_copies = action['CrossRegionCopy'].select do |copy|
+            !truthy?(copy['EncryptionConfiguration']['Encrypted'].to_s)
+          end
+          !violating_copies.empty?
+        end
+        !violating_actions.empty?
+      end
+    end
+    violating_policies.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb ADDED

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class EKSClusterEncryptionRule < BaseRule
+  def rule_text
+    'EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W82'
+  end
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
+      if cluster.encryptionConfig.nil?
+        true
+      elsif violating_configs?(cluster)
+        true
+      else
+        violating_providers?(cluster)
+      end
+    end
+    violating_clusters.map(&:logical_resource_id)
+  end
+  private
+  def violating_configs?(cluster)
+    violating_config = cluster.encryptionConfig.select do |config|
+      config['Provider'].nil?
+    end
+    !violating_config.empty?
+  end
+  def violating_providers?(cluster)
+    violating_provider = cluster.encryptionConfig.select do |config|
+      config['Provider']['KeyArn'].empty?
+    end
+    !violating_provider.empty?
+  end
+end

data/lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule < BaseRule
+  def rule_text
+    'Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W80'
+  end
+  def audit_impl(cfn_model)
+    violating_indices = cfn_model.resources_by_type('AWS::Kendra::Index').select do |index|
+      index.serverSideEncryptionConfiguration.nil? ||
+        index.serverSideEncryptionConfiguration['KmsKeyId'].nil?
+    end
+    violating_indices.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class LogsLogGroupEncryptedRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W84'
+  end
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.kmsKeyId.nil?
+    end
+    violating_groups.map(&:logical_resource_id)
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.16
+  version: 0.6.21
 platform: ruby
 authors:
 - Eric Kascic
@@ -198,6 +198,8 @@ files:
 - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
 - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
 - lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
+- lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
+- lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -214,6 +216,7 @@ files:
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
 - lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
+- lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb
@@ -257,6 +260,7 @@ files:
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
 - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
@@ -264,6 +268,7 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/LogsLogGroupEncryptedRule.rb
 - lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb
 - lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb