cfn-nag 0.6.17 → 0.6.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. checksums.yaml +4 -4
  2. data/lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb +27 -0
  3. data/lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb +37 -0
  4. data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb +48 -0
  5. data/lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb +27 -0
  6. metadata +6 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 4a66afcd6ab5d1bdc31dc4e8fa97ba37c076bdf34a50d5142a060439998871c4
4
- data.tar.gz: 31342a9596c899f8c6a6eecd112a9c9d3abf7a159e748c3ffa7ab6830d67330d
3
+ metadata.gz: 88ea450e5973241adca4e1dd5ebf216a90f4bbdf4ca5cf1f2e1cd361998d99c3
4
+ data.tar.gz: 6c7c613c505fe82f11fb3438350a89649265f773656a80619c4d3019e3a45ee6
5
5
  SHA512:
6
- metadata.gz: fc28b0a404b8c110ce83379e4306ec3ad70beb26f5d379e92eb97764003b157072ce0a0a5a165ad31ab310276929aa551668ae915fc279d2b5ec829050867dee
7
- data.tar.gz: e9d0bc21b3abef53cd32c36142266418d13d7b61f715db8e2a92e43fcbc48a71147f3645cf3c3b8cd050198eb3f2ef92632c8ef97b0860a5a26672ef266b581f
6
+ metadata.gz: d993ae8aa1c6e20bdf2806a4b3d61d40c746752ef307bcf545ffd205d6f7d8fc9812a0e08de5bbaddd49da9bc5776f1cdfe0d6201615f6d9f3041a04f89cdfbb
7
+ data.tar.gz: 4fddb4af6b93aeefe469d7fbda76928189398fcd0fc6499777f8778fd3e747cd1fadb0fef7450263cac651c5cdee7d45fd148ac4e51a33d843b5e47fd15b9925
data/lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb ADDED
@@ -0,0 +1,27 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/truthy'
5
+ require_relative 'base'
6
+
7
+ class DAXClusterEncryptionRule < BaseRule
8
+ def rule_text
9
+ 'DynamoDB Accelerator (DAX) Cluster should have encryption enabled'
10
+ end
11
+
12
+ def rule_type
13
+ Violation::WARNING
14
+ end
15
+
16
+ def rule_id
17
+ 'W83'
18
+ end
19
+
20
+ def audit_impl(cfn_model)
21
+ violating_clusters = cfn_model.resources_by_type('AWS::DAX::Cluster').select do |cluster|
22
+ cluster.sSESpecification.nil? || !truthy?(cluster.sSESpecification['SSEEnabled'].to_s)
23
+ end
24
+
25
+ violating_clusters.map(&:logical_resource_id)
26
+ end
27
+ end
data/lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb ADDED
@@ -0,0 +1,37 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/truthy'
5
+ require_relative 'base'
6
+
7
+ class DLMLifecyclePolicyCrossRegionCopyEncryptionRule < BaseRule
8
+ def rule_text
9
+ 'DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption'
10
+ end
11
+
12
+ def rule_type
13
+ Violation::WARNING
14
+ end
15
+
16
+ def rule_id
17
+ 'W81'
18
+ end
19
+
20
+ def audit_impl(cfn_model)
21
+ violating_policies = cfn_model.resources_by_type('AWS::DLM::LifecyclePolicy').select do |policy|
22
+ if policy.policyDetails['Actions'].nil?
23
+ false
24
+ else
25
+ violating_actions = policy.policyDetails['Actions'].select do |action|
26
+ violating_copies = action['CrossRegionCopy'].select do |copy|
27
+ !truthy?(copy['EncryptionConfiguration']['Encrypted'].to_s)
28
+ end
29
+ !violating_copies.empty?
30
+ end
31
+ !violating_actions.empty?
32
+ end
33
+ end
34
+
35
+ violating_policies.map(&:logical_resource_id)
36
+ end
37
+ end
data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb ADDED
@@ -0,0 +1,48 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+
6
+ class EKSClusterEncryptionRule < BaseRule
7
+ def rule_text
8
+ 'EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::WARNING
13
+ end
14
+
15
+ def rule_id
16
+ 'W82'
17
+ end
18
+
19
+ def audit_impl(cfn_model)
20
+ violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
21
+ if cluster.encryptionConfig.nil?
22
+ true
23
+ elsif violating_configs?(cluster)
24
+ true
25
+ else
26
+ violating_providers?(cluster)
27
+ end
28
+ end
29
+
30
+ violating_clusters.map(&:logical_resource_id)
31
+ end
32
+
33
+ private
34
+
35
+ def violating_configs?(cluster)
36
+ violating_config = cluster.encryptionConfig.select do |config|
37
+ config['Provider'].nil?
38
+ end
39
+ !violating_config.empty?
40
+ end
41
+
42
+ def violating_providers?(cluster)
43
+ violating_provider = cluster.encryptionConfig.select do |config|
44
+ config['Provider']['KeyArn'].empty?
45
+ end
46
+ !violating_provider.empty?
47
+ end
48
+ end
data/lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb ADDED
@@ -0,0 +1,27 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+
6
+ class KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule < BaseRule
7
+ def rule_text
8
+ 'Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::WARNING
13
+ end
14
+
15
+ def rule_id
16
+ 'W80'
17
+ end
18
+
19
+ def audit_impl(cfn_model)
20
+ violating_indices = cfn_model.resources_by_type('AWS::Kendra::Index').select do |index|
21
+ index.serverSideEncryptionConfiguration.nil? ||
22
+ index.serverSideEncryptionConfiguration['KmsKeyId'].nil?
23
+ end
24
+
25
+ violating_indices.map(&:logical_resource_id)
26
+ end
27
+ end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.17
4
+ version: 0.6.22
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-01-18 00:00:00.000000000 Z
11
+ date: 2021-01-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -198,6 +198,8 @@ files:
198
198
  - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
199
199
  - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
200
200
  - lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
201
+ - lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
202
+ - lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb
201
203
  - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
202
204
  - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
203
205
  - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -214,6 +216,7 @@ files:
214
216
  - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
215
217
  - lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
216
218
  - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
219
+ - lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb
217
220
  - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
218
221
  - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
219
222
  - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb
@@ -257,6 +260,7 @@ files:
257
260
  - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
258
261
  - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
259
262
  - lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
263
+ - lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb
260
264
  - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
261
265
  - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
262
266
  - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb