cfn-nag 0.6.17 → 0.6.22

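--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 4a66afcd6ab5d1bdc31dc4e8fa97ba37c076bdf34a50d5142a060439998871c4
- data.tar.gz: 31342a9596c899f8c6a6eecd112a9c9d3abf7a159e748c3ffa7ab6830d67330d
+ metadata.gz: 88ea450e5973241adca4e1dd5ebf216a90f4bbdf4ca5cf1f2e1cd361998d99c3
+ data.tar.gz: 6c7c613c505fe82f11fb3438350a89649265f773656a80619c4d3019e3a45ee6
  SHA512:
- metadata.gz: fc28b0a404b8c110ce83379e4306ec3ad70beb26f5d379e92eb97764003b157072ce0a0a5a165ad31ab310276929aa551668ae915fc279d2b5ec829050867dee
- data.tar.gz: e9d0bc21b3abef53cd32c36142266418d13d7b61f715db8e2a92e43fcbc48a71147f3645cf3c3b8cd050198eb3f2ef92632c8ef97b0860a5a26672ef266b581f
+ metadata.gz: d993ae8aa1c6e20bdf2806a4b3d61d40c746752ef307bcf545ffd205d6f7d8fc9812a0e08de5bbaddd49da9bc5776f1cdfe0d6201615f6d9f3041a04f89cdfbb
+ data.tar.gz: 4fddb4af6b93aeefe469d7fbda76928189398fcd0fc6499777f8778fd3e747cd1fadb0fef7450263cac651c5cdee7d45fd148ac4e51a33d843b5e47fd15b9925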
@@ -0,0 +1,27 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/truthy'
5
+ require_relative 'base'
6
+
7
+ class DAXClusterEncryptionRule < BaseRule
8
+ def rule_text
9
+ 'DynamoDB Accelerator (DAX) Cluster should have encryption enabled'
10
+ end
11
+
12
+ def rule_type
13
+ Violation::WARNING
14
+ end
15
+
16
+ def rule_id
17
+ 'W83'
18
+ end
19
+
20
+ def audit_impl(cfn_model)
21
+ violating_clusters = cfn_model.resources_by_type('AWS::DAX::Cluster').select do |cluster|
22
+ cluster.sSESpecification.nil? || !truthy?(cluster.sSESpecification['SSEEnabled'].to_s)
23
+ end
24
+
25
+ violating_clusters.map(&:logical_resource_id)
26
+ end
27
+ end
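Review bot: The select block in audit_impl reports every `SSEEnabled` that is not a literal true, so a value supplied through `!Ref` or `Fn::If` is stringified as a Hash and — assuming `truthy?` only accepts literal true-like strings, which is not visible here — flagged even when the parameter resolves to true at deploy time. That is a defensible conservative default for a WARNING, but nothing in the code says it is deliberate; a comment such as `# Non-literal SSEEnabled (Ref/intrinsic) cannot be evaluated statically and is reported as a violation` would spare the next maintainer a test run. The same remark applies to a missing `SSEEnabled` key inside an otherwise present SSESpecification, which `nil.to_s` quietly turns into a violation as well.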
@@ -0,0 +1,37 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/truthy'
5
+ require_relative 'base'
6
+
7
+ class DLMLifecyclePolicyCrossRegionCopyEncryptionRule < BaseRule
8
+ def rule_text
9
+ 'DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption'
10
+ end
11
+
12
+ def rule_type
13
+ Violation::WARNING
14
+ end
15
+
16
+ def rule_id
17
+ 'W81'
18
+ end
19
+
20
+ def audit_impl(cfn_model)
21
+ violating_policies = cfn_model.resources_by_type('AWS::DLM::LifecyclePolicy').select do |policy|
22
+ if policy.policyDetails['Actions'].nil?
23
+ false
24
+ else
25
+ violating_actions = policy.policyDetails['Actions'].select do |action|
26
+ violating_copies = action['CrossRegionCopy'].select do |copy|
27
+ !truthy?(copy['EncryptionConfiguration']['Encrypted'].to_s)
28
+ end
29
+ !violating_copies.empty?
30
+ end
31
+ !violating_actions.empty?
32
+ end
33
+ end
34
+
35
+ violating_policies.map(&:logical_resource_id)
36
+ end
37
+ end
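Review bot: `action['CrossRegionCopy'].select` and `copy['EncryptionConfiguration']['Encrypted']` in audit_impl assume every Action carries a CrossRegionCopy list with a full EncryptionConfiguration, so a template that omits either raises NoMethodError and aborts the scan instead of reporting the policy; `Array(action['CrossRegionCopy'])` and `copy.dig('EncryptionConfiguration', 'Encrypted')` keep the rule total while leaving the verdict for well-formed templates unchanged. The rule also only descends into `PolicyDetails.Actions`; DLM templates can request cross-region copies under `PolicyDetails.Schedules[].CrossRegionCopyRules[]` with their own `Encrypted` flag, which this rule never sees — if that is intentionally left to another rule, a one-line comment saying so would prevent a false sense of coverage. Stylistically, the three nested `select` + `!empty?` pairs read more directly as nested `any?` calls.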
@@ -0,0 +1,48 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+
6
+ class EKSClusterEncryptionRule < BaseRule
7
+ def rule_text
8
+ 'EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::WARNING
13
+ end
14
+
15
+ def rule_id
16
+ 'W82'
17
+ end
18
+
19
+ def audit_impl(cfn_model)
20
+ violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
21
+ if cluster.encryptionConfig.nil?
22
+ true
23
+ elsif violating_configs?(cluster)
24
+ true
25
+ else
26
+ violating_providers?(cluster)
27
+ end
28
+ end
29
+
30
+ violating_clusters.map(&:logical_resource_id)
31
+ end
32
+
33
+ private
34
+
35
+ def violating_configs?(cluster)
36
+ violating_config = cluster.encryptionConfig.select do |config|
37
+ config['Provider'].nil?
38
+ end
39
+ !violating_config.empty?
40
+ end
41
+
42
+ def violating_providers?(cluster)
43
+ violating_provider = cluster.encryptionConfig.select do |config|
44
+ config['Provider']['KeyArn'].empty?
45
+ end
46
+ !violating_provider.empty?
47
+ end
48
+ end
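Review bot: `config['Provider']['KeyArn'].empty?` in violating_providers? raises NoMethodError when a Provider block has no KeyArn key (nil does not respond to `empty?`), which is precisely the misconfiguration the rule exists to report; `config['Provider']['KeyArn'].to_s.empty?` flags it instead and still accepts a `!Ref`/`!GetAtt` value, since a Hash stringifies to non-empty text. Separately, an explicit `EncryptionConfig: []` passes all three branches of audit_impl although nothing is encrypted; widening the first branch to `if cluster.encryptionConfig.nil? || cluster.encryptionConfig.empty?` closes that gap. A KeyArn alone also does not establish that secrets are covered — EncryptionConfig carries a `Resources` list as well, as far as I recall — but whether to check it is a scope decision beyond this hunk.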
@@ -0,0 +1,27 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+
6
+ class KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule < BaseRule
7
+ def rule_text
8
+ 'Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::WARNING
13
+ end
14
+
15
+ def rule_id
16
+ 'W80'
17
+ end
18
+
19
+ def audit_impl(cfn_model)
20
+ violating_indices = cfn_model.resources_by_type('AWS::Kendra::Index').select do |index|
21
+ index.serverSideEncryptionConfiguration.nil? ||
22
+ index.serverSideEncryptionConfiguration['KmsKeyId'].nil?
23
+ end
24
+
25
+ violating_indices.map(&:logical_resource_id)
26
+ end
27
+ end
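Review bot: The `nil?` test on `['KmsKeyId']` in audit_impl lets `KmsKeyId: ''` through, whereas the EKS rule added in the same release treats a blank key reference as a violation; `index.serverSideEncryptionConfiguration['KmsKeyId'].to_s.empty?` would make the two rules agree and still accept `!Ref`/`!GetAtt` values. A comment above the select block noting that omitting ServerSideEncryptionConfiguration entirely is reported as well would make the rule's intent explicit to readers who only see rule_text.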
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.17
4
+ version: 0.6.22
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2021-01-18 00:00:00.000000000 Z
11
+ date: 2021-01-19 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -198,6 +198,8 @@ files:
198
198
  - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
199
199
  - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
200
200
  - lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
201
+ - lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
202
+ - lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb
201
203
  - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
202
204
  - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
203
205
  - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -214,6 +216,7 @@ files:
214
216
  - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
215
217
  - lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
216
218
  - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
219
+ - lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb
217
220
  - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
218
221
  - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
219
222
  - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb
@@ -257,6 +260,7 @@ files:
257
260
  - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
258
261
  - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
259
262
  - lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
263
+ - lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb
260
264
  - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
261
265
  - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
262
266
  - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb