RubyGems - cfn-nag - Versions diffs - 0.6.18 → 0.6.23 - Mend

cfn-nag 0.6.18 → 0.6.23

Files changed (5) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a3fc1115d0e9a1739ac2a1fdddbd6ee693450fbf292f512e2554570293cbb01
-  data.tar.gz: 21fcfbd6d9deba76d3764b5170d382a1642d79a0322d49eb71805c7b15c41ae5
+  metadata.gz: 1c7606c36a3090b30bf520802dccc6b333605881e56618a60b12422517ad0068
+  data.tar.gz: bf80d7471ee01f6fb11f3439eea3f9dbbc7a35069b849dab0ad4c5ad3fab2b48
 SHA512:
-  metadata.gz: 6c18afb97fcb0df30296eb6660e6c07bdb4e7e241148529edb68e11bd0ef8bd3dbb5bbf065be4d6ff554eb025059a7da5f53185481bcca75d0540447703838da
-  data.tar.gz: c42ed45e2cc5177e8e26acd0f503682b6deb6f0f172c31214753654ac31425e609f17b0cbf60050002fa40a628fd53f7048ab7831b5f211b2cf4908e5a17f8b0
+  metadata.gz: d4d3ac0f7e8f1196a98af8a0b366146f66bda4080a224cb0ca3130108b849a23ded6d3febbbf81807bee854ef4ca002b1b02c98f7376ed244066d9509aaf34e6
+  data.tar.gz: 7b33bd7abb7d9d37ed50ad5912fa7e718f5401c60781c5ab0ac4e878d7c5830ac8325fe73fcccf4dd8d1e772838d2bcee77cad140d2e90cfd5a32b3b9042da38

data/lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb ADDED

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+class DLMLifecyclePolicyCrossRegionCopyEncryptionRule < BaseRule
+  def rule_text
+    'DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W81'
+  end
+  def audit_impl(cfn_model)
+    violating_policies = cfn_model.resources_by_type('AWS::DLM::LifecyclePolicy').select do |policy|
+      if policy.policyDetails['Actions'].nil?
+        false
+      else
+        violating_actions = policy.policyDetails['Actions'].select do |action|
+          violating_copies = action['CrossRegionCopy'].select do |copy|
+            !truthy?(copy['EncryptionConfiguration']['Encrypted'].to_s)
+          end
+          !violating_copies.empty?
+        end
+        !violating_actions.empty?
+      end
+    end
+    violating_policies.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb ADDED

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class EKSClusterEncryptionRule < BaseRule
+  def rule_text
+    'EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W82'
+  end
+  def audit_impl(cfn_model)
+    violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
+      if cluster.encryptionConfig.nil?
+        true
+      elsif violating_configs?(cluster)
+        true
+      else
+        violating_providers?(cluster)
+      end
+    end
+    violating_clusters.map(&:logical_resource_id)
+  end
+  private
+  def violating_configs?(cluster)
+    violating_config = cluster.encryptionConfig.select do |config|
+      config['Provider'].nil?
+    end
+    !violating_config.empty?
+  end
+  def violating_providers?(cluster)
+    violating_provider = cluster.encryptionConfig.select do |config|
+      config['Provider']['KeyArn'].empty?
+    end
+    !violating_provider.empty?
+  end
+end

data/lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb ADDED

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule < BaseRule
+  def rule_text
+    'Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W80'
+  end
+  def audit_impl(cfn_model)
+    violating_indices = cfn_model.resources_by_type('AWS::Kendra::Index').select do |index|
+      index.serverSideEncryptionConfiguration.nil? ||
+        index.serverSideEncryptionConfiguration['KmsKeyId'].nil?
+    end
+    violating_indices.map(&:logical_resource_id)
+  end
+end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.6.18
+  version: 0.6.23
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-01-18 00:00:00.000000000 Z
+date: 2021-01-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -199,6 +199,7 @@ files:
 - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
 - lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
 - lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
+- lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
@@ -215,6 +216,7 @@ files:
 - lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
 - lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
 - lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
+- lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
 - lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb
@@ -258,6 +260,7 @@ files:
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
+- lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
 - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb