cfn-nag 0.6.18 → 0.6.23
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 1c7606c36a3090b30bf520802dccc6b333605881e56618a60b12422517ad0068
|
|
4
|
+
data.tar.gz: bf80d7471ee01f6fb11f3439eea3f9dbbc7a35069b849dab0ad4c5ad3fab2b48
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d4d3ac0f7e8f1196a98af8a0b366146f66bda4080a224cb0ca3130108b849a23ded6d3febbbf81807bee854ef4ca002b1b02c98f7376ed244066d9509aaf34e6
|
|
7
|
+
data.tar.gz: 7b33bd7abb7d9d37ed50ad5912fa7e718f5401c60781c5ab0ac4e878d7c5830ac8325fe73fcccf4dd8d1e772838d2bcee77cad140d2e90cfd5a32b3b9042da38
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require 'cfn-nag/util/truthy'
|
|
5
|
+
require_relative 'base'
|
|
6
|
+
|
|
7
|
+
class DLMLifecyclePolicyCrossRegionCopyEncryptionRule < BaseRule
|
|
8
|
+
def rule_text
|
|
9
|
+
'DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption'
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def rule_type
|
|
13
|
+
Violation::WARNING
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def rule_id
|
|
17
|
+
'W81'
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def audit_impl(cfn_model)
|
|
21
|
+
violating_policies = cfn_model.resources_by_type('AWS::DLM::LifecyclePolicy').select do |policy|
|
|
22
|
+
if policy.policyDetails['Actions'].nil?
|
|
23
|
+
false
|
|
24
|
+
else
|
|
25
|
+
violating_actions = policy.policyDetails['Actions'].select do |action|
|
|
26
|
+
violating_copies = action['CrossRegionCopy'].select do |copy|
|
|
27
|
+
!truthy?(copy['EncryptionConfiguration']['Encrypted'].to_s)
|
|
28
|
+
end
|
|
29
|
+
!violating_copies.empty?
|
|
30
|
+
end
|
|
31
|
+
!violating_actions.empty?
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
violating_policies.map(&:logical_resource_id)
|
|
36
|
+
end
|
|
37
|
+
end
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class EKSClusterEncryptionRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W82'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def audit_impl(cfn_model)
|
|
20
|
+
violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
|
|
21
|
+
if cluster.encryptionConfig.nil?
|
|
22
|
+
true
|
|
23
|
+
elsif violating_configs?(cluster)
|
|
24
|
+
true
|
|
25
|
+
else
|
|
26
|
+
violating_providers?(cluster)
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
violating_clusters.map(&:logical_resource_id)
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
private
|
|
34
|
+
|
|
35
|
+
def violating_configs?(cluster)
|
|
36
|
+
violating_config = cluster.encryptionConfig.select do |config|
|
|
37
|
+
config['Provider'].nil?
|
|
38
|
+
end
|
|
39
|
+
!violating_config.empty?
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def violating_providers?(cluster)
|
|
43
|
+
violating_provider = cluster.encryptionConfig.select do |config|
|
|
44
|
+
config['Provider']['KeyArn'].empty?
|
|
45
|
+
end
|
|
46
|
+
!violating_provider.empty?
|
|
47
|
+
end
|
|
48
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W80'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def audit_impl(cfn_model)
|
|
20
|
+
violating_indices = cfn_model.resources_by_type('AWS::Kendra::Index').select do |index|
|
|
21
|
+
index.serverSideEncryptionConfiguration.nil? ||
|
|
22
|
+
index.serverSideEncryptionConfiguration['KmsKeyId'].nil?
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
violating_indices.map(&:logical_resource_id)
|
|
26
|
+
end
|
|
27
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.6.
|
|
4
|
+
version: 0.6.23
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-01-
|
|
11
|
+
date: 2021-01-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -199,6 +199,7 @@ files:
|
|
|
199
199
|
- lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
|
|
200
200
|
- lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
|
|
201
201
|
- lib/cfn-nag/custom_rules/DAXClusterEncryptionRule.rb
|
|
202
|
+
- lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb
|
|
202
203
|
- lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
|
|
203
204
|
- lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
|
|
204
205
|
- lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
|
|
@@ -215,6 +216,7 @@ files:
|
|
|
215
216
|
- lib/cfn-nag/custom_rules/EC2SubnetMapPublicIpOnLaunchRule.rb
|
|
216
217
|
- lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb
|
|
217
218
|
- lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb
|
|
219
|
+
- lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb
|
|
218
220
|
- lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb
|
|
219
221
|
- lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
|
|
220
222
|
- lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb
|
|
@@ -258,6 +260,7 @@ files:
|
|
|
258
260
|
- lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
|
|
259
261
|
- lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
|
|
260
262
|
- lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
|
|
263
|
+
- lib/cfn-nag/custom_rules/KendraIndexServerSideEncryptionConfigurationKmsKeyIdRule.rb
|
|
261
264
|
- lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
|
|
262
265
|
- lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
|
|
263
266
|
- lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
|