cfn-nag 0.7.13 → 0.8.0
- checksums.yaml +4 -4
- data/bin/cfn_nag_rules +2 -2
- data/bin/spcm_scan +1 -1
- data/lib/cfn-nag/cfn_nag.rb +11 -11
- data/lib/cfn-nag/cfn_nag_config.rb +3 -3
- data/lib/cfn-nag/cfn_nag_executor.rb +5 -5
- data/lib/cfn-nag/cli_options.rb +15 -5
- data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/AmplifyBranchBasicAuthConfigPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ApiGatewayCacheEncryptedRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/EC2NetworkAclEntryProtocolRule.rb +3 -7
- data/lib/cfn-nag/custom_rules/EKSClusterEncryptionRule.rb +1 -3
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesADDomainJoinPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesKdcAdminPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAuthTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb +2 -0
- data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb +4 -6
- data/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb +3 -3
- data/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb +3 -5
- data/lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ManagedBlockchainMemberMemberFabricConfigurationAdminPasswordRule.rb +4 -7
- data/lib/cfn-nag/custom_rules/OpsWorksAppAppSourcePasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/OpsWorksAppSslConfigurationPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/OpsWorksStackCustomCookbooksSourcePasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSSandboxChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelPrivateKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/PinpointAPNSVoipSandboxChannelTokenKeyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RDSDBInstanceMasterUsernameRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb +2 -2
- data/lib/cfn-nag/deny_list_loader.rb +43 -0
- data/lib/cfn-nag/iam_complexity_metric/spcm.rb +3 -3
- data/lib/cfn-nag/util/enforce_reference_parameter.rb +1 -1
- data/lib/cfn-nag/violation_filtering.rb +9 -9
- metadata +9 -9
- data/lib/cfn-nag/blacklist_loader.rb +0 -43
checksums.yaml
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e4c41df0b3f754ff3eed8026a43244578095abe1ce06be4c89a2457af83c718b
|
|
4
|
+
data.tar.gz: 7c648f6838985bc45f6bb2a4f600ea93c05b8f10b1078a0e83b936c7e7449e59
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 1e90784cea9ee178aed35ae2f0bc27ecaeb3115307bd21553a45b2504dcd2e02aa561d9dd6150fdc7f2e1ee96632488bc6160422df7c7a1a7a466e1e5ceed585
|
|
7
|
+
data.tar.gz: d2937c0bf6c1b4d2326b6ab11ea68149c8635de02722d93ac4d6c5824d8fa1b885ce2691d30901044a3f889019227956faaaec489609178d4e1f63812e036de9
|
data/bin/cfn_nag_rules
|
@@ -27,12 +27,12 @@ end
|
|
|
27
27
|
|
|
28
28
|
profile_definition = nil
|
|
29
29
|
unless opts[:profile_path].nil?
|
|
30
|
-
profile_definition =
|
|
30
|
+
profile_definition = File.read(opts[:profile_path])
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
rule_repository_definitions = []
|
|
34
34
|
opts[:rule_repository]&.each do |rule_repository|
|
|
35
|
-
rule_repository_definitions <<
|
|
35
|
+
rule_repository_definitions << File.read(rule_repository)
|
|
36
36
|
end
|
|
37
37
|
|
|
38
38
|
rule_dumper = CfnNagRuleDumper.new(profile_definition: profile_definition,
|
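Review bot: `File.read(opts[:profile_path])` at line 30 and `File.read(rule_repository)` at line 35 read user-supplied paths with no handling, so a missing or unreadable file surfaces as an `Errno::ENOENT`/`Errno::EACCES` backtrace instead of a usable message. The executor in `cfn_nag_executor.rb` centralises the same pattern in `read_conditionally`; reusing it, or rescuing `SystemCallError` here with a one-line message naming the offending option, keeps the two entry points consistent. The statement starting at line 38 continues past the hunk.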
data/bin/spcm_scan
data/lib/cfn-nag/cfn_nag.rb
|
@@ -55,8 +55,8 @@ class CfnNag
|
|
|
55
55
|
parameter_values_path: nil,
|
|
56
56
|
condition_values_path: nil,
|
|
57
57
|
template_pattern: DEFAULT_TEMPLATE_PATTERN)
|
|
58
|
-
parameter_values_string = parameter_values_path.nil? ? nil :
|
|
59
|
-
condition_values_string = condition_values_path.nil? ? nil :
|
|
58
|
+
parameter_values_string = parameter_values_path.nil? ? nil : File.read(parameter_values_path)
|
|
59
|
+
condition_values_string = condition_values_path.nil? ? nil : File.read(condition_values_path)
|
|
60
60
|
|
|
61
61
|
templates = TemplateDiscovery.new.discover_templates(input_json_path: input_path,
|
|
62
62
|
template_pattern: template_pattern)
|
|
@@ -64,7 +64,7 @@ class CfnNag
|
|
|
64
64
|
templates.each do |template|
|
|
65
65
|
aggregate_results << {
|
|
66
66
|
filename: template,
|
|
67
|
-
file_results: audit(cloudformation_string:
|
|
67
|
+
file_results: audit(cloudformation_string: File.read(template),
|
|
68
68
|
parameter_values_string: parameter_values_string,
|
|
69
69
|
condition_values_string: condition_values_string)
|
|
70
70
|
}
|
|
@@ -93,7 +93,7 @@ class CfnNag
|
|
|
93
93
|
@config.custom_rule_loader.rule_definitions
|
|
94
94
|
)
|
|
95
95
|
|
|
96
|
-
violations =
|
|
96
|
+
violations = filter_violations_by_deny_list_and_profile(violations)
|
|
97
97
|
violations = mark_line_numbers(violations, cfn_model)
|
|
98
98
|
rescue RuleRepoException, Psych::SyntaxError, ParserError => fatal_error
|
|
99
99
|
violations << fatal_violation(fatal_error.to_s)
|
|
@@ -107,7 +107,7 @@ class CfnNag
|
|
|
107
107
|
end
|
|
108
108
|
|
|
109
109
|
def prune_fatal_violations(violations)
|
|
110
|
-
violations.reject { |violation| violation.
|
|
110
|
+
violations.reject { |violation| violation.id == 'FATAL' }
|
|
111
111
|
end
|
|
112
112
|
|
|
113
113
|
def render_results(aggregate_results:,
|
|
@@ -127,21 +127,21 @@ class CfnNag
|
|
|
127
127
|
violations
|
|
128
128
|
end
|
|
129
129
|
|
|
130
|
-
def
|
|
130
|
+
def filter_violations_by_deny_list_and_profile(violations)
|
|
131
131
|
violations = filter_violations_by_profile(
|
|
132
132
|
profile_definition: @config.profile_definition,
|
|
133
133
|
rule_definitions: @config.custom_rule_loader.rule_definitions,
|
|
134
134
|
violations: violations
|
|
135
135
|
)
|
|
136
136
|
|
|
137
|
-
# this must come after -
|
|
138
|
-
|
|
139
|
-
|
|
137
|
+
# this must come after - deny list should always win
|
|
138
|
+
filter_violations_by_deny_list(
|
|
139
|
+
deny_list_definition: @config.deny_list_definition,
|
|
140
140
|
rule_definitions: @config.custom_rule_loader.rule_definitions,
|
|
141
141
|
violations: violations
|
|
142
142
|
)
|
|
143
|
-
rescue StandardError =>
|
|
144
|
-
violations << fatal_violation(
|
|
143
|
+
rescue StandardError => deny_list_or_profile_parse_error
|
|
144
|
+
violations << fatal_violation(deny_list_or_profile_parse_error.to_s)
|
|
145
145
|
violations
|
|
146
146
|
end
|
|
147
147
|
|
|
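Review bot: `rescue StandardError => deny_list_or_profile_parse_error` at line 143 converts any exception raised during filtering — including programming errors such as a NoMethodError from an unexpected deny-list shape — into a FATAL violation whose message is only `to_s`, so the user sees a terse error with no exception class and cannot tell malformed input from a bug. The same file already names the parse errors it expects (`Psych::SyntaxError`, `ParserError` at line 98); rescuing those here, or at least building the message as `"#{deny_list_or_profile_parse_error.class}: #{deny_list_or_profile_parse_error}"`, keeps the two cases distinguishable. Note also that when the deny-list step raises, the `violations` returned are the profile-filtered set with the deny list not applied at all, so the comment at line 137 should say that a deny-list failure is surfaced as FATAL rather than the deny list being silently skipped.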
@@ -3,7 +3,7 @@
|
|
|
3
3
|
class CfnNagConfig
|
|
4
4
|
# rubocop:disable Metrics/ParameterLists
|
|
5
5
|
def initialize(profile_definition: nil,
|
|
6
|
-
|
|
6
|
+
deny_list_definition: nil,
|
|
7
7
|
rule_directory: nil,
|
|
8
8
|
allow_suppression: true,
|
|
9
9
|
print_suppression: false,
|
|
@@ -21,7 +21,7 @@ class CfnNagConfig
|
|
|
21
21
|
rule_repository_definitions: rule_repository_definitions
|
|
22
22
|
)
|
|
23
23
|
@profile_definition = profile_definition
|
|
24
|
-
@
|
|
24
|
+
@deny_list_definition = deny_list_definition
|
|
25
25
|
@fail_on_warnings = fail_on_warnings
|
|
26
26
|
@rule_repositories = rule_repositories
|
|
27
27
|
@rule_arguments = rule_arguments
|
|
@@ -29,6 +29,6 @@ class CfnNagConfig
|
|
|
29
29
|
end
|
|
30
30
|
# rubocop:enable Metrics/ParameterLists
|
|
31
31
|
|
|
32
|
-
attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :
|
|
32
|
+
attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :deny_list_definition, \
|
|
33
33
|
:fail_on_warnings, :rule_repositories, :ignore_fatal
|
|
34
34
|
end
|
|
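Review bot: The `attr_reader` line at 32 ends with `, \`, but a trailing comma already continues the argument list onto the next line, so the backslash is redundant and is a common source of stray-escape lint warnings. Dropping it leaves `attr_reader :rule_arguments, :rule_directory, :custom_rule_loader, :profile_definition, :deny_list_definition,` followed by the existing `:fail_on_warnings, :rule_repositories, :ignore_fatal` line. Since `deny_list_definition` is new public surface on the config, a short comment above the reader noting that it holds the raw deny-list file contents as read by the executor, not a parsed structure, would help callers.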
@@ -7,7 +7,7 @@ require 'cfn-nag/cfn_nag_config'
|
|
|
7
7
|
class CfnNagExecutor
|
|
8
8
|
def initialize
|
|
9
9
|
@profile_definition = nil
|
|
10
|
-
@
|
|
10
|
+
@deny_list_definition = nil
|
|
11
11
|
@parameter_values_string = nil
|
|
12
12
|
@condition_values_string = nil
|
|
13
13
|
@rule_repository_definitions = []
|
|
@@ -89,7 +89,7 @@ class CfnNagExecutor
|
|
|
89
89
|
def execute_io_options(opts)
|
|
90
90
|
@profile_definition = read_conditionally(opts[:profile_path])
|
|
91
91
|
|
|
92
|
-
@
|
|
92
|
+
@deny_list_definition = read_conditionally(opts[:deny_list_path]) || read_conditionally(opts[:blacklist_path])
|
|
93
93
|
|
|
94
94
|
@parameter_values_string = read_conditionally(opts[:parameter_values_path])
|
|
95
95
|
|
|
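Review bot: The deprecated `--blacklist-path` option is still accepted silently at line 92, and when both paths are supplied the blacklist file is discarded by the `||` without any message. A one-line warning makes the deprecation visible at runtime: `warn 'WARNING: --blacklist-path is deprecated, use --deny-list-path' if opts[:blacklist_path]` placed before the assignment. Because `''` is truthy in Ruby an empty deny-list file still wins over the blacklist, which is presumably intended; a short comment on the line saying so would spare the next reader the check. `execute_io_options` continues past the hunk.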
@@ -98,13 +98,13 @@ class CfnNagExecutor
|
|
|
98
98
|
@rule_arguments_string = read_conditionally(opts[:rule_arguments_path])
|
|
99
99
|
|
|
100
100
|
opts[:rule_repository]&.each do |rule_repository|
|
|
101
|
-
@rule_repository_definitions <<
|
|
101
|
+
@rule_repository_definitions << File.read(rule_repository)
|
|
102
102
|
end
|
|
103
103
|
end
|
|
104
104
|
|
|
105
105
|
def read_conditionally(path)
|
|
106
106
|
unless path.nil?
|
|
107
|
-
|
|
107
|
+
File.read(path)
|
|
108
108
|
end
|
|
109
109
|
end
|
|
110
110
|
|
|
@@ -122,7 +122,7 @@ class CfnNagExecutor
|
|
|
122
122
|
def cfn_nag_config(opts)
|
|
123
123
|
CfnNagConfig.new(
|
|
124
124
|
profile_definition: @profile_definition,
|
|
125
|
-
|
|
125
|
+
deny_list_definition: @deny_list_definition,
|
|
126
126
|
rule_directory: opts[:rule_directory],
|
|
127
127
|
allow_suppression: opts[:allow_suppression],
|
|
128
128
|
print_suppression: opts[:print_suppression],
|
data/lib/cfn-nag/cli_options.rb
|
@@ -5,8 +5,8 @@ require 'optimist'
|
|
|
5
5
|
# rubocop:disable Metrics/ClassLength
|
|
6
6
|
class Options
|
|
7
7
|
@custom_rule_exceptions_message = 'Isolate custom rule exceptions - just ' \
|
|
8
|
-
|
|
9
|
-
|
|
8
|
+
'emit the exception without stack trace ' \
|
|
9
|
+
'and keep chugging'
|
|
10
10
|
|
|
11
11
|
@version = Gem::Specification.find_by_name('cfn-nag').version
|
|
12
12
|
|
|
@@ -25,7 +25,7 @@ class Options
|
|
|
25
25
|
# rubocop:disable Metrics/MethodLength
|
|
26
26
|
def self.file_options
|
|
27
27
|
options_message = '[options] <cloudformation template path ...>|' \
|
|
28
|
-
|
|
28
|
+
'<cloudformation template in STDIN>'
|
|
29
29
|
custom_rule_exceptions_message = @custom_rule_exceptions_message
|
|
30
30
|
version = @version
|
|
31
31
|
|
|
@@ -58,8 +58,13 @@ class Options
|
|
|
58
58
|
type: :string,
|
|
59
59
|
required: false,
|
|
60
60
|
default: nil
|
|
61
|
+
opt :deny_list_path,
|
|
62
|
+
'Path to a deny list file',
|
|
63
|
+
type: :string,
|
|
64
|
+
required: false,
|
|
65
|
+
default: nil
|
|
61
66
|
opt :blacklist_path,
|
|
62
|
-
'Path to a
|
|
67
|
+
'(Deprecated) Path to a deny list file',
|
|
63
68
|
type: :string,
|
|
64
69
|
required: false,
|
|
65
70
|
default: nil
|
|
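Review bot: `opt :deny_list_path` and `opt :blacklist_path` are both accepted without being declared exclusive, so a user can pass both and one is silently discarded downstream by whatever precedence the executor applies. If these `opt` calls sit inside an `Optimist.options` block, as the `require 'optimist'` context suggests, adding `conflicts :deny_list_path, :blacklist_path` after the two definitions makes Optimist reject the combination with a clear message. The same pair is repeated in the @@ -145 hunk of this file and needs the same declaration. Neither hunk shows the end of the enclosing method.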
@@ -145,8 +150,13 @@ class Options
|
|
|
145
150
|
type: :string,
|
|
146
151
|
required: false,
|
|
147
152
|
default: nil
|
|
153
|
+
opt :deny_list_path,
|
|
154
|
+
'Path to a deny list file',
|
|
155
|
+
type: :string,
|
|
156
|
+
required: false,
|
|
157
|
+
default: nil
|
|
148
158
|
opt :blacklist_path,
|
|
149
|
-
'Path to a
|
|
159
|
+
'(Deprecated) Path to a deny list file',
|
|
150
160
|
type: :string,
|
|
151
161
|
required: false,
|
|
152
162
|
default: nil
|
|
@@ -8,7 +8,7 @@ require_relative 'base'
|
|
|
8
8
|
class AlexaASKSkillAuthenticationConfigurationClientSecretRule < BaseRule
|
|
9
9
|
def rule_text
|
|
10
10
|
'Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be ' \
|
|
11
|
-
|
|
11
|
+
'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
|
@@ -8,7 +8,7 @@ require_relative 'base'
|
|
|
8
8
|
class AlexaASKSkillAuthenticationConfigurationRefreshTokenRule < BaseRule
|
|
9
9
|
def rule_text
|
|
10
10
|
'Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be ' \
|
|
11
|
-
|
|
11
|
+
'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
|
@@ -6,7 +6,7 @@ require_relative 'sub_property_with_list_password_base_rule'
|
|
|
6
6
|
class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. ' \
|
|
9
|
-
|
|
9
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class AmplifyAppAccessTokenRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Amplify App AccessToken must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class AmplifyAppBasicAuthConfigPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Amplify App BasicAuthConfig Password must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class AmplifyAppOauthTokenRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Amplify App OauthToken must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class AmplifyBranchBasicAuthConfigPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Amplify Branch BasicAuthConfig Password must not be a plaintext ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'string or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,7 +6,7 @@ require_relative 'base'
|
|
|
6
6
|
class ApiGatewayAccessLoggingRule < BaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'ApiGateway Deployment resource should have AccessLogSetting property configured when creating an ' \
|
|
9
|
-
|
|
9
|
+
'API Stage itself (through specifying the StageName and StageDescription properties).'
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def rule_type
|
|
@@ -6,7 +6,7 @@ require_relative 'base'
|
|
|
6
6
|
class ApiGatewayCacheEncryptedRule < BaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'ApiGateway Deployment should have cache data encryption enabled when caching is enabled' \
|
|
9
|
-
|
|
9
|
+
' in StageDescription properties'
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def rule_type
|
|
@@ -6,7 +6,7 @@ require_relative 'base'
|
|
|
6
6
|
class ApiGatewayMethodAuthorizationTypeRule < BaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
"AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE' unless it is of " \
|
|
9
|
-
|
|
9
|
+
'HttpMethod: OPTIONS.'
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def rule_type
|
|
@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'AppStream DirectoryConfig ServiceAccountCredentials AccountPassword ' \
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
'must not be a plaintext string or a Ref to a Parameter ' \
|
|
10
|
+
'with a Default value. ' \
|
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
data/lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class CodePipelineWebhookAuthenticationConfigurationSecretTokenRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'CodePipeline Webhook AuthenticationConfiguration SecretToken must not be ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'a plaintext string or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -7,7 +7,7 @@ require_relative 'base'
|
|
|
7
7
|
class CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule < BaseRule
|
|
8
8
|
def rule_text
|
|
9
9
|
'AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false ' \
|
|
10
|
-
|
|
10
|
+
'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class DMSEndpointMongoDbSettingsPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'DMS Endpoint MongoDbSettings Password must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class DMSEndpointPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'DMS Endpoint password must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -7,8 +7,8 @@ require_relative 'password_base_rule'
|
|
|
7
7
|
class DirectoryServiceMicrosoftADPasswordRule < PasswordBaseRule
|
|
8
8
|
def rule_text
|
|
9
9
|
'Directory Service Microsoft AD password must not be a plaintext string ' \
|
|
10
|
-
|
|
11
|
-
|
|
10
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
|
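Review bot: The rewritten rule text at line 11 tells users that an `ssm-secure` dynamic reference is acceptable, while the otherwise identical texts in the Amplify, DMS, DocDB, EMR, IAM and Lambda password rules in this diff mention only `secretsmanager`. If `PasswordBaseRule` applies the same dynamic-reference check to every subclass, those texts under-document the accepted forms; if it does not, the difference deserves a comment in the subclass explaining why. The wording change itself is otherwise a line reflow.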
@@ -7,8 +7,8 @@ require_relative 'password_base_rule'
|
|
|
7
7
|
class DirectoryServiceSimpleADPasswordRule < PasswordBaseRule
|
|
8
8
|
def rule_text
|
|
9
9
|
'DirectoryService SimpleAD password must not be a plaintext string ' \
|
|
10
|
-
|
|
11
|
-
|
|
10
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class DocDBDBClusterMasterUserPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'DocDB DB Cluster master user password must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,7 +6,7 @@ require_relative 'base'
|
|
|
6
6
|
class EC2NetworkAclEntryProtocolRule < BaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 ' \
|
|
9
|
-
|
|
9
|
+
'(for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).'
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def rule_type
|
|
@@ -53,12 +53,8 @@ class EC2NetworkAclEntryProtocolRule < BaseRule
|
|
|
53
53
|
|
|
54
54
|
def violating_network_acl_entries?(network_acl_entry)
|
|
55
55
|
if rule_action_allow?(network_acl_entry)
|
|
56
|
-
|
|
57
|
-
icmpv6_protocol?(network_acl_entry)
|
|
58
|
-
false
|
|
59
|
-
else
|
|
60
|
-
true
|
|
61
|
-
end
|
|
56
|
+
!(tcp_udp_icmp_protocol?(network_acl_entry) ||
|
|
57
|
+
icmpv6_protocol?(network_acl_entry))
|
|
62
58
|
end
|
|
63
59
|
end
|
|
64
60
|
end
|
|
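Review bot: `violating_network_acl_entries?` at lines 54-59 has no `else` branch, so for entries whose RuleAction is not Allow the predicate returns `nil` rather than `false`; a caller that only tests truthiness is unaffected, but a `?` method is expected to yield a boolean. A guard clause reads more directly and fixes the return value: `return false unless rule_action_allow?(network_acl_entry)` followed by `!(tcp_udp_icmp_protocol?(network_acl_entry) || icmpv6_protocol?(network_acl_entry))`.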
@@ -18,9 +18,7 @@ class EKSClusterEncryptionRule < BaseRule
|
|
|
18
18
|
|
|
19
19
|
def audit_impl(cfn_model)
|
|
20
20
|
violating_clusters = cfn_model.resources_by_type('AWS::EKS::Cluster').select do |cluster|
|
|
21
|
-
if cluster.encryptionConfig.nil?
|
|
22
|
-
true
|
|
23
|
-
elsif violating_configs?(cluster)
|
|
21
|
+
if cluster.encryptionConfig.nil? || violating_configs?(cluster)
|
|
24
22
|
true
|
|
25
23
|
else
|
|
26
24
|
violating_providers?(cluster)
|
|
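Review bot: The new `if cluster.encryptionConfig.nil? || violating_configs?(cluster)` at line 21 still sits in an `if`/`else` that returns `true` or delegates, which is a plain disjunction: the block body can be the single expression `cluster.encryptionConfig.nil? || violating_configs?(cluster) || violating_providers?(cluster)`. The `select` block and `audit_impl` continue past the hunk, so the matching `end` lines would be removed there as well.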
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class EMRClusterKerberosAttributesADDomainJoinPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'plaintext string or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
data/lib/cfn-nag/custom_rules/EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule.rb
|
@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must ' \
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
'not be a plaintext string or a Ref to a Parameter with a ' \
|
|
10
|
+
'Default value. ' \
|
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class EMRClusterKerberosAttributesKdcAdminPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'EMR Cluster KerberosAttributes KdcAdmin Password must not be a ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'plaintext string or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class ElastiCacheReplicationGroupAuthTokenRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'ElastiCache ReplicationGroup AuthToken must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -18,6 +18,8 @@ class GameLiftFleetInboundPortRangeRule < BaseRule
|
|
|
18
18
|
|
|
19
19
|
def audit_impl(cfn_model)
|
|
20
20
|
violating_gamelift_fleets = cfn_model.resources_by_type('AWS::GameLift::Fleet').select do |gamelift_fleet|
|
|
21
|
+
next false if gamelift_fleet.eC2InboundPermissions.nil?
|
|
22
|
+
|
|
21
23
|
violating_permissions = gamelift_fleet.eC2InboundPermissions.select do |permission|
|
|
22
24
|
# Cast to strings incase template provided mixed types
|
|
23
25
|
permission['FromPort'].to_s != permission['ToPort'].to_s
|
|
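Review bot: `next false if gamelift_fleet.eC2InboundPermissions.nil?` at line 21 decides that a fleet with no EC2InboundPermissions is not a violation, which is reasonable since there is no port range to check, but the intent is not stated. A comment such as `# No inbound permissions declared: nothing to check, so not a violation` above the guard records it. The guard covers only `nil`; if the property can arrive as a non-Array value (an intrinsic function, for example) the following `select` would still raise — worth confirming against how cfn_model presents that property. `audit_impl` continues past the hunk.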
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class IAMUserLoginProfilePasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'IAM User LoginProfile Password must not be a plaintext string or ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|
|
@@ -29,9 +29,7 @@ class IamUserLoginProfilePasswordResetRule < BaseRule
|
|
|
29
29
|
|
|
30
30
|
def iam_user_password_reset_required_key?(login_profile)
|
|
31
31
|
if login_profile.key? 'PasswordResetRequired'
|
|
32
|
-
if login_profile['PasswordResetRequired'].nil?
|
|
33
|
-
true
|
|
34
|
-
elsif not_truthy?(login_profile['PasswordResetRequired'])
|
|
32
|
+
if login_profile['PasswordResetRequired'].nil? || not_truthy?(login_profile['PasswordResetRequired'])
|
|
35
33
|
true
|
|
36
34
|
end
|
|
37
35
|
else
|
|
@@ -40,10 +38,10 @@ class IamUserLoginProfilePasswordResetRule < BaseRule
|
|
|
40
38
|
end
|
|
41
39
|
|
|
42
40
|
def violating_iam_users?(iam_user)
|
|
43
|
-
if
|
|
44
|
-
iam_user_password_reset_required_key?(iam_user.loginProfile)
|
|
45
|
-
else
|
|
41
|
+
if iam_user.loginProfile.nil?
|
|
46
42
|
false
|
|
43
|
+
else
|
|
44
|
+
iam_user_password_reset_required_key?(iam_user.loginProfile)
|
|
47
45
|
end
|
|
48
46
|
end
|
|
49
47
|
end
|
|
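Review bot: `violating_iam_users?` at lines 40-46 spells out `if nil? then false else predicate end`, which reads better as a guard: `return false if iam_user.loginProfile.nil?` followed by `iam_user_password_reset_required_key?(iam_user.loginProfile)`. In the earlier hunk of this file, `iam_user_password_reset_required_key?` at line 32 wraps the new disjunction in an inner `if` with no `else`, so a truthy PasswordResetRequired yields `nil` rather than `false`; the inner `if` can be dropped and the disjunction returned directly. The outer `else` branch of that method lies outside the hunk.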
@@ -6,7 +6,7 @@ require_relative 'base'
|
|
|
6
6
|
class KMSKeyWildcardPrincipalRule < BaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'KMS key should not allow * principal ' \
|
|
9
|
-
|
|
9
|
+
'(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)'
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def rule_type
|
|
@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password ' \
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
'must not be a plaintext string or a Ref to a Parameter with a ' \
|
|
10
|
+
'Default value. ' \
|
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
|
@@ -6,9 +6,9 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken ' \
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
'must not be a plaintext string or a Ref to a Parameter with a ' \
|
|
10
|
+
'Default value. ' \
|
|
11
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
12
12
|
end
|
|
13
13
|
|
|
14
14
|
def rule_type
|
|
@@ -27,11 +27,9 @@ class KinesisStreamStreamEncryptionRule < BaseRule
|
|
|
27
27
|
private
|
|
28
28
|
|
|
29
29
|
def violating_kinesis_streams?(kinesis_stream)
|
|
30
|
-
if kinesis_stream.streamEncryption.nil?
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
true
|
|
34
|
-
elsif kinesis_stream.streamEncryption['KeyId'].nil?
|
|
30
|
+
if kinesis_stream.streamEncryption.nil? ||
|
|
31
|
+
kinesis_stream.streamEncryption['EncryptionType'].nil? ||
|
|
32
|
+
kinesis_stream.streamEncryption['KeyId'].nil?
|
|
35
33
|
true
|
|
36
34
|
else
|
|
37
35
|
kinesis_stream.streamEncryption['EncryptionType'] == 'NONE'
|
|
@@ -6,8 +6,8 @@ require_relative 'password_base_rule'
|
|
|
6
6
|
class LambdaPermissionEventSourceTokenRule < PasswordBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Lambda Permission EventSourceToken must not be a plaintext string ' \
|
|
9
|
-
|
|
10
|
-
|
|
9
|
+
'or a Ref to a Parameter with a Default value. ' \
|
|
10
|
+
'Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.'
|
|
11
11
|
end
|
|
12
12
|
|
|
13
13
|
def rule_type
|