cfn-nag 0.7.3 → 0.7.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb +4 -3
- data/lib/cfn-nag/custom_rules/DMSReplicationInstanceNotPublicRule.rb +27 -0
- data/lib/cfn-nag/custom_rules/ECRRepositoryScanOnPushRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb +26 -0
- data/lib/cfn-nag/custom_rules/LambdaFunctionInsideVPCRule.rb +27 -0
- metadata +5 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 687faf1b1a2510a790d5c225ea91dcaa18d3384bfc053279e6b4df606a21172a
|
|
4
|
+
data.tar.gz: 99cb292f48d8c2cada20d5fae525a7f23491903bfd79cffe2aeaf43326cbfd70
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e3700d6df829ab53c3255499d4487badba2fba8ce83cd7af6c1455b6025aaca5156b1ae90c2e663eefad2ea2fb16d544e4dadd8b03443aa674185492a8be5d47
|
|
7
|
+
data.tar.gz: ee20bb214f2dbe6f97ea275cb07a6b5352c0c61bc9c1050e39a6c5c93f4e932103cbe9d103d8cb633513d71403a8863061a2689574e72b1466be32e35bffde1e
|
|
@@ -28,11 +28,12 @@ class CloudfrontMinimumProtocolVersionRule < BaseRule
|
|
|
28
28
|
private
|
|
29
29
|
|
|
30
30
|
def tls_version?(viewer_certificate)
|
|
31
|
-
cert_has_bad_tls_version?(viewer_certificate) || override_tls_config?(viewer_certificate)
|
|
31
|
+
cert_has_bad_tls_version?(viewer_certificate['MinimumProtocolVersion']) || override_tls_config?(viewer_certificate)
|
|
32
32
|
end
|
|
33
33
|
|
|
34
|
-
def cert_has_bad_tls_version?(
|
|
35
|
-
|
|
34
|
+
def cert_has_bad_tls_version?(min_protocol_version)
|
|
35
|
+
min_protocol_version.nil? ||
|
|
36
|
+
(min_protocol_version.is_a?(String) && !min_protocol_version.start_with?('TLSv1.2'))
|
|
36
37
|
end
|
|
37
38
|
|
|
38
39
|
def override_tls_config?(viewer_certificate)
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/util/truthy'
|
|
4
|
+
require 'cfn-nag/violation'
|
|
5
|
+
require_relative 'base'
|
|
6
|
+
|
|
7
|
+
class DMSReplicationInstanceNotPublicRule < BaseRule
|
|
8
|
+
def rule_text
|
|
9
|
+
'Database Migration Service replication instances are public, property PubliclyAccessible should be set to false'
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def rule_type
|
|
13
|
+
Violation::WARNING
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def rule_id
|
|
17
|
+
'W91'
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
def audit_impl(cfn_model)
|
|
21
|
+
violating_replications = cfn_model.resources_by_type('AWS::DMS::ReplicationInstance').select do |replication|
|
|
22
|
+
replication.publiclyAccessible.nil? || truthy?(replication.publiclyAccessible)
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
violating_replications.map(&:logical_resource_id)
|
|
26
|
+
end
|
|
27
|
+
end
|
|
@@ -6,7 +6,7 @@ require_relative 'base'
|
|
|
6
6
|
|
|
7
7
|
class ECRRepositoryScanOnPushRule < BaseRule
|
|
8
8
|
def rule_text
|
|
9
|
-
'ECR Repository should have
|
|
9
|
+
'ECR Repository should have ScanOnPush enabled'
|
|
10
10
|
end
|
|
11
11
|
|
|
12
12
|
def rule_type
|
|
@@ -20,7 +20,7 @@ class ECRRepositoryScanOnPushRule < BaseRule
|
|
|
20
20
|
def audit_impl(cfn_model)
|
|
21
21
|
violating_ecr_registries = cfn_model.resources_by_type('AWS::ECR::Repository').select do |registry|
|
|
22
22
|
registry.imageScanningConfiguration.nil? ||
|
|
23
|
-
!truthy?(registry.imageScanningConfiguration['
|
|
23
|
+
!truthy?(registry.imageScanningConfiguration['ScanOnPush'].to_s)
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
violating_ecr_registries.map(&:logical_resource_id)
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class ElasticsearchDomainInsideVPCRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'ElasticsearchcDomain should be inside vpc, should specify VPCOptions'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W90'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def audit_impl(cfn_model)
|
|
20
|
+
violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
|
|
21
|
+
domain.vPCOptions.nil?
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
violating_domains.map(&:logical_resource_id)
|
|
25
|
+
end
|
|
26
|
+
end
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class LambdaFunctionInsideVPCRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'Lambda functions should be deployed inside a VPC'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W89'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def audit_impl(cfn_model)
|
|
20
|
+
lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
|
|
21
|
+
violating_lambda_functions = lambda_functions.select do |lambda_function|
|
|
22
|
+
lambda_function.vpcConfig.nil?
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
violating_lambda_functions.map(&:logical_resource_id)
|
|
26
|
+
end
|
|
27
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.7.
|
|
4
|
+
version: 0.7.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -217,6 +217,7 @@ files:
|
|
|
217
217
|
- lib/cfn-nag/custom_rules/DLMLifecyclePolicyCrossRegionCopyEncryptionRule.rb
|
|
218
218
|
- lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
|
|
219
219
|
- lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
|
|
220
|
+
- lib/cfn-nag/custom_rules/DMSReplicationInstanceNotPublicRule.rb
|
|
220
221
|
- lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb
|
|
221
222
|
- lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
|
|
222
223
|
- lib/cfn-nag/custom_rules/DocDBDBClusterMasterUserPasswordRule.rb
|
|
@@ -247,6 +248,7 @@ files:
|
|
|
247
248
|
- lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb
|
|
248
249
|
- lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb
|
|
249
250
|
- lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
|
|
251
|
+
- lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb
|
|
250
252
|
- lib/cfn-nag/custom_rules/ElasticsearchDomainNodeToNodeEncryptionOptionsRule.rb
|
|
251
253
|
- lib/cfn-nag/custom_rules/GameLiftFleetInboundPortRangeRule.rb
|
|
252
254
|
- lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
|
|
@@ -281,6 +283,7 @@ files:
|
|
|
281
283
|
- lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
|
|
282
284
|
- lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
|
|
283
285
|
- lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb
|
|
286
|
+
- lib/cfn-nag/custom_rules/LambdaFunctionInsideVPCRule.rb
|
|
284
287
|
- lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
|
|
285
288
|
- lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
|
|
286
289
|
- lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
|