cfn-nag 0.0.15 → 0.0.16
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/json_rules/basic_rules.rb +4 -1
- data/lib/json_rules/iam_policy_rules.rb +30 -8
- data/lib/json_rules/s3_bucket_rules.rb +40 -1
- data/lib/json_rules/sns_rules.rb +27 -0
- data/lib/json_rules/sqs_rules.rb +23 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3c770e0365059a4da534e9dd5c6cf5ccd9e7bdfc
|
|
4
|
+
data.tar.gz: 8f930ab8307b6248ae4940a17f8d9b4ed85b4e92
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cd100b68be2758194ecd45141e821fcbc6845e4f56204dbee2444913524714ecd317a8c41af36cca9fc35aaa59dff5488b3946d819b1dabaaaa9cca562a078d2
|
|
7
|
+
data.tar.gz: 464fad5e55f3d090078ed7a520304fc392d3f2106497b01bfaa2c6e4440fd3d328de5b4022dcdf8639e4e83cd4324894ceb5dac754d212e124dbf32e85a6edd6
|
|
@@ -6,6 +6,9 @@ raw_fatal_assertion jq: '.Resources|length > 0',
|
|
|
6
6
|
AWS::IAM::Role
|
|
7
7
|
AWS::IAM::Policy
|
|
8
8
|
AWS::IAM::ManagedPolicy
|
|
9
|
+
AWS::S3::BucketPolicy
|
|
10
|
+
AWS::SQS::QueuePolicy
|
|
11
|
+
AWS::SNS::TopicPolicy
|
|
9
12
|
AWS::IAM::UserToGroupAddition
|
|
10
13
|
AWS::EC2::SecurityGroup
|
|
11
14
|
AWS::EC2::SecurityGroupIngress
|
|
@@ -22,7 +25,7 @@ missing_reference_jq = <<END
|
|
|
22
25
|
)
|
|
23
26
|
-
|
|
24
27
|
(
|
|
25
|
-
["AWS::AccountId","AWS::StackName","AWS::Region","AWS::StackId","AWS::NoValue"] +
|
|
28
|
+
["AWS::AccountId","AWS::StackName","AWS::Region","AWS::StackId","AWS::NoValue","AWS::NotificationARNs"] +
|
|
26
29
|
([.Resources|keys]|flatten) +
|
|
27
30
|
(if .Parameters? then ([.Parameters|keys]|flatten) else [] end)
|
|
28
31
|
)
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
wildcard_action_filter = <<END
|
|
2
2
|
def wildcard_action:
|
|
3
3
|
if .Statement|type == "object"
|
|
4
|
-
then select(.Statement.Effect == "Allow" and
|
|
5
|
-
else select(.Statement[]
|
|
4
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "*") else (.Statement.Action|indices("*")|length > 0) end))
|
|
5
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "*") else (.Action|indices("*")|length > 0) end))
|
|
6
6
|
end;
|
|
7
7
|
END
|
|
8
8
|
|
|
@@ -24,12 +24,11 @@ violation jq: wildcard_action_filter +
|
|
|
24
24
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
|
|
25
25
|
message: 'IAM managed policy should not allow * action'
|
|
26
26
|
|
|
27
|
-
|
|
28
27
|
wildcard_resource_filter = <<END
|
|
29
28
|
def wildcard_resource:
|
|
30
29
|
if .Statement|type == "object"
|
|
31
|
-
then select(.Statement.Effect == "Allow" and
|
|
32
|
-
else select(.Statement[]
|
|
30
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Resource|type=="string" then (.Statement.Resource == "*") else (.Statement.Resource|indices("*")|length > 0) end))
|
|
31
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Resource|type=="string" then (.Resource == "*") else (.Statement.Resource|indices("*")|length > 0) end))
|
|
33
32
|
end;
|
|
34
33
|
END
|
|
35
34
|
|
|
@@ -50,7 +49,7 @@ allow_not_action_filter = <<END
|
|
|
50
49
|
def allow_not_action:
|
|
51
50
|
if .Statement|type == "object"
|
|
52
51
|
then select(.Statement.Effect == "Allow" and .Statement.NotAction != null)
|
|
53
|
-
else select(.Statement[]|
|
|
52
|
+
else select(.Statement[]|(.Effect == "Allow" and .NotAction != null))
|
|
54
53
|
end;
|
|
55
54
|
END
|
|
56
55
|
|
|
@@ -73,12 +72,23 @@ warning jq: allow_not_action_filter +
|
|
|
73
72
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
74
73
|
message: 'IAM managed policy should not allow Allow+NotAction'
|
|
75
74
|
|
|
75
|
+
warning jq: allow_not_action_filter +
|
|
76
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
77
|
+
message: 'SQS Queue policy should not allow Allow+NotAction'
|
|
78
|
+
|
|
79
|
+
warning jq: allow_not_action_filter +
|
|
80
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
81
|
+
message: 'SNS Topic policy should not allow Allow+NotAction'
|
|
82
|
+
|
|
83
|
+
warning jq: allow_not_action_filter +
|
|
84
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
85
|
+
message: 'S3 Bucket policy should not allow Allow+NotAction'
|
|
76
86
|
|
|
77
87
|
allow_not_resource_filter = <<END
|
|
78
88
|
def allow_not_resource:
|
|
79
89
|
if .Statement|type == "object"
|
|
80
90
|
then select(.Statement.Effect == "Allow" and .Statement.NotResource != null)
|
|
81
|
-
else select(.Statement[]|
|
|
91
|
+
else select(.Statement[]|(.Effect == "Allow" and .NotResource != null))
|
|
82
92
|
end;
|
|
83
93
|
END
|
|
84
94
|
|
|
@@ -101,10 +111,22 @@ allow_not_principal_filter = <<END
|
|
|
101
111
|
def allow_not_principal:
|
|
102
112
|
if .Statement|type == "object"
|
|
103
113
|
then select(.Statement.Effect == "Allow" and .Statement.NotPrincipal != null)
|
|
104
|
-
else select(.Statement[]|
|
|
114
|
+
else select(.Statement[]|(.Effect == "Allow" and .NotPrincipal != null))
|
|
105
115
|
end;
|
|
106
116
|
END
|
|
107
117
|
|
|
108
118
|
violation jq: allow_not_principal_filter +
|
|
109
119
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
110
120
|
message: 'IAM role should not allow Allow+NotPrincipal in its trust policy'
|
|
121
|
+
|
|
122
|
+
violation jq: allow_not_principal_filter +
|
|
123
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
124
|
+
message: 'SQS Queue policy should not allow Allow+NotPrincipal'
|
|
125
|
+
|
|
126
|
+
violation jq: allow_not_principal_filter +
|
|
127
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
128
|
+
message: 'SNS Topic policy should not allow Allow+NotPrincipal'
|
|
129
|
+
|
|
130
|
+
violation jq: allow_not_principal_filter +
|
|
131
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
132
|
+
message: 'S3 Bucket policy should not allow Allow+NotPrincipal'
|
|
@@ -4,4 +4,43 @@ warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | selec
|
|
|
4
4
|
|
|
5
5
|
violation jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::S3::Bucket")|'\
|
|
6
6
|
'select(.Properties.AccessControl? == "PublicReadWrite")]|map(.LogicalResourceId) ',
|
|
7
|
-
message: 'S3 Bucket should not have a public read-write acl'
|
|
7
|
+
message: 'S3 Bucket should not have a public read-write acl'
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
s3_wildcard_action_filter = <<END
|
|
12
|
+
def s3_wildcard_action:
|
|
13
|
+
if .Statement|type == "object"
|
|
14
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "s3:*" or .Statement.Action == "*") else ((.Statement.Action|indices("s3:*")|length > 0) or (.Statement.Action|indices("*")|length > 0)) end))
|
|
15
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "s3:*" or .Action == "*") else ((.Action|indices("s3:*")|length > 0) or (.Action|indices("*")|length > 0)) end))
|
|
16
|
+
end;
|
|
17
|
+
END
|
|
18
|
+
|
|
19
|
+
s3_wildcard_principal_filter = <<END
|
|
20
|
+
def s3_wildcard_principal:
|
|
21
|
+
if .Statement|type == "object"
|
|
22
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*") )
|
|
23
|
+
else select(.Statement[]|.Effect == "Allow" and ((.Principal?|type=="string") and (.Principal == "*")) )
|
|
24
|
+
end;
|
|
25
|
+
END
|
|
26
|
+
|
|
27
|
+
s3_wildcard_aws_principal_filter = <<END
|
|
28
|
+
def s3_wildcard_aws_principal:
|
|
29
|
+
if .Statement|type == "object"
|
|
30
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="object") and (.Statement.Principal.AWS == "*"))
|
|
31
|
+
else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="object") and (.Principal.AWS == "*")))
|
|
32
|
+
end;
|
|
33
|
+
END
|
|
34
|
+
|
|
35
|
+
|
|
36
|
+
violation jq: s3_wildcard_action_filter +
|
|
37
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_action)]|map(.LogicalResourceId) ",
|
|
38
|
+
message: 'S3 Bucket policy should not allow * action'
|
|
39
|
+
|
|
40
|
+
violation jq: s3_wildcard_principal_filter +
|
|
41
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
42
|
+
message: 'S3 Bucket policy should not allow * principal'
|
|
43
|
+
|
|
44
|
+
violation jq: s3_wildcard_aws_principal_filter +
|
|
45
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_aws_principal)]|map(.LogicalResourceId) ",
|
|
46
|
+
message: 'S3 Bucket policy should not allow * AWS principal'
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
sns_wildcard_principal_filter = <<END
|
|
2
|
+
def sns_wildcard_principal:
|
|
3
|
+
if .Statement|type == "object"
|
|
4
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*"))
|
|
5
|
+
else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="string") and (.Principal == "*")))
|
|
6
|
+
end;
|
|
7
|
+
END
|
|
8
|
+
|
|
9
|
+
sns_wildcard_aws_principal_filter = <<END
|
|
10
|
+
def sns_wildcard_aws_principal:
|
|
11
|
+
if .Statement|type == "object"
|
|
12
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="object") and (.Statement.Principal.AWS == "*"))
|
|
13
|
+
else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="object") and (.Principal.AWS == "*")))
|
|
14
|
+
end;
|
|
15
|
+
END
|
|
16
|
+
|
|
17
|
+
# i guess we could have principal "AWS": ["1111111111", "*", "222222222222"]... or ["*","arn:..."]
|
|
18
|
+
|
|
19
|
+
#sns action wildcard doesnt seem to be accepted by sns so dont sweat it
|
|
20
|
+
|
|
21
|
+
violation jq: sns_wildcard_principal_filter +
|
|
22
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
23
|
+
message: 'SNS topic policy should not allow * principal'
|
|
24
|
+
|
|
25
|
+
violation jq: sns_wildcard_aws_principal_filter +
|
|
26
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_aws_principal)]|map(.LogicalResourceId) ",
|
|
27
|
+
message: 'SNS topic policy should not allow * AWS principal'
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
sqs_wildcard_action_filter = <<END
|
|
2
|
+
def sqs_wildcard_action:
|
|
3
|
+
if .Statement|type == "object"
|
|
4
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "sqs:*") else (.Statement.Action|indices("sqs:*")|length > 0) end))
|
|
5
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "sqs:*") else (.Action|indices("sqs:*")|length > 0) end))
|
|
6
|
+
end;
|
|
7
|
+
END
|
|
8
|
+
|
|
9
|
+
sqs_wildcard_principal_filter = <<END
|
|
10
|
+
def sqs_wildcard_principal:
|
|
11
|
+
if .Statement|type == "object"
|
|
12
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*") )
|
|
13
|
+
else select(.Statement[]|.Effect == "Allow" and ((.Principal?|type=="string") and (.Principal == "*")) )
|
|
14
|
+
end;
|
|
15
|
+
END
|
|
16
|
+
|
|
17
|
+
violation jq: sqs_wildcard_action_filter +
|
|
18
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_action)]|map(.LogicalResourceId) ",
|
|
19
|
+
message: 'SQS Queue policy should not allow * action'
|
|
20
|
+
|
|
21
|
+
violation jq: sqs_wildcard_principal_filter +
|
|
22
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
23
|
+
message: 'SQS Queue policy should not allow * principal'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.16
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- someguy
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-03-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logging
|
|
@@ -60,6 +60,8 @@ files:
|
|
|
60
60
|
- lib/json_rules/loadbalancer_rules.rb
|
|
61
61
|
- lib/json_rules/port_rules.rb
|
|
62
62
|
- lib/json_rules/s3_bucket_rules.rb
|
|
63
|
+
- lib/json_rules/sns_rules.rb
|
|
64
|
+
- lib/json_rules/sqs_rules.rb
|
|
63
65
|
- lib/model/cfn_model.rb
|
|
64
66
|
- lib/model/iam_user_parser.rb
|
|
65
67
|
- lib/model/security_group_parser.rb
|