cfn-nag 0.0.15 → 0.0.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/json_rules/basic_rules.rb +4 -1
- data/lib/json_rules/iam_policy_rules.rb +30 -8
- data/lib/json_rules/s3_bucket_rules.rb +40 -1
- data/lib/json_rules/sns_rules.rb +27 -0
- data/lib/json_rules/sqs_rules.rb +23 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3c770e0365059a4da534e9dd5c6cf5ccd9e7bdfc
|
|
4
|
+
data.tar.gz: 8f930ab8307b6248ae4940a17f8d9b4ed85b4e92
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cd100b68be2758194ecd45141e821fcbc6845e4f56204dbee2444913524714ecd317a8c41af36cca9fc35aaa59dff5488b3946d819b1dabaaaa9cca562a078d2
|
|
7
|
+
data.tar.gz: 464fad5e55f3d090078ed7a520304fc392d3f2106497b01bfaa2c6e4440fd3d328de5b4022dcdf8639e4e83cd4324894ceb5dac754d212e124dbf32e85a6edd6
|
|
@@ -6,6 +6,9 @@ raw_fatal_assertion jq: '.Resources|length > 0',
|
|
|
6
6
|
AWS::IAM::Role
|
|
7
7
|
AWS::IAM::Policy
|
|
8
8
|
AWS::IAM::ManagedPolicy
|
|
9
|
+
AWS::S3::BucketPolicy
|
|
10
|
+
AWS::SQS::QueuePolicy
|
|
11
|
+
AWS::SNS::TopicPolicy
|
|
9
12
|
AWS::IAM::UserToGroupAddition
|
|
10
13
|
AWS::EC2::SecurityGroup
|
|
11
14
|
AWS::EC2::SecurityGroupIngress
|
|
@@ -22,7 +25,7 @@ missing_reference_jq = <<END
|
|
|
22
25
|
)
|
|
23
26
|
-
|
|
24
27
|
(
|
|
25
|
-
["AWS::AccountId","AWS::StackName","AWS::Region","AWS::StackId","AWS::NoValue"] +
|
|
28
|
+
["AWS::AccountId","AWS::StackName","AWS::Region","AWS::StackId","AWS::NoValue","AWS::NotificationARNs"] +
|
|
26
29
|
([.Resources|keys]|flatten) +
|
|
27
30
|
(if .Parameters? then ([.Parameters|keys]|flatten) else [] end)
|
|
28
31
|
)
|
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
wildcard_action_filter = <<END
|
|
2
2
|
def wildcard_action:
|
|
3
3
|
if .Statement|type == "object"
|
|
4
|
-
then select(.Statement.Effect == "Allow" and
|
|
5
|
-
else select(.Statement[]
|
|
4
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "*") else (.Statement.Action|indices("*")|length > 0) end))
|
|
5
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "*") else (.Action|indices("*")|length > 0) end))
|
|
6
6
|
end;
|
|
7
7
|
END
|
|
8
8
|
|
|
@@ -24,12 +24,11 @@ violation jq: wildcard_action_filter +
|
|
|
24
24
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
|
|
25
25
|
message: 'IAM managed policy should not allow * action'
|
|
26
26
|
|
|
27
|
-
|
|
28
27
|
wildcard_resource_filter = <<END
|
|
29
28
|
def wildcard_resource:
|
|
30
29
|
if .Statement|type == "object"
|
|
31
|
-
then select(.Statement.Effect == "Allow" and
|
|
32
|
-
else select(.Statement[]
|
|
30
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Resource|type=="string" then (.Statement.Resource == "*") else (.Statement.Resource|indices("*")|length > 0) end))
|
|
31
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Resource|type=="string" then (.Resource == "*") else (.Statement.Resource|indices("*")|length > 0) end))
|
|
33
32
|
end;
|
|
34
33
|
END
|
|
35
34
|
|
|
@@ -50,7 +49,7 @@ allow_not_action_filter = <<END
|
|
|
50
49
|
def allow_not_action:
|
|
51
50
|
if .Statement|type == "object"
|
|
52
51
|
then select(.Statement.Effect == "Allow" and .Statement.NotAction != null)
|
|
53
|
-
else select(.Statement[]|
|
|
52
|
+
else select(.Statement[]|(.Effect == "Allow" and .NotAction != null))
|
|
54
53
|
end;
|
|
55
54
|
END
|
|
56
55
|
|
|
@@ -73,12 +72,23 @@ warning jq: allow_not_action_filter +
|
|
|
73
72
|
"[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
74
73
|
message: 'IAM managed policy should not allow Allow+NotAction'
|
|
75
74
|
|
|
75
|
+
warning jq: allow_not_action_filter +
|
|
76
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
77
|
+
message: 'SQS Queue policy should not allow Allow+NotAction'
|
|
78
|
+
|
|
79
|
+
warning jq: allow_not_action_filter +
|
|
80
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
81
|
+
message: 'SNS Topic policy should not allow Allow+NotAction'
|
|
82
|
+
|
|
83
|
+
warning jq: allow_not_action_filter +
|
|
84
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
|
|
85
|
+
message: 'S3 Bucket policy should not allow Allow+NotAction'
|
|
76
86
|
|
|
77
87
|
allow_not_resource_filter = <<END
|
|
78
88
|
def allow_not_resource:
|
|
79
89
|
if .Statement|type == "object"
|
|
80
90
|
then select(.Statement.Effect == "Allow" and .Statement.NotResource != null)
|
|
81
|
-
else select(.Statement[]|
|
|
91
|
+
else select(.Statement[]|(.Effect == "Allow" and .NotResource != null))
|
|
82
92
|
end;
|
|
83
93
|
END
|
|
84
94
|
|
|
@@ -101,10 +111,22 @@ allow_not_principal_filter = <<END
|
|
|
101
111
|
def allow_not_principal:
|
|
102
112
|
if .Statement|type == "object"
|
|
103
113
|
then select(.Statement.Effect == "Allow" and .Statement.NotPrincipal != null)
|
|
104
|
-
else select(.Statement[]|
|
|
114
|
+
else select(.Statement[]|(.Effect == "Allow" and .NotPrincipal != null))
|
|
105
115
|
end;
|
|
106
116
|
END
|
|
107
117
|
|
|
108
118
|
violation jq: allow_not_principal_filter +
|
|
109
119
|
"[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
110
120
|
message: 'IAM role should not allow Allow+NotPrincipal in its trust policy'
|
|
121
|
+
|
|
122
|
+
violation jq: allow_not_principal_filter +
|
|
123
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
124
|
+
message: 'SQS Queue policy should not allow Allow+NotPrincipal'
|
|
125
|
+
|
|
126
|
+
violation jq: allow_not_principal_filter +
|
|
127
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
128
|
+
message: 'SNS Topic policy should not allow Allow+NotPrincipal'
|
|
129
|
+
|
|
130
|
+
violation jq: allow_not_principal_filter +
|
|
131
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
|
|
132
|
+
message: 'S3 Bucket policy should not allow Allow+NotPrincipal'
|
|
@@ -4,4 +4,43 @@ warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | selec
|
|
|
4
4
|
|
|
5
5
|
violation jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::S3::Bucket")|'\
|
|
6
6
|
'select(.Properties.AccessControl? == "PublicReadWrite")]|map(.LogicalResourceId) ',
|
|
7
|
-
message: 'S3 Bucket should not have a public read-write acl'
|
|
7
|
+
message: 'S3 Bucket should not have a public read-write acl'
|
|
8
|
+
|
|
9
|
+
|
|
10
|
+
|
|
11
|
+
s3_wildcard_action_filter = <<END
|
|
12
|
+
def s3_wildcard_action:
|
|
13
|
+
if .Statement|type == "object"
|
|
14
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "s3:*" or .Statement.Action == "*") else ((.Statement.Action|indices("s3:*")|length > 0) or (.Statement.Action|indices("*")|length > 0)) end))
|
|
15
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "s3:*" or .Action == "*") else ((.Action|indices("s3:*")|length > 0) or (.Action|indices("*")|length > 0)) end))
|
|
16
|
+
end;
|
|
17
|
+
END
|
|
18
|
+
|
|
19
|
+
s3_wildcard_principal_filter = <<END
|
|
20
|
+
def s3_wildcard_principal:
|
|
21
|
+
if .Statement|type == "object"
|
|
22
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*") )
|
|
23
|
+
else select(.Statement[]|.Effect == "Allow" and ((.Principal?|type=="string") and (.Principal == "*")) )
|
|
24
|
+
end;
|
|
25
|
+
END
|
|
26
|
+
|
|
27
|
+
s3_wildcard_aws_principal_filter = <<END
|
|
28
|
+
def s3_wildcard_aws_principal:
|
|
29
|
+
if .Statement|type == "object"
|
|
30
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="object") and (.Statement.Principal.AWS == "*"))
|
|
31
|
+
else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="object") and (.Principal.AWS == "*")))
|
|
32
|
+
end;
|
|
33
|
+
END
|
|
34
|
+
|
|
35
|
+
|
|
36
|
+
violation jq: s3_wildcard_action_filter +
|
|
37
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_action)]|map(.LogicalResourceId) ",
|
|
38
|
+
message: 'S3 Bucket policy should not allow * action'
|
|
39
|
+
|
|
40
|
+
violation jq: s3_wildcard_principal_filter +
|
|
41
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
42
|
+
message: 'S3 Bucket policy should not allow * principal'
|
|
43
|
+
|
|
44
|
+
violation jq: s3_wildcard_aws_principal_filter +
|
|
45
|
+
"[#{resources_by_type('AWS::S3::BucketPolicy')}|select(.Properties.PolicyDocument|s3_wildcard_aws_principal)]|map(.LogicalResourceId) ",
|
|
46
|
+
message: 'S3 Bucket policy should not allow * AWS principal'
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
sns_wildcard_principal_filter = <<END
|
|
2
|
+
def sns_wildcard_principal:
|
|
3
|
+
if .Statement|type == "object"
|
|
4
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*"))
|
|
5
|
+
else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="string") and (.Principal == "*")))
|
|
6
|
+
end;
|
|
7
|
+
END
|
|
8
|
+
|
|
9
|
+
sns_wildcard_aws_principal_filter = <<END
|
|
10
|
+
def sns_wildcard_aws_principal:
|
|
11
|
+
if .Statement|type == "object"
|
|
12
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="object") and (.Statement.Principal.AWS == "*"))
|
|
13
|
+
else select(.Statement[]|(.Effect == "Allow" and (.Principal?|type=="object") and (.Principal.AWS == "*")))
|
|
14
|
+
end;
|
|
15
|
+
END
|
|
16
|
+
|
|
17
|
+
# i guess we could have principal "AWS": ["1111111111", "*", "222222222222"]... or ["*","arn:..."]
|
|
18
|
+
|
|
19
|
+
#sns action wildcard doesnt seem to be accepted by sns so dont sweat it
|
|
20
|
+
|
|
21
|
+
violation jq: sns_wildcard_principal_filter +
|
|
22
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
23
|
+
message: 'SNS topic policy should not allow * principal'
|
|
24
|
+
|
|
25
|
+
violation jq: sns_wildcard_aws_principal_filter +
|
|
26
|
+
"[#{resources_by_type('AWS::SNS::TopicPolicy')}|select(.Properties.PolicyDocument|sns_wildcard_aws_principal)]|map(.LogicalResourceId) ",
|
|
27
|
+
message: 'SNS topic policy should not allow * AWS principal'
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
sqs_wildcard_action_filter = <<END
|
|
2
|
+
def sqs_wildcard_action:
|
|
3
|
+
if .Statement|type == "object"
|
|
4
|
+
then select(.Statement.Effect == "Allow" and (if .Statement.Action|type=="string" then (.Statement.Action == "sqs:*") else (.Statement.Action|indices("sqs:*")|length > 0) end))
|
|
5
|
+
else select(.Statement[]|.Effect == "Allow" and (if .Action|type=="string" then (.Action == "sqs:*") else (.Action|indices("sqs:*")|length > 0) end))
|
|
6
|
+
end;
|
|
7
|
+
END
|
|
8
|
+
|
|
9
|
+
sqs_wildcard_principal_filter = <<END
|
|
10
|
+
def sqs_wildcard_principal:
|
|
11
|
+
if .Statement|type == "object"
|
|
12
|
+
then select(.Statement.Effect == "Allow" and (.Statement.Principal?|type=="string") and (.Statement.Principal == "*") )
|
|
13
|
+
else select(.Statement[]|.Effect == "Allow" and ((.Principal?|type=="string") and (.Principal == "*")) )
|
|
14
|
+
end;
|
|
15
|
+
END
|
|
16
|
+
|
|
17
|
+
violation jq: sqs_wildcard_action_filter +
|
|
18
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_action)]|map(.LogicalResourceId) ",
|
|
19
|
+
message: 'SQS Queue policy should not allow * action'
|
|
20
|
+
|
|
21
|
+
violation jq: sqs_wildcard_principal_filter +
|
|
22
|
+
"[#{resources_by_type('AWS::SQS::QueuePolicy')}|select(.Properties.PolicyDocument|sqs_wildcard_principal)]|map(.LogicalResourceId) ",
|
|
23
|
+
message: 'SQS Queue policy should not allow * principal'
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.16
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- someguy
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-
|
|
11
|
+
date: 2016-03-01 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logging
|
|
@@ -60,6 +60,8 @@ files:
|
|
|
60
60
|
- lib/json_rules/loadbalancer_rules.rb
|
|
61
61
|
- lib/json_rules/port_rules.rb
|
|
62
62
|
- lib/json_rules/s3_bucket_rules.rb
|
|
63
|
+
- lib/json_rules/sns_rules.rb
|
|
64
|
+
- lib/json_rules/sqs_rules.rb
|
|
63
65
|
- lib/model/cfn_model.rb
|
|
64
66
|
- lib/model/iam_user_parser.rb
|
|
65
67
|
- lib/model/security_group_parser.rb
|