cfn-nag 0.0.17 → 0.0.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d3284f4eba9d2cab9d7790dab39273f9401fbb09
-  data.tar.gz: e715f4800f39198bd95bc1fb6044ce1dd64644d6
+  metadata.gz: 167b9ddba20a5fa469d15c3aaf0a3759503e8ee9
+  data.tar.gz: ffba250d7d7929c7cfbcad43ad0573f99d16b8f9
 SHA512:
-  metadata.gz: 06b61112e6e6cff426fcd6e07af0c0aa75f85f38914816bc1df48286e4aec04d76d9000d61202c9fae3a138e50d55c9af8ca0da56971f07644bdfde4b80f92a8
-  data.tar.gz: 43147a231964233735ee827ee0f1c9ec4894f6725904e95b137b3e8205181213d5ea5698e75ce704fd695025015e9a31467d65d1e14d0580587d79dfbdc75071
+  metadata.gz: 7a09226380b2020d11fb41e07a758095a7f05f89d87c62d734ff8e7bb5e76cbc36c9ddd565af84b271698c56d60a5fe42f0145618d4bc87d8eeec7384445d1df
+  data.tar.gz: 738ccc891e94e19f4f8bfa50bbdeda2621319a13c3ad77d3939a6087f98d10bee517ec52cd4be1bd6bb5a03158e87813feb0bbe31db81e77ff81a90b16ae221b

data/lib/cfn_nag.rb

@@ -4,6 +4,7 @@ require_relative 'custom_rules/user_missing_group'
 require_relative 'model/cfn_model'
 require_relative 'result_view/simple_stdout_results'
 require_relative 'result_view/json_results'
+require_relative 'custom_rules/unencrypted_s3_put_allowed'
 require 'tempfile'
 
 class CfnNag
@@ -175,7 +176,8 @@ class CfnNag
   def custom_rule_registry
     [
       SecurityGroupMissingEgressRule,
-      UserMissingGroupRule
+      UserMissingGroupRule,
+      UnencryptedS3PutObjectAllowedRule
     ]
   end
 end

data/lib/custom_rules/unencrypted_s3_put_allowed.rb

@@ -0,0 +1,49 @@
+require_relative '../violation'
+require 'model/action_parser'
+
+class UnencryptedS3PutObjectAllowedRule
+
+  def rule_text
+    'It appears that the S3 Bucket Policy allows s3:PutObject without server-side encryption'
+  end
+
+  def audit(cfn_model)
+    logical_resource_ids = []
+    cfn_model.bucket_policies.each do |bucket_policy|
+      found_statement = bucket_policy.statements.find do |statement|
+        blocks_put_object_without_encryption(statement)
+      end
+      if found_statement.nil?
+        logical_resource_ids << bucket_policy.logical_resource_id
+      end
+    end
+
+    if logical_resource_ids.size > 0
+      Violation.new(type: Violation::WARNING,
+                    message: rule_text,
+                    logical_resource_ids: logical_resource_ids)
+    else
+      nil
+    end
+  end
+
+  private
+
+  def blocks_put_object_without_encryption(statement)
+    encryption_condition = {
+      'StringNotEquals' => {
+        's3:x-amz-server-side-encryption' => 'AES256'
+      }
+    }
+
+    # this isn't quite complete.  parsing the Resource field can be tricky
+    # looking for a trailing wildcard will likely be right most of the time
+    # but there are a lot of string manipulations to confuse things so...
+    # just warn when we can't find at least the Deny+encryption - they may have an
+    # incomplete Deny (for encryption) and that will slip through
+    statement['Effect'] == 'Deny' and
+        ActionParser.new.include?(actual_action: statement['Action'], action_to_look_for: 's3:PutObject') and
+        S3BucketPolicy::condition_includes?(statement, encryption_condition) and
+        statement['Principal'] == '*'
+  end
+end

data/lib/model/action_parser.rb

@@ -0,0 +1,27 @@
+require 'json'
+
+class ActionParser
+
+  def include?(actual_action:, action_to_look_for:)
+    if actual_action.is_a? Array
+      matches = actual_action.find do |single_action|
+        match_potentially_wildcard_action(actual_action: single_action,
+                                          action_to_look_for: action_to_look_for)
+      end
+      not matches.nil?
+    elsif actual_action.is_a? String
+      match_potentially_wildcard_action(actual_action: actual_action,
+                                        action_to_look_for: action_to_look_for)
+    else
+      fail "actual_action needs to be a String or Array (of String),not : #{actual_action.class}"
+    end
+  end
+
+  private
+
+  def match_potentially_wildcard_action(actual_action:, action_to_look_for:)
+    actual_action_regex = actual_action.gsub /\*/, '.*'
+    match_position = Regexp.new(actual_action_regex) =~ action_to_look_for
+    not match_position.nil?
+  end
+end

data/lib/model/cfn_model.rb

@@ -1,6 +1,7 @@
 require 'json'
 require_relative 'security_group_parser'
 require_relative 'iam_user_parser'
+require_relative 's3_bucket_policy_parser'
 
 # consider a canonical form for template too...
 # always transform optional things into more general forms....
@@ -13,7 +14,8 @@ class CfnModel
       'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
       'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
       'AWS::IAM::User' => IamUserParser,
-      'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser
+      'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser,
+      'AWS::S3::BucketPolicy' => S3BucketPolicyParser
     }
     @dangling_ingress_or_egress_rules = []
     @dangler = Object.new
@@ -44,15 +46,12 @@ class CfnModel
     iam_users_hash.values
   end
 
+  def bucket_policies
+    bucket_policy_hash = resources_by_type('AWS::S3::BucketPolicy')
+    bucket_policy_hash.values
+  end
+
   private
-  #
-  # def is_get_att(object)
-  #   not object['Fn::GetAtt'].nil?
-  # end
-  #
-  # def is_reference(object)
-  #   not object['Ref'].nil?
-  # end
 
   def resolve_user_logical_resource_id(user)
     if not user['Ref'].nil?

data/lib/model/s3_bucket_policy.rb

@@ -0,0 +1,25 @@
+class S3BucketPolicy
+  attr_accessor :logical_resource_id
+
+  attr_reader :statements
+
+  def initialize
+    @statements = []
+  end
+
+  def add_statement(statement_hash)
+    statements << statement_hash
+  end
+
+  def self.condition_includes?(statement, condition_hash)
+    if statement['Condition'].nil?
+      false
+    else
+      if statement['Condition'].is_a? Hash
+        statement['Condition'] == condition_hash
+      else
+        statement['Condition'].include? condition_hash
+      end
+    end
+  end
+end

data/lib/model/s3_bucket_policy_parser.rb

@@ -0,0 +1,28 @@
+require_relative 's3_bucket_policy'
+
+
+class S3BucketPolicyParser
+
+  def parse(resource_name, resource_json)
+    properties = resource_json['Properties']
+    bucket_policy = S3BucketPolicy.new
+
+    bucket_policy.logical_resource_id = resource_name
+
+    unless properties.nil?
+      policy_document = properties['PolicyDocument']
+      unless policy_document.nil?
+        unless policy_document['Statement'].nil?
+          if policy_document['Statement'].is_a? Array
+            policy_document['Statement'].each { |statement | bucket_policy.add_statement(statement)}
+          else
+            bucket_policy.add_statement(policy_document['Statement'])
+          end
+        end
+      end
+    end
+
+    bucket_policy
+  end
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.0.17
+  version: 0.0.18
 platform: ruby
 authors:
 - someguy
@@ -50,6 +50,7 @@ files:
 - bin/cfn_nag_rules
 - lib/cfn_nag.rb
 - lib/custom_rules/security_group_missing_egress.rb
+- lib/custom_rules/unencrypted_s3_put_allowed.rb
 - lib/custom_rules/user_missing_group.rb
 - lib/json_rules/basic_rules.rb
 - lib/json_rules/cfn_rules.rb
@@ -64,8 +65,11 @@ files:
 - lib/json_rules/s3_bucket_rules.rb
 - lib/json_rules/sns_rules.rb
 - lib/json_rules/sqs_rules.rb
+- lib/model/action_parser.rb
 - lib/model/cfn_model.rb
 - lib/model/iam_user_parser.rb
+- lib/model/s3_bucket_policy.rb
+- lib/model/s3_bucket_policy_parser.rb
 - lib/model/security_group_parser.rb
 - lib/result_view/json_results.rb
 - lib/result_view/simple_stdout_results.rb