cfn-nag 0.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 17e63b5f6090fdcd198d81ab01f4ad793f54e71e
+  data.tar.gz: 484a60530c4bf5efb6410c7b5eb5a8f46ba9f869
+SHA512:
+  metadata.gz: ff360162ddf6f1378777065b8a6c1079c54bcac2f532edd6246f3c80af51f37d232889014897164b60970e2e2ac4f51db699dbf4a1b60bf2b660a378ea81629b
+  data.tar.gz: c5f4df2a906d9a7c65910d1a917997b8792449763ca7aa0da551c6a854728605b2bab8a8e13ea62893d180e97c536b5d0fb14c4ed6d5e54294514e71e51c2323

data/bin/cfn_nag

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+require 'trollop'
+require 'cfn_nag'
+require 'logging'
+
+opts = Trollop::options do
+  opt :input_json, 'Cloudformation template to nag on', type: :string, required: true
+  opt :debug, 'Enable debug output', type: :boolean, required: false, default: false
+end
+
+CfnNag::configure_logging(opts)
+exit CfnNag.new.audit(opts[:input_json])

data/lib/cfn_nag.rb

@@ -0,0 +1,71 @@
+require_relative 'rule'
+require_relative 'custom_rules/security_group_missing_egress'
+require_relative 'custom_rules/user_missing_group'
+require_relative 'model/cfn_model'
+
+class CfnNag
+  include Rule
+
+  def audit(input_json_path)
+    fail 'not even legit JSON' unless legal_json?(input_json_path)
+
+    @violation_count = 0
+    @warning_count = 0
+
+    generic_json_rules input_json_path
+
+    custom_rules input_json_path
+
+    puts "Violations count: #{@violation_count}"
+    puts "Warnings count: #{@warning_count}"
+    @violation_count
+  end
+
+  def self.configure_logging(opts)
+    logger = Logging.logger['log']
+    if opts[:debug]
+      logger.level = :debug
+    else
+      logger.level = :info
+    end
+
+    logger.add_appenders Logging.appenders.stdout
+  end
+
+  private
+
+  def legal_json?(input_json_path)
+    begin
+      JSON.parse(IO.read(input_json_path))
+      true
+    rescue JSON::ParserError
+      return false
+    end
+  end
+
+  def command?(command)
+    system("which #{command} > /dev/null 2>&1")
+  end
+
+  def generic_json_rules(input_json_path)
+    unless command? 'jq'
+      fail 'jq executable must be available in PATH'
+    end
+
+    Dir[File.join(__dir__, 'json_rules', '*.rb')].sort.each do |rule_file|
+      @input_json_path = input_json_path
+      eval IO.read(rule_file)
+    end
+  end
+
+  def custom_rules(input_json_path)
+    cfn_model = CfnModel.new.parse(IO.read(input_json_path))
+    rules = [
+      SecurityGroupMissingEgressRule,
+      UserMissingGroupRule
+    ]
+    rules.each do |rule_class|
+      @violation_count += rule_class.new.audit(cfn_model)
+    end
+  end
+end

data/lib/custom_rules/security_group_missing_egress.rb

@@ -0,0 +1,26 @@
+require_relative '../rule'
+
+class SecurityGroupMissingEgressRule
+  include Rule
+
+  def audit(cfn_model)
+    violation_count = 0
+
+    logical_resource_ids = []
+    violating_security_groups = []
+    cfn_model.security_groups.each do |security_group|
+      if security_group.egress_rules.size == 0
+        logical_resource_ids << security_group.logical_resource_id
+        violating_security_groups << security_group
+        violation_count += 1
+      end
+    end
+
+    if violation_count > 0
+      message message_type: 'violation',
+              message: 'Missing egress rule means all traffic is allowed outbound.  Make this explicit if it is desired configuration',
+              logical_resource_ids: logical_resource_ids
+    end
+    violation_count
+  end
+end

data/lib/custom_rules/user_missing_group.rb

@@ -0,0 +1,26 @@
+require_relative '../rule'
+
+class UserMissingGroupRule
+  include Rule
+
+  def audit(cfn_model)
+    violation_count = 0
+
+    logical_resource_ids = []
+    violating_iam_users = []
+    cfn_model.iam_users.each do |iam_user|
+      if iam_user.groups.size == 0
+        logical_resource_ids << iam_user.logical_resource_id
+        violating_iam_users << iam_user
+        violation_count += 1
+      end
+    end
+
+    if violation_count > 0
+      message message_type: 'violation',
+              message: 'User is not assigned to a group',
+              logical_resource_ids: logical_resource_ids
+    end
+    violation_count
+  end
+end

data/lib/json_rules/basic_rules.rb

@@ -0,0 +1,42 @@
+raw_fatal_assertion jq: '.Resources|length > 0',
+                    message: 'Must have at least 1 resource'
+
+
+%w(
+  AWS::IAM::Role
+  AWS::IAM::Policy
+  AWS::IAM::ManagedPolicy
+  AWS::IAM::UserToGroupAddition
+  AWS::EC2::SecurityGroup
+  AWS::EC2::SecurityGroupIngress
+  AWS::EC2::SecurityGroupEgress
+).each do |resource_must_have_properties|
+  fatal_violation jq: "[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == \"#{resource_must_have_properties}\" and .Properties == null)]|map(.LogicalResourceId)",
+                  message: "#{resource_must_have_properties} must have Properties"
+end
+
+missing_reference_jq = <<END
+  (
+    (
+      ([..|.Ref?]|map(select(. != null)) +  [..|."Fn::GetAtt"?[0]]|map(select(. != null)))
+    )
+    -
+    (
+      ["AWS::AccountId","AWS::StackName","AWS::Region","AWS::StackId","AWS::NoValue"] +
+      ([.Resources|keys]|flatten) +
+      (if .Parameters? then ([.Parameters|keys]|flatten) else [] end)
+    )
+  )|if length==0 then false else . end
+END
+
+raw_fatal_violation jq: missing_reference_jq,
+                    message: 'All Ref and Fn::GetAtt must reference existing logical resource ids'
+
+
+%w(
+  AWS::EC2::SecurityGroupIngress
+  AWS::EC2::SecurityGroupEgress
+).each do |xgress|
+  fatal_violation jq: "[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == \"#{xgress}\" and .Properties.GroupName != null)]|map(.LogicalResourceId)",
+                  message: "#{xgress} must not have GroupName - EC2 classic is a no-go!"
+end

data/lib/json_rules/cidr_rules.rb

@@ -0,0 +1,46 @@
+##### inline ingress
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "object"))|select(.Properties.SecurityGroupIngress.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
+        message: 'Security Groups found with cidr open to world on ingress.  This should never be true on instance.  Permissible on ELB'
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "array"))|first(select(.Properties.SecurityGroupIngress[].CidrIp? == "0.0.0.0/0"))]|map(.LogicalResourceId)',
+        message: 'Security Groups found with cidr open to world on ingress array.  This should never be true on instance.  Permissible on ELB'
+
+##### external ingress
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
+        message: 'Security Group Standalone Ingress found with cidr open to world. This should never be true on instance.  Permissible on ELB'
+
+
+###### inline egress
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "object"))|select(.Properties.SecurityGroupEgress.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
+        message: 'Security Groups found with cidr open to world on egress'
+
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "array"))|first(select(.Properties.SecurityGroupEgress[].CidrIp? == "0.0.0.0/0"))]|map(.LogicalResourceId)',
+        message: 'Security Groups found with cidr open to world on egress array'
+
+
+##### external egress
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
+        message: 'Security Group Standalone Egress found with cidr open to world.'
+
+
+# BEWARE with escapes \d -> \\\d because of how the escapes get munged from ruby through to shell
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress" and .Properties.CidrIp|type == "string")|select(.Properties.CidrIp | test("^\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}/(?!32)$") )]|map(.LogicalResourceId)',
+        message: 'Security Group Standalone Ingress cidr found that is not /32'
+
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "object"))|select(.Properties.SecurityGroupIngress.CidrIp|type == "string")|select(.Properties.SecurityGroupIngress.CidrIp | test("^\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}/(?!32)$") )]|map(.LogicalResourceId)',
+        message: 'Security Groups found with cidr that is not /32'
+
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "array"))|select(.Properties.SecurityGroupIngress[].CidrIp|type == "string")|select(.Properties.SecurityGroupIngress[].CidrIp | if .|type=="string" then test("^\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}\\\.\\\d{1,3}/(?!32)$") else false end)]|map(.LogicalResourceId)',
+        message: 'Security Groups found with cidr that is not /32'
+
+
+#for inline, this covers it, but with an externalized egress rule... the expression gets real evil
+#i guess the ideal would be to do a join of ingress and egress rules with the parent sg
+#but it gets real hairy with FnGetAtt for GroupId and all that.... think it best to
+#write some imperative code in custom rules to take care of things
+# violation '.Resources[]|select(.Type == "AWS::EC2::SecurityGroup")|select(.Properties.SecurityGroupEgress == null or .Properties.SecurityGroupEgress.length? == 0)' do |security_groups|
+#   puts "Security Groups found without egress json_rules: #{security_groups}"
+# end

data/lib/json_rules/iam_policy_rules.rb

@@ -0,0 +1,110 @@
+wildcard_action_filter = <<END
+def wildcard_action:
+  if .Statement|type == "object"
+  then select(.Statement.Effect == "Allow" and .Statement|if .Action|type=="string" then select(.Action == "*") else select(.Action|index("*")) end)
+  else select(.Statement[]|if .Action|type=="string" then select(.Effect == "Allow" and .Action == "*") else select(.Effect == "Allow" and (.Action|index("*"))) end)
+  end;
+END
+
+violation jq: wildcard_action_filter +
+             "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
+          message: 'IAM role should not allow * action on its trust policy'
+
+violation jq: wildcard_action_filter +
+              "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|wildcard_action)]|map(.LogicalResourceId)",
+          message: 'IAM role should not allow * action on its permissions policy'
+
+
+violation jq: wildcard_action_filter +
+              "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
+          message: 'IAM policy should not allow * action'
+
+
+violation jq: wildcard_action_filter +
+              "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_action)]|map(.LogicalResourceId) ",
+          message: 'IAM managed policy should not allow * action'
+
+
+wildcard_resource_filter = <<END
+def wildcard_resource:
+  if .Statement|type == "object"
+  then select(.Statement.Effect == "Allow" and .Statement|if .Resource|type=="string" then select(.Resource == "*") else select(.Resource|index("*")) end)
+  else select(.Statement[]|if .Resource|type=="string" then select(.Effect == "Allow" and .Resource == "*") else (if .Resource|type=="array" then select(.Effect == "Allow" and (.Resource|index("*"))) else false end) end)
+  end;
+END
+
+warning jq: wildcard_resource_filter +
+            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
+        message: 'IAM role should not allow * resource on its permissions policy'
+
+
+warning jq: wildcard_resource_filter +
+            "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
+        message: 'IAM policy should not allow * resource'
+
+warning jq: wildcard_resource_filter +
+            "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|wildcard_resource)]|map(.LogicalResourceId)",
+        message: 'IAM managed policy should not allow * resource'
+
+allow_not_action_filter = <<END
+def allow_not_action:
+  if .Statement|type == "object"
+  then select(.Statement.Effect == "Allow" and .Statement.NotAction != null)
+  else select(.Statement[]|select(.NotAction != null and .Effect == "Allow"))
+  end;
+END
+
+warning jq: allow_not_action_filter +
+            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
+        message: 'IAM role should not allow Allow+NotAction'
+
+
+warning jq: allow_not_action_filter +
+            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
+        message: 'IAM role should not allow Allow+NotAction'
+
+
+warning jq: allow_not_action_filter +
+            "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
+        message: 'IAM policy should not allow Allow+NotAction'
+
+
+warning jq: allow_not_action_filter +
+            "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_action)]|map(.LogicalResourceId)",
+        message: 'IAM managed policy should not allow Allow+NotAction'
+
+
+allow_not_resource_filter = <<END
+def allow_not_resource:
+  if .Statement|type == "object"
+  then select(.Statement.Effect == "Allow" and .Statement.NotResource != null)
+  else select(.Statement[]|select(.NotResource != null and .Effect == "Allow"))
+  end;
+END
+
+warning jq: allow_not_resource_filter +
+            "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.Policies !=null)|select(.Properties.Policies[].PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
+        message: 'IAM role should not allow Allow+NotResource'
+
+
+warning jq: allow_not_resource_filter +
+            "[#{resources_by_type('AWS::IAM::Policy')}|select(.Properties.PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
+        message: 'IAM policy should not allow Allow+NotResource'
+
+
+warning jq: allow_not_resource_filter +
+           "[#{resources_by_type('AWS::IAM::ManagedPolicy')}|select(.Properties.PolicyDocument|allow_not_resource)]|map(.LogicalResourceId)",
+        message: 'IAM managed policy should not allow Allow+NotResource'
+
+
+allow_not_principal_filter = <<END
+def allow_not_principal:
+  if .Statement|type == "object"
+  then select(.Statement.Effect == "Allow" and .Statement.NotPrincipal != null)
+  else select(.Statement[]|select(.NotPrincipal != null and .Effect == "Allow"))
+  end;
+END
+
+violation jq: allow_not_principal_filter +
+              "[#{resources_by_type('AWS::IAM::Role')}|select(.Properties.AssumeRolePolicyDocument|allow_not_principal)]|map(.LogicalResourceId)",
+          message: 'IAM role should not allow Allow+NotPrincipal in its trust policy'

data/lib/json_rules/iam_user_rules.rb

@@ -0,0 +1,12 @@
+violation jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::User")|'\
+              'select(.Properties.Policies|length > 0)]|map(.LogicalResourceId) ',
+          message: 'IAM user should not have any directly attached policies.  Should be on group'
+
+violation jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::Policy")|'\
+              'select(.Properties.Users|length > 0)]|map(.LogicalResourceId) ',
+          message: 'IAM policy should not apply directly to users.  Should be on group'
+
+violation jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::IAM::ManagedPolicy")|'\
+              'select(.Properties.Users|length > 0)]|map(.LogicalResourceId) ',
+          message: 'IAM policy should not apply directly to users.  Should be on group'
+

data/lib/json_rules/port_rules.rb

@@ -0,0 +1,17 @@
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "object"))|select(.Properties.SecurityGroupIngress.ToPort != .Properties.SecurityGroupIngress.FromPort)]|map(.LogicalResourceId)',
+        message:  'Security Groups found ingress with port range instead of just a single port'
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupIngress|type == "array"))|select([.Properties.SecurityGroupIngress[].ToPort] != [.Properties.SecurityGroupIngress[].FromPort])]|map(.LogicalResourceId)',
+        message:  'Security Groups found ingress with port range instead of just a single port'
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "object"))|select(.Properties.SecurityGroupEgress.ToPort != .Properties.SecurityGroupEgress.FromPort)]|map(.LogicalResourceId)',
+        message:  'Security Groups found egress with port range instead of just a single port'
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroup" and (.Properties.SecurityGroupEgress|type == "array"))|select([.Properties.SecurityGroupEgress[].ToPort] != [.Properties.SecurityGroupEgress[].FromPort])]|map(.LogicalResourceId)',
+        message:  'Security Groups found egress with port range instead of just a single port'
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupIngress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
+        message:  'Security Groups found ingress with port range instead of just a single port'
+
+warning jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.ToPort != .Properties.FromPort)]|map(.LogicalResourceId)',
+        message:  'Security Groups found egress with port range instead of just a single port'

data/lib/model/cfn_model.rb

@@ -0,0 +1,187 @@
+require 'json'
+require_relative 'security_group_parser'
+require_relative 'iam_user_parser'
+
+# consider a canonical form for template too...
+# always transform optional things into more general forms....
+# although referencing violations becomes tricky then (a la c preprocessor)
+
+class CfnModel
+  def initialize
+    @parser_registry = {
+      'AWS::EC2::SecurityGroup' => SecurityGroupParser,
+      'AWS::EC2::SecurityGroupIngress' => SecurityGroupXgressParser,
+      'AWS::EC2::SecurityGroupEgress' => SecurityGroupXgressParser,
+      'AWS::IAM::User' => IamUserParser,
+      'AWS::IAM::UserToGroupAddition' => IamUserToGroupAdditionParser
+    }
+    @dangling_ingress_or_egress_rules = []
+    @dangler = Object.new
+  end
+
+  def parse(cfn_json_string)
+    @json_hash = JSON.load cfn_json_string
+    self
+  end
+
+  def security_groups
+    fail 'must call parse first' unless @json_hash
+    security_groups_hash = resources_by_type('AWS::EC2::SecurityGroup')
+    wire_ingress_rules_to_security_groups(security_groups_hash)
+    wire_egress_rules_to_security_groups(security_groups_hash)
+    security_groups_hash.values
+  end
+
+  def dangling_ingress_or_egress_rules
+    fail 'must call parse first' unless @json_hash
+    @dangling_ingress_or_egress_rules
+  end
+
+  def iam_users
+    fail 'must call parse first' unless @json_hash
+    iam_users_hash = resources_by_type('AWS::IAM::User')
+    wire_user_to_group_additions_to_users(iam_users_hash)
+    iam_users_hash.values
+  end
+
+  private
+  #
+  # def is_get_att(object)
+  #   not object['Fn::GetAtt'].nil?
+  # end
+  #
+  # def is_reference(object)
+  #   not object['Ref'].nil?
+  # end
+
+  def resolve_user_logical_resource_id(user)
+    if not user['Ref'].nil?
+      user['Ref']
+    elsif not user['Fn::GetAtt'].nil?
+      fail 'Arn not legal for user to group addition'
+    else
+      @dangler
+    end
+  end
+
+  def resolve_group_id(group_id)
+    if not group_id['Ref'].nil?
+      group_id['Ref']
+    elsif not group_id['Fn::GetAtt'].nil?
+      fail 'GroupId only legal att on security group resource' unless group_id['Fn::GetAtt'][1] == 'GroupId'
+      group_id['Fn::GetAtt'][0]
+    else
+      @dangling_ingress_or_egress_rules << group_id
+      @dangler
+    end
+  end
+
+  def wire_user_to_group_additions_to_users(iam_users_hash)
+    resources_by_type('AWS::IAM::UserToGroupAddition').each do |resource_name, user_to_group_addition|
+      user_to_group_addition['Users'].each do |user|
+        unless resolve_user_logical_resource_id(user) == @dangler
+          iam_users_hash[resolve_user_logical_resource_id(user)].add_group user_to_group_addition['GroupName']
+        end
+      end
+    end
+    iam_users_hash
+  end
+
+  def wire_ingress_rules_to_security_groups(security_groups_hash)
+    resources_by_type('AWS::EC2::SecurityGroupIngress').each do |resource_name, ingress_rule|
+      if not ingress_rule['GroupId'].nil?
+        group_id = resolve_group_id(ingress_rule['GroupId'])
+
+        unless group_id == @dangler
+          security_groups_hash[group_id].add_ingress_rule ingress_rule
+        end
+      else
+        fail "GroupId must be set: #{ingress_rule}"
+      end
+    end
+    security_groups_hash
+  end
+
+  def wire_egress_rules_to_security_groups(security_groups_hash)
+    resources_by_type('AWS::EC2::SecurityGroupEgress').each do |resource_name, egress_rule|
+      if not egress_rule['GroupId'].nil?
+        group_id = resolve_group_id(egress_rule['GroupId'])
+
+        unless group_id == @dangler
+          security_groups_hash[group_id].add_egress_rule egress_rule
+        end
+      else
+        fail "GroupId must be set: #{egress_rule}"
+      end
+    end
+    security_groups_hash
+  end
+
+  def resources
+    @json_hash['Resources']
+  end
+
+  def resources_by_type(resource_type)
+    resources_map = {}
+    resources.each do |resource_name, resource|
+      if resource['Type'] == resource_type
+        resource_parser = @parser_registry[resource_type].new
+        resources_map[resource_name] = resource_parser.parse(resource_name, resource)
+      end
+    end
+    resources_map
+  end
+end
+
+class SecurityGroup
+  attr_accessor :group_description, :vpc_id, :logical_resource_id
+  attr_reader :ingress_rules, :egress_rules
+
+  def initialize
+    @ingress_rules = []
+    @egress_rules = []
+  end
+
+  def add_ingress_rule(ingress_rule)
+    @ingress_rules << ingress_rule
+  end
+
+  def add_egress_rule(egress_rule)
+    @egress_rules << egress_rule
+  end
+
+  def to_s
+    <<-END
+    {
+      logical_resource_id: #{@logical_resource_id}
+      group_description: #{@group_description}
+      vpc_id: #{@vpc_id}
+      ingress_rules: #{@ingress_rules}
+      egress_rules: #{@egress_rules}
+    }
+    END
+  end
+end
+
+class IamUser
+  attr_accessor :logical_resource_id
+  attr_reader :groups
+
+  def initialize
+    @groups = []
+  end
+
+  def add_group(group)
+    @groups << group
+  end
+
+  def to_s
+    <<-END
+    {
+      logical_resource_id: #{@logical_resource_id}
+      groups: #{@groups}
+    }
+    END
+  end
+end
+

data/lib/model/iam_user_parser.rb

@@ -0,0 +1,34 @@
+require_relative 'cfn_model'
+
+
+class IamUserParser
+
+  def parse(resource_name, resource_json)
+    properties = resource_json['Properties']
+    iam_user = IamUser.new
+
+    iam_user.logical_resource_id = resource_name
+
+    unless properties.nil?
+      unless properties['Groups'].nil?
+        properties['Groups'].each do |group|
+          iam_user.add_group group
+        end
+      end
+    end
+
+    iam_user
+  end
+end
+
+class IamUserToGroupAdditionParser
+
+  def parse(resource_name, resource_json)
+    user_to_group_addition = {}
+    user_to_group_addition['logical_resource_id'] = resource_name
+    resource_json['Properties'].each_pair do |key, value|
+      user_to_group_addition[key] = value
+    end
+    user_to_group_addition
+  end
+end

data/lib/model/security_group_parser.rb

@@ -0,0 +1,59 @@
+require_relative 'cfn_model'
+
+class SecurityGroupParser
+
+  # precondition: properties are actually there... other validator takes care
+  def parse(resource_name, resource_json)
+    properties = resource_json['Properties']
+    security_group = SecurityGroup.new
+
+    parse_ingress_rules(security_group, properties)
+
+    parse_egress_rules(security_group, properties)
+
+    security_group.vpc_id = properties['VpcId']
+    security_group.group_description = properties['GroupDescription']
+    security_group.logical_resource_id = resource_name
+
+    security_group
+  end
+
+  private
+
+  def parse_ingress_rules(security_group, properties)
+    unless properties['SecurityGroupIngress'].nil?
+      if properties['SecurityGroupIngress'].is_a? Array
+        properties['SecurityGroupIngress'].each do |ingress_json|
+          security_group.add_ingress_rule ingress_json
+        end
+      elsif properties['SecurityGroupIngress'].is_a? Hash
+        security_group.add_ingress_rule properties['SecurityGroupIngress']
+      end
+    end
+  end
+
+  def parse_egress_rules(security_group, properties)
+    unless properties['SecurityGroupEgress'].nil?
+      if properties['SecurityGroupEgress'].is_a? Array
+        properties['SecurityGroupEgress'].each do |egress_json|
+          security_group.add_egress_rule egress_json
+        end
+      elsif properties['SecurityGroupEgress'].is_a? Hash
+        security_group.add_egress_rule properties['SecurityGroupEgress']
+      end
+    end
+  end
+
+end
+
+class SecurityGroupXgressParser
+
+  def parse(resource_name, resource_json)
+    xgress = {}
+    xgress['logical_resource_id'] = resource_name
+    resource_json['Properties'].each_pair do |key, value|
+      xgress[key] = value
+    end
+    xgress
+  end
+end

data/lib/rule.rb

@@ -0,0 +1,168 @@
+require 'logging'
+
+module Rule
+  attr_accessor :input_json_path, :failure_count
+
+  def resources
+    '.Resources|with_entries(.value.LogicalResourceId = .key)[]'
+  end
+
+  def resources_by_type(resource)
+    "#{resources}| select(.Type == \"#{resource}\")"
+  end
+
+  def warning(jq:, message:)
+    Logging.logger['log'].debug jq
+
+    stdout = jq_command(@input_json_path, jq)
+    result = $?.exitstatus
+    scrape_jq_output_for_error(stdout)
+
+    resource_ids = parse_logical_resource_ids(stdout)
+    new_warnings = resource_ids.size
+    if result == 0 and new_warnings > 0
+      @warning_count ||= 0
+      @warning_count += new_warnings
+
+      message(message_type: 'warning',
+              message: message,
+              logical_resource_ids: resource_ids)
+    end
+  end
+
+  def raw_fatal_assertion(jq:, message:)
+    failing_rule(jq_expression: jq,
+                 fail_if_found: false,
+                 fatal: true,
+                 message: message,
+                 message_type: 'fatal assertion',
+                 raw: true)
+  end
+
+  def fatal_assertion(jq:, message:)
+    failing_rule(jq_expression: jq,
+                 fail_if_found: false,
+                 fatal: true,
+                 message: message,
+                 message_type: 'fatal assertion')
+  end
+
+  def raw_fatal_violation(jq:, message:)
+    failing_rule(jq_expression: jq,
+                 fail_if_found: true,
+                 fatal: true,
+                 message: message,
+                 message_type: 'fatal violation',
+                 raw: true)
+  end
+
+  def fatal_violation(jq:, message:)
+    failing_rule(jq_expression: jq,
+                 fail_if_found: true,
+                 fatal: true,
+                 message: message,
+                 message_type: 'fatal violation')
+  end
+
+  def violation(jq:, message:)
+    failing_rule(jq_expression: jq,
+                 fail_if_found: true,
+                 message: message,
+                 message_type: 'violation')
+  end
+
+  def assertion(jq:, message:)
+    failing_rule(jq_expression: jq,
+                 fail_if_found: false,
+                 message: message,
+                 message_type: 'assertion')
+  end
+
+  def message(message_type:,
+              message:,
+              logical_resource_ids: nil,
+              violating_code: nil)
+
+    if logical_resource_ids == []
+      logical_resource_ids = nil
+    end
+
+    (1..60).each { print '-' }
+    puts
+    puts "| #{message_type.upcase}"
+    puts '|'
+    puts "| Resources: #{logical_resource_ids}" unless logical_resource_ids.nil?
+    puts '|' unless logical_resource_ids.nil?
+    puts "| #{message}"
+
+    unless violating_code.nil?
+      puts '|'
+      puts indent_multiline_string_with_prefix('|', violating_code.to_s)
+    end
+  end
+
+  private
+
+  def parse_logical_resource_ids(stdout)
+    JSON.load(stdout)
+  end
+
+  def scrape_jq_output_for_error(stdout)
+    fail 'json rule is likely not complete' if stdout.match /jq: error/
+  end
+
+  def indent_multiline_string_with_prefix(prefix, multiline_string)
+    prefix + ' ' + multiline_string.gsub(/\n/, "\n#{prefix} ")
+  end
+
+  def failing_rule(jq_expression:,
+                   fail_if_found:,
+                   message:,
+                   message_type:,
+                   fatal: false,
+                   raw: false)
+    Logging.logger['log'].debug jq_expression
+
+    stdout = jq_command(@input_json_path, jq_expression)
+    result = $?.exitstatus
+    scrape_jq_output_for_error(stdout)
+    if (fail_if_found and result == 0) or
+       (not fail_if_found and result != 0)
+      @violation_count ||= 0
+
+      if raw
+        @violation_count += 1
+
+        message(message_type: message_type,
+                message: message,
+                violating_code: stdout)
+
+        if fatal
+          exit 1
+        end
+      else
+        resource_ids = parse_logical_resource_ids(stdout)
+        @violation_count += resource_ids.size
+
+        if resource_ids.size > 0
+          message(message_type: message_type,
+                  message: message,
+                  logical_resource_ids: resource_ids)
+
+          if fatal
+            exit 1
+          end
+        end
+      end
+    end
+  end
+
+  def jq_command(input_json_path, jq_expression)
+    command = "cat #{input_json_path} | jq '#{jq_expression}' -e"
+
+    Logging.logger['log'].debug command
+
+    `#{command}`
+  end
+end
+

metadata

@@ -0,0 +1,85 @@
+--- !ruby/object:Gem::Specification
+name: cfn-nag
+version: !ruby/object:Gem::Version
+  version: 0.0.4
+platform: ruby
+authors:
+- someguy
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-02-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logging
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: trollop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.1.2
+description: Auditing tool for Cloudformation templates
+email: 
+executables:
+- cfn_nag
+extensions: []
+extra_rdoc_files: []
+files:
+- bin/cfn_nag
+- lib/cfn_nag.rb
+- lib/custom_rules/security_group_missing_egress.rb
+- lib/custom_rules/user_missing_group.rb
+- lib/json_rules/basic_rules.rb
+- lib/json_rules/cidr_rules.rb
+- lib/json_rules/iam_policy_rules.rb
+- lib/json_rules/iam_user_rules.rb
+- lib/json_rules/port_rules.rb
+- lib/model/cfn_model.rb
+- lib/model/iam_user_parser.rb
+- lib/model/security_group_parser.rb
+- lib/rule.rb
+homepage: 
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: cfn-nag
+test_files: []