cfn-nag 0.0.41 → 0.0.42
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/json_rules/cidr_rules.rb +20 -3
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3b193c392fea4a0748192a0e75da74b81f7aff3f
|
|
4
|
+
data.tar.gz: ccca9f3103b10b1af725b5a7e23022cebe939c55
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 87e3b4e2756923893753e77af1f63505110393aacdffd19827f0e48b35219404971f3b399246e6219643b75f38817ed809e7c6122936feb4c2ecc2385a3ad460
|
|
7
|
+
data.tar.gz: d02aeaf155a6a47e3876635810b02b44c9079ef5f78ae56b22357aa4960d47fce9009da28601a21778b693a87a09336dedc84fbc10e8f5143c352a6ef8992d97
|
|
@@ -29,10 +29,24 @@ warning id: 'W7',
|
|
|
29
29
|
jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
|
|
30
30
|
message: 'Security Group Standalone Egress found with cidr open to world.'
|
|
31
31
|
|
|
32
|
+
non32_cidr_standalone_ingress = <<END
|
|
33
|
+
[.Resources|
|
|
34
|
+
with_entries(.value.LogicalResourceId = .key)[] |
|
|
35
|
+
select(.Type == "AWS::EC2::SecurityGroupIngress") |
|
|
36
|
+
if(.Properties.CidrIp|type == "string")
|
|
37
|
+
then select(.Properties.CidrIp|endswith("/32")|not)
|
|
38
|
+
else (
|
|
39
|
+
if(.Properties.CidrIp|type == "array")
|
|
40
|
+
then (select(.Properties.CidrIp[]|if (type == "string") then (endswith("/32")|not) else false end))
|
|
41
|
+
else empty
|
|
42
|
+
end
|
|
43
|
+
)
|
|
44
|
+
end ]|map(.LogicalResourceId)
|
|
45
|
+
END
|
|
32
46
|
|
|
33
47
|
# BEWARE with escapes \d -> \\\d because of how the escapes get munged from ruby through to shell
|
|
34
48
|
warning id: 'W8',
|
|
35
|
-
jq:
|
|
49
|
+
jq: non32_cidr_standalone_ingress,
|
|
36
50
|
message: 'Security Group Standalone Ingress cidr found that is not /32'
|
|
37
51
|
|
|
38
52
|
non_32_cidr_jq_expression = <<END
|
|
@@ -41,12 +55,15 @@ non_32_cidr_jq_expression = <<END
|
|
|
41
55
|
select(.Type == "AWS::EC2::SecurityGroup") |
|
|
42
56
|
if (.Properties.SecurityGroupIngress|type == "object")
|
|
43
57
|
then (
|
|
44
|
-
|
|
58
|
+
if (.Properties.SecurityGroupIngress.CidrIp|type == "string")
|
|
59
|
+
then (select(.Properties.SecurityGroupIngress.CidrIp|endswith("/32")|not))
|
|
60
|
+
else empty
|
|
61
|
+
end
|
|
45
62
|
)
|
|
46
63
|
else (
|
|
47
64
|
if (.Properties.SecurityGroupIngress|type == "array")
|
|
48
65
|
then (
|
|
49
|
-
select(.Properties.SecurityGroupIngress[]|select(.CidrIp|endswith("/32")|not))
|
|
66
|
+
select(.Properties.SecurityGroupIngress[]|(if (.CidrIp|type == "string") then (select(.CidrIp|endswith("/32")|not)) else empty end))
|
|
50
67
|
)
|
|
51
68
|
else empty
|
|
52
69
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.42
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- someguy
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-05-
|
|
11
|
+
date: 2017-05-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: logging
|