cfn-nag 0.0.41 → 0.0.42
- checksums.yaml +4 -4
- data/lib/json_rules/cidr_rules.rb +20 -3
- metadata +2 -2
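--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3b193c392fea4a0748192a0e75da74b81f7aff3f
+data.tar.gz: ccca9f3103b10b1af725b5a7e23022cebe939c55
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 87e3b4e2756923893753e77af1f63505110393aacdffd19827f0e48b35219404971f3b399246e6219643b75f38817ed809e7c6122936feb4c2ecc2385a3ad460
+data.tar.gz: d02aeaf155a6a47e3876635810b02b44c9079ef5f78ae56b22357aa4960d47fce9009da28601a21778b693a87a09336dedc84fbc10e8f5143c352a6ef8992d97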
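--- a/data/lib/json_rules/cidr_rules.rb
+++ b/data/lib/json_rules/cidr_rules.rb
@@ -29,10 +29,24 @@ warning id: 'W7',
 jq: '[.Resources|with_entries(.value.LogicalResourceId = .key)[] | select(.Type == "AWS::EC2::SecurityGroupEgress")|select(.Properties.CidrIp? == "0.0.0.0/0")]|map(.LogicalResourceId)',
 message: 'Security Group Standalone Egress found with cidr open to world.'
 
+non32_cidr_standalone_ingress = <<END
+[.Resources|
+with_entries(.value.LogicalResourceId = .key)[] |
+select(.Type == "AWS::EC2::SecurityGroupIngress") |
+if(.Properties.CidrIp|type == "string")
+then select(.Properties.CidrIp|endswith("/32")|not)
+else (
+if(.Properties.CidrIp|type == "array")
+then (select(.Properties.CidrIp[]|if (type == "string") then (endswith("/32")|not) else false end))
+else empty
+end
+)
+end ]|map(.LogicalResourceId)
+END
 
 # BEWARE with escapes \d -> \\\d because of how the escapes get munged from ruby through to shell
 warning id: 'W8',
-jq:
+jq: non32_cidr_standalone_ingress,
 message: 'Security Group Standalone Ingress cidr found that is not /32'
 
 non_32_cidr_jq_expression = <<END
@@ -41,12 +55,15 @@ non_32_cidr_jq_expression = <<END
 select(.Type == "AWS::EC2::SecurityGroup") |
 if (.Properties.SecurityGroupIngress|type == "object")
 then (
-
+if (.Properties.SecurityGroupIngress.CidrIp|type == "string")
+then (select(.Properties.SecurityGroupIngress.CidrIp|endswith("/32")|not))
+else empty
+end
 )
 else (
 if (.Properties.SecurityGroupIngress|type == "array")
 then (
-select(.Properties.SecurityGroupIngress[]|select(.CidrIp|endswith("/32")|not))
+select(.Properties.SecurityGroupIngress[]|(if (.CidrIp|type == "string") then (select(.CidrIp|endswith("/32")|not)) else empty end))
 )
 else empty
 end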
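Review bot: The new W8 expression in the first hunk (`if(.Properties.CidrIp|type == "string") … else empty`) inspects only literal CidrIp strings or arrays of them, so a CidrIp supplied through an intrinsic function such as `Ref` or `Fn::*` (an object once the template is parsed) lands in `else empty` and is never reported; the same gap exists in the second hunk's SecurityGroupIngress branches (new lines 58-61 and 66). Skipping values that are unknown at lint time is a defensible choice, but it should be stated so readers do not assume the rule covers parameterized CIDRs: above `non32_cidr_standalone_ingress = <<END` add `# Only literal CidrIp strings (or arrays of them) are checked; intrinsic-function values (Ref/Fn::*) are skipped rather than flagged.` Both expressions look only at CidrIp, so IPv6 ingress declared via CidrIpv6 presumably also falls outside their scope and deserves a second line in that comment. The `warning id: 'W7'` call whose `jq:` line opens the first hunk begins above it, and the `non_32_cidr_jq_expression` heredoc opens at the end of the first hunk and closes after the second.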
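--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.0.
+version: 0.0.42
 platform: ruby
 authors:
 - someguy
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-05-
+date: 2017-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: logging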