cfn-nag 0.1.8 → 0.3.0
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/UserMissingGroupRule.rb +1 -1
- metadata +4 -4
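--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9afa055a091cce26ce861f4788565f5e4be10fee
+data.tar.gz: 0bd54fe8e8c9c4fc7d53e2aa755051c11becd143
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ac0a50f49100462562dc74c792bd4c367018c931a8d01ad7e534d910b21116cc2b93abb4c2f64d164f9c432e81fc6a07bc4b9457f6238fb23257806998c6e2f4
+data.tar.gz: cf262ff579adfc1072673cf8c9ef34cb7785035c2c460120a7b211f8e37574981d895c88920f4f4c7ead50eb5c0b5a7fc7fd7bae52ac75b40a2bb761ab7f5efd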
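--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
@@ -17,7 +17,7 @@ class IamManagedPolicyNotActionRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_action.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }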
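--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
@@ -17,7 +17,7 @@ class IamManagedPolicyNotResourceRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_resource.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }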
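--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb
@@ -17,7 +17,7 @@ class IamManagedPolicyWildcardActionRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-!policy.
+!policy.policy_document.wildcard_allowed_actions.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }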
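--- a/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb
@@ -17,7 +17,7 @@ class IamManagedPolicyWildcardResourceRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::ManagedPolicy').select do |policy|
-!policy.
+!policy.policy_document.wildcard_allowed_resources.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }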
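--- a/data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb
@@ -17,7 +17,7 @@ class IamPolicyNotActionRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_action.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }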
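--- a/data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb
@@ -17,7 +17,7 @@ class IamPolicyNotResourceRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_resource.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }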
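--- a/data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
@@ -17,7 +17,7 @@ class IamPolicyWildcardActionRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
-!policy.
+!policy.policy_document.wildcard_allowed_actions.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }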
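--- a/data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
@@ -17,7 +17,7 @@ class IamPolicyWildcardResourceRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
-!policy.
+!policy.policy_document.wildcard_allowed_resources.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }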
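--- a/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
@@ -17,8 +17,8 @@ class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
-violating_policies = role.
-!policy.
+violating_policies = role.policy_objects.select do |policy|
+!policy.policy_document.allows_not_action.empty?
 end
 !violating_policies.empty?
 end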
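Review bot: The inner `select` introduced on new lines 20–21 builds an array that is only consulted by `!violating_policies.empty?` on line 23, so the role predicate can be written directly as `role.policy_objects.any? { |policy| !policy.policy_document.allows_not_action.empty? }` and the intermediate local dropped. The same shape is introduced in the IamRoleNotResourceOnPermissionsPolicyRule, IamRoleWildcardActionOnPermissionsPolicyRule and IamRoleWildcardResourceOnPermissionsPolicyRule hunks. audit_impl continues past the `end` on line 24 that closes the outer select, outside this hunk.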
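--- a/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
@@ -17,7 +17,7 @@ class IamRoleNotActionOnTrustPolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
-!role.
+!role.assume_role_policy_document.allows_not_action.empty?
 end
 
 violating_roles.map { |role| role.logical_resource_id }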
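--- a/data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
@@ -17,7 +17,7 @@ class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
-!role.
+!role.assume_role_policy_document.allows_not_principal.empty?
 end
 
 violating_roles.map { |role| role.logical_resource_id }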
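--- a/data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb
@@ -17,8 +17,8 @@ class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
-violating_policies = role.
-!policy.
+violating_policies = role.policy_objects.select do |policy|
+!policy.policy_document.allows_not_resource.empty?
 end
 !violating_policies.empty?
 end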
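--- a/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
@@ -17,8 +17,8 @@ class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
-violating_policies = role.
-!policy.
+violating_policies = role.policy_objects.select do |policy|
+!policy.policy_document.wildcard_allowed_actions.empty?
 end
 !violating_policies.empty?
 end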
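--- a/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
@@ -17,7 +17,7 @@ class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
-!role.
+!role.assume_role_policy_document.wildcard_allowed_actions.empty?
 end
 
 violating_roles.map { |role| role.logical_resource_id}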
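--- a/data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
@@ -17,8 +17,8 @@ class IamRoleWildcardResourceOnPermissionsPolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
-violating_policies = role.
-!policy.
+violating_policies = role.policy_objects.select do |policy|
+!policy.policy_document.wildcard_allowed_resources.empty?
 end
 !violating_policies.empty?
 end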
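--- a/data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
@@ -17,7 +17,7 @@ class S3BucketPolicyNotActionRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_action.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }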
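--- a/data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb
@@ -17,7 +17,7 @@ class S3BucketPolicyNotPrincipalRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_principal.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }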
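--- a/data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb
@@ -20,7 +20,7 @@ class S3BucketPolicyWildcardActionRule < BaseRule
 
 cfn_model.resources_by_type('AWS::S3::BucketPolicy').each do |bucket_policy|
 
-if !bucket_policy.
+if !bucket_policy.policy_document.wildcard_allowed_actions.empty?
 logical_resource_ids << bucket_policy.logical_resource_id
 end
 end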
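Review bot: The added condition on new line 23 negates a predicate, which Ruby expresses as `unless bucket_policy.policy_document.wildcard_allowed_actions.empty?` rather than `if !…`; the same `if !…empty?` form is introduced in the S3BucketPolicyWildcardPrincipalRule, SnsTopicPolicyWildcardPrincipalRule, SqsQueuePolicyWildcardActionRule and SqsQueuePolicyWildcardPrincipalRule hunks. These `each`-and-append rules could also take the `select … map { |policy| policy.logical_resource_id }` shape the NotAction and NotPrincipal siblings in this same change use, so every policy rule reads identically. audit_impl starts above this hunk, and its closing `end` is below it.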
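--- a/data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb
@@ -19,7 +19,7 @@ class S3BucketPolicyWildcardPrincipalRule < BaseRule
 logical_resource_ids = []
 
 cfn_model.resources_by_type('AWS::S3::BucketPolicy').each do |topic_policy|
-if !topic_policy.
+if !topic_policy.policy_document.wildcard_allowed_principals.empty?
 logical_resource_ids << topic_policy.logical_resource_id
 end
 end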
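Review bot: The block variable used on new line 22 is `topic_policy`, but the collection being iterated is `AWS::S3::BucketPolicy` resources, so the name looks carried over from the SNS rule and misdescribes the object; `bucket_policy`, as the S3BucketPolicyWildcardActionRule hunk already uses, would be accurate on lines 21–23, giving `if !bucket_policy.policy_document.wildcard_allowed_principals.empty?`. The SqsQueuePolicyWildcardPrincipalRule hunk has the same carried-over `topic_policy` name for its queue policies. audit_impl begins above this hunk and ends below it.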
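--- a/data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
@@ -22,7 +22,7 @@ class SecurityGroupEgressOpenToWorldRule < BaseRule
 def audit_impl(cfn_model)
 logical_resource_ids = []
 cfn_model.security_groups.each do |security_group|
-violating_egresses = security_group.
+violating_egresses = security_group.egresses.select do |egress|
 ip4_open?(egress) || ip6_open?(egress)
 end
 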
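--- a/data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb
@@ -20,7 +20,7 @@ class SecurityGroupEgressPortRangeRule < BaseRule
 def audit_impl(cfn_model)
 logical_resource_ids = []
 cfn_model.security_groups.each do |security_group|
-violating_egresses = security_group.
+violating_egresses = security_group.egresses.select do |egress|
 egress.fromPort != egress.toPort
 end
 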
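--- a/data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb
@@ -22,7 +22,7 @@ class SecurityGroupIngressCidrNon32Rule < BaseRule
 def audit_impl(cfn_model)
 logical_resource_ids = []
 cfn_model.security_groups.each do |security_group|
-violating_ingresses = security_group.
+violating_ingresses = security_group.ingresses.select do |ingress|
 ip4_cidr_range?(ingress) || ip6_cidr_range?(ingress)
 end
 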
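--- a/data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
@@ -22,7 +22,7 @@ class SecurityGroupIngressOpenToWorldRule < BaseRule
 def audit_impl(cfn_model)
 logical_resource_ids = []
 cfn_model.security_groups.each do |security_group|
-violating_ingresses = security_group.
+violating_ingresses = security_group.ingresses.select do |ingress|
 ip4_open?(ingress) || ip6_open?(ingress)
 end
 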
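--- a/data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
@@ -20,7 +20,7 @@ class SecurityGroupIngressPortRangeRule < BaseRule
 def audit_impl(cfn_model)
 logical_resource_ids = []
 cfn_model.security_groups.each do |security_group|
-violating_ingresses = security_group.
+violating_ingresses = security_group.ingresses.select do |ingress|
 ingress.fromPort != ingress.toPort
 end
 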
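--- a/data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
@@ -18,7 +18,7 @@ class SecurityGroupMissingEgressRule < BaseRule
 def audit_impl(cfn_model)
 logical_resource_ids = []
 cfn_model.security_groups.each do |security_group|
-if security_group.
+if security_group.egresses.empty?
 logical_resource_ids << security_group.logical_resource_id
 end
 end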
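Review bot: The new condition `if security_group.egresses.empty?` on line 21 deserves a one-line why-comment, because a reader can easily take "no egress rules" to mean "nothing allowed out" when for an `AWS::EC2::SecurityGroup` that declares no SecurityGroupEgress entries the default allow-all outbound rule stays in place, which is what makes the missing block worth flagging. A comment such as `# No declared egress leaves the default allow-all outbound rule on the group` above line 21 would make the intent explicit. audit_impl's closing `end` is outside the hunk.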
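--- a/data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb
@@ -17,7 +17,7 @@ class SnsTopicPolicyNotActionRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_action.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }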
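--- a/data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb
@@ -17,7 +17,7 @@ class SnsTopicPolicyNotPrincipalRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_principal.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }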
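--- a/data/lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb
@@ -19,7 +19,7 @@ class SnsTopicPolicyWildcardPrincipalRule < BaseRule
 logical_resource_ids = []
 
 cfn_model.resources_by_type('AWS::SNS::TopicPolicy').each do |topic_policy|
-if !topic_policy.
+if !topic_policy.policy_document.wildcard_allowed_principals.empty?
 logical_resource_ids << topic_policy.logical_resource_id
 end
 end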
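--- a/data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb
@@ -17,7 +17,7 @@ class SqsQueuePolicyNotActionRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_action.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }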
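--- a/data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb
@@ -17,7 +17,7 @@ class SqsQueuePolicyNotPrincipalRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').select do |policy|
-!policy.
+!policy.policy_document.allows_not_principal.empty?
 end
 
 violating_policies.map { |policy| policy.logical_resource_id }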
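--- a/data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb
@@ -20,7 +20,7 @@ class SqsQueuePolicyWildcardActionRule < BaseRule
 
 cfn_model.resources_by_type('AWS::SQS::QueuePolicy').each do |queue_policy|
 
-if !queue_policy.
+if !queue_policy.policy_document.wildcard_allowed_actions.empty?
 logical_resource_ids << queue_policy.logical_resource_id
 end
 end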
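--- a/data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb
@@ -19,7 +19,7 @@ class SqsQueuePolicyWildcardPrincipalRule < BaseRule
 logical_resource_ids = []
 
 cfn_model.resources_by_type('AWS::SQS::QueuePolicy').each do |topic_policy|
-if !topic_policy.
+if !topic_policy.policy_document.wildcard_allowed_principals.empty?
 logical_resource_ids << topic_policy.logical_resource_id
 end
 end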
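--- a/data/lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb
@@ -17,7 +17,7 @@ class UserHasInlinePolicyRule < BaseRule
 
 def audit_impl(cfn_model)
 violating_users = cfn_model.iam_users.select do |iam_user|
-iam_user.
+iam_user.policy_objects.size > 0
 end
 
 violating_users.map { |violating_user| violating_user.logical_resource_id }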
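Review bot: The new predicate on line 20, `iam_user.policy_objects.size > 0`, is the only place in this change that tests emptiness through a size comparison; every other rule in the diff uses `empty?`, so `!iam_user.policy_objects.empty?` keeps the rule set consistent and reads as the idiomatic Ruby predicate. audit_impl's closing `end` lies outside the hunk.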
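--- a/data/lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
+++ b/data/lib/cfn-nag/custom_rules/UserMissingGroupRule.rb
@@ -18,7 +18,7 @@ class UserMissingGroupRule < BaseRule
 def audit_impl(cfn_model)
 logical_resource_ids = []
 cfn_model.iam_users.each do |iam_user|
-if iam_user.
+if iam_user.group_names.empty?
 logical_resource_ids << iam_user.logical_resource_id
 end
 end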
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-08-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: logging
|
@@ -44,14 +44,14 @@ dependencies:
|
|
44
44
|
requirements:
|
45
45
|
- - '='
|
46
46
|
- !ruby/object:Gem::Version
|
47
|
-
version: 0.
|
47
|
+
version: 0.1.2
|
48
48
|
type: :runtime
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
52
|
- - '='
|
53
53
|
- !ruby/object:Gem::Version
|
54
|
-
version: 0.
|
54
|
+
version: 0.1.2
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
56
|
name: jmespath
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|