cfn-nag 0.3.26 → 0.3.29
- checksums.yaml +4 -4
- data/bin/cfn_nag_rules +7 -3
- data/bin/cfn_nag_scan +34 -17
- data/lib/cfn-nag.rb +3 -1
- data/lib/cfn-nag/cfn_nag.rb +6 -7
- data/lib/cfn-nag/custom_rule_loader.rb +3 -4
- data/lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/EbsVolumeHasSseRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb +1 -4
- data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/PolicyOnUserRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb +3 -4
- data/lib/cfn-nag/custom_rules/RDSInstancePubliclyAccessibleRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/S3BucketPolicyWildcardPrincipalRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/S3BucketPublicReadAclRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressCidrNon32Rule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb +2 -3
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb +1 -3
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardActionRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyWildcardPrincipalRule.rb +0 -1
- data/lib/cfn-nag/custom_rules/UserHasInlinePolicyRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/UserMissingGroupRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb +1 -2
- data/lib/cfn-nag/custom_rules/base.rb +2 -3
- data/lib/cfn-nag/custom_rules/unencrypted_s3_put_allowed.rb +1 -1
- data/lib/cfn-nag/ip_addr.rb +1 -2
- data/lib/cfn-nag/jmes_path_discovery.rb +1 -1
- data/lib/cfn-nag/jmes_path_evaluator.rb +1 -1
- data/lib/cfn-nag/profile.rb +1 -1
- data/lib/cfn-nag/profile_loader.rb +1 -3
- data/lib/cfn-nag/result_view/json_results.rb +2 -3
- data/lib/cfn-nag/result_view/rules_view.rb +4 -6
- data/lib/cfn-nag/result_view/simple_stdout_results.rb +5 -8
- data/lib/cfn-nag/rule_definition.rb +4 -6
- data/lib/cfn-nag/rule_dumper.rb +1 -1
- data/lib/cfn-nag/rule_registry.rb +1 -1
- data/lib/cfn-nag/template_discovery.rb +8 -8
- data/lib/cfn-nag/violation.rb +14 -14
- metadata +16 -16
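--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 7144cb5b2b3d13133235f4005a1fac1de6451b5a
+data.tar.gz: fa086c99e462871db43246722da212b7125a7128
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9d4c65a97de5b446e6d40a420feb53abcc24d8816466797e9c26ae38f23c8f640e24bcf35a18aa624e1cd6db687d81a92aa049399ea9f093724e749584989fcf
+data.tar.gz: be5f36b7874684b163ff7f97f588aa514c2be9e0ce5d86e5155c7df5805f647e802cad07b2cc88f0c42402cb757d7e8568a973b50bbf02a47086869e28409ef3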
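--- a/data/bin/cfn_nag_rules
+++ b/data/bin/cfn_nag_rules
@@ -3,11 +3,15 @@ require 'trollop'
 require 'cfn-nag'
 require 'rubygems/specification'
 
-opts = Trollop
+opts = Trollop.options do
 version Gem::Specification.find_by_name('cfn-nag').version
 
-opt :rule_directory, 'Extra rule directories', type: :io,
-
+opt :rule_directory, 'Extra rule directories', type: :io,
+required: false,
+default: nil
+opt :profile_path, 'Path to a profile file', type: :io,
+required: false,
+default: nil
 end
 
 profile_definition = nil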
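Review bot: `--rule-directory` and `--profile-path` are declared `type: :io` even though both are consumed as paths downstream (presumably `validate_extra_rule_directory`, which calls `File.directory?` on the value, and the `opts[:profile_path].nil?` check in cfn_nag_scan). Trollop's `:io` type does not return the string; it opens the argument through open-uri's `open`, which also accepts URLs and otherwise delegates to Kernel#open, so the option value is not guaranteed to be a plain filesystem path and a directory argument cannot be opened meaningfully at all. Declaring them `type: :string, default: nil` and opening the file explicitly at the point where it is read keeps the CLI from opening anything it did not intend to. The same applies to `--input-path`, `--rule-directory`, `--profile-path` and `--parameter-values-path` in the cfn_nag_scan hunk below. The `Trollop.options` block closes inside the hunk, but the script continues past it.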
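--- a/data/bin/cfn_nag_scan
+++ b/data/bin/cfn_nag_scan
@@ -5,24 +5,39 @@ require 'logging'
 require 'json'
 require 'rubygems/specification'
 
-opts = Trollop
+opts = Trollop.options do
 version Gem::Specification.find_by_name('cfn-nag').version
 
-opt :input_path, 'CloudFormation template to nag on or directory of
-
-
-opt :
-
-opt :
-
-opt :
-
+opt :input_path, 'CloudFormation template to nag on or directory of ' \
+'templates - all *.json, *.yaml, *.yml and *.template ' \
+'recursively', type: :io, required: true
+opt :output_format, 'Format of results: [txt, json]',
+type: :string, default: 'txt'
+opt :debug, 'Enable debug output',
+type: :boolean, required: false, default: false
+opt :rule_directory, 'Extra rule directory',
+type: :io, required: false, default: nil
+opt :profile_path, 'Path to a profile file',
+type: :io, required: false, default: nil
+opt :parameter_values_path,
+'Path to a JSON file to pull Parameter values from',
+type: :io, required: false, default: nil
+opt :allow_suppression, 'Allow using Metadata to suppress violations',
+type: :boolean, required: false, default: true
+opt :print_suppression, 'Emit suppressions to stderr',
+type: :boolean, required: false, default: false
+opt :isolate_custom_rule_exceptions,
+'Isolate custom rule exceptions - just emit the exception without ' \
+'stack trace and keep chugging',
+type: :boolean, required: false, default: false
 end
 
-
-
+unless %w[txt json].include?(opts[:output_format])
+Trollop.die(:output_format,
+'Must be txt or json')
+end
 
-CfnNag
+CfnNag.configure_logging(opts)
 
 profile_definition = nil
 unless opts[:profile_path].nil?
@@ -33,8 +48,10 @@ cfn_nag = CfnNag.new(profile_definition: profile_definition,
 rule_directory: opts[:rule_directory],
 allow_suppression: opts[:allow_suppression],
 print_suppression: opts[:print_suppression],
-isolate_custom_rule_exceptions:
+isolate_custom_rule_exceptions:
+opts[:isolate_custom_rule_exceptions])
 
-exit cfn_nag.audit_aggregate_across_files_and_render_results(
-
-
+exit cfn_nag.audit_aggregate_across_files_and_render_results(
+input_path: opts[:input_path], output_format: opts[:output_format],
+parameter_values_path: opts[:parameter_values_path]
+)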
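Review bot: `--allow-suppression` defaults to `true` while `--print-suppression` defaults to `false`, so in the default configuration the template being scanned can silence its own findings through `Metadata` and nothing in the output records that it happened; the help text should make that trade-off visible to whoever wires this into a pipeline. A wording such as `opt :allow_suppression, 'Allow using Metadata in the scanned template to suppress violations (see --print-suppression)',` says where the suppression decision comes from without changing behaviour. The `%w[txt json]` validation with `Trollop.die` is the right shape for an enum option and could be reused for any future format. The `CfnNag.new(...)` call in the second hunk begins on the `@@` context line, outside the hunk proper.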
data/lib/cfn-nag.rb
CHANGED
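--- a/data/lib/cfn-nag/cfn_nag.rb
+++ b/data/lib/cfn-nag/cfn_nag.rb
@@ -27,7 +27,7 @@ class CfnNag
 # Return an aggregate failure count (for exit code usage)
 #
 def audit_aggregate_across_files_and_render_results(input_path:,
-output_format:'txt',
+output_format: 'txt',
 parameter_values_path: nil)
 aggregate_results = audit_aggregate_across_files input_path: input_path, parameter_values_path: parameter_values_path
 
@@ -74,7 +74,6 @@ class CfnNag
 type: Violation::FAILING_VIOLATION,
 message: parser_error.to_s)
 stop_processing = true
-
 end
 
 violations += @custom_rule_loader.execute_custom_rules(cfn_model) unless stop_processing == true
@@ -89,11 +88,11 @@ class CfnNag
 
 def self.configure_logging(opts)
 logger = Logging.logger['log']
-if opts[:debug]
-
-
-
-
+logger.level = if opts[:debug]
+:debug
+else
+:info
+end
 
 logger.add_appenders Logging.appenders.stdout
 end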
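Review bot: `configure_logging` still attaches `Logging.appenders.stdout`, so with `--debug` the log lines are interleaved with the scan results on the same stream; if the `json` output format writes its results to stdout (the `simple_stdout_results` view name suggests the text format does), a consumer parsing that output no longer receives valid JSON once debug logging is on. Sending diagnostics to stderr, `logger.add_appenders Logging.appenders.stderr`, keeps the results stream clean and matches the existing `--print-suppression` option, which already documents stderr as the side channel. The rewritten `logger.level = if ...` assignment is fine; a one-line comment such as `# Debug logging dumps the parsed model, so keep it opt-in` above it would tell the reader why `:info` is the default. The surrounding `audit_aggregate_across_files_and_render_results` body is only partly inside these hunks.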
@@ -40,7 +40,6 @@ class CustomRuleLoader
|
|
40
40
|
rule_registry
|
41
41
|
end
|
42
42
|
|
43
|
-
|
44
43
|
def execute_custom_rules(cfn_model)
|
45
44
|
Logging.logger['log'].debug "cfn_model: #{cfn_model}"
|
46
45
|
|
@@ -69,7 +68,7 @@ class CustomRuleLoader
|
|
69
68
|
evaluator.instance_eval do
|
70
69
|
eval IO.read jmespath_file
|
71
70
|
end
|
72
|
-
violations +=
|
71
|
+
violations += evaluator.violations
|
73
72
|
end
|
74
73
|
violations
|
75
74
|
end
|
@@ -138,7 +137,7 @@ class CustomRuleLoader
|
|
138
137
|
|
139
138
|
def validate_extra_rule_directory(rule_directory)
|
140
139
|
unless rule_directory.nil?
|
141
|
-
|
140
|
+
raise "Not a real directory #{rule_directory}" unless File.directory? rule_directory
|
142
141
|
end
|
143
142
|
end
|
144
143
|
|
@@ -177,4 +176,4 @@ class CustomRuleLoader
|
|
177
176
|
Logging.logger['log'].debug "jmespath_filenames: #{rule_filenames}"
|
178
177
|
rule_filenames
|
179
178
|
end
|
180
|
-
end
|
179
|
+
end
|
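Review bot: the new `violations += evaluator.violations` line collects results from a file that the preceding context lines load with `eval IO.read jmespath_file` inside `evaluator.instance_eval`, which means every file found under the extra rule directory runs as Ruby with the evaluator's scope, and nothing in `execute_custom_rules` says so. A comment at that point, `# Rule files are executed as Ruby via instance_eval: anything under --rule-directory is trusted code`, records the trust boundary for whoever points the option at a shared or world-writable location. In `validate_extra_rule_directory`, the rewritten guard raises a bare `RuntimeError`; since this is a caller-supplied argument, `raise ArgumentError, "Not a real directory #{rule_directory}" unless File.directory? rule_directory` is the conventional class for callers to rescue. Both enclosing methods start outside their hunks.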
@@ -18,9 +18,8 @@ class CloudFormationAuthenticationRule < BaseRule
|
|
18
18
|
logical_resource_ids = []
|
19
19
|
cfn_model.raw_model['Resources'].each do |resource_name, resource|
|
20
20
|
unless resource['Metadata'].nil?
|
21
|
-
if
|
22
|
-
|
23
|
-
end
|
21
|
+
next if resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
|
22
|
+
logical_resource_ids << resource_name
|
24
23
|
end
|
25
24
|
end
|
26
25
|
logical_resource_ids
|
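Review bot: the new `next if ... .nil?` sits inside an `unless resource['Metadata'].nil?` block, so the loop body now has two guard layers where one would do; `next if resource['Metadata'].nil? || resource['Metadata']['AWS::CloudFormation::Authentication'].nil?` followed by the bare `logical_resource_ids << resource_name` reads as a single guard clause. Since `Metadata` comes straight from the parsed template, it may not be a Hash (a template author can put any YAML there); if that case matters to the rule, `next unless resource['Metadata'].is_a?(Hash)` makes the shape assumption explicit rather than relying on whatever `[]` does on a String or Array — I cannot tell from the hunk whether the model layer already normalises this. The enclosing method starts before the hunk.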
@@ -19,6 +19,6 @@ class CloudFrontDistributionAccessLoggingRule < BaseRule
|
|
19
19
|
distribution.distributionConfig['Logging'].nil?
|
20
20
|
end
|
21
21
|
|
22
|
-
violating_distributions.map
|
22
|
+
violating_distributions.map(&:logical_resource_id)
|
23
23
|
end
|
24
24
|
end
|
@@ -19,6 +19,6 @@ class ElasticLoadBalancerAccessLoggingRule < BaseRule
|
|
19
19
|
elb.accessLoggingPolicy.nil? || elb.accessLoggingPolicy['Enabled'] != true
|
20
20
|
end
|
21
21
|
|
22
|
-
violating_elbs.map
|
22
|
+
violating_elbs.map(&:logical_resource_id)
|
23
23
|
end
|
24
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamManagedPolicyNotActionRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM managed policy should not allow Allow+NotAction'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamManagedPolicyNotActionRule < BaseRule
|
|
20
19
|
!policy.policy_document.allows_not_action.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamManagedPolicyNotResourceRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM managed policy should not allow Allow+NotResource'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamManagedPolicyNotResourceRule < BaseRule
|
|
20
19
|
!policy.policy_document.allows_not_resource.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamManagedPolicyWildcardActionRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM managed policy should not allow * action'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamManagedPolicyWildcardActionRule < BaseRule
|
|
20
19
|
!policy.policy_document.wildcard_allowed_actions.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
|
-
end
|
24
|
+
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamManagedPolicyWildcardResourceRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM managed policy should not allow * resource'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamManagedPolicyWildcardResourceRule < BaseRule
|
|
20
19
|
!policy.policy_document.wildcard_allowed_resources.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamPolicyNotActionRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM policy should not allow Allow+NotAction'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamPolicyNotActionRule < BaseRule
|
|
20
19
|
!policy.policy_document.allows_not_action.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamPolicyNotResourceRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM policy should not allow Allow+NotResource'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamPolicyNotResourceRule < BaseRule
|
|
20
19
|
!policy.policy_document.allows_not_resource.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamPolicyWildcardActionRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM policy should not allow * action'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamPolicyWildcardActionRule < BaseRule
|
|
20
19
|
!policy.policy_document.wildcard_allowed_actions.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
|
-
end
|
24
|
+
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamPolicyWildcardResourceRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM policy should not allow * resource'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamPolicyWildcardResourceRule < BaseRule
|
|
20
19
|
!policy.policy_document.wildcard_allowed_resources.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_policies.map
|
22
|
+
violating_policies.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM role should not allow Allow+NotAction'
|
8
7
|
end
|
@@ -23,6 +22,6 @@ class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
|
|
23
22
|
!violating_policies.empty?
|
24
23
|
end
|
25
24
|
|
26
|
-
violating_roles.map
|
25
|
+
violating_roles.map(&:logical_resource_id)
|
27
26
|
end
|
28
27
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamRoleNotActionOnTrustPolicyRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM role should not allow Allow+NotAction on trust permissions'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamRoleNotActionOnTrustPolicyRule < BaseRule
|
|
20
19
|
!role.assume_role_policy_document.allows_not_action.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_roles.map
|
22
|
+
violating_roles.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM role should not allow Allow+NotPrincipal in its trust policy'
|
8
7
|
end
|
@@ -20,6 +19,6 @@ class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
|
|
20
19
|
!role.assume_role_policy_document.allows_not_principal.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_roles.map
|
22
|
+
violating_roles.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM role should not allow Allow+NotResource'
|
8
7
|
end
|
@@ -23,6 +22,6 @@ class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
|
|
23
22
|
!violating_policies.empty?
|
24
23
|
end
|
25
24
|
|
26
|
-
violating_roles.map
|
25
|
+
violating_roles.map(&:logical_resource_id)
|
27
26
|
end
|
28
27
|
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM role should not allow * action on its permissions policy'
|
8
7
|
end
|
@@ -23,6 +22,6 @@ class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
|
|
23
22
|
!violating_policies.empty?
|
24
23
|
end
|
25
24
|
|
26
|
-
violating_roles.map
|
25
|
+
violating_roles.map(&:logical_resource_id)
|
27
26
|
end
|
28
|
-
end
|
27
|
+
end
|
@@ -2,7 +2,6 @@ require 'cfn-nag/violation'
|
|
2
2
|
require_relative 'base'
|
3
3
|
|
4
4
|
class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
|
5
|
-
|
6
5
|
def rule_text
|
7
6
|
'IAM role should not allow * action on its trust policy'
|
8
7
|
end
|
@@ -20,8 +19,6 @@ class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
|
|
20
19
|
!role.assume_role_policy_document.wildcard_allowed_actions.empty?
|
21
20
|
end
|
22
21
|
|
23
|
-
violating_roles.map
|
22
|
+
violating_roles.map(&:logical_resource_id)
|
24
23
|
end
|
25
24
|
end
|
26
|
-
|
27
|
-
|