cfn-nag 0.3.34 → 0.3.35

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1300d9862fba6a4b7bd70f13ac005685c800ba9d
-  data.tar.gz: acd4dc4a042b16a5e1d12fc54680b5d96330ff6b
+  metadata.gz: 821467b3c94b85480611811d3ecf3959b87d3f64
+  data.tar.gz: f257d85b17c7de3c5407dc67db8ac00cd0f9f229
 SHA512:
-  metadata.gz: ab357ab333b5aaae05572afb3772d8f4b9fe0b1ac9472d7c91876a0e96db90645f6ad3eba1cc4d7e348fa9ad7f87a357333b716ae80d15f736bebb37fac8b4ea
-  data.tar.gz: a01d7cde3bb29e53a56192dfa19827c2e3d6885e0bb6b641b440192f0292cd3592d499e6895d7640493512f672a7328076edf243ededcd71f21167b6b87e1609
+  metadata.gz: 18e1579d351d535cbe20a6fee0a7d2f8ab1d25923918443a2849f6507ed1342ca0c3d566472d25a329d5fe8397fd38e2f5b76098e16c372010773b48d47d1c2c
+  data.tar.gz: 24b709da4b8a16aaddec484438ae9ec7791e157c2160de8ea1fe1ead0f3310e70b00fcb664f0801349b18c15b8d72308407d721f4c091157703f947b372f8745

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb

@@ -3,7 +3,7 @@ require_relative 'base'
 
 class RDSInstanceMasterUserPasswordRule < BaseRule
   def rule_text
-    'RDS instance master user password must be Ref to NoEcho Parameter'
+    'RDS instance master user password must be Ref to NoEcho Parameter. Default credentials are not recommended'
   end
 
   def rule_type

data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb

@@ -0,0 +1,65 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+# cfn_nag rules related to RDS Instance master username
+class RDSInstanceMasterUsernameRule < BaseRule
+  def rule_text
+    'RDS instance master username must be Ref to NoEcho Parameter. ' \
+    'Default credentials are not recommended'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F24'
+  end
+
+  # Warning: if somebody applies parameter values via JSON, this will compare
+  # that....
+  # probably shouldn't be doing that though -
+  # if it's NoEcho there's a good reason
+  # bother checking synthesized_value? that would be the indicator.....
+  def audit_impl(cfn_model)
+    violating_rdsinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
+                                      .select do |instance|
+      if instance.masterUsername.nil?
+        false
+      else
+        !references_no_echo_parameter_without_default?(cfn_model,
+                                                       instance.masterUsername)
+      end
+    end
+
+    violating_rdsinstances.map(&:logical_resource_id)
+  end
+
+  private
+
+  def to_boolean(string)
+    if string.to_s.casecmp('true').zero?
+      true
+    else
+      false
+    end
+  end
+
+  def references_no_echo_parameter_without_default?(cfn_model, master_username)
+    if master_username.is_a? Hash
+      if master_username.key? 'Ref'
+        if cfn_model.parameters.key? master_username['Ref']
+          parameter = cfn_model.parameters[master_username['Ref']]
+
+          return to_boolean(parameter.noEcho) && parameter.default.nil?
+        else
+          return false
+        end
+      else
+        return false
+      end
+    end
+    # String or anything weird will fall through here
+    false
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.3.34
+  version: 0.3.35
 platform: ruby
 authors:
 - Eric Kascic
@@ -147,6 +147,7 @@ files:
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
+- lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
 - lib/cfn-nag/custom_rules/RDSInstancePubliclyAccessibleRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb