cfn-nag 0.3.34 → 0.3.35
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
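--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 821467b3c94b85480611811d3ecf3959b87d3f64
+data.tar.gz: f257d85b17c7de3c5407dc67db8ac00cd0f9f229
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 18e1579d351d535cbe20a6fee0a7d2f8ab1d25923918443a2849f6507ed1342ca0c3d566472d25a329d5fe8397fd38e2f5b76098e16c372010773b48d47d1c2c
+data.tar.gz: 24b709da4b8a16aaddec484438ae9ec7791e157c2160de8ea1fe1ead0f3310e70b00fcb664f0801349b18c15b8d72308407d721f4c091157703f947b372f8745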
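--- a/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
@@ -3,7 +3,7 @@ require_relative 'base'
 
 class RDSInstanceMasterUserPasswordRule < BaseRule
 def rule_text
-'RDS instance master user password must be Ref to NoEcho Parameter'
+'RDS instance master user password must be Ref to NoEcho Parameter. Default credentials are not recommended'
 end
 
 def rule_type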
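--- /dev/null
+++ b/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
@@ -0,0 +1,65 @@
+require 'cfn-nag/violation'
+require_relative 'base'
+
+# cfn_nag rules related to RDS Instance master username
+class RDSInstanceMasterUsernameRule < BaseRule
+def rule_text
+'RDS instance master username must be Ref to NoEcho Parameter. ' \
+'Default credentials are not recommended'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F24'
+end
+
+# Warning: if somebody applies parameter values via JSON, this will compare
+# that....
+# probably shouldn't be doing that though -
+# if it's NoEcho there's a good reason
+# bother checking synthesized_value? that would be the indicator.....
+def audit_impl(cfn_model)
+violating_rdsinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
+.select do |instance|
+if instance.masterUsername.nil?
+false
+else
+!references_no_echo_parameter_without_default?(cfn_model,
+instance.masterUsername)
+end
+end
+
+violating_rdsinstances.map(&:logical_resource_id)
+end
+
+private
+
+def to_boolean(string)
+if string.to_s.casecmp('true').zero?
+true
+else
+false
+end
+end
+
+def references_no_echo_parameter_without_default?(cfn_model, master_username)
+if master_username.is_a? Hash
+if master_username.key? 'Ref'
+if cfn_model.parameters.key? master_username['Ref']
+parameter = cfn_model.parameters[master_username['Ref']]
+
+return to_boolean(parameter.noEcho) && parameter.default.nil?
+else
+return false
+end
+else
+return false
+end
+end
+# String or anything weird will fall through here
+false
+end
+end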
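Review bot: In `references_no_echo_parameter_without_default?` (new lines 48-64) every value that is not a bare `Ref` Hash falls through to `false`, so a `MasterUsername` supplied as a Secrets Manager dynamic reference string (`{{resolve:secretsmanager:...}}`) is reported as F24 although no credential is embedded in the template; either recognise that prefix before the `is_a? Hash` test or state the limitation in the rule's comment so users know why it fires. The three nested `if`s, each with a `return false` in its `else`, read more clearly as guard clauses, as below. `to_boolean` (lines 40-46) can collapse to `string.to_s.casecmp('true').zero?`, and the `select` block in `audit_impl` (lines 27-32) to `!instance.masterUsername.nil? && !references_no_echo_parameter_without_default?(cfn_model, instance.masterUsername)`. The fragmented comment above `audit_impl` (lines 19-23) would be clearer as one sentence, e.g. `# Only the template's Parameter declarations are inspected; values supplied at deploy time are not considered.`
```ruby
def references_no_echo_parameter_without_default?(cfn_model, master_username)
  # Only a bare {"Ref": <Parameter>} passes; a literal string, an intrinsic
  # function, or a Ref that is not a template Parameter is a violation.
  return false unless master_username.is_a?(Hash) && master_username.key?('Ref')
  return false unless cfn_model.parameters.key?(master_username['Ref'])

  parameter = cfn_model.parameters[master_username['Ref']]
  to_boolean(parameter.noEcho) && parameter.default.nil?
end
```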
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.3.
|
4
|
+
version: 0.3.35
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
@@ -147,6 +147,7 @@ files:
|
|
147
147
|
- lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
|
148
148
|
- lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
|
149
149
|
- lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
|
150
|
+
- lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
|
150
151
|
- lib/cfn-nag/custom_rules/RDSInstancePubliclyAccessibleRule.rb
|
151
152
|
- lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
|
152
153
|
- lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb
|