cfn-nag 0.3.34 → 0.3.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 1300d9862fba6a4b7bd70f13ac005685c800ba9d
4
- data.tar.gz: acd4dc4a042b16a5e1d12fc54680b5d96330ff6b
3
+ metadata.gz: 821467b3c94b85480611811d3ecf3959b87d3f64
4
+ data.tar.gz: f257d85b17c7de3c5407dc67db8ac00cd0f9f229
5
5
  SHA512:
6
- metadata.gz: ab357ab333b5aaae05572afb3772d8f4b9fe0b1ac9472d7c91876a0e96db90645f6ad3eba1cc4d7e348fa9ad7f87a357333b716ae80d15f736bebb37fac8b4ea
7
- data.tar.gz: a01d7cde3bb29e53a56192dfa19827c2e3d6885e0bb6b641b440192f0292cd3592d499e6895d7640493512f672a7328076edf243ededcd71f21167b6b87e1609
6
+ metadata.gz: 18e1579d351d535cbe20a6fee0a7d2f8ab1d25923918443a2849f6507ed1342ca0c3d566472d25a329d5fe8397fd38e2f5b76098e16c372010773b48d47d1c2c
7
+ data.tar.gz: 24b709da4b8a16aaddec484438ae9ec7791e157c2160de8ea1fe1ead0f3310e70b00fcb664f0801349b18c15b8d72308407d721f4c091157703f947b372f8745
@@ -3,7 +3,7 @@ require_relative 'base'
3
3
 
4
4
  class RDSInstanceMasterUserPasswordRule < BaseRule
5
5
  def rule_text
6
- 'RDS instance master user password must be Ref to NoEcho Parameter'
6
+ 'RDS instance master user password must be Ref to NoEcho Parameter. Default credentials are not recommended'
7
7
  end
8
8
 
9
9
  def rule_type
@@ -0,0 +1,65 @@
1
+ require 'cfn-nag/violation'
2
+ require_relative 'base'
3
+
4
+ # cfn_nag rules related to RDS Instance master username
5
+ class RDSInstanceMasterUsernameRule < BaseRule
6
+ def rule_text
7
+ 'RDS instance master username must be Ref to NoEcho Parameter. ' \
8
+ 'Default credentials are not recommended'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::FAILING_VIOLATION
13
+ end
14
+
15
+ def rule_id
16
+ 'F24'
17
+ end
18
+
19
+ # Warning: if somebody applies parameter values via JSON, this will compare
20
+ # that....
21
+ # probably shouldn't be doing that though -
22
+ # if it's NoEcho there's a good reason
23
+ # bother checking synthesized_value? that would be the indicator.....
24
+ def audit_impl(cfn_model)
25
+ violating_rdsinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
26
+ .select do |instance|
27
+ if instance.masterUsername.nil?
28
+ false
29
+ else
30
+ !references_no_echo_parameter_without_default?(cfn_model,
31
+ instance.masterUsername)
32
+ end
33
+ end
34
+
35
+ violating_rdsinstances.map(&:logical_resource_id)
36
+ end
37
+
38
+ private
39
+
40
+ def to_boolean(string)
41
+ if string.to_s.casecmp('true').zero?
42
+ true
43
+ else
44
+ false
45
+ end
46
+ end
47
+
48
+ def references_no_echo_parameter_without_default?(cfn_model, master_username)
49
+ if master_username.is_a? Hash
50
+ if master_username.key? 'Ref'
51
+ if cfn_model.parameters.key? master_username['Ref']
52
+ parameter = cfn_model.parameters[master_username['Ref']]
53
+
54
+ return to_boolean(parameter.noEcho) && parameter.default.nil?
55
+ else
56
+ return false
57
+ end
58
+ else
59
+ return false
60
+ end
61
+ end
62
+ # String or anything weird will fall through here
63
+ false
64
+ end
65
+ end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.34
4
+ version: 0.3.35
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
@@ -147,6 +147,7 @@ files:
147
147
  - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
148
148
  - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
149
149
  - lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
150
+ - lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
150
151
  - lib/cfn-nag/custom_rules/RDSInstancePubliclyAccessibleRule.rb
151
152
  - lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
152
153
  - lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb