cfn-nag 0.3.47 → 0.3.48
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb +4 -4
- data/lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb +4 -4
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb +4 -4
- data/lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb +4 -4
- data/lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb +4 -4
- data/lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb +4 -4
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotActionRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/SqsQueuePolicyNotPrincipalRule.rb +2 -2
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a36a2b3db7cfcfa143efef68d06297e953545b5dc184e1931c6d791825dfa553
|
|
4
|
+
data.tar.gz: fbeb74d06cc60788558b9585e47d76de919cabbfd2b58189a02dbda82e02c7be
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: ac98de6eba016edc6e914ae4228a017a3a15918685fca1d2722543f8b48589551866ad715a054e6bb0a0275ccfd3bd8ca6f359eb639252ba824e1b1e3c13f0a2
|
|
7
|
+
data.tar.gz: f2dc1f3fe356b609ab6b5f6bd96c9f7899425cb593f07d2c8549f5f72d5774b0ea49f5b936b90def3e52feb1a2e6aedeae6d1071857316f761ca7c6e25ea8dc4
|
|
@@ -17,8 +17,8 @@ class IamManagedPolicyNotActionRule < BaseRule
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
18
|
violating_policies = \
|
|
19
19
|
cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
|
|
20
|
-
.
|
|
21
|
-
policy.policy_document.allows_not_action.empty?
|
|
20
|
+
.select do |policy|
|
|
21
|
+
!policy.policy_document.allows_not_action.empty?
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -17,8 +17,8 @@ class IamManagedPolicyNotResourceRule < BaseRule
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
18
|
violating_policies = \
|
|
19
19
|
cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
|
|
20
|
-
.
|
|
21
|
-
policy.policy_document.allows_not_resource.empty?
|
|
20
|
+
.select do |policy|
|
|
21
|
+
!policy.policy_document.allows_not_resource.empty?
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -17,8 +17,8 @@ class IamManagedPolicyWildcardActionRule < BaseRule
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
18
|
violating_policies = \
|
|
19
19
|
cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
|
|
20
|
-
.
|
|
21
|
-
policy.policy_document.wildcard_allowed_actions.empty?
|
|
20
|
+
.select do |policy|
|
|
21
|
+
!policy.policy_document.wildcard_allowed_actions.empty?
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -17,8 +17,8 @@ class IamManagedPolicyWildcardResourceRule < BaseRule
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
18
|
violating_policies = \
|
|
19
19
|
cfn_model.resources_by_type('AWS::IAM::ManagedPolicy')
|
|
20
|
-
.
|
|
21
|
-
policy.policy_document.wildcard_allowed_resources.empty?
|
|
20
|
+
.select do |policy|
|
|
21
|
+
!policy.policy_document.wildcard_allowed_resources.empty?
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -17,8 +17,8 @@ class IamPolicyNotActionRule < BaseRule
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
18
|
violating_policies = \
|
|
19
19
|
cfn_model.resources_by_type('AWS::IAM::Policy')
|
|
20
|
-
.
|
|
21
|
-
policy.policy_document.allows_not_action.empty?
|
|
20
|
+
.select do |policy|
|
|
21
|
+
!policy.policy_document.allows_not_action.empty?
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -17,8 +17,8 @@ class IamPolicyNotResourceRule < BaseRule
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
18
|
violating_policies = \
|
|
19
19
|
cfn_model.resources_by_type('AWS::IAM::Policy')
|
|
20
|
-
.
|
|
21
|
-
policy.policy_document.allows_not_resource.empty?
|
|
20
|
+
.select do |policy|
|
|
21
|
+
!policy.policy_document.allows_not_resource.empty?
|
|
22
22
|
end
|
|
23
23
|
|
|
24
24
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class IamPolicyWildcardActionRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').
|
|
19
|
-
policy.policy_document.wildcard_allowed_actions.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
|
|
19
|
+
!policy.policy_document.wildcard_allowed_actions.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class IamPolicyWildcardResourceRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').
|
|
19
|
-
policy.policy_document.wildcard_allowed_resources.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::IAM::Policy').select do |policy|
|
|
19
|
+
!policy.policy_document.wildcard_allowed_resources.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -15,11 +15,11 @@ class IamRoleNotActionOnPermissionsPolicyRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').
|
|
19
|
-
violating_policies = role.policy_objects.
|
|
20
|
-
policy.policy_document.allows_not_action.empty?
|
|
18
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
19
|
+
violating_policies = role.policy_objects.select do |policy|
|
|
20
|
+
!policy.policy_document.allows_not_action.empty?
|
|
21
21
|
end
|
|
22
|
-
violating_policies.empty?
|
|
22
|
+
!violating_policies.empty?
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
violating_roles.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class IamRoleNotActionOnTrustPolicyRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').
|
|
19
|
-
role.assume_role_policy_document.allows_not_action.empty?
|
|
18
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
19
|
+
!role.assume_role_policy_document.allows_not_action.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_roles.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class IamRoleNotPrincipalOnTrustPolicyRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').
|
|
19
|
-
role.assume_role_policy_document.allows_not_principal.empty?
|
|
18
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
19
|
+
!role.assume_role_policy_document.allows_not_principal.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_roles.map(&:logical_resource_id)
|
|
@@ -15,11 +15,11 @@ class IamRoleNotResourceOnPermissionsPolicyRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').
|
|
19
|
-
violating_policies = role.policy_objects.
|
|
20
|
-
policy.policy_document.allows_not_resource.empty?
|
|
18
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
19
|
+
violating_policies = role.policy_objects.select do |policy|
|
|
20
|
+
!policy.policy_document.allows_not_resource.empty?
|
|
21
21
|
end
|
|
22
|
-
violating_policies.empty?
|
|
22
|
+
!violating_policies.empty?
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
violating_roles.map(&:logical_resource_id)
|
|
@@ -15,11 +15,11 @@ class IamRoleWildcardActionOnPermissionsPolicyRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').
|
|
19
|
-
violating_policies = role.policy_objects.
|
|
20
|
-
policy.policy_document.wildcard_allowed_actions.empty?
|
|
18
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
19
|
+
violating_policies = role.policy_objects.select do |policy|
|
|
20
|
+
!policy.policy_document.wildcard_allowed_actions.empty?
|
|
21
21
|
end
|
|
22
|
-
violating_policies.empty?
|
|
22
|
+
!violating_policies.empty?
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
violating_roles.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class IamRoleWildcardActionOnTrustPolicyRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').
|
|
19
|
-
role.assume_role_policy_document.wildcard_allowed_actions.empty?
|
|
18
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
19
|
+
!role.assume_role_policy_document.wildcard_allowed_actions.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_roles.map(&:logical_resource_id)
|
|
@@ -15,11 +15,11 @@ class IamRoleWildcardResourceOnPermissionsPolicyRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').
|
|
19
|
-
violating_policies = role.policy_objects.
|
|
20
|
-
policy.policy_document.wildcard_allowed_resources.empty?
|
|
18
|
+
violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
|
|
19
|
+
violating_policies = role.policy_objects.select do |policy|
|
|
20
|
+
!policy.policy_document.wildcard_allowed_resources.empty?
|
|
21
21
|
end
|
|
22
|
-
violating_policies.empty?
|
|
22
|
+
!violating_policies.empty?
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
violating_roles.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class LambdaPermissionInvokeFunctionActionRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_lambdas = cfn_model.resources_by_type('AWS::Lambda::Permission').
|
|
19
|
-
lambda_permission.action
|
|
18
|
+
violating_lambdas = cfn_model.resources_by_type('AWS::Lambda::Permission').select do |lambda_permission|
|
|
19
|
+
lambda_permission.action != 'lambda:InvokeFunction'
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_lambdas.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class S3BucketPolicyNotActionRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').
|
|
19
|
-
policy.policy_document.allows_not_action.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').select do |policy|
|
|
19
|
+
!policy.policy_document.allows_not_action.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class S3BucketPolicyNotPrincipalRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').
|
|
19
|
-
policy.policy_document.allows_not_principal.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::S3::BucketPolicy').select do |policy|
|
|
19
|
+
!policy.policy_document.allows_not_principal.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -19,15 +19,15 @@ class SecurityGroupEgressPortRangeRule < BaseRule
|
|
|
19
19
|
def audit_impl(cfn_model)
|
|
20
20
|
logical_resource_ids = []
|
|
21
21
|
cfn_model.security_groups.each do |security_group|
|
|
22
|
-
violating_egresses = security_group.egresses.
|
|
23
|
-
egress.fromPort
|
|
22
|
+
violating_egresses = security_group.egresses.select do |egress|
|
|
23
|
+
egress.fromPort != egress.toPort
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
logical_resource_ids << security_group.logical_resource_id unless violating_egresses.empty?
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
violating_egresses = cfn_model.standalone_egress.
|
|
30
|
-
standalone_egress.fromPort
|
|
29
|
+
violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
|
|
30
|
+
standalone_egress.fromPort != standalone_egress.toPort
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
logical_resource_ids + violating_egresses.map(&:logical_resource_id)
|
|
@@ -19,15 +19,15 @@ class SecurityGroupIngressPortRangeRule < BaseRule
|
|
|
19
19
|
def audit_impl(cfn_model)
|
|
20
20
|
logical_resource_ids = []
|
|
21
21
|
cfn_model.security_groups.each do |security_group|
|
|
22
|
-
violating_ingresses = security_group.ingresses.
|
|
23
|
-
ingress.fromPort
|
|
22
|
+
violating_ingresses = security_group.ingresses.select do |ingress|
|
|
23
|
+
ingress.fromPort != ingress.toPort
|
|
24
24
|
end
|
|
25
25
|
|
|
26
26
|
logical_resource_ids << security_group.logical_resource_id unless violating_ingresses.empty?
|
|
27
27
|
end
|
|
28
28
|
|
|
29
|
-
violating_ingresses = cfn_model.standalone_ingress.
|
|
30
|
-
standalone_ingress.fromPort
|
|
29
|
+
violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
|
|
30
|
+
standalone_ingress.fromPort != standalone_ingress.toPort
|
|
31
31
|
end
|
|
32
32
|
|
|
33
33
|
logical_resource_ids + violating_ingresses.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class SnsTopicPolicyNotActionRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').
|
|
19
|
-
policy.policy_document.allows_not_action.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').select do |policy|
|
|
19
|
+
!policy.policy_document.allows_not_action.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class SnsTopicPolicyNotPrincipalRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').
|
|
19
|
-
policy.policy_document.allows_not_principal.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').select do |policy|
|
|
19
|
+
!policy.policy_document.allows_not_principal.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class SqsQueuePolicyNotActionRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').
|
|
19
|
-
policy.policy_document.allows_not_action.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').select do |policy|
|
|
19
|
+
!policy.policy_document.allows_not_action.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
|
@@ -15,8 +15,8 @@ class SqsQueuePolicyNotPrincipalRule < BaseRule
|
|
|
15
15
|
end
|
|
16
16
|
|
|
17
17
|
def audit_impl(cfn_model)
|
|
18
|
-
violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').
|
|
19
|
-
policy.policy_document.allows_not_principal.empty?
|
|
18
|
+
violating_policies = cfn_model.resources_by_type('AWS::SQS::QueuePolicy').select do |policy|
|
|
19
|
+
!policy.policy_document.allows_not_principal.empty?
|
|
20
20
|
end
|
|
21
21
|
|
|
22
22
|
violating_policies.map(&:logical_resource_id)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.3.
|
|
4
|
+
version: 0.3.48
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2018-
|
|
11
|
+
date: 2018-04-27 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rspec
|