RubyGems - cfn-nag - Versions diffs - 0.3.51 → 0.3.52 - Mend

cfn-nag 0.3.51 → 0.3.52

Files changed (3) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e764bdbe8170764ddbcc2c6ed6030e2626300ef312af2284f6ba52d32158a75
-  data.tar.gz: b90488a204b909cf5decba7db589c0dc570231354a686f3713e33b056484fdb7
+  metadata.gz: dbe97b8bdff1c7ee84e33f5fbcd87412fe418d9b5299c4222065c35f8c85f2ba
+  data.tar.gz: 53465649bd54c9890a6ff35210e8b482f7c24c126d885d81865397367bede71a
 SHA512:
-  metadata.gz: 242bdde3f47c84cb12246b0c54305df8751ad927bd90a75bebf46fdf1e4ec3e6d93405906d234c2ad1f44b137fd7257a7b22969a867078a1120370d03d9818df
-  data.tar.gz: 0f87bcb3a3c6e404b972c2219b4ca93118ce30a9f2e06f792aed6c75d07b36071e3649df5b58968f54f61286606975bfeae89a87d45785abafbb8d934658fdd6
+  metadata.gz: 9c7bf0417eae3f341f99c1e497c96a59334cca32199220c0450f75a6f081f986db2c46683cab46f8b1c15a175c6f86766de92042bc0aac620cdea96cf06a265f
+  data.tar.gz: 110ca000377113199a0af17598a3bf8bfb891833f4e8658d27f872b5ae963de35fca8ab9c59a3d437a4d3220258dabf957db6e767c311fdc7c05bf90a0a206ab

@@ -1,7 +1,6 @@
 require 'cfn-nag/violation'
 require_relative 'base'
-# Rule to ensure credentials are not specified in template
 class CloudFormationAuthenticationRule < BaseRule
   def rule_text
     'Specifying credentials in the template itself is probably not the safest thing'
@@ -19,10 +18,21 @@ class CloudFormationAuthenticationRule < BaseRule
     logical_resource_ids = []
     cfn_model.raw_model['Resources'].each do |resource_name, resource|
       unless resource['Metadata'].nil?
-        next if resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
-        logical_resource_ids << resource_name
+        unless resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
+          resource['Metadata']['AWS::CloudFormation::Authentication'].each do |auth_name, auth|
+            if potentially_sensitive_credentials? auth
+              logical_resource_ids << resource_name
+            end
+          end
+        end
       end
     end
     logical_resource_ids
   end
-end
+  def potentially_sensitive_credentials?(auth)
+    auth['accessKeyId'] || auth['password'] || auth['secretKey']
+  end
+end

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.3.51
+  version: 0.3.52
 platform: ruby
 authors:
 - Eric Kascic