cfn-nag 0.3.51 → 0.3.52
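--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dbe97b8bdff1c7ee84e33f5fbcd87412fe418d9b5299c4222065c35f8c85f2ba
+data.tar.gz: 53465649bd54c9890a6ff35210e8b482f7c24c126d885d81865397367bede71a
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9c7bf0417eae3f341f99c1e497c96a59334cca32199220c0450f75a6f081f986db2c46683cab46f8b1c15a175c6f86766de92042bc0aac620cdea96cf06a265f
+data.tar.gz: 110ca000377113199a0af17598a3bf8bfb891833f4e8658d27f872b5ae963de35fca8ab9c59a3d437a4d3220258dabf957db6e767c311fdc7c05bf90a0a206ab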
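--- a/<RUBY-FILE-PATH-NOT-SHOWN-ON-PAGE>
+++ b/<RUBY-FILE-PATH-NOT-SHOWN-ON-PAGE>
@@ -1,7 +1,6 @@
 require 'cfn-nag/violation'
 require_relative 'base'
 
-# Rule to ensure credentials are not specified in template
 class CloudFormationAuthenticationRule < BaseRule
 def rule_text
 'Specifying credentials in the template itself is probably not the safest thing'
@@ -19,10 +18,21 @@ class CloudFormationAuthenticationRule < BaseRule
 logical_resource_ids = []
 cfn_model.raw_model['Resources'].each do |resource_name, resource|
 unless resource['Metadata'].nil?
-
-
+unless resource['Metadata']['AWS::CloudFormation::Authentication'].nil?
+
+resource['Metadata']['AWS::CloudFormation::Authentication'].each do |auth_name, auth|
+if potentially_sensitive_credentials? auth
+logical_resource_ids << resource_name
+end
+end
+
+end
 end
 end
 logical_resource_ids
 end
-
+
+def potentially_sensitive_credentials?(auth)
+auth['accessKeyId'] || auth['password'] || auth['secretKey']
+end
+end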
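Review bot: A resource whose AWS::CloudFormation::Authentication metadata has several entries containing credentials gets `logical_resource_ids << resource_name` executed once per entry, so the same logical id can be listed repeatedly in one violation; `if resource['Metadata']['AWS::CloudFormation::Authentication'].values.any? { |auth| potentially_sensitive_credentials?(auth) }` (or `logical_resource_ids.uniq` at the end) reports each resource once. The new predicate also assumes every `auth` value is a Hash — if a malformed template supplies a String, `auth['password']` does a substring lookup instead of raising, so a `return false unless auth.is_a?(Hash)` guard at the top of `potentially_sensitive_credentials?` is worth adding unless the model is validated upstream. Minor style: `auth_name` is unused and should be `_auth_name`, and `potentially_sensitive_credentials? auth` should take parentheses. The first hunk removes the class comment `# Rule to ensure credentials are not specified in template` with nothing in its place; restoring it, extended to say the rule inspects only the `accessKeyId`, `password` and `secretKey` keys, keeps the rule self-describing. The method the second hunk modifies begins outside the hunk.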