cfn-nag 0.4.9 → 0.4.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/EFSFileSystemEncryptedRule.rb +7 -10
- data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupAtRestEncryptionRule.rb +7 -10
- data/lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupTransitEncryptionRule.rb +7 -10
- data/lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb +7 -10
- data/lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb +7 -10
- data/lib/cfn-nag/custom_rules/RDSDBInstanceStorageEncryptedRule.rb +1 -5
- data/lib/cfn-nag/custom_rules/RedshiftClusterEncryptedRule.rb +7 -10
- data/lib/cfn-nag/custom_rules/boolean_base_rule.rb +25 -0
- data/lib/cfn-nag/util/truthy.rb +4 -0
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a7c5be6d25789f38b37bbde75e1b732dbec718ef49f0121efbd61f4032cd1f37
|
|
4
|
+
data.tar.gz: 48f3345f39d00e23b7448b5316dc5e77993afd087974c237fb7e655c2a7cb73c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 84f04c28790ed9efc963455ca677acb1886f3b4af262efb0ac32e078d367393c7f6eca51bf59ac49ee97f0bb68133af4d2adde192535656483ec64c149cda9e8
|
|
7
|
+
data.tar.gz: bfa559caa6910cf0e1f49d03499b3254c13857c6ae677f61697a932c41a629be88e8803caddfd775bc88773664cea092f4c2c8ae7d709b55bd5973f3263372c9
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require 'cfn-nag/violation'
|
|
4
|
-
require_relative '
|
|
4
|
+
require_relative 'boolean_base_rule'
|
|
5
5
|
|
|
6
|
-
class EFSFileSystemEncryptedRule <
|
|
6
|
+
class EFSFileSystemEncryptedRule < BooleanBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'EFS FileSystem should have encryption enabled'
|
|
9
9
|
end
|
|
@@ -16,14 +16,11 @@ class EFSFileSystemEncryptedRule < BaseRule
|
|
|
16
16
|
'F32'
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
violating_filesystems = resources.select do |filesystem|
|
|
23
|
-
filesystem.encrypted.nil? ||
|
|
24
|
-
filesystem.encrypted.to_s.casecmp('false').zero?
|
|
25
|
-
end
|
|
19
|
+
def resource_type
|
|
20
|
+
'AWS::EFS::FileSystem'
|
|
21
|
+
end
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
def boolean_property
|
|
24
|
+
:encrypted
|
|
28
25
|
end
|
|
29
26
|
end
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require 'cfn-nag/violation'
|
|
4
|
-
require_relative '
|
|
4
|
+
require_relative 'boolean_base_rule'
|
|
5
5
|
|
|
6
|
-
class ElastiCacheReplicationGroupAtRestEncryptionRule <
|
|
6
|
+
class ElastiCacheReplicationGroupAtRestEncryptionRule < BooleanBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'ElastiCache ReplicationGroup should have encryption enabled for at rest'
|
|
9
9
|
end
|
|
@@ -16,14 +16,11 @@ class ElastiCacheReplicationGroupAtRestEncryptionRule < BaseRule
|
|
|
16
16
|
'F25'
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
violating_groups = resources.select do |group|
|
|
23
|
-
group.atRestEncryptionEnabled.nil? ||
|
|
24
|
-
group.atRestEncryptionEnabled.to_s.casecmp('false').zero?
|
|
25
|
-
end
|
|
19
|
+
def resource_type
|
|
20
|
+
'AWS::ElastiCache::ReplicationGroup'
|
|
21
|
+
end
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
def boolean_property
|
|
24
|
+
:atRestEncryptionEnabled
|
|
28
25
|
end
|
|
29
26
|
end
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require 'cfn-nag/violation'
|
|
4
|
-
require_relative '
|
|
4
|
+
require_relative 'boolean_base_rule'
|
|
5
5
|
|
|
6
|
-
class ElastiCacheReplicationGroupTransitEncryptionRule <
|
|
6
|
+
class ElastiCacheReplicationGroupTransitEncryptionRule < BooleanBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'ElastiCache ReplicationGroup should have encryption enabled for in transit'
|
|
9
9
|
end
|
|
@@ -16,14 +16,11 @@ class ElastiCacheReplicationGroupTransitEncryptionRule < BaseRule
|
|
|
16
16
|
'F24'
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
violating_groups = resources.select do |group|
|
|
23
|
-
group.transitEncryptionEnabled.nil? ||
|
|
24
|
-
group.transitEncryptionEnabled.to_s.casecmp('false').zero?
|
|
25
|
-
end
|
|
19
|
+
def resource_type
|
|
20
|
+
'AWS::ElastiCache::ReplicationGroup'
|
|
21
|
+
end
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
def boolean_property
|
|
24
|
+
:transitEncryptionEnabled
|
|
28
25
|
end
|
|
29
26
|
end
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require 'cfn-nag/violation'
|
|
4
|
-
require_relative '
|
|
4
|
+
require_relative 'boolean_base_rule'
|
|
5
5
|
|
|
6
|
-
class NeptuneDBClusterStorageEncryptedRule <
|
|
6
|
+
class NeptuneDBClusterStorageEncryptedRule < BooleanBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Neptune database cluster storage should have encryption enabled'
|
|
9
9
|
end
|
|
@@ -16,14 +16,11 @@ class NeptuneDBClusterStorageEncryptedRule < BaseRule
|
|
|
16
16
|
'F30'
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
violating_storage = resources.select do |filesystem|
|
|
23
|
-
filesystem.storageEncrypted.nil? ||
|
|
24
|
-
filesystem.storageEncrypted.to_s.casecmp('false').zero?
|
|
25
|
-
end
|
|
19
|
+
def resource_type
|
|
20
|
+
'AWS::Neptune::DBCluster'
|
|
21
|
+
end
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
def boolean_property
|
|
24
|
+
:storageEncrypted
|
|
28
25
|
end
|
|
29
26
|
end
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require 'cfn-nag/violation'
|
|
4
|
-
require_relative '
|
|
4
|
+
require_relative 'boolean_base_rule'
|
|
5
5
|
|
|
6
|
-
class RDSDBClusterStorageEncryptedRule <
|
|
6
|
+
class RDSDBClusterStorageEncryptedRule < BooleanBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'RDS DBCluster should have StorageEncrypted enabled'
|
|
9
9
|
end
|
|
@@ -16,14 +16,11 @@ class RDSDBClusterStorageEncryptedRule < BaseRule
|
|
|
16
16
|
'F26'
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
violating_clusters = resources.select do |cluster|
|
|
23
|
-
cluster.storageEncrypted.nil? ||
|
|
24
|
-
cluster.storageEncrypted.to_s.casecmp('false').zero?
|
|
25
|
-
end
|
|
19
|
+
def resource_type
|
|
20
|
+
'AWS::RDS::DBCluster'
|
|
21
|
+
end
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
def boolean_property
|
|
24
|
+
:storageEncrypted
|
|
28
25
|
end
|
|
29
26
|
end
|
|
@@ -20,11 +20,7 @@ class RDSDBInstanceStorageEncryptedRule < BaseRule
|
|
|
20
20
|
resources = cfn_model.resources_by_type('AWS::RDS::DBInstance')
|
|
21
21
|
|
|
22
22
|
violating_instances = resources.select do |instance|
|
|
23
|
-
instance.dBClusterIdentifier.nil? &&
|
|
24
|
-
(
|
|
25
|
-
instance.storageEncrypted.nil? ||
|
|
26
|
-
instance.storageEncrypted.to_s.casecmp('false').zero?
|
|
27
|
-
)
|
|
23
|
+
instance.dBClusterIdentifier.nil? && not_truthy?(instance.storageEncrypted)
|
|
28
24
|
end
|
|
29
25
|
|
|
30
26
|
violating_instances.map(&:logical_resource_id)
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
3
|
require 'cfn-nag/violation'
|
|
4
|
-
require_relative '
|
|
4
|
+
require_relative 'boolean_base_rule'
|
|
5
5
|
|
|
6
|
-
class RedshiftClusterEncryptedRule <
|
|
6
|
+
class RedshiftClusterEncryptedRule < BooleanBaseRule
|
|
7
7
|
def rule_text
|
|
8
8
|
'Redshift Cluster should have encryption enabled'
|
|
9
9
|
end
|
|
@@ -16,14 +16,11 @@ class RedshiftClusterEncryptedRule < BaseRule
|
|
|
16
16
|
'F28'
|
|
17
17
|
end
|
|
18
18
|
|
|
19
|
-
def
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
violating_clusters = resources.select do |cluster|
|
|
23
|
-
cluster.encrypted.nil? ||
|
|
24
|
-
cluster.encrypted.to_s.casecmp('false').zero?
|
|
25
|
-
end
|
|
19
|
+
def resource_type
|
|
20
|
+
'AWS::Redshift::Cluster'
|
|
21
|
+
end
|
|
26
22
|
|
|
27
|
-
|
|
23
|
+
def boolean_property
|
|
24
|
+
:encrypted
|
|
28
25
|
end
|
|
29
26
|
end
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
require 'cfn-nag/util/truthy.rb'
|
|
6
|
+
|
|
7
|
+
class BooleanBaseRule < BaseRule
|
|
8
|
+
def resource_type
|
|
9
|
+
raise 'must implement in subclass'
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def boolean_property
|
|
13
|
+
raise 'must implement in subclass'
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def audit_impl(cfn_model)
|
|
17
|
+
resources = cfn_model.resources_by_type(resource_type)
|
|
18
|
+
|
|
19
|
+
violating_resources = resources.select do |resource|
|
|
20
|
+
not_truthy?(resource.send(boolean_property))
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
violating_resources.map(&:logical_resource_id)
|
|
24
|
+
end
|
|
25
|
+
end
|
data/lib/cfn-nag/util/truthy.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.10
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2019-06-
|
|
11
|
+
date: 2019-06-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rspec
|
|
@@ -220,6 +220,7 @@ files:
|
|
|
220
220
|
- lib/cfn-nag/custom_rules/WafWebAclDefaultActionRule.rb
|
|
221
221
|
- lib/cfn-nag/custom_rules/WorkspacesWorkspaceEncryptionRule.rb
|
|
222
222
|
- lib/cfn-nag/custom_rules/base.rb
|
|
223
|
+
- lib/cfn-nag/custom_rules/boolean_base_rule.rb
|
|
223
224
|
- lib/cfn-nag/ip_addr.rb
|
|
224
225
|
- lib/cfn-nag/jmes_path_discovery.rb
|
|
225
226
|
- lib/cfn-nag/jmes_path_evaluator.rb
|