cfn-nag 0.4.16 → 0.4.17

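--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25cd64f494aff69c5b5c9c0ffab18be84fa05833bc4360a5d6da12d188a36711
-  data.tar.gz: 021026b278fb868306ae7153049bc1137cb5ef8268c475469eb2d225ac9d7762
+  metadata.gz: c8f64b2627c295ba7c869af59479c05a32add6651102f524774042a087803688
+  data.tar.gz: b2f81c63e51e30e38127d6c0ec30ae586714fbaaf4b919afd7ec2c0e85a62fb2
 SHA512:
-  metadata.gz: c7a921d40e9e739c0b1c333e7af2e1665487222097cebadca4e1bb47a36c90e2118a6f8f7d801ebf06645a8c62102500b619dcd803aca690ead02c09063b77e0
-  data.tar.gz: e995d6228f02f2be0662d25081e9a98d6600dd7ac8245688b38bb574b14704562a3219c4d702b8111a44a006514e856d59fc366ddd77dfa88c9e97ccd9efe4d3
+  metadata.gz: aad7022cf2aab396e0dd035652f9a42527a83ccf49247554d4b19fbd9030890d926aa922b36c831fea88b223734ed29d628ee9df09442293f62a5f2f484c9b07
+  data.tar.gz: 1116091a6da82d47ec44633c41e1fc4a1e9486602b88521dce3a0ada014153ddcfc5ef42eeb570708cb5041ade79063913dbb3539a0a0a471b02536908cd8b80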
@@ -1,7 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require 'cfn-nag/util/enforce_noecho_parameter'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
5
6
  require_relative 'base'
6
7
 
7
8
  # Rule class to fail on DirectoryService::SimpleAD password in template
@@ -24,8 +25,8 @@ class DirectoryServiceSimpleADPasswordRule < BaseRule
24
25
  if ad.password.nil?
25
26
  false
26
27
  else
27
- !no_echo_parameter_without_default?(cfn_model,
28
- ad.password)
28
+ insecure_parameter?(cfn_model, ad.password) ||
29
+ insecure_string_or_dynamic_reference?(cfn_model, ad.password)
29
30
  end
30
31
  end
31
32
  violating_ad.map(&:logical_resource_id)
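Review bot: A password supplied as a Hash that is not a bare `Ref` — an `Fn::Sub` or `Fn::Join` carrying a literal, for instance — no longer produces a violation: `insecure_parameter?` returns false for any Hash without a `'Ref'` key and `insecure_string_or_dynamic_reference?` returns false for any non-String, so the new expression on lines 28-29 evaluates to false for such values, whereas the removed `!no_echo_parameter_without_default?` reported every Hash that was not a NoEcho parameter reference. The same composition is introduced in the RDSDBClusterMasterUserPasswordRule, RDSInstanceMasterUserPasswordRule and RDSInstanceMasterUsernameRule hunks, so they inherit the gap. If the relaxation is deliberate, say so at the call site, e.g. `# non-Ref intrinsics (Fn::Sub, Fn::Join, ...) are not inspected and pass silently`; otherwise keep the old conservative fallback by reporting any Hash that neither helper recognises. The enclosing `audit_impl` starts before this hunk.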
@@ -0,0 +1,35 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
6
+ require_relative 'base'
7
+
8
+ class RDSDBClusterMasterUserPasswordRule < BaseRule
9
+ def rule_text
10
+ 'RDS DB Cluster master user password must be Ref to NoEcho Parameter. ' \
11
+ 'Default credentials are not recommended'
12
+ end
13
+
14
+ def rule_type
15
+ Violation::FAILING_VIOLATION
16
+ end
17
+
18
+ def rule_id
19
+ 'F34'
20
+ end
21
+
22
+ def audit_impl(cfn_model)
23
+ rds_dbclusters = cfn_model.resources_by_type('AWS::RDS::DBCluster')
24
+ violating_rdsclusters = rds_dbclusters.select do |cluster|
25
+ if cluster.masterUserPassword.nil?
26
+ false
27
+ else
28
+ insecure_parameter?(cfn_model, cluster.masterUserPassword) ||
29
+ insecure_string_or_dynamic_reference?(cfn_model, cluster.masterUserPassword)
30
+ end
31
+ end
32
+
33
+ violating_rdsclusters.map(&:logical_resource_id)
34
+ end
35
+ end
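Review bot: `rule_text` on lines 10-11 tells the user the password "must be Ref to NoEcho Parameter", but `audit_impl` on lines 28-29 also accepts a Secrets Manager or SSM-secure dynamic reference string, so the message undersells the compliant options; consider `'RDS DB Cluster master user password must be a Ref to a NoEcho Parameter or a secure dynamic reference. ' \` followed by the existing `'Default credentials are not recommended'` line. The file also lacks the one-line class comment its sibling rule files carry, e.g. `# Rule class to fail on RDS DB Cluster master user password in template` above line 8. Optionally the `if/else` on lines 25-30 collapses to one expression, `!cluster.masterUserPassword.nil? && (insecure_parameter?(cfn_model, cluster.masterUserPassword) || insecure_string_or_dynamic_reference?(cfn_model, cluster.masterUserPassword))`.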
@@ -1,7 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require 'cfn-nag/util/enforce_noecho_parameter.rb'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
5
6
  require_relative 'base'
6
7
 
7
8
  class RDSInstanceMasterUserPasswordRule < BaseRule
@@ -28,8 +29,8 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
28
29
  if instance.masterUserPassword.nil?
29
30
  false
30
31
  else
31
- !no_echo_parameter_without_default?(cfn_model,
32
- instance.masterUserPassword)
32
+ insecure_parameter?(cfn_model, instance.masterUserPassword) ||
33
+ insecure_string_or_dynamic_reference?(cfn_model, instance.masterUserPassword)
33
34
  end
34
35
  end
35
36
 
@@ -1,7 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require 'cfn-nag/util/enforce_noecho_parameter'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
5
6
  require_relative 'base'
6
7
 
7
8
  # cfn_nag rules related to RDS Instance master username
@@ -30,8 +31,8 @@ class RDSInstanceMasterUsernameRule < BaseRule
30
31
  if instance.masterUsername.nil?
31
32
  false
32
33
  else
33
- !no_echo_parameter_without_default?(cfn_model,
34
- instance.masterUsername)
34
+ insecure_parameter?(cfn_model, instance.masterUsername) ||
35
+ insecure_string_or_dynamic_reference?(cfn_model, instance.masterUsername)
35
36
  end
36
37
  end
37
38
 
@@ -0,0 +1,28 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/util/truthy.rb'
4
+
5
+ # Returns false if the provided key_to_check is a no-echo parameter
6
+ # without a default value; true otherwise.
7
+ # Only applicable for a hash
8
+ def insecure_parameter?(cfn_model, key_to_check)
9
+ # We only want to perform the check against a hash
10
+ return false unless key_to_check.is_a? Hash
11
+
12
+ # We don't care if any other intrinsic function is used here. We only want to
13
+ # verify that Ref is being used properly
14
+ return false unless key_to_check.key? 'Ref'
15
+
16
+ # Check if the key parameter is Ref and if that corresponding reference is
17
+ # setup securely by stating NoEcho=true & Default is not present
18
+ if cfn_model.parameters.key? key_to_check['Ref']
19
+ parameter = cfn_model.parameters[key_to_check['Ref']]
20
+ if truthy?(parameter.noEcho) && parameter.default.nil?
21
+ return false
22
+ end
23
+ end
24
+
25
+ # Return true if key_to_check is a hash and/or a key Ref that does not have
26
+ # the NoEcho parameter set to true and a Default parameter that is not nil
27
+ true
28
+ end
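Review bot: The header comment on lines 5-7 states the predicate returns "true otherwise", but lines 10 and 14 return false for any non-Hash value and for any Hash without a `'Ref'` key, so true is reached only for a Ref whose target is not a known parameter, or is a parameter that lacks NoEcho or carries a Default. Suggest a header that says: returns true when key_to_check is a `{'Ref' => name}` that does not resolve to a NoEcho parameter without a Default; returns false for every other shape, including non-Ref intrinsic functions, which per the comment on lines 12-13 are intentionally not inspected. The trailing comment on lines 25-26 ("a hash and/or a key Ref that does not have ...") should be reworded to match. Lines 18-23 read more directly as a guard after the `key?` check: `parameter = cfn_model.parameters[key_to_check['Ref']]` then `return false if truthy?(parameter.noEcho) && parameter.default.nil?`.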
@@ -0,0 +1,25 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Returns false if the provided key_to_check is a dynamic reference
4
+ # to SSM Secure or Secrets Manager; true otherwise.
5
+ # Only applicable for a string
6
+ def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
7
+ # We only want to perform the check agains a string
8
+ return false unless key_to_check.is_a? String
9
+
10
+ # Check if string starts with a Dynamic Reference pointing to SecretsManager
11
+ # or SSM Secure
12
+ if key_to_check.start_with?(
13
+ '{{resolve:secretsmanager:',
14
+ '{{resolve:ssm-secure:'
15
+ )
16
+ # Verify that the secure string ends properly with the double curly braces
17
+ if key_to_check.end_with? '}}'
18
+ return false
19
+ end
20
+ end
21
+
22
+ # Retrun true if key_to_check is a string and is not calling a secured
23
+ # dynamic reference pattern (Secrets Manager or SSM-Secure)
24
+ true
25
+ end
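Review bot: Two comment typos in the new helper: `agains` on line 7 should read `against` and `Retrun` on line 22 `Return`. The nested `if`s on lines 12-20 can be a single guard, `return false if key_to_check.start_with?('{{resolve:secretsmanager:', '{{resolve:ssm-secure:') && key_to_check.end_with?('}}')`, leaving the final `true`. `_cfn_model` is unused, presumably kept so both helpers share a signature at the rule call sites; a one-line comment saying so would stop a later cleanup from dropping it. Worth stating in the header too that a secure dynamic reference followed by any other text is still reported because `end_with?('}}')` fails — conservative, but not documented.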
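--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.16
+  version: 0.4.17
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-06-19 00:00:00.000000000 Z
+date: 2019-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -188,6 +188,7 @@ files:
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
+- lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb
 - lib/cfn-nag/custom_rules/RDSDBInstanceStorageEncryptedRule.rb
 - lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
@@ -233,7 +234,8 @@ files:
 - lib/cfn-nag/rule_id_set.rb
 - lib/cfn-nag/rule_registry.rb
 - lib/cfn-nag/template_discovery.rb
-- lib/cfn-nag/util/enforce_noecho_parameter.rb
+- lib/cfn-nag/util/enforce_reference_parameter.rb
+- lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb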
@@ -1,24 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require 'cfn-nag/util/truthy.rb'
4
-
5
- # Migrated from multiple classes, with some modifications
6
- # Returns true if the provided key_to_check is a no-echo parameter
7
- # without a default value; false otherwise.
8
- def no_echo_parameter_without_default?(cfn_model, key_to_check)
9
- if key_to_check.is_a? Hash
10
- if key_to_check.key? 'Ref'
11
- if cfn_model.parameters.key? key_to_check['Ref']
12
- parameter = cfn_model.parameters[key_to_check['Ref']]
13
-
14
- return truthy?(parameter.noEcho) && parameter.default.nil?
15
- else
16
- return false
17
- end
18
- else
19
- return false
20
- end
21
- end
22
- # String or anything weird will fall through here
23
- false
24
- end