cfn-nag 0.4.16 → 0.4.17

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 25cd64f494aff69c5b5c9c0ffab18be84fa05833bc4360a5d6da12d188a36711
4
- data.tar.gz: 021026b278fb868306ae7153049bc1137cb5ef8268c475469eb2d225ac9d7762
3
+ metadata.gz: c8f64b2627c295ba7c869af59479c05a32add6651102f524774042a087803688
4
+ data.tar.gz: b2f81c63e51e30e38127d6c0ec30ae586714fbaaf4b919afd7ec2c0e85a62fb2
5
5
  SHA512:
6
- metadata.gz: c7a921d40e9e739c0b1c333e7af2e1665487222097cebadca4e1bb47a36c90e2118a6f8f7d801ebf06645a8c62102500b619dcd803aca690ead02c09063b77e0
7
- data.tar.gz: e995d6228f02f2be0662d25081e9a98d6600dd7ac8245688b38bb574b14704562a3219c4d702b8111a44a006514e856d59fc366ddd77dfa88c9e97ccd9efe4d3
6
+ metadata.gz: aad7022cf2aab396e0dd035652f9a42527a83ccf49247554d4b19fbd9030890d926aa922b36c831fea88b223734ed29d628ee9df09442293f62a5f2f484c9b07
7
+ data.tar.gz: 1116091a6da82d47ec44633c41e1fc4a1e9486602b88521dce3a0ada014153ddcfc5ef42eeb570708cb5041ade79063913dbb3539a0a0a471b02536908cd8b80
@@ -1,7 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require 'cfn-nag/util/enforce_noecho_parameter'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
5
6
  require_relative 'base'
6
7
 
7
8
  # Rule class to fail on DirectoryService::SimpleAD password in template
@@ -24,8 +25,8 @@ class DirectoryServiceSimpleADPasswordRule < BaseRule
24
25
  if ad.password.nil?
25
26
  false
26
27
  else
27
- !no_echo_parameter_without_default?(cfn_model,
28
- ad.password)
28
+ insecure_parameter?(cfn_model, ad.password) ||
29
+ insecure_string_or_dynamic_reference?(cfn_model, ad.password)
29
30
  end
30
31
  end
31
32
  violating_ad.map(&:logical_resource_id)
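Review bot: The replacement condition on the two added lines narrows what gets flagged: `insecure_parameter?` returns false for any Hash that has no `Ref` key and `insecure_string_or_dynamic_reference?` returns false for any non-String, so a password built with `Fn::Join`/`Fn::Sub` (or supplied as a number) now passes silently, whereas the removed `!no_echo_parameter_without_default?` call flagged every value that was not a NoEcho `Ref` without a default. The same pattern appears in the RDSInstanceMasterUserPasswordRule and RDSInstanceMasterUsernameRule hunks and in the new RDSDBClusterMasterUserPasswordRule. If accepting other intrinsic functions is intentional, record that in the rule's class comment (`# Accepts NoEcho Ref parameters and secure dynamic references; other intrinsics are not inspected`); otherwise the fix belongs in `insecure_parameter?`, which should treat a `Ref`-less Hash as insecure (`return true unless key_to_check.key? 'Ref'`) rather than return false. The enclosing `select` block and `audit_impl` begin outside the hunk.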
@@ -0,0 +1,35 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
6
+ require_relative 'base'
7
+
8
+ class RDSDBClusterMasterUserPasswordRule < BaseRule
9
+ def rule_text
10
+ 'RDS DB Cluster master user password must be Ref to NoEcho Parameter. ' \
11
+ 'Default credentials are not recommended'
12
+ end
13
+
14
+ def rule_type
15
+ Violation::FAILING_VIOLATION
16
+ end
17
+
18
+ def rule_id
19
+ 'F34'
20
+ end
21
+
22
+ def audit_impl(cfn_model)
23
+ rds_dbclusters = cfn_model.resources_by_type('AWS::RDS::DBCluster')
24
+ violating_rdsclusters = rds_dbclusters.select do |cluster|
25
+ if cluster.masterUserPassword.nil?
26
+ false
27
+ else
28
+ insecure_parameter?(cfn_model, cluster.masterUserPassword) ||
29
+ insecure_string_or_dynamic_reference?(cfn_model, cluster.masterUserPassword)
30
+ end
31
+ end
32
+
33
+ violating_rdsclusters.map(&:logical_resource_id)
34
+ end
35
+ end
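Review bot: `rule_text` at lines 10–11 says the password "must be Ref to NoEcho Parameter", but `audit_impl` at lines 28–29 also accepts Secrets Manager and SSM-Secure dynamic references through `insecure_string_or_dynamic_reference?`, so a user reading the violation message is told a narrower rule than the one enforced. Suggested text: `'RDS DB Cluster master user password must be a Ref to a NoEcho Parameter or a secure dynamic reference. ' \`. The file also lacks the class-level comment the sibling rule files carry (the DirectoryService file opens with `# Rule class to fail on ...`); add `# Rule class to fail on RDS::DBCluster master user password in template` above the class line. Whether `'F34'` is unused by any other rule cannot be confirmed from this diff.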
@@ -1,7 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require 'cfn-nag/util/enforce_noecho_parameter.rb'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
5
6
  require_relative 'base'
6
7
 
7
8
  class RDSInstanceMasterUserPasswordRule < BaseRule
@@ -28,8 +29,8 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
28
29
  if instance.masterUserPassword.nil?
29
30
  false
30
31
  else
31
- !no_echo_parameter_without_default?(cfn_model,
32
- instance.masterUserPassword)
32
+ insecure_parameter?(cfn_model, instance.masterUserPassword) ||
33
+ insecure_string_or_dynamic_reference?(cfn_model, instance.masterUserPassword)
33
34
  end
34
35
  end
35
36
 
@@ -1,7 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require 'cfn-nag/util/enforce_noecho_parameter'
4
+ require 'cfn-nag/util/enforce_reference_parameter'
5
+ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
5
6
  require_relative 'base'
6
7
 
7
8
  # cfn_nag rules related to RDS Instance master username
@@ -30,8 +31,8 @@ class RDSInstanceMasterUsernameRule < BaseRule
30
31
  if instance.masterUsername.nil?
31
32
  false
32
33
  else
33
- !no_echo_parameter_without_default?(cfn_model,
34
- instance.masterUsername)
34
+ insecure_parameter?(cfn_model, instance.masterUsername) ||
35
+ insecure_string_or_dynamic_reference?(cfn_model, instance.masterUsername)
35
36
  end
36
37
  end
37
38
 
@@ -0,0 +1,28 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/util/truthy.rb'
4
+
5
+ # Returns false if the provided key_to_check is a no-echo parameter
6
+ # without a default value; true otherwise.
7
+ # Only applicable for a hash
8
+ def insecure_parameter?(cfn_model, key_to_check)
9
+ # We only want to perform the check against a hash
10
+ return false unless key_to_check.is_a? Hash
11
+
12
+ # We don't care if any other intrinsic function is used here. We only want to
13
+ # verify that Ref is being used properly
14
+ return false unless key_to_check.key? 'Ref'
15
+
16
+ # Check if the key parameter is Ref and if that corresponding reference is
17
+ # setup securely by stating NoEcho=true & Default is not present
18
+ if cfn_model.parameters.key? key_to_check['Ref']
19
+ parameter = cfn_model.parameters[key_to_check['Ref']]
20
+ if truthy?(parameter.noEcho) && parameter.default.nil?
21
+ return false
22
+ end
23
+ end
24
+
25
+ # Return true if key_to_check is a hash and/or a key Ref that does not have
26
+ # the NoEcho parameter set to true and a Default parameter that is not nil
27
+ true
28
+ end
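Review bot: The header comment at lines 5–7 states the method returns "true otherwise", but the guard clauses at lines 10 and 14 return false for a non-Hash value and for a Hash without a `Ref` key, so only a `Ref` that is not a default-less NoEcho parameter actually yields true; a caller reading the comment would assume literal strings and other intrinsics are reported as insecure. The trailing comment at lines 25–26 describes the same contract in garbled wording. Replace both with a comment stating the three outcomes: false for non-Hash and non-`Ref` values (left to other checks), false for a `Ref` to a NoEcho parameter without a Default, true for any other `Ref`. The nested `if` at lines 18–22 could follow the guard style used above it: `return true unless cfn_model.parameters.key? key_to_check['Ref']`, `parameter = cfn_model.parameters[key_to_check['Ref']]`, `!(truthy?(parameter.noEcho) && parameter.default.nil?)`.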
@@ -0,0 +1,25 @@
1
+ # frozen_string_literal: true
2
+
3
+ # Returns false if the provided key_to_check is a dynamic reference
4
+ # to SSM Secure or Secrets Manager; true otherwise.
5
+ # Only applicable for a string
6
+ def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
7
+ # We only want to perform the check agains a string
8
+ return false unless key_to_check.is_a? String
9
+
10
+ # Check if string starts with a Dynamic Reference pointing to SecretsManager
11
+ # or SSM Secure
12
+ if key_to_check.start_with?(
13
+ '{{resolve:secretsmanager:',
14
+ '{{resolve:ssm-secure:'
15
+ )
16
+ # Verify that the secure string ends properly with the double curly braces
17
+ if key_to_check.end_with? '}}'
18
+ return false
19
+ end
20
+ end
21
+
22
+ # Retrun true if key_to_check is a string and is not calling a secured
23
+ # dynamic reference pattern (Secrets Manager or SSM-Secure)
24
+ true
25
+ end
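Review bot: The accept test at lines 12–19 checks only a secure prefix and a trailing `}}`, so any literal text between them also passes — a constructed value such as `'{{resolve:ssm-secure:a}}-literal-}}'` is treated as a secure reference. Anchoring a whole-string match is tighter and avoids the nested `if`: `SECURE_REFERENCE = %r{\A\{\{resolve:(secretsmanager|ssm-secure):[^{}]+\}\}\z}.freeze` at file level and `return false if key_to_check.match?(SECURE_REFERENCE)` in place of lines 12–20. The comments at lines 7 and 22 have typos ("agains", "Retrun"). Leaving `_cfn_model` underscored is the right way to keep the signature parallel with `insecure_parameter?`.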
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.16
4
+ version: 0.4.17
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-06-19 00:00:00.000000000 Z
11
+ date: 2019-06-20 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rspec
@@ -188,6 +188,7 @@ files:
188
188
  - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
189
189
  - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
190
190
  - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
191
+ - lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
191
192
  - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb
192
193
  - lib/cfn-nag/custom_rules/RDSDBInstanceStorageEncryptedRule.rb
193
194
  - lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
@@ -233,7 +234,8 @@ files:
233
234
  - lib/cfn-nag/rule_id_set.rb
234
235
  - lib/cfn-nag/rule_registry.rb
235
236
  - lib/cfn-nag/template_discovery.rb
236
- - lib/cfn-nag/util/enforce_noecho_parameter.rb
237
+ - lib/cfn-nag/util/enforce_reference_parameter.rb
238
+ - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
237
239
  - lib/cfn-nag/util/truthy.rb
238
240
  - lib/cfn-nag/violation.rb
239
241
  - lib/cfn-nag/violation_filtering.rb
@@ -1,24 +0,0 @@
1
- # frozen_string_literal: true
2
-
3
- require 'cfn-nag/util/truthy.rb'
4
-
5
- # Migrated from multiple classes, with some modifications
6
- # Returns true if the provided key_to_check is a no-echo parameter
7
- # without a default value; false otherwise.
8
- def no_echo_parameter_without_default?(cfn_model, key_to_check)
9
- if key_to_check.is_a? Hash
10
- if key_to_check.key? 'Ref'
11
- if cfn_model.parameters.key? key_to_check['Ref']
12
- parameter = cfn_model.parameters[key_to_check['Ref']]
13
-
14
- return truthy?(parameter.noEcho) && parameter.default.nil?
15
- else
16
- return false
17
- end
18
- else
19
- return false
20
- end
21
- end
22
- # String or anything weird will fall through here
23
- false
24
- end