cfn-nag 0.4.16 → 0.4.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb +4 -3
- data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb +35 -0
- data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb +4 -3
- data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb +4 -3
- data/lib/cfn-nag/util/enforce_reference_parameter.rb +28 -0
- data/lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb +25 -0
- metadata +5 -3
- data/lib/cfn-nag/util/enforce_noecho_parameter.rb +0 -24
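--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: c8f64b2627c295ba7c869af59479c05a32add6651102f524774042a087803688
+data.tar.gz: b2f81c63e51e30e38127d6c0ec30ae586714fbaaf4b919afd7ec2c0e85a62fb2
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: aad7022cf2aab396e0dd035652f9a42527a83ccf49247554d4b19fbd9030890d926aa922b36c831fea88b223734ed29d628ee9df09442293f62a5f2f484c9b07
+data.tar.gz: 1116091a6da82d47ec44633c41e1fc4a1e9486602b88521dce3a0ada014153ddcfc5ef42eeb570708cb5041ade79063913dbb3539a0a0a471b02536908cd8b80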
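--- a/data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/DirectoryServiceSimpleADPasswordRule.rb
@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
 require_relative 'base'
 
 # Rule class to fail on DirectoryService::SimpleAD password in template
@@ -24,8 +25,8 @@ class DirectoryServiceSimpleADPasswordRule < BaseRule
 if ad.password.nil?
 false
 else
-
-
+insecure_parameter?(cfn_model, ad.password) ||
+insecure_string_or_dynamic_reference?(cfn_model, ad.password)
 end
 end
 violating_ad.map(&:logical_resource_id)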
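--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class RDSDBClusterMasterUserPasswordRule < BaseRule
+def rule_text
+'RDS DB Cluster master user password must be Ref to NoEcho Parameter. ' \
+'Default credentials are not recommended'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F34'
+end
+
+def audit_impl(cfn_model)
+rds_dbclusters = cfn_model.resources_by_type('AWS::RDS::DBCluster')
+violating_rdsclusters = rds_dbclusters.select do |cluster|
+if cluster.masterUserPassword.nil?
+false
+else
+insecure_parameter?(cfn_model, cluster.masterUserPassword) ||
+insecure_string_or_dynamic_reference?(cfn_model, cluster.masterUserPassword)
+end
+end
+
+violating_rdsclusters.map(&:logical_resource_id)
+end
+end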
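--- a/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
 require_relative 'base'
 
 class RDSInstanceMasterUserPasswordRule < BaseRule
@@ -28,8 +29,8 @@ class RDSInstanceMasterUserPasswordRule < BaseRule
 if instance.masterUserPassword.nil?
 false
 else
-
-
+insecure_parameter?(cfn_model, instance.masterUserPassword) ||
+insecure_string_or_dynamic_reference?(cfn_model, instance.masterUserPassword)
 end
 end
 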
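--- a/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
+++ b/data/lib/cfn-nag/custom_rules/RDSInstanceMasterUsernameRule.rb
@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require 'cfn-nag/util/
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
 require_relative 'base'
 
 # cfn_nag rules related to RDS Instance master username
@@ -30,8 +31,8 @@ class RDSInstanceMasterUsernameRule < BaseRule
 if instance.masterUsername.nil?
 false
 else
-
-
+insecure_parameter?(cfn_model, instance.masterUsername) ||
+insecure_string_or_dynamic_reference?(cfn_model, instance.masterUsername)
 end
 end
 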
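--- /dev/null
+++ b/data/lib/cfn-nag/util/enforce_reference_parameter.rb
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/util/truthy.rb'
+
+# Returns false if the provided key_to_check is a no-echo parameter
+# without a default value; true otherwise.
+# Only applicable for a hash
+def insecure_parameter?(cfn_model, key_to_check)
+# We only want to perform the check against a hash
+return false unless key_to_check.is_a? Hash
+
+# We don't care if any other intrinsic function is used here. We only want to
+# verify that Ref is being used properly
+return false unless key_to_check.key? 'Ref'
+
+# Check if the key parameter is Ref and if that corresponding reference is
+# setup securely by stating NoEcho=true & Default is not present
+if cfn_model.parameters.key? key_to_check['Ref']
+parameter = cfn_model.parameters[key_to_check['Ref']]
+if truthy?(parameter.noEcho) && parameter.default.nil?
+return false
+end
+end
+
+# Return true if key_to_check is a hash and/or a key Ref that does not have
+# the NoEcho parameter set to true and a Default parameter that is not nil
+true
+end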
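--- /dev/null
+++ b/data/lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+# Returns false if the provided key_to_check is a dynamic reference
+# to SSM Secure or Secrets Manager; true otherwise.
+# Only applicable for a string
+def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
+# We only want to perform the check agains a string
+return false unless key_to_check.is_a? String
+
+# Check if string starts with a Dynamic Reference pointing to SecretsManager
+# or SSM Secure
+if key_to_check.start_with?(
+'{{resolve:secretsmanager:',
+'{{resolve:ssm-secure:'
+)
+# Verify that the secure string ends properly with the double curly braces
+if key_to_check.end_with? '}}'
+return false
+end
+end
+
+# Retrun true if key_to_check is a string and is not calling a secured
+# dynamic reference pattern (Secrets Manager or SSM-Secure)
+true
+end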
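--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.17
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-06-
+date: 2019-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rspec
@@ -188,6 +188,7 @@ files:
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
+- lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb
 - lib/cfn-nag/custom_rules/RDSDBInstanceStorageEncryptedRule.rb
 - lib/cfn-nag/custom_rules/RDSInstanceMasterUserPasswordRule.rb
@@ -233,7 +234,8 @@ files:
 - lib/cfn-nag/rule_id_set.rb
 - lib/cfn-nag/rule_registry.rb
 - lib/cfn-nag/template_discovery.rb
-- lib/cfn-nag/util/
+- lib/cfn-nag/util/enforce_reference_parameter.rb
+- lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb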
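--- a/data/lib/cfn-nag/util/enforce_noecho_parameter.rb
+++ /dev/null
@@ -1,24 +0,0 @@
-# frozen_string_literal: true
-
-require 'cfn-nag/util/truthy.rb'
-
-# Migrated from multiple classes, with some modifications
-# Returns true if the provided key_to_check is a no-echo parameter
-# without a default value; false otherwise.
-def no_echo_parameter_without_default?(cfn_model, key_to_check)
-if key_to_check.is_a? Hash
-if key_to_check.key? 'Ref'
-if cfn_model.parameters.key? key_to_check['Ref']
-parameter = cfn_model.parameters[key_to_check['Ref']]
-
-return truthy?(parameter.noEcho) && parameter.default.nil?
-else
-return false
-end
-else
-return false
-end
-end
-# String or anything weird will fall through here
-false
-end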