cfn-nag 0.4.25 → 0.4.26
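--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: ef0acd9549dce74e9f5ef0dca9b82fce29c80e193ccddafc258609a45451ce35
+  data.tar.gz: 93fc908b9ca4982528956237adbdd5f1d205696837ef048f52beefa3ba035646
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: d00ea40e225b0e2f7854949c6aae70ee6f81ebbec3f19c578cc590384c7ba94293cb4a784e267e6b2b96e301d57f7d40916099798a78c84e3b5ae3fdfdc20e94
+  data.tar.gz: 164fa35a935ad405bc02f035cb460edc061fabd81467a6b2a9c65918e36ba059addc646d986bbf5a7ad66d36cd1bcb4b716d03a18094feda790997a71d51aa10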
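--- /dev/null
+++ b/lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb
@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+require 'cfn-nag/ip_addr'
+require 'cfn-nag/util/blank.rb'
+
+class SecurityGroupRuleDescriptionRule < BaseRule
+  def rule_text
+    'Security group rules without a description obscure their purpose and may '\
+    'lead to bad practices in ensuring they only allow traffic from the ports '\
+    'and sources/destinations required.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W36'
+  end
+
+  def audit_impl(cfn_model)
+    violating_security_groups?(cfn_model) +
+      violating_ingress?(cfn_model) +
+      violating_egress?(cfn_model)
+  end
+
+  private
+
+  def violating_sg_component(sg_component)
+    sg_component.select do |item|
+      blank?(item['Description'])
+    end
+  end
+
+  def violating_security_groups?(cfn_model)
+    violating_security_groups = cfn_model.security_groups.select do |security_group|
+      !violating_sg_component(security_group.securityGroupIngress).empty? ||
+        !violating_sg_component(security_group.securityGroupEgress).empty?
+    end
+    violating_security_groups.map(&:logical_resource_id)
+  end
+
+  def violating_ingress?(cfn_model)
+    violating_ingress = cfn_model.resources_by_type('AWS::EC2::SecurityGroupIngress').select do |standalone_ingress|
+      blank?(standalone_ingress.description)
+    end
+    violating_ingress.map(&:logical_resource_id)
+  end
+
+  def violating_egress?(cfn_model)
+    violating_egress = cfn_model.resources_by_type('AWS::EC2::SecurityGroupEgress').select do |standalone_egress|
+      blank?(standalone_egress.description)
+    end
+    violating_egress.map(&:logical_resource_id)
+  end
+end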
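Review bot: The three private helpers `violating_security_groups?`, `violating_ingress?` and `violating_egress?` are named as predicates but return arrays of logical resource ids, which misleads readers and breaks the Ruby convention that `?` methods answer yes/no; drop the `?` (e.g. `def violating_security_groups(cfn_model)`) and update the three calls in `audit_impl`. `violating_ingress?` and `violating_egress?` are also line-for-line duplicates apart from the resource type string, so one helper taking the type would remove the repetition, as sketched below. `require 'cfn-nag/ip_addr'` does not appear to be used anywhere in this file and can likely be dropped. Whether `security_group.securityGroupIngress` / `securityGroupEgress` can be nil for a group that declares no rules depends on the cfn-model parser, which is not visible here; if it can, `violating_sg_component` would raise NoMethodError on `select`, so wrapping the argument as `Array(sg_component)` is worth confirming. Likewise `blank?` from `cfn-nag/util/blank.rb` is not shown, so whether a Description given as an intrinsic function (a Hash such as `Fn::Sub`) counts as present should be checked against that helper.

```ruby
  def audit_impl(cfn_model)
    violating_security_groups(cfn_model) +
      violating_standalone_rules(cfn_model, 'AWS::EC2::SecurityGroupIngress') +
      violating_standalone_rules(cfn_model, 'AWS::EC2::SecurityGroupEgress')
  end

  # … unchanged: violating_sg_component, violating_security_groups (renamed without the '?') …

  # Standalone ingress and egress resources are checked identically, so one
  # helper parameterised by resource type replaces the two copies.
  def violating_standalone_rules(cfn_model, resource_type)
    cfn_model.resources_by_type(resource_type)
             .select { |rule| blank?(rule.description) }
             .map(&:logical_resource_id)
  end
```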
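--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.
+  version: 0.4.26
 platform: ruby
 authors:
 - Eric Kascic
@@ -226,6 +226,7 @@ files:
 - lib/cfn-nag/custom_rules/SecurityGroupIngressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupIngressPortRangeRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupMissingEgressRule.rb
+- lib/cfn-nag/custom_rules/SecurityGroupRuleDescriptionRule.rb
 - lib/cfn-nag/custom_rules/SnsTopicPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/SnsTopicPolicyNotPrincipalRule.rb
 - lib/cfn-nag/custom_rules/SnsTopicPolicyWildcardPrincipalRule.rb
@@ -252,6 +253,7 @@ files:
 - lib/cfn-nag/rule_id_set.rb
 - lib/cfn-nag/rule_registry.rb
 - lib/cfn-nag/template_discovery.rb
+- lib/cfn-nag/util/blank.rb
 - lib/cfn-nag/util/enforce_reference_parameter.rb
 - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb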