cfn-nag 0.4.30 → 0.4.31

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f82f950358452ac63aa12bde592b60ec9c45e07ab2b21e6c90afa744dc8b372a
-  data.tar.gz: cd9c81ca1dbda0f07f426dc11364b2325bfcdbaf699623551d5badaf34784bfc
+  metadata.gz: 2130f00e6dff534fdfa6c39d625c00b7909e998ecf3878a8ea3dae1c4b948417
+  data.tar.gz: 7fe2fdd16898699d4453e276cee8f14d982bebee6e78519dd2995c602566f709
 SHA512:
-  metadata.gz: 9895244d3c78061c3e8547870675eeb1327d3080bb384da07a05feae3819c04475226c7b889594bafdf80981719e8c3a89802966bfba6827098b5a5798c68296
-  data.tar.gz: eb4fcda99303bdea8ea44f3e7e54889eed6a4f1e0a9c20a8e7d2f08006e01812452c37662c193838aceda3784729f2bf98db559277e9fa2eda3290eeb4db0a9d
+  metadata.gz: c6e4d718d5915fa3457cd111ecc7cb0d098a1db5eecc9e39937c89ce15b2a85fcfa3ace72ea611ef53864ad2dfb8b6c8f95475055face3e03e68a21a6ef91495
+  data.tar.gz: 31c79377d5f089c6b2378dc0912d8822ab8bcfc7cca106abf716a2b4cb4e23fa1617a05c9672477dfb03b53bb027ebab68f3e6898257a28ff5500ecc1dd4c630

data/lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'passrole_base_rule'
+
+class IamManagedPolicyPassRoleWildcardResourceRule < PassRoleBaseRule
+  def rule_text
+    'IAM managed policy should not allow a * resource with PassRole action'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F40'
+  end
+
+  def policy_type
+    'AWS::IAM::ManagedPolicy'
+  end
+end

data/lib/cfn-nag/custom_rules/IamPolicyPassRoleWildcardResourceRule.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'passrole_base_rule'
+
+class IamPolicyPassRoleWildcardResourceRule < PassRoleBaseRule
+  def rule_text
+    'IAM policy should not allow * resource with PassRole action'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F39'
+  end
+
+  def policy_type
+    'AWS::IAM::Policy'
+  end
+end

data/lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+require 'cfn-nag/util/wildcard_patterns'
+
+class IamRolePassRoleWildcardResourceRule < BaseRule
+  IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map! { |x| 'iam:' + x } + ['*']
+
+  def rule_text
+    'IAM role should not allow * resource with PassRole action on its permissions policy'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F38'
+  end
+
+  def audit_impl(cfn_model)
+    violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+      violating_policies = role.policy_objects.select do |policy|
+        violating_statements = policy.policy_document.statements.select do |statement|
+          passrole_action?(statement) && wildcard_resource?(statement)
+        end
+        !violating_statements.empty?
+      end
+      !violating_policies.empty?
+    end
+    violating_roles.map(&:logical_resource_id)
+  end
+
+  private
+
+  def passrole_action?(statement)
+    statement.actions.find { |action| IAM_ACTION_PATTERNS.include? action }
+  end
+
+  def wildcard_resource?(statement)
+    statement.resources.find { |resource| resource == '*' }
+  end
+end

data/lib/cfn-nag/custom_rules/passrole_base_rule.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+require 'cfn-nag/util/wildcard_patterns'
+
+class PassRoleBaseRule < BaseRule
+  IAM_ACTION_PATTERNS = wildcard_patterns('PassRole').map { |pattern| 'iam:' + pattern } + ['*']
+
+  def policy_type
+    raise 'must implement in subclass'
+  end
+
+  def audit_impl(cfn_model)
+    policies = cfn_model.resources_by_type(policy_type)
+
+    violating_policies = policies.select do |policy|
+      violating_statements = policy.policy_document.statements.select do |statement|
+        passrole_action?(statement) && wildcard_resource?(statement)
+      end
+      !violating_statements.empty?
+    end
+    violating_policies.map(&:logical_resource_id)
+  end
+
+  private
+
+  def passrole_action?(statement)
+    statement.actions.find { |action| IAM_ACTION_PATTERNS.include? action }
+  end
+
+  def wildcard_resource?(statement)
+    statement.resources.find { |resource| resource == '*' }
+  end
+end

data/lib/cfn-nag/util/wildcard_patterns.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# Create array of wildcard patterns for a given input string
+
+def wildcard_patterns(input, pattern_types: %w[front back both])
+  input_string = input.to_s
+  results = [input_string]
+  pattern_types.each do |pattern_type|
+    case pattern_type
+    when 'front'
+      results += wildcard_front(input_string)
+    when 'back'
+      results += wildcard_back(input_string)
+    when 'both'
+      results += wildcard_front_back(input_string)
+    else
+      raise "no pattern of type: #{pattern_type}. Use one or more of: front, back, both"
+    end
+  end
+  results + ['*']
+end
+
+private
+
+def wildcard_back(input_string, results = [], prepend: '')
+  return results if input_string.empty?
+
+  results << "#{prepend}#{input_string}*"
+  wildcard_back(input_string.chop, results, prepend: prepend)
+end
+
+def wildcard_front(input_string, results = [])
+  return results if input_string.empty?
+
+  results << "*#{input_string}"
+  wildcard_front(input_string[1..-1], results)
+end
+
+def wildcard_front_back(input_string, results = [])
+  return results if input_string.empty?
+
+  results += wildcard_back(input_string, prepend: '*')
+  wildcard_front_back(input_string[1..-1], results)
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.30
+  version: 0.4.31
 platform: ruby
 authors:
 - Eric Kascic
@@ -186,16 +186,19 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
+- lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyNotResourceRule.rb
+- lib/cfn-nag/custom_rules/IamPolicyPassRoleWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotResourceOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRolePassRoleWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
@@ -241,6 +244,7 @@ files:
 - lib/cfn-nag/custom_rules/WorkspacesWorkspaceEncryptionRule.rb
 - lib/cfn-nag/custom_rules/base.rb
 - lib/cfn-nag/custom_rules/boolean_base_rule.rb
+- lib/cfn-nag/custom_rules/passrole_base_rule.rb
 - lib/cfn-nag/custom_rules/password_base_rule.rb
 - lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
@@ -260,6 +264,7 @@ files:
 - lib/cfn-nag/util/enforce_reference_parameter.rb
 - lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb
 - lib/cfn-nag/util/truthy.rb
+- lib/cfn-nag/util/wildcard_patterns.rb
 - lib/cfn-nag/violation.rb
 - lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag