cfn-nag 0.4.35 → 0.4.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. checksums.yaml +4 -4
  2. data/lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb +28 -0
  3. data/lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb +28 -0
  4. data/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb +26 -0
  5. metadata +5 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1cd3cda83224573532bebacc848e7faeae97f5b3a0a187dd3797239619303d38
4
- data.tar.gz: '08d538e752ee13690d7deb5b5b3e8a6d8fb781b3d9e5f8df956e7123f9739cea'
3
+ metadata.gz: c63f7a83ba068114a9895b55e32158e25dd87f67cd1ec027487bc64102457364
4
+ data.tar.gz: 661de07e06346df408a824655e8d148a161df50833244e85a0aa0d57a127d6ee
5
5
  SHA512:
6
- metadata.gz: 78154bc0b1f476d8331c8f1c0796d523b2315e208e89d409b2424639fbd567c1e2748125c1a1dfac41a8218d70a3d19036eb8b63a517e561a31f170b485c8757
7
- data.tar.gz: 41069d603ec8833debf6bb5f79a73a7f86addf24837a79134b24e00978a536bbc7bb4d781b5848a5e24225232dc95635ece872f830f526ec1364b5826c7ff5ac
6
+ metadata.gz: e917e24120ff829d3c12291e02f6ae360cdebdc97e0aef5db42ecae9a85f74061423fe1565c22dc622baa94e7b3f1197e7fc6f4acb6b5481e4ba08c9d32fde8a
7
+ data.tar.gz: bc6b05f9068133fd662416fe4f21243ba78277ec61855d1c01bb4e3a5ca0283a4f3f19c20751bdb93db6544d18add75a825f7f012f4628278e6e8e29562fc7c1
data/lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb ADDED
@@ -0,0 +1,28 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+ require 'json'
6
+
7
+ class IotPolicyWildcardActionRule < BaseRule
8
+ def rule_text
9
+ 'IOT policy should not allow * action'
10
+ end
11
+
12
+ def rule_type
13
+ Violation::WARNING
14
+ end
15
+
16
+ def rule_id
17
+ 'W38'
18
+ end
19
+
20
+ def audit_impl(cfn_model)
21
+ violating_policies = cfn_model.resources_by_type('AWS::IoT::Policy').select do |policy|
22
+ policy.policy_document = PolicyDocumentParser.new.parse(policy.policyDocument)
23
+ !policy.policy_document.wildcard_allowed_actions.empty?
24
+ end
25
+
26
+ violating_policies.map(&:logical_resource_id)
27
+ end
28
+ end
data/lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb ADDED
@@ -0,0 +1,28 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+ require 'json'
6
+
7
+ class IotPolicyWildcardResourceRule < BaseRule
8
+ def rule_text
9
+ 'IoT policy should not allow * resource'
10
+ end
11
+
12
+ def rule_type
13
+ Violation::WARNING
14
+ end
15
+
16
+ def rule_id
17
+ 'W39'
18
+ end
19
+
20
+ def audit_impl(cfn_model)
21
+ violating_policies = cfn_model.resources_by_type('AWS::IoT::Policy').select do |policy|
22
+ policy.policy_document = PolicyDocumentParser.new.parse(policy.policyDocument)
23
+ !policy.policy_document.wildcard_allowed_resources.empty?
24
+ end
25
+
26
+ violating_policies.map(&:logical_resource_id)
27
+ end
28
+ end
data/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb ADDED
@@ -0,0 +1,26 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+
6
+ class S3BucketEncryptionSetRule < BaseRule
7
+ def rule_text
8
+ 'S3 Bucket should have encryption option set'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::WARNING
13
+ end
14
+
15
+ def rule_id
16
+ 'W41'
17
+ end
18
+
19
+ def audit_impl(cfn_model)
20
+ violating_buckets = cfn_model.resources_by_type('AWS::S3::Bucket').select do |bucket|
21
+ bucket.bucketEncryption.nil?
22
+ end
23
+
24
+ violating_buckets.map(&:logical_resource_id)
25
+ end
26
+ end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.35
4
+ version: 0.4.37
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-07-30 00:00:00.000000000 Z
11
+ date: 2019-08-17 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -203,6 +203,8 @@ files:
203
203
  - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
204
204
  - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
205
205
  - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
206
+ - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
207
+ - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
206
208
  - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
207
209
  - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
208
210
  - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
@@ -219,6 +221,7 @@ files:
219
221
  - lib/cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule.rb
220
222
  - lib/cfn-nag/custom_rules/ResourceWithExplicitNameRule.rb
221
223
  - lib/cfn-nag/custom_rules/S3BucketAccessLoggingRule.rb
224
+ - lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb
222
225
  - lib/cfn-nag/custom_rules/S3BucketPolicyNotActionRule.rb
223
226
  - lib/cfn-nag/custom_rules/S3BucketPolicyNotPrincipalRule.rb
224
227
  - lib/cfn-nag/custom_rules/S3BucketPolicyWildcardActionRule.rb