RubyGems - cfn-nag - Versions diffs - 0.4.41 → 0.4.42 - Mend

cfn-nag 0.4.41 → 0.4.42

Files changed (6) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5717509a5713623b4f9f0e8842ea6f9763f3c16282d883438b79f7792c5ca7f1
-  data.tar.gz: ebeea57d8a3fc5a59fd461b65d16ef11af5f14da66a3f854de7cc9ac6c2d50a9
+  metadata.gz: cf9086143d88b00f7108e8789779d2ef446fab7ebb704026bcc80003bdfc39c4
+  data.tar.gz: 6fb9e538518f2552bb9aa43797735ae42cad6e01f3b65a400c16557a4626a4fe
 SHA512:
-  metadata.gz: 8412f74d9508acfa2cf7134e27d885fb0953bda6727299c200df28f9ca4bb3d0535e9a9484f736823581aa93ea0668a3cf5abe814063de040042e7064d263725
-  data.tar.gz: 7fbf0e3d0f31ef8753804d208efc816209b47afb65368959f1303e06030332e340853459e786d74863c4e2bf30cb1be24622047b5982da01574f5d143ca4b358
+  metadata.gz: 305cf556e4aaa473311687388b96270cf52d5251317e95c80fd969d438128dd462f308471f581571583bbed8f3256f0cd9335bc70c7a67fcdd5896871d5de771
+  data.tar.gz: 3cccb913d3cc87dc4cbccf54b26e6085fb215c264c5ceccf45f8d7fd5920d68498ab027842e2a018823d9200fdf50166ed6a779f97bfe1af1228717cceb3e573

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class ApiGatewayAccessLoggingRule < BaseRule
+  def rule_text
+    'ApiGateway should have access logging configured'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W45'
+  end
+  def audit_impl(cfn_model)
+    violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
+      deployment.stageDescription.nil? || deployment.stageDescription['AccessLogSetting'].nil?
+    end
+    violating_deployments.map(&:logical_resource_id)
+  end
+end

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class IamRoleElevatedManagedPolicyRule < BaseRule
+  def rule_text
+    'IAM role should not have Elevated Managed policy'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W44'
+  end
+  def includes_elevated_policy(role)
+    role.managedPolicyArns.find do |policy|
+      policy.include?('arn:aws:iam::aws:policy/PowerUserAccess') ||
+        policy.include?('arn:aws:iam::aws:policy/IAMFullAccess')
+    end
+  end
+  def audit_impl(cfn_model)
+    violating_roles = cfn_model.resources_by_type('AWS::IAM::Role').select do |role|
+      includes_elevated_policy(role)
+    end
+    violating_roles.map(&:logical_resource_id)
+  end
+end

@@ -22,24 +22,26 @@ class SecurityGroupEgressAllProtocolsRule < BaseRule
   def audit_impl(cfn_model)
     violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_egresses = security_group.egresses.select do |egress|
-        if egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)
-          egress.ipProtocol.to_i == -1
-        else
-          false
-        end
+        violating_egress(egress)
       end
       !violating_egresses.empty?
     end
     violating_egresses = cfn_model.standalone_egress.select do |standalone_egress|
-      if standalone_egress.ipProtocol.is_a?(Integer) || standalone_egress.ipProtocol.is_a?(String)
-        standalone_egress.ipProtocol.to_i == -1
-      else
-        false
-      end
+      violating_egress(standalone_egress)
     end
     violating_security_groups.map(&:logical_resource_id) + violating_egresses.map(&:logical_resource_id)
   end
+  private
+  def violating_egress(egress)
+    if egress.ipProtocol.is_a?(Integer) || egress.ipProtocol.is_a?(String)
+      egress.ipProtocol.to_i == -1
+    else
+      false
+    end
+  end
 end

@@ -22,24 +22,26 @@ class SecurityGroupIngressAllProtocolsRule < BaseRule
   def audit_impl(cfn_model)
     violating_security_groups = cfn_model.security_groups.select do |security_group|
       violating_ingresses = security_group.ingresses.select do |ingress|
-        if ingress.ipProtocol.is_a?(Integer) || ingress.ipProtocol.is_a?(String)
-          ingress.ipProtocol.to_i == -1
-        else
-          false
-        end
+        violating_ingress(ingress)
       end
       !violating_ingresses.empty?
     end
     violating_ingresses = cfn_model.standalone_ingress.select do |standalone_ingress|
-      if standalone_ingress.ipProtocol.is_a?(Integer) || standalone_ingress.ipProtocol.is_a?(String)
-        standalone_ingress.ipProtocol.to_i == -1
-      else
-        false
-      end
+      violating_ingress(standalone_ingress)
     end
     violating_security_groups.map(&:logical_resource_id) + violating_ingresses.map(&:logical_resource_id)
   end
+  private
+  def violating_ingress(ingress)
+    if ingress.ipProtocol.is_a?(Integer) || ingress.ipProtocol.is_a?(String)
+      ingress.ipProtocol.to_i == -1
+    else
+      false
+    end
+  end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.41
+  version: 0.4.42
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-10-26 00:00:00.000000000 Z
+date: 2019-10-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -171,6 +171,7 @@ files:
 - lib/cfn-nag/cli_options.rb
 - lib/cfn-nag/custom_rule_loader.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
+- lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
 - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
@@ -196,6 +197,7 @@ files:
 - lib/cfn-nag/custom_rules/IamPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IamPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/IamRoleAdministratorAccessPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamRoleElevatedManagedPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleNotPrincipalOnTrustPolicyRule.rb