cfn-nag 0.4.43 → 0.4.44
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb +57 -0
- data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb +49 -0
- data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb +53 -0
- data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb +57 -0
- metadata +5 -1
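--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dfe0f378872eb729bd6a95f0f6519a75172246c92c3d94aff16dd14dff767ce4
+data.tar.gz: 46e41d43c4f81813a15f2238c8b7825f052c858c197a50c0534d82d25da785de
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 28ef39b807d418e3426cf770726ed095af0e213f62daa18dd9fa144402ace1184445604c05db8bacad89865feeee4bc9ec465526b6ecc51a8dd17c1ae76f5e50
+data.tar.gz: deeb5de0c7536af52920a2cbf5a6a47dbdd0a9a9dbf0b7ffc8c3125c7c2cc18ece26429ecf95b1af3a450e88432f1939ffab665eec63485f1bd9f6b805e5fe14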
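--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class AmazonMQBrokerUserPasswordRule < BaseRule
+
+def rule_text
+'Amazon MQ Broker resource Users property should exist and its Password property value ' +
+'should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F52'
+end
+
+def audit_impl(cfn_model)
+brokers = cfn_model.resources_by_type('AWS::AmazonMQ::Broker')
+violating_brokers = brokers.select do |mq_broker|
+violating_users?(cfn_model, mq_broker)
+end
+violating_brokers.map(&:logical_resource_id)
+end
+
+private
+
+def user_has_insecure_password?(cfn_model, user)
+if user.has_key? 'Password'
+if insecure_parameter?(cfn_model, user['Password'])
+true
+elsif insecure_string_or_dynamic_reference?(cfn_model, user['Password'])
+true
+elsif user['Password'].nil?
+true
+end
+else
+true
+end
+end
+
+def violating_users?(cfn_model, mq_broker)
+if !mq_broker.users.nil?
+violating_users = mq_broker.users.select do |user|
+user_has_insecure_password?(cfn_model, user)
+end
+!violating_users.empty?
+else
+true
+end
+end
+end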
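Review bot: In `user_has_insecure_password?` the `nil?` test on `user['Password']` is the last branch of the chain, so `insecure_parameter?` and `insecure_string_or_dynamic_reference?` are first called with a nil value whenever the key is present but empty; unless those helpers are known to tolerate nil, test it first: `password = user['Password']`, `return true if password.nil?`, then `insecure_parameter?(cfn_model, password) || insecure_string_or_dynamic_reference?(cfn_model, password)`, which also replaces the implicit nil the chain returns when no branch matches with an explicit false. The same helper is duplicated as `iam_user_has_insecure_password?` in IamUserLoginProfilePasswordRule.rb and `db_instance_has_insecure_password?` in OpsWorksStackRdsDbInstancePasswordRule.rb in this release, differing only in the key name, so a shared `insecure_password_value?(cfn_model, hash, key)` in the base class or a util would keep the three rules in step. Minor style points: `key?` over `has_key?`, and `unless mq_broker.users.nil?` over `if !mq_broker.users.nil?` in `violating_users?`.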
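--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class IamUserLoginProfilePasswordResetRule < BaseRule
+def rule_text
+'IAM User Login Profile should exist and have PasswordResetRequired property set to true'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W50'
+end
+
+def audit_impl(cfn_model)
+violating_iam_users = cfn_model.resources_by_type('AWS::IAM::User').select do |iam_user|
+violating_iam_users?(iam_user)
+end
+
+violating_iam_users.map(&:logical_resource_id)
+end
+
+private
+
+def iam_user_password_reset_required_key?(login_profile)
+if login_profile.has_key? 'PasswordResetRequired'
+if login_profile['PasswordResetRequired'].nil?
+true
+elsif not_truthy?(login_profile['PasswordResetRequired'])
+true
+end
+else
+true
+end
+end
+
+def violating_iam_users?(iam_user)
+if !iam_user.loginProfile.nil?
+iam_user_password_reset_required_key?(iam_user.loginProfile)
+else
+false
+end
+end
+end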
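Review bot: The `rule_text` at line 9 says the login profile "should exist", but `violating_iam_users?` returns false when `loginProfile` is nil, so a user with no login profile is never reported; the text should match the code, since a user without a console password is the safer state, e.g. `'If an IAM User LoginProfile exists, it should have PasswordResetRequired set to true'`. `iam_user_password_reset_required_key?` reads as a key-existence predicate but actually answers "is this profile violating", and it returns nil rather than false when the value is truthy; a name such as `password_reset_not_required?` with an explicit `else false` branch would make the `select` in `audit_impl` read correctly. Whether `not_truthy?` copes with a `Ref` or other intrinsic as the `PasswordResetRequired` value is not visible in this hunk; if it does not, a short comment stating that only literal values are evaluated would help.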
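--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class IamUserLoginProfilePasswordRule < BaseRule
+def rule_text
+'If the IAM user LoginProile property exists, then its Password value should not ' +
+'show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F51'
+end
+
+def audit_impl(cfn_model)
+resources = cfn_model.resources_by_type('AWS::IAM::User')
+violating_resources = resources.select do |iam_user|
+violating_users?(cfn_model, iam_user)
+end
+violating_resources.map(&:logical_resource_id)
+end
+
+private
+
+def iam_user_has_insecure_password?(cfn_model, login_profile)
+if login_profile.has_key? 'Password'
+if insecure_parameter?(cfn_model, login_profile['Password'])
+true
+elsif insecure_string_or_dynamic_reference?(cfn_model, login_profile['Password'])
+true
+elsif login_profile['Password'].nil?
+true
+end
+else
+true
+end
+end
+
+def violating_users?(cfn_model, iam_user)
+if !iam_user.loginProfile.nil?
+iam_user_has_insecure_password?(cfn_model, iam_user.loginProfile)
+else
+false
+end
+end
+end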
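Review bot: The user-facing `rule_text` at line 10 misspells the property name: `'If the IAM user LoginProile property exists, then its Password value should not '` should read `'If the IAM user LoginProfile property exists, then its Password value should not '`, as this string is what ends up in the violation report that people search for. `violating_users?` reads `iam_user.loginProfile` twice and uses `if !...nil?`; `profile = iam_user.loginProfile` followed by `!profile.nil? && iam_user_has_insecure_password?(cfn_model, profile)` says the same thing in two lines and keeps the explicit false result.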
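--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
+
+def rule_text
+'OpsWorks Stack RDS DBInstance Password property should not show password ' +
+'in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F54'
+end
+
+def audit_impl(cfn_model)
+opsworks_stacks = cfn_model.resources_by_type('AWS::OpsWorks::Stack')
+violating_opsworks_stacks = opsworks_stacks.select do |opsworks_stack|
+violating_db_instances?(cfn_model, opsworks_stack)
+end
+violating_opsworks_stacks.map(&:logical_resource_id)
+end
+
+private
+
+def db_instance_has_insecure_password?(cfn_model, dbinstance)
+if dbinstance.has_key? 'DbPassword'
+if insecure_parameter?(cfn_model, dbinstance['DbPassword'])
+true
+elsif insecure_string_or_dynamic_reference?(cfn_model, dbinstance['DbPassword'])
+true
+elsif dbinstance['DbPassword'].nil?
+true
+end
+else
+true
+end
+end
+
+def violating_db_instances?(cfn_model, opsworks_stack)
+if !opsworks_stack.rdsDbInstances.nil?
+violating_dbinstances = opsworks_stack.rdsDbInstances.select do |dbinstance|
+db_instance_has_insecure_password?(cfn_model, dbinstance)
+end
+!violating_dbinstances.empty?
+else
+false
+end
+end
+end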
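Review bot: `violating_db_instances?` materialises the full list of violating instances with `select` only to ask `empty?`; `any?` states the intent and stops at the first hit: `instances = opsworks_stack.rdsDbInstances`, `return false if instances.nil?`, `instances.any? { |dbinstance| db_instance_has_insecure_password?(cfn_model, dbinstance) }`. Note the deliberate asymmetry with AmazonMQBrokerUserPasswordRule.rb in this release: a missing `RdsDbInstances` is treated as compliant here (`false`) while a missing `Users` is a violation there (`true`); both match their rule texts, but a one-line comment above each `else` branch stating why would stop a later change from "aligning" them the wrong way.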
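--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.44
 platform: ruby
 authors:
 - Eric Kascic
@@ -170,6 +170,7 @@ files:
 - lib/cfn-nag/cfn_nag_logging.rb
 - lib/cfn-nag/cli_options.rb
 - lib/cfn-nag/custom_rule_loader.rb
+- lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
@@ -206,6 +207,8 @@ files:
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
+- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
@@ -213,6 +216,7 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
+- lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb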