cfn-nag 0.4.43 → 0.4.44

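--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 94151e341aa4f36814724846e921cc4a0e6e453be46fbc800e8f6011be413894
-  data.tar.gz: 88712f5ea9c1861b1318abbfb2ff403b9ca6a59a18bd78765ae22f2d4326351c
+  metadata.gz: dfe0f378872eb729bd6a95f0f6519a75172246c92c3d94aff16dd14dff767ce4
+  data.tar.gz: 46e41d43c4f81813a15f2238c8b7825f052c858c197a50c0534d82d25da785de
 SHA512:
-  metadata.gz: 0a1a7a9cbde4bfe502341687f651d28c1228ff3e88719a1dc687b5bc176241ac1e1b89fb1a22e690922741ce425a4ee3dd1a8a73399d9723262a6a508eeb76f8
-  data.tar.gz: da3ab99232f0b93c5332f6ec78d2a2142f3b54f0cf3c609de85012ba020b417d5a3be556b7d799800cf5c4b33027b8704a8facff7ecca34cdd21bdf901d67f96
+  metadata.gz: 28ef39b807d418e3426cf770726ed095af0e213f62daa18dd9fa144402ace1184445604c05db8bacad89865feeee4bc9ec465526b6ecc51a8dd17c1ae76f5e50
+  data.tar.gz: deeb5de0c7536af52920a2cbf5a6a47dbdd0a9a9dbf0b7ffc8c3125c7c2cc18ece26429ecf95b1af3a450e88432f1939ffab665eec63485f1bd9f6b805e5fe14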
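--- /dev/null
+++ b/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class AmazonMQBrokerUserPasswordRule < BaseRule
+
+  def rule_text
+    'Amazon MQ Broker resource Users property should exist and its Password property value ' +
+    'should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F52'
+  end
+
+  def audit_impl(cfn_model)
+    brokers = cfn_model.resources_by_type('AWS::AmazonMQ::Broker')
+    violating_brokers = brokers.select do |mq_broker|
+      violating_users?(cfn_model, mq_broker)
+    end
+    violating_brokers.map(&:logical_resource_id)
+  end
+
+  private
+
+  def user_has_insecure_password?(cfn_model, user)
+    if user.has_key? 'Password'
+      if insecure_parameter?(cfn_model, user['Password'])
+        true
+      elsif insecure_string_or_dynamic_reference?(cfn_model, user['Password'])
+        true
+      elsif user['Password'].nil?
+        true
+      end
+    else
+      true
+    end
+  end
+
+  def violating_users?(cfn_model, mq_broker)
+    if !mq_broker.users.nil?
+      violating_users = mq_broker.users.select do |user|
+        user_has_insecure_password?(cfn_model, user)
+      end
+      !violating_users.empty?
+    else
+      true
+    end
+  end
+end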
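Review bot: In `user_has_insecure_password?` the `elsif user['Password'].nil?` branch sits after the two helper calls, so a `Password` key carrying a null value is handed to `insecure_parameter?` and `insecure_string_or_dynamic_reference?` before it is caught; unless those helpers tolerate nil (they are not visible in this change) the rule raises instead of reporting F52. A guard clause fixes the order and also subsumes the `has_key?` branch, because `user['Password']` is nil whenever the key is absent: `return true if user['Password'].nil?` followed by `insecure_parameter?(cfn_model, user['Password']) || insecure_string_or_dynamic_reference?(cfn_model, user['Password'])`. Separately, `violating_users?` assumes `mq_broker.users` is already an Array; if cfn-model can hand back an intrinsic there, `select` would fail rather than flag the broker, which is worth confirming.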
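--- /dev/null
+++ b/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class IamUserLoginProfilePasswordResetRule < BaseRule
+  def rule_text
+    'IAM User Login Profile should exist and have PasswordResetRequired property set to true'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W50'
+  end
+
+  def audit_impl(cfn_model)
+    violating_iam_users = cfn_model.resources_by_type('AWS::IAM::User').select do |iam_user|
+      violating_iam_users?(iam_user)
+    end
+
+    violating_iam_users.map(&:logical_resource_id)
+  end
+
+  private
+
+  def iam_user_password_reset_required_key?(login_profile)
+    if login_profile.has_key? 'PasswordResetRequired'
+      if login_profile['PasswordResetRequired'].nil?
+        true
+      elsif not_truthy?(login_profile['PasswordResetRequired'])
+        true
+      end
+    else
+      true
+    end
+  end
+
+  def violating_iam_users?(iam_user)
+    if !iam_user.loginProfile.nil?
+      iam_user_password_reset_required_key?(iam_user.loginProfile)
+    else
+      false
+    end
+  end
+end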
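Review bot: The rule text says the login profile "should exist", but `violating_iam_users?` returns `false` when `iam_user.loginProfile` is nil, so a user with no LoginProfile never triggers W50 and the text overstates what is checked. Since a user without a login profile has no console password to force a reset on, the code is the sensible side; align the text instead: `'IAM User Login Profile, if present, should have PasswordResetRequired property set to true'`. A naming point: `iam_user_password_reset_required_key?` answers true when the property is missing, null or not truthy, i.e. when the user is violating, so a name like `password_reset_not_required?` would read correctly at the call site.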
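--- /dev/null
+++ b/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class IamUserLoginProfilePasswordRule < BaseRule
+  def rule_text
+    'If the IAM user LoginProile property exists, then its Password value should not ' +
+    'show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F51'
+  end
+
+  def audit_impl(cfn_model)
+    resources = cfn_model.resources_by_type('AWS::IAM::User')
+    violating_resources = resources.select do |iam_user|
+      violating_users?(cfn_model, iam_user)
+    end
+    violating_resources.map(&:logical_resource_id)
+  end
+
+  private
+
+  def iam_user_has_insecure_password?(cfn_model, login_profile)
+    if login_profile.has_key? 'Password'
+      if insecure_parameter?(cfn_model, login_profile['Password'])
+        true
+      elsif insecure_string_or_dynamic_reference?(cfn_model, login_profile['Password'])
+        true
+      elsif login_profile['Password'].nil?
+        true
+      end
+    else
+      true
+    end
+  end
+
+  def violating_users?(cfn_model, iam_user)
+    if !iam_user.loginProfile.nil?
+      iam_user_has_insecure_password?(cfn_model, iam_user.loginProfile)
+    else
+      false
+    end
+  end
+end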
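Review bot: `rule_text` misspells the property as "LoginProile"; this string is what lands in the F51 finding, so anyone grepping output or suppression notes for `LoginProfile` will miss it — change the first line to `'If the IAM user LoginProfile property exists, then its Password value should not '`. Separately, in `iam_user_has_insecure_password?` the `login_profile['Password'].nil?` test comes after the two helper calls, so a null `Password` reaches `insecure_parameter?` and `insecure_string_or_dynamic_reference?` before it is caught; unless those helpers accept nil (not visible here), a leading `return true if login_profile['Password'].nil?` is safer and also makes the outer `has_key?` branch redundant.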
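--- /dev/null
+++ b/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
+
+  def rule_text
+    'OpsWorks Stack RDS DBInstance Password property should not show password ' +
+    'in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F54'
+  end
+
+  def audit_impl(cfn_model)
+    opsworks_stacks = cfn_model.resources_by_type('AWS::OpsWorks::Stack')
+    violating_opsworks_stacks = opsworks_stacks.select do |opsworks_stack|
+      violating_db_instances?(cfn_model, opsworks_stack)
+    end
+    violating_opsworks_stacks.map(&:logical_resource_id)
+  end
+
+  private
+
+  def db_instance_has_insecure_password?(cfn_model, dbinstance)
+    if dbinstance.has_key? 'DbPassword'
+      if insecure_parameter?(cfn_model, dbinstance['DbPassword'])
+        true
+      elsif insecure_string_or_dynamic_reference?(cfn_model, dbinstance['DbPassword'])
+        true
+      elsif dbinstance['DbPassword'].nil?
+        true
+      end
+    else
+      true
+    end
+  end
+
+  def violating_db_instances?(cfn_model, opsworks_stack)
+    if !opsworks_stack.rdsDbInstances.nil?
+      violating_dbinstances = opsworks_stack.rdsDbInstances.select do |dbinstance|
+        db_instance_has_insecure_password?(cfn_model, dbinstance)
+      end
+      !violating_dbinstances.empty?
+    else
+      false
+    end
+  end
+end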
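Review bot: `db_instance_has_insecure_password?` is the third copy in this release of the same three-way `if`/`elsif` shape (the AmazonMQ and IAM LoginProfile rules differ only in the key name), and like them it tests `nil?` only after `insecure_parameter?` and `insecure_string_or_dynamic_reference?` have already been called with the possibly-null value. Within this file the method reduces to a guard clause plus an `||`, shown below; longer term a shared `insecure_password_value?(cfn_model, value)` in `base` or the util module would fix the ordering once for all three rules. The rule text also does not say that a DbInstance entry with no `DbPassword` key at all is flagged (the `else` branch returns true), unlike the MQ text which states the property "should exist"; either mention it or drop that branch if CloudFormation already rejects the missing key.
```ruby
  # … unchanged: rule_text, rule_type, rule_id, audit_impl …

  def db_instance_has_insecure_password?(cfn_model, dbinstance)
    password = dbinstance['DbPassword']
    # nil covers both a missing key and an explicit null value
    return true if password.nil?

    insecure_parameter?(cfn_model, password) ||
      insecure_string_or_dynamic_reference?(cfn_model, password)
  end

  # … unchanged: violating_db_instances? …
```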
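--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.43
+  version: 0.4.44
 platform: ruby
 authors:
 - Eric Kascic
@@ -170,6 +170,7 @@ files:
 - lib/cfn-nag/cfn_nag_logging.rb
 - lib/cfn-nag/cli_options.rb
 - lib/cfn-nag/custom_rule_loader.rb
+- lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
@@ -206,6 +207,8 @@ files:
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
+- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
@@ -213,6 +216,7 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
+- lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb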