cfn-nag 0.4.43 → 0.4.44

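--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 94151e341aa4f36814724846e921cc4a0e6e453be46fbc800e8f6011be413894
-data.tar.gz: 88712f5ea9c1861b1318abbfb2ff403b9ca6a59a18bd78765ae22f2d4326351c
+metadata.gz: dfe0f378872eb729bd6a95f0f6519a75172246c92c3d94aff16dd14dff767ce4
+data.tar.gz: 46e41d43c4f81813a15f2238c8b7825f052c858c197a50c0534d82d25da785de
 SHA512:
-metadata.gz: 0a1a7a9cbde4bfe502341687f651d28c1228ff3e88719a1dc687b5bc176241ac1e1b89fb1a22e690922741ce425a4ee3dd1a8a73399d9723262a6a508eeb76f8
-data.tar.gz: da3ab99232f0b93c5332f6ec78d2a2142f3b54f0cf3c609de85012ba020b417d5a3be556b7d799800cf5c4b33027b8704a8facff7ecca34cdd21bdf901d67f96
+metadata.gz: 28ef39b807d418e3426cf770726ed095af0e213f62daa18dd9fa144402ace1184445604c05db8bacad89865feeee4bc9ec465526b6ecc51a8dd17c1ae76f5e50
+data.tar.gz: deeb5de0c7536af52920a2cbf5a6a47dbdd0a9a9dbf0b7ffc8c3125c7c2cc18ece26429ecf95b1af3a450e88432f1939ffab665eec63485f1bd9f6b805e5fe14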
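--- a/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class AmazonMQBrokerUserPasswordRule < BaseRule
+
+def rule_text
+'Amazon MQ Broker resource Users property should exist and its Password property value ' +
+'should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F52'
+end
+
+def audit_impl(cfn_model)
+brokers = cfn_model.resources_by_type('AWS::AmazonMQ::Broker')
+violating_brokers = brokers.select do |mq_broker|
+violating_users?(cfn_model, mq_broker)
+end
+violating_brokers.map(&:logical_resource_id)
+end
+
+private
+
+def user_has_insecure_password?(cfn_model, user)
+if user.has_key? 'Password'
+if insecure_parameter?(cfn_model, user['Password'])
+true
+elsif insecure_string_or_dynamic_reference?(cfn_model, user['Password'])
+true
+elsif user['Password'].nil?
+true
+end
+else
+true
+end
+end
+
+def violating_users?(cfn_model, mq_broker)
+if !mq_broker.users.nil?
+violating_users = mq_broker.users.select do |user|
+user_has_insecure_password?(cfn_model, user)
+end
+!violating_users.empty?
+else
+true
+end
+end
+end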
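Review bot: In `user_has_insecure_password?` the nil check on `user['Password']` is the last branch, so a user entry with `Password: null` is handed to `insecure_parameter?` and `insecure_string_or_dynamic_reference?` before the nil case is recognised; whether those helpers tolerate nil is not visible in this diff. Testing nil first removes that dependency, and because `user['Password']` is nil both when the key is absent and when it is null, the whole method collapses to `password = user['Password']`, `return true if password.nil?`, `insecure_parameter?(cfn_model, password) || insecure_string_or_dynamic_reference?(cfn_model, password)` — which also makes the compliant path return false instead of nil. The same ordering appears in `iam_user_has_insecure_password?` of IamUserLoginProfilePasswordRule and `db_instance_has_insecure_password?` of OpsWorksStackRdsDbInstancePasswordRule; a shared helper taking the hash and key name would keep the three rules in step.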
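--- a/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
+++ b/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class IamUserLoginProfilePasswordResetRule < BaseRule
+def rule_text
+'IAM User Login Profile should exist and have PasswordResetRequired property set to true'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W50'
+end
+
+def audit_impl(cfn_model)
+violating_iam_users = cfn_model.resources_by_type('AWS::IAM::User').select do |iam_user|
+violating_iam_users?(iam_user)
+end
+
+violating_iam_users.map(&:logical_resource_id)
+end
+
+private
+
+def iam_user_password_reset_required_key?(login_profile)
+if login_profile.has_key? 'PasswordResetRequired'
+if login_profile['PasswordResetRequired'].nil?
+true
+elsif not_truthy?(login_profile['PasswordResetRequired'])
+true
+end
+else
+true
+end
+end
+
+def violating_iam_users?(iam_user)
+if !iam_user.loginProfile.nil?
+iam_user_password_reset_required_key?(iam_user.loginProfile)
+else
+false
+end
+end
+end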
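Review bot: `rule_text` says the Login Profile "should exist", but `violating_iam_users?` returns `false` when `iam_user.loginProfile` is nil, so a user without a LoginProfile is never reported by W50 and the text contradicts the code. A user with no console login has no password to reset, so the code is the sensible side; align the text instead: `'If the IAM User LoginProfile property exists, PasswordResetRequired should be set to true'`. `iam_user_password_reset_required_key?` also yields nil rather than false on the compliant path because the inner `if` has no `else`; `return true unless login_profile.key?('PasswordResetRequired')` followed by `login_profile['PasswordResetRequired'].nil? || not_truthy?(login_profile['PasswordResetRequired'])` gives a proper boolean and drops two levels of nesting.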
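--- a/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class IamUserLoginProfilePasswordRule < BaseRule
+def rule_text
+'If the IAM user LoginProile property exists, then its Password value should not ' +
+'show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F51'
+end
+
+def audit_impl(cfn_model)
+resources = cfn_model.resources_by_type('AWS::IAM::User')
+violating_resources = resources.select do |iam_user|
+violating_users?(cfn_model, iam_user)
+end
+violating_resources.map(&:logical_resource_id)
+end
+
+private
+
+def iam_user_has_insecure_password?(cfn_model, login_profile)
+if login_profile.has_key? 'Password'
+if insecure_parameter?(cfn_model, login_profile['Password'])
+true
+elsif insecure_string_or_dynamic_reference?(cfn_model, login_profile['Password'])
+true
+elsif login_profile['Password'].nil?
+true
+end
+else
+true
+end
+end
+
+def violating_users?(cfn_model, iam_user)
+if !iam_user.loginProfile.nil?
+iam_user_has_insecure_password?(cfn_model, iam_user.loginProfile)
+else
+false
+end
+end
+end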
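Review bot: The first line of `rule_text` misspells the property as `LoginProile`; this string is what appears in F51 findings, so it should read `'If the IAM user LoginProfile property exists, then its Password value should not '`. Separately, `violating_users?` can drop the `if !...nil?` / `else false` shape for a guard clause: `return false if iam_user.loginProfile.nil?` followed by `iam_user_has_insecure_password?(cfn_model, iam_user.loginProfile)`.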
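--- a/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
+
+def rule_text
+'OpsWorks Stack RDS DBInstance Password property should not show password ' +
+'in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F54'
+end
+
+def audit_impl(cfn_model)
+opsworks_stacks = cfn_model.resources_by_type('AWS::OpsWorks::Stack')
+violating_opsworks_stacks = opsworks_stacks.select do |opsworks_stack|
+violating_db_instances?(cfn_model, opsworks_stack)
+end
+violating_opsworks_stacks.map(&:logical_resource_id)
+end
+
+private
+
+def db_instance_has_insecure_password?(cfn_model, dbinstance)
+if dbinstance.has_key? 'DbPassword'
+if insecure_parameter?(cfn_model, dbinstance['DbPassword'])
+true
+elsif insecure_string_or_dynamic_reference?(cfn_model, dbinstance['DbPassword'])
+true
+elsif dbinstance['DbPassword'].nil?
+true
+end
+else
+true
+end
+end
+
+def violating_db_instances?(cfn_model, opsworks_stack)
+if !opsworks_stack.rdsDbInstances.nil?
+violating_dbinstances = opsworks_stack.rdsDbInstances.select do |dbinstance|
+db_instance_has_insecure_password?(cfn_model, dbinstance)
+end
+!violating_dbinstances.empty?
+else
+false
+end
+end
+end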
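Review bot: `violating_db_instances?` builds a full `select` result only to ask `empty?`; `any?` expresses the same check without the intermediate array, and a guard clause replaces the `if !...nil?` branch: `return false if opsworks_stack.rdsDbInstances.nil?` then `opsworks_stack.rdsDbInstances.any? { |dbinstance| db_instance_has_insecure_password?(cfn_model, dbinstance) }`. Note that the nil branch returns `false` here while the corresponding branch of `violating_users?` in AmazonMQBrokerUserPasswordRule returns `true`; that matches each rule's text (Users "should exist", no such requirement for RdsDbInstances), so a one-line comment on the `false` branch such as `# a stack with no RDS instances has no DbPassword to check` would stop a later reader "fixing" the asymmetry.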
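--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.43
+version: 0.4.44
 platform: ruby
 authors:
 - Eric Kascic
@@ -170,6 +170,7 @@ files:
 - lib/cfn-nag/cfn_nag_logging.rb
 - lib/cfn-nag/cli_options.rb
 - lib/cfn-nag/custom_rule_loader.rb
+- lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
@@ -206,6 +207,8 @@ files:
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
+- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
+- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
@@ -213,6 +216,7 @@ files:
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
+- lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb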