cfn-nag 0.4.47 → 0.4.48
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb +4 -5
- data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb +26 -0
- data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb +2 -2
- data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb +5 -5
- data/lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb +1 -1
- data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb +6 -7
- metadata +3 -2
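--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 9b8c05850ca1c4622ee72dfe950ea4d0b3a6b80ef3db915c0ec6dec0f7b239aa
+data.tar.gz: f69c4f271e4372f00ea392c7c76ac47ef28d7e6ee0f6b759d116db192c5e74f5
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6afa307b35c4a449b4cc2279360dcbde14acbc664ab577403054676689e94a33eb4e1c9d33fc6469d73f4032d60f29b9e298218675e468ee14a747ed4e4c2785
+data.tar.gz: 36ab1e480b2d0d133cf5e27147ca1c41b3f177fca160030912ef714bcbe193067cc29fd1c114ca726237f5eaf34ae0b9233af2f694f65e9aba4cb308e3648b33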
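--- a/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
@@ -6,9 +6,8 @@ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
 require_relative 'base'
 
 class AmazonMQBrokerUserPasswordRule < BaseRule
-
 def rule_text
-'Amazon MQ Broker resource Users property should exist and its Password property value '
+'Amazon MQ Broker resource Users property should exist and its Password property value ' \
 'should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
 end
 
@@ -31,7 +30,7 @@ class AmazonMQBrokerUserPasswordRule < BaseRule
 private
 
 def user_has_insecure_password?(cfn_model, user)
-if user.
+if user.key? 'Password'
 if insecure_parameter?(cfn_model, user['Password'])
 true
 elsif insecure_string_or_dynamic_reference?(cfn_model, user['Password'])
@@ -40,7 +39,7 @@ class AmazonMQBrokerUserPasswordRule < BaseRule
 true
 end
 else
-true
+true
 end
 end
 
@@ -53,5 +52,5 @@ class AmazonMQBrokerUserPasswordRule < BaseRule
 else
 true
 end
-end
+end
 end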
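--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ApiGatewayV2AccessLoggingRule < BaseRule
+def rule_text
+'ApiGateway V2 should have access logging configured'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W46'
+end
+
+def audit_impl(cfn_model)
+violating_deployments = cfn_model.resources_by_type('AWS::ApiGatewayV2::Stage').select do |deployment|
+deployment.accessLogSetting.nil?
+end
+
+violating_deployments.map(&:logical_resource_id)
+end
+end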
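--- a/data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
@@ -28,7 +28,7 @@ class IamUserLoginProfilePasswordResetRule < BaseRule
 private
 
 def iam_user_password_reset_required_key?(login_profile)
-if login_profile.
+if login_profile.key? 'PasswordResetRequired'
 if login_profile['PasswordResetRequired'].nil?
 true
 elsif not_truthy?(login_profile['PasswordResetRequired'])
@@ -45,5 +45,5 @@ class IamUserLoginProfilePasswordResetRule < BaseRule
 else
 false
 end
-end
+end
 end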
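--- a/data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
@@ -7,7 +7,7 @@ require_relative 'base'
 
 class IamUserLoginProfilePasswordRule < BaseRule
 def rule_text
-'If the IAM user LoginProile property exists, then its Password value should not '
+'If the IAM user LoginProile property exists, then its Password value should not ' \
 'show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
 end
 
@@ -28,9 +28,9 @@ class IamUserLoginProfilePasswordRule < BaseRule
 end
 
 private
-
+
 def iam_user_has_insecure_password?(cfn_model, login_profile)
-if login_profile.
+if login_profile.key? 'Password'
 if insecure_parameter?(cfn_model, login_profile['Password'])
 true
 elsif insecure_string_or_dynamic_reference?(cfn_model, login_profile['Password'])
@@ -39,7 +39,7 @@ class IamUserLoginProfilePasswordRule < BaseRule
 true
 end
 else
-true
+true
 end
 end
 
@@ -49,5 +49,5 @@ class IamUserLoginProfilePasswordRule < BaseRule
 else
 false
 end
-end
+end
 end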
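--- a/data/lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb
@@ -28,7 +28,7 @@ class MissingBucketPolicyRule < BaseRule
 
 def policy_for_bucket(cfn_model, bucket)
 cfn_model.resources_by_type('AWS::S3::BucketPolicy').find do |bucket_policy|
-if bucket_policy.bucket.is_a?(Hash) && bucket_policy.bucket.
+if bucket_policy.bucket.is_a?(Hash) && bucket_policy.bucket.key?('Ref')
 bucket_policy.bucket['Ref'] == bucket.logical_resource_id
 else
 bucket.bucketName == bucket_policy.bucket
@@ -37,0 +37,0 @@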
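--- a/data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
+++ b/data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
@@ -6,9 +6,8 @@ require 'cfn-nag/util/enforce_string_or_dynamic_reference'
 require_relative 'base'
 
 class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
-
 def rule_text
-'OpsWorks Stack RDS DBInstance Password property should not show password '
+'OpsWorks Stack RDS DBInstance Password property should not show password ' \
 'in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
 end
 
@@ -28,10 +27,10 @@ class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
 violating_opsworks_stacks.map(&:logical_resource_id)
 end
 
-private
+private
 
 def db_instance_has_insecure_password?(cfn_model, dbinstance)
-if dbinstance.
+if dbinstance.key? 'DbPassword'
 if insecure_parameter?(cfn_model, dbinstance['DbPassword'])
 true
 elsif insecure_string_or_dynamic_reference?(cfn_model, dbinstance['DbPassword'])
@@ -40,7 +39,7 @@ class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
 true
 end
 else
-true
+true
 end
 end
 
@@ -53,5 +52,5 @@ class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
 else
 false
 end
-end
-end
+end
+end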
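--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.48
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-11-
+date: 2019-11-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -159,6 +159,7 @@ files:
 - lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/ApiGatewayAccessLoggingRule.rb
+- lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
 - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb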