RubyGems - cfn-nag - Versions diffs - 0.4.54 → 0.4.55 - Mend

cfn-nag 0.4.54 → 0.4.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f1ec99e81c1cb40eb73ada73058cefaa7ca8f5971e9758185151d6d5024cf96
-  data.tar.gz: 429177c30d6994c2729fbf8a7b33f160ceb00c63e1e5037ef19e75cdcbd618a6
+  metadata.gz: 2682c698c9f4b4cc462275cb36c2789f62305084d85175f5f3a2be1d1bc28095
+  data.tar.gz: f0718d888c66edb0d5efa8da809e0379be6c3b9f079299bee93bd73fc396b5d5
 SHA512:
-  metadata.gz: 0fd6d418f467e7d2a96de56ee13aba8ff3c2151f5a740a3e78184cf53fcac18d1c54f24f6d521d7897230e66f86d2b6161d9c0b670a805692e6664f7c080b330
-  data.tar.gz: 329f13656def76e5490e65bfaa16f75012fee1201de587c727b5b274b2f90a6f4417cc8535d71f6845e291c6fbf0b28ce40c3fe3b43e9955b7c3dfbe68ae23e4
+  metadata.gz: 0042f93b7b41c7f3203b532d7bb4342adf8f5c61e0a0aecc962ecb7b2f2bda87cffaed100a6be8464399a9bd3355029f80178319653dfd7e05339e97d3eb149d
+  data.tar.gz: 1ea773c620e0d22ff2e1225022304879b13615c72aabbfbd813630d15b64a3f8c3e31f889fae37dc315fdf2b3990289b843033552c34c7d1dd46bce06834ede8

data/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb ADDED

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class KinesisStreamStreamEncryptionRule < BaseRule
+  def rule_text
+    'Kinesis Stream should specify StreamEncryption. EncryptionType should be KMS and specify KMS Key Id.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W49'
+  end
+  def audit_impl(cfn_model)
+    violating_kinesis_streams = cfn_model.resources_by_type('AWS::Kinesis::Stream').select do |kinesis_stream|
+      violating_kinesis_streams?(kinesis_stream)
+    end
+    violating_kinesis_streams.map(&:logical_resource_id)
+  end
+  private
+  def violating_kinesis_streams?(kinesis_stream)
+    if kinesis_stream.streamEncryption.nil?
+      true
+    elsif kinesis_stream.streamEncryption['EncryptionType'].nil?
+      true
+    elsif kinesis_stream.streamEncryption['KeyId'].nil?
+      true
+    else
+      kinesis_stream.streamEncryption['EncryptionType'] == 'NONE'
+    end
+  end
+end

data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb ADDED

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'sub_property_with_list_password_base_rule'
+class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
+  def rule_text
+    'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext ' \
+    'string or a Ref to a NoEcho Parameter with a Default value.' \
+  end
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+  def rule_id
+    'F54'
+  end
+  def resource_type
+    'AWS::OpsWorks::Stack'
+  end
+  def password_property
+    :rdsDbInstances
+  end
+  def sub_property_name
+    'DbPassword'
+  end
+end

data/lib/cfn-nag/custom_rules/password_base_rule.rb CHANGED

@@ -20,7 +20,7 @@ class PasswordBaseRule < BaseRule
     resources = cfn_model.resources_by_type(resource_type)
     violating_resources = resources.select do |resource|
-      if verify_parameter_exists(resource, password_property, sub_property_name)
+      if property_does_not_exist(resource, password_property, sub_property_name)
         false
       else
         verify_insecure_string_and_parameter(
@@ -31,32 +31,34 @@ class PasswordBaseRule < BaseRule
     violating_resources.map(&:logical_resource_id)
   end
-end
-private
+  private
-def verify_parameter_exists(resource, password_property, sub_property_name)
-  if sub_property_name.nil?
-    resource.send(password_property).nil?
-  else
-    resource.send(password_property)[sub_property_name].nil?
+  def property_does_not_exist(resource, password_property, sub_property_name)
+    if resource.send(password_property).nil?
+      true
+    elsif sub_property_name.nil?
+      false
+    else
+      resource.send(password_property)[sub_property_name].nil?
+    end
   end
-end
-def verify_insecure_string_and_parameter(
-  cfn_model, resource, password_property, sub_property_name
-)
-  if sub_property_name.nil?
-    insecure_parameter?(cfn_model, resource.send(password_property)) ||
-      insecure_string_or_dynamic_reference?(
-        cfn_model, resource.send(password_property)
-      )
-  else
-    insecure_parameter?(
-      cfn_model, resource.send(password_property)[sub_property_name]
-    ) ||
-      insecure_string_or_dynamic_reference?(
+  def verify_insecure_string_and_parameter(
+    cfn_model, resource, password_property, sub_property_name
+  )
+    if sub_property_name.nil?
+      insecure_parameter?(cfn_model, resource.send(password_property)) ||
+        insecure_string_or_dynamic_reference?(
+          cfn_model, resource.send(password_property)
+        )
+    else
+      insecure_parameter?(
         cfn_model, resource.send(password_property)[sub_property_name]
-      )
+      ) ||
+        insecure_string_or_dynamic_reference?(
+          cfn_model, resource.send(password_property)[sub_property_name]
+        )
+    end
   end
 end

data/lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb ADDED

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+class SubPropertyWithListPasswordBaseRule < BaseRule
+  def resource_type
+    raise 'must implement in subclass'
+  end
+  def password_property
+    raise 'must implement in subclass'
+  end
+  def sub_property_name; end
+  def audit_impl(cfn_model)
+    resources = cfn_model.resources_by_type(resource_type)
+    violating_resources = resources.select do |resource|
+      verify_insecure_string_and_parameter_with_list(
+        cfn_model, resource, password_property, sub_property_name
+      )
+    end
+    violating_resources.map(&:logical_resource_id)
+  end
+  private
+  def verify_insecure_string_and_parameter_with_list(
+    cfn_model, resource, password_property, sub_property_name
+  )
+    sub_property_checks_result = ''
+    resource.send(password_property).select do |sub_property|
+      sub_property_checks_result = insecure_parameter?(
+        cfn_model, sub_property[sub_property_name]
+      ) || insecure_string_or_dynamic_reference?(
+        cfn_model, sub_property[sub_property_name]
+      )
+    end
+    sub_property_checks_result
+  end
+end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.54
+  version: 0.4.55
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-07 00:00:00.000000000 Z
+date: 2019-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -200,12 +200,13 @@ files:
 - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
+- lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb
 - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
-- lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
+- lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb
@@ -250,6 +251,7 @@ files:
 - lib/cfn-nag/custom_rules/boolean_base_rule.rb
 - lib/cfn-nag/custom_rules/passrole_base_rule.rb
 - lib/cfn-nag/custom_rules/password_base_rule.rb
+- lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
 - lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
 - lib/cfn-nag/jmes_path_evaluator.rb

data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb DELETED

@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
-class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
-  def rule_text
-    'OpsWorks Stack RDS DBInstance Password property should not show password ' \
-    'in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
-  end
-  def rule_type
-    Violation::FAILING_VIOLATION
-  end
-  def rule_id
-    'F54'
-  end
-  def audit_impl(cfn_model)
-    opsworks_stacks = cfn_model.resources_by_type('AWS::OpsWorks::Stack')
-    violating_opsworks_stacks = opsworks_stacks.select do |opsworks_stack|
-      violating_db_instances?(cfn_model, opsworks_stack)
-    end
-    violating_opsworks_stacks.map(&:logical_resource_id)
-  end
-  private
-  def db_instance_has_insecure_password?(cfn_model, dbinstance)
-    if dbinstance.key? 'DbPassword'
-      if insecure_parameter?(cfn_model, dbinstance['DbPassword'])
-        true
-      elsif insecure_string_or_dynamic_reference?(cfn_model, dbinstance['DbPassword'])
-        true
-      elsif dbinstance['DbPassword'].nil?
-        true
-      end
-    else
-      true
-    end
-  end
-  def violating_db_instances?(cfn_model, opsworks_stack)
-    if !opsworks_stack.rdsDbInstances.nil?
-      violating_dbinstances = opsworks_stack.rdsDbInstances.select do |dbinstance|
-        db_instance_has_insecure_password?(cfn_model, dbinstance)
-      end
-      !violating_dbinstances.empty?
-    else
-      false
-    end
-  end
-end