RubyGems - cfn-nag - Versions diffs - 0.4.54 → 0.4.55 - Mend

cfn-nag 0.4.54 → 0.4.55

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9f1ec99e81c1cb40eb73ada73058cefaa7ca8f5971e9758185151d6d5024cf96
-  data.tar.gz: 429177c30d6994c2729fbf8a7b33f160ceb00c63e1e5037ef19e75cdcbd618a6
+  metadata.gz: 2682c698c9f4b4cc462275cb36c2789f62305084d85175f5f3a2be1d1bc28095
+  data.tar.gz: f0718d888c66edb0d5efa8da809e0379be6c3b9f079299bee93bd73fc396b5d5
 SHA512:
-  metadata.gz: 0fd6d418f467e7d2a96de56ee13aba8ff3c2151f5a740a3e78184cf53fcac18d1c54f24f6d521d7897230e66f86d2b6161d9c0b670a805692e6664f7c080b330
-  data.tar.gz: 329f13656def76e5490e65bfaa16f75012fee1201de587c727b5b274b2f90a6f4417cc8535d71f6845e291c6fbf0b28ce40c3fe3b43e9955b7c3dfbe68ae23e4
+  metadata.gz: 0042f93b7b41c7f3203b532d7bb4342adf8f5c61e0a0aecc962ecb7b2f2bda87cffaed100a6be8464399a9bd3355029f80178319653dfd7e05339e97d3eb149d
+  data.tar.gz: 1ea773c620e0d22ff2e1225022304879b13615c72aabbfbd813630d15b64a3f8c3e31f889fae37dc315fdf2b3990289b843033552c34c7d1dd46bce06834ede8

data/lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb ADDED

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'base'
+class KinesisStreamStreamEncryptionRule < BaseRule
+  def rule_text
+    'Kinesis Stream should specify StreamEncryption. EncryptionType should be KMS and specify KMS Key Id.'
+  end
+  def rule_type
+    Violation::WARNING
+  end
+  def rule_id
+    'W49'
+  end
+  def audit_impl(cfn_model)
+    violating_kinesis_streams = cfn_model.resources_by_type('AWS::Kinesis::Stream').select do |kinesis_stream|
+      violating_kinesis_streams?(kinesis_stream)
+    end
+    violating_kinesis_streams.map(&:logical_resource_id)
+  end
+  private
+  def violating_kinesis_streams?(kinesis_stream)
+    if kinesis_stream.streamEncryption.nil?
+      true
+    elsif kinesis_stream.streamEncryption['EncryptionType'].nil?
+      true
+    elsif kinesis_stream.streamEncryption['KeyId'].nil?
+      true
+    else
+      kinesis_stream.streamEncryption['EncryptionType'] == 'NONE'
+    end
+  end
+end

data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb ADDED

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require_relative 'sub_property_with_list_password_base_rule'
+class OpsWorksStackRdsDbInstancesDbPasswordRule < SubPropertyWithListPasswordBaseRule
+  def rule_text
+    'OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext ' \
+    'string or a Ref to a NoEcho Parameter with a Default value.' \
+  end
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+  def rule_id
+    'F54'
+  end
+  def resource_type
+    'AWS::OpsWorks::Stack'
+  end
+  def password_property
+    :rdsDbInstances
+  end
+  def sub_property_name
+    'DbPassword'
+  end
+end

data/lib/cfn-nag/custom_rules/password_base_rule.rb CHANGED

@@ -20,7 +20,7 @@ class PasswordBaseRule < BaseRule
     resources = cfn_model.resources_by_type(resource_type)
     violating_resources = resources.select do |resource|
-      if verify_parameter_exists(resource, password_property, sub_property_name)
+      if property_does_not_exist(resource, password_property, sub_property_name)
         false
       else
         verify_insecure_string_and_parameter(
@@ -31,32 +31,34 @@ class PasswordBaseRule < BaseRule
     violating_resources.map(&:logical_resource_id)
   end
-end
-private
+  private
-def verify_parameter_exists(resource, password_property, sub_property_name)
-  if sub_property_name.nil?
-    resource.send(password_property).nil?
-  else
-    resource.send(password_property)[sub_property_name].nil?
+  def property_does_not_exist(resource, password_property, sub_property_name)
+    if resource.send(password_property).nil?
+      true
+    elsif sub_property_name.nil?
+      false
+    else
+      resource.send(password_property)[sub_property_name].nil?
+    end
   end
-end
-def verify_insecure_string_and_parameter(
-  cfn_model, resource, password_property, sub_property_name
-)
-  if sub_property_name.nil?
-    insecure_parameter?(cfn_model, resource.send(password_property)) ||
-      insecure_string_or_dynamic_reference?(
-        cfn_model, resource.send(password_property)
-      )
-  else
-    insecure_parameter?(
-      cfn_model, resource.send(password_property)[sub_property_name]
-    ) ||
-      insecure_string_or_dynamic_reference?(
+  def verify_insecure_string_and_parameter(
+    cfn_model, resource, password_property, sub_property_name
+  )
+    if sub_property_name.nil?
+      insecure_parameter?(cfn_model, resource.send(password_property)) ||
+        insecure_string_or_dynamic_reference?(
+          cfn_model, resource.send(password_property)
+        )
+    else
+      insecure_parameter?(
         cfn_model, resource.send(password_property)[sub_property_name]
-      )
+      ) ||
+        insecure_string_or_dynamic_reference?(
+          cfn_model, resource.send(password_property)[sub_property_name]
+        )
+    end
   end
 end

data/lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb ADDED

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+class SubPropertyWithListPasswordBaseRule < BaseRule
+  def resource_type
+    raise 'must implement in subclass'
+  end
+  def password_property
+    raise 'must implement in subclass'
+  end
+  def sub_property_name; end
+  def audit_impl(cfn_model)
+    resources = cfn_model.resources_by_type(resource_type)
+    violating_resources = resources.select do |resource|
+      verify_insecure_string_and_parameter_with_list(
+        cfn_model, resource, password_property, sub_property_name
+      )
+    end
+    violating_resources.map(&:logical_resource_id)
+  end
+  private
+  def verify_insecure_string_and_parameter_with_list(
+    cfn_model, resource, password_property, sub_property_name
+  )
+    sub_property_checks_result = ''
+    resource.send(password_property).select do |sub_property|
+      sub_property_checks_result = insecure_parameter?(
+        cfn_model, sub_property[sub_property_name]
+      ) || insecure_string_or_dynamic_reference?(
+        cfn_model, sub_property[sub_property_name]
+      )
+    end
+    sub_property_checks_result
+  end
+end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.54
+  version: 0.4.55
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-12-07 00:00:00.000000000 Z
+date: 2019-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -200,12 +200,13 @@ files:
 - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
+- lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
 - lib/cfn-nag/custom_rules/ManagedPolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/MissingBucketPolicyRule.rb
 - lib/cfn-nag/custom_rules/NeptuneDBClusterStorageEncryptedRule.rb
-- lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb
+- lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancesDbPasswordRule.rb
 - lib/cfn-nag/custom_rules/PolicyOnUserRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterMasterUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/RDSDBClusterStorageEncryptedRule.rb
@@ -250,6 +251,7 @@ files:
 - lib/cfn-nag/custom_rules/boolean_base_rule.rb
 - lib/cfn-nag/custom_rules/passrole_base_rule.rb
 - lib/cfn-nag/custom_rules/password_base_rule.rb
+- lib/cfn-nag/custom_rules/sub_property_with_list_password_base_rule.rb
 - lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
 - lib/cfn-nag/jmes_path_evaluator.rb

data/lib/cfn-nag/custom_rules/OpsWorksStackRdsDbInstancePasswordRule.rb DELETED

@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
-class OpsWorksStackRdsDbInstancePasswordRule < BaseRule
-  def rule_text
-    'OpsWorks Stack RDS DBInstance Password property should not show password ' \
-    'in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
-  end
-  def rule_type
-    Violation::FAILING_VIOLATION
-  end
-  def rule_id
-    'F54'
-  end
-  def audit_impl(cfn_model)
-    opsworks_stacks = cfn_model.resources_by_type('AWS::OpsWorks::Stack')
-    violating_opsworks_stacks = opsworks_stacks.select do |opsworks_stack|
-      violating_db_instances?(cfn_model, opsworks_stack)
-    end
-    violating_opsworks_stacks.map(&:logical_resource_id)
-  end
-  private
-  def db_instance_has_insecure_password?(cfn_model, dbinstance)
-    if dbinstance.key? 'DbPassword'
-      if insecure_parameter?(cfn_model, dbinstance['DbPassword'])
-        true
-      elsif insecure_string_or_dynamic_reference?(cfn_model, dbinstance['DbPassword'])
-        true
-      elsif dbinstance['DbPassword'].nil?
-        true
-      end
-    else
-      true
-    end
-  end
-  def violating_db_instances?(cfn_model, opsworks_stack)
-    if !opsworks_stack.rdsDbInstances.nil?
-      violating_dbinstances = opsworks_stack.rdsDbInstances.select do |dbinstance|
-        db_instance_has_insecure_password?(cfn_model, dbinstance)
-      end
-      !violating_dbinstances.empty?
-    else
-      false
-    end
-  end
-end