cfn-nag 0.4.62 → 0.4.63

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2eb58c1f70a79801771b6bc7fc707a0fa108874bcd7880a4fd78904320319e22
-  data.tar.gz: ba52eff1a3ba6297c9aca52c653fe2cdbc78d9cb5db86aa903e351ba1e01bd25
+  metadata.gz: f815bd0f4c95fc396806e61ad78339398dd99019b6208de8e94649750e3dec0e
+  data.tar.gz: 7647413ad2e87e8d501fcd0d1f6280273ecd6f474a78ebdc46ea17f3478fa688
 SHA512:
-  metadata.gz: 2bfa223aa35e3c2582b4cf5d5cc5d7c07fad9da65ae1f91e73141ee1d3cb8de2b26c53fec9085bdf41d4af3e8c6759d3e4fd626db84b1093d5521774c3139ea4
-  data.tar.gz: f4ea688c9e00530ac98715d91bc35d5cb15bb70c2f60d17752476bfd8cdd730655aa96218fb85ef9076b5ffed120f43054fe1e7ce75d87d570af4c01a51d9cd0
+  metadata.gz: 97c9ccee4d1a90673381de942a6f7f18475bbf38e135d58404c0db558a17cc283bedfe6b1def88b82a78cf34f2f9d1797183d3776b6de56ae104b1e95eb714bd
+  data.tar.gz: dd930b363d88cb0acb7e3fbb399721cba200fdcd43debe4bd03bd132420790319048d52025ad5ff3f68fc865bbf751a601a34430e496bc69b2dd30b85a61615f

data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class AlexaASKSkillAuthenticationConfigurationClientSecretRule < BaseRule
+  def rule_text
+    'Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be ' \
+    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F74'
+  end
+
+  def audit_impl(cfn_model)
+    ask_skills = cfn_model.resources_by_type('Alexa::ASK::Skill')
+    violating_skills = ask_skills.select do |skill|
+      client_secret = skill.authenticationConfiguration['ClientSecret']
+      if client_secret.nil?
+        false
+      else
+        insecure_parameter?(cfn_model, client_secret) ||
+          insecure_string_or_dynamic_reference?(cfn_model, client_secret)
+      end
+    end
+
+    violating_skills.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/enforce_reference_parameter'
+require 'cfn-nag/util/enforce_string_or_dynamic_reference'
+require_relative 'base'
+
+class AlexaASKSkillAuthenticationConfigurationRefreshTokenRule < BaseRule
+  def rule_text
+    'Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be ' \
+    'a plaintext string or a Ref to a NoEcho Parameter with a Default value.'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F75'
+  end
+
+  def audit_impl(cfn_model)
+    ask_skills = cfn_model.resources_by_type('Alexa::ASK::Skill')
+    violating_skills = ask_skills.select do |skill|
+      refresh_token = skill.authenticationConfiguration['RefreshToken']
+      if refresh_token.nil?
+        false
+      else
+        insecure_parameter?(cfn_model, refresh_token) ||
+          insecure_string_or_dynamic_reference?(cfn_model, refresh_token)
+      end
+    end
+
+    violating_skills.map(&:logical_resource_id)
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.62
+  version: 0.4.63
 platform: ruby
 authors:
 - Eric Kascic
@@ -156,6 +156,8 @@ files:
 - lib/cfn-nag/cfn_nag_logging.rb
 - lib/cfn-nag/cli_options.rb
 - lib/cfn-nag/custom_rule_loader.rb
+- lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb
+- lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb
 - lib/cfn-nag/custom_rules/AmazonMQBrokerEncryptionOptionsRule.rb
 - lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb