cfn-nag 0.4.64 → 0.4.65
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb +29 -0
- metadata +5 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bee08d1b2494d86cb88d3f0a55808a7d730d2e997fe8ae8b226378b7a40f23e3
|
4
|
+
data.tar.gz: a7cba7a91824dabe1c466dab679744f30ad845ce50c5c4268eebe0fc923a4dd8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bf98d72ffff808be03a9a7dda2f278f88ecb8f056b4c3c4ae1a37677d0267340c76e4b803f0a8ff455d83cb3b47a71036a58a0e9d14c5f2c78f5dc7e41b05687
|
7
|
+
data.tar.gz: c34097f5e6356a8b6616ab004b3bdd26dd3a6429cfa3c2c9c2cd286e397717a0e65c0ac76397ac5b2bbca7ba8b98314cc0486914840ba897cc4fe0be0348a7d7
|
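--- a/data/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
+++ b/data/lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class KMSKeyWildcardPrincipalRule < BaseRule
+  def rule_text
+    'KMS key should not allow * principal ' \
+    '(https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F76'
+  end
+
+  def audit_impl(cfn_model)
+    # Select all AWS::KMS::Key resources to audit
+    violating_keys = cfn_model.resources_by_type('AWS::KMS::Key').select do |key|
+      # Return key if wildcard_allowed_principals boolean is not empty
+      !key.key_policy.policy_document.wildcard_allowed_principals.empty?
+    end
+
+    violating_keys.map(&:logical_resource_id)
+  end
+end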
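Review bot: `audit_impl` dereferences `key.key_policy.policy_document.wildcard_allowed_principals` with no nil guard, so if the parsed model can leave `key_policy` or `policy_document` nil for a key resource, the `select` block raises NoMethodError instead of producing a result; `!Array(key.key_policy&.policy_document&.wildcard_allowed_principals).empty?` keeps the same truth table for the populated case and treats a missing policy as not violating. The comment `# Return key if wildcard_allowed_principals boolean is not empty` is misleading because `.empty?` is being called on a collection, not a boolean — `# Flag the key when any policy statement grants access to a wildcard principal` describes what the line does. It is also worth documenting, in `rule_text` or a comment on `audit_impl`, whether `wildcard_allowed_principals` takes `Condition` blocks into account, since a `*` principal scoped by a condition such as `kms:CallerAccount` or `kms:ViaService` is a common deliberate pattern and users need to know whether F76 will report it.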
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-nag
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.4.
|
4
|
+
version: 0.4.65
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Eric Kascic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-01-
|
11
|
+
date: 2020-01-14 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rake
|
@@ -72,14 +72,14 @@ dependencies:
|
|
72
72
|
requirements:
|
73
73
|
- - '='
|
74
74
|
- !ruby/object:Gem::Version
|
75
|
-
version: 0.4.
|
75
|
+
version: 0.4.12
|
76
76
|
type: :runtime
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
80
|
- - '='
|
81
81
|
- !ruby/object:Gem::Version
|
82
|
-
version: 0.4.
|
82
|
+
version: 0.4.12
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
84
|
name: jmespath
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
@@ -209,6 +209,7 @@ files:
|
|
209
209
|
- lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
|
210
210
|
- lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
|
211
211
|
- lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb
|
212
|
+
- lib/cfn-nag/custom_rules/KMSKeyWildcardPrincipalRule.rb
|
212
213
|
- lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
|
213
214
|
- lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
|
214
215
|
- lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb
|