cfn-nag 0.4.70 → 0.4.71
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb +31 -0
- data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb +31 -0
- metadata +3 -3
- data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb +0 -56
- data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb +0 -53
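--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8aac032953583895153e90c0c12415050b835ff4d220df996979b4ec8d769a82
+data.tar.gz: 6ebf25a6c6a86e76e11081c7016bbad1148a5af529cc85db608d84b9bbcf7836
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 90b0d3a36532be603b08bbf78c8c5f28df13bf3164cd5cf0c9ed06ff56093445dc42a27540b0e09a2c8f1606d1e5b28bfdec4cb8d4a742c09e972bdcab34cf29
+data.tar.gz: f798dd0079bb6448ee8bd130d13f053e9c2c282a7c2b7e06976850962ecb166437ccb158634cb8859c23b496a33c17ce9199aa9a309dd1b521c8abf48814c4f3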
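--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'sub_property_with_list_password_base_rule'
+
+class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
+def rule_text
+'AmazonMQ Broker Users Password must not be a plaintext ' \
+'string or a Ref to a NoEcho Parameter with a Default value.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F52'
+end
+
+def resource_type
+'AWS::AmazonMQ::Broker'
+end
+
+def password_property
+:users
+end
+
+def sub_property_name
+'Password'
+end
+end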
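Review bot: The removed AmazonMQBrokerUserPasswordRule treated a broker with no Users property, and a user entry with no Password key, as F52 violations (its violating_users? and user_has_insecure_password? returned true for both), while the new class delegates the whole check to SubPropertyWithListPasswordBaseRule, which is not in this diff, so whether those two cases are still flagged cannot be confirmed here; a spec per case would pin it down. The removed rule also rejected values that resolve through an insecure dynamic reference (insecure_string_or_dynamic_reference?), whereas the new rule_text names only plaintext strings and NoEcho parameters with a default; if the base rule still covers dynamic references the text should say so, and if it does not, that is a regression in what F52 catches. A class comment such as `# F52: flags Users[].Password on AWS::AmazonMQ::Broker; the matching logic lives in SubPropertyWithListPasswordBaseRule` would tell a reader where the check actually happens.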
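--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'password_base_rule'
+
+class IAMUserLoginProfilePasswordRule < PasswordBaseRule
+def rule_text
+'IAM User LoginProfile Password must not be a plaintext string or ' \
+'a Ref to a NoEcho Parameter with a Default value.'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F51'
+end
+
+def resource_type
+'AWS::IAM::User'
+end
+
+def password_property
+:loginProfile
+end
+
+def sub_property_name
+'Password'
+end
+end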
|
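--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.4.
+version: 0.4.71
 platform: ruby
 authors:
 - Eric Kascic
@@ -159,7 +159,7 @@ files:
 - lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb
 - lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb
 - lib/cfn-nag/custom_rules/AmazonMQBrokerEncryptionOptionsRule.rb
-- lib/cfn-nag/custom_rules/
+- lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
 - lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
@@ -187,6 +187,7 @@ files:
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2AccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+- lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb
@@ -208,7 +209,6 @@ files:
 - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
 - lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
-- lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
 - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
 - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb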
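--- a/data/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
+++ /dev/null
@@ -1,56 +0,0 @@
-# frozen_string_literal: true
-
-require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
-
-class AmazonMQBrokerUserPasswordRule < BaseRule
-def rule_text
-'Amazon MQ Broker resource Users property should exist and its Password property value ' \
-'should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
-end
-
-def rule_type
-Violation::FAILING_VIOLATION
-end
-
-def rule_id
-'F52'
-end
-
-def audit_impl(cfn_model)
-brokers = cfn_model.resources_by_type('AWS::AmazonMQ::Broker')
-violating_brokers = brokers.select do |mq_broker|
-violating_users?(cfn_model, mq_broker)
-end
-violating_brokers.map(&:logical_resource_id)
-end
-
-private
-
-def user_has_insecure_password?(cfn_model, user)
-if user.key? 'Password'
-if insecure_parameter?(cfn_model, user['Password'])
-true
-elsif insecure_string_or_dynamic_reference?(cfn_model, user['Password'])
-true
-elsif user['Password'].nil?
-true
-end
-else
-true
-end
-end
-
-def violating_users?(cfn_model, mq_broker)
-if !mq_broker.users.nil?
-violating_users = mq_broker.users.select do |user|
-user_has_insecure_password?(cfn_model, user)
-end
-!violating_users.empty?
-else
-true
-end
-end
-end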
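--- a/data/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
+++ /dev/null
@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-
-require 'cfn-nag/violation'
-require 'cfn-nag/util/enforce_reference_parameter'
-require 'cfn-nag/util/enforce_string_or_dynamic_reference'
-require_relative 'base'
-
-class IamUserLoginProfilePasswordRule < BaseRule
-def rule_text
-'If the IAM user LoginProile property exists, then its Password value should not ' \
-'show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
-end
-
-def rule_type
-Violation::FAILING_VIOLATION
-end
-
-def rule_id
-'F51'
-end
-
-def audit_impl(cfn_model)
-resources = cfn_model.resources_by_type('AWS::IAM::User')
-violating_resources = resources.select do |iam_user|
-violating_users?(cfn_model, iam_user)
-end
-violating_resources.map(&:logical_resource_id)
-end
-
-private
-
-def iam_user_has_insecure_password?(cfn_model, login_profile)
-if login_profile.key? 'Password'
-if insecure_parameter?(cfn_model, login_profile['Password'])
-true
-elsif insecure_string_or_dynamic_reference?(cfn_model, login_profile['Password'])
-true
-elsif login_profile['Password'].nil?
-true
-end
-else
-true
-end
-end
-
-def violating_users?(cfn_model, iam_user)
-if !iam_user.loginProfile.nil?
-iam_user_has_insecure_password?(cfn_model, iam_user.loginProfile)
-else
-false
-end
-end
-end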