cfn-nag 0.4.70 → 0.4.71

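--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: b5f716aaaa7aa9cf67851bc4e5b617779a57f2efa7f36cc0a2a7afafa9614917
- data.tar.gz: 332173d8f2a259b4e3192b429789abff67d96b22e3dea0e4677452b47146b49a
+ metadata.gz: 8aac032953583895153e90c0c12415050b835ff4d220df996979b4ec8d769a82
+ data.tar.gz: 6ebf25a6c6a86e76e11081c7016bbad1148a5af529cc85db608d84b9bbcf7836
  SHA512:
- metadata.gz: 6cf097e08a2bf950ad1bc8be489de3bb36fbe8013b474096b040ca33dfd8d5dad151a1fa64546f5d42e992fed163b41189b0a0099689322120cb9f091fe5d7d0
- data.tar.gz: 1e71cf559c01a9b9e1bdb5d86a629a38da31b6a39c5fe1c2b7323bc45c874a355fdaa2e33e41477b60ff96823dce246b15aedd38cd6298357e55d68de2ceddbd
+ metadata.gz: 90b0d3a36532be603b08bbf78c8c5f28df13bf3164cd5cf0c9ed06ff56093445dc42a27540b0e09a2c8f1606d1e5b28bfdec4cb8d4a742c09e972bdcab34cf29
+ data.tar.gz: f798dd0079bb6448ee8bd130d13f053e9c2c282a7c2b7e06976850962ecb166437ccb158634cb8859c23b496a33c17ce9199aa9a309dd1b521c8abf48814c4f3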
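--- a/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
@@ -0,0 +1,31 @@
+ # frozen_string_literal: true
+
+ require 'cfn-nag/violation'
+ require_relative 'sub_property_with_list_password_base_rule'
+
+ class AmazonMQBrokerUsersPasswordRule < SubPropertyWithListPasswordBaseRule
+ def rule_text
+ 'AmazonMQ Broker Users Password must not be a plaintext ' \
+ 'string or a Ref to a NoEcho Parameter with a Default value.'
+ end
+
+ def rule_type
+ Violation::FAILING_VIOLATION
+ end
+
+ def rule_id
+ 'F52'
+ end
+
+ def resource_type
+ 'AWS::AmazonMQ::Broker'
+ end
+
+ def password_property
+ :users
+ end
+
+ def sub_property_name
+ 'Password'
+ end
+ end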
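Review bot: The removed AmazonMQBrokerUserPasswordRule reported a broker whose Users property was absent and a user entry with no Password key at all, whereas the new class in this hunk delegates every such decision to SubPropertyWithListPasswordBaseRule, which is not part of this diff; if that base only inspects entries that carry a Password value, those two cases silently stop being findings. The old rule also routed the value through insecure_string_or_dynamic_reference?, and the new rule_text no longer mentions dynamic references, so it is not visible here whether non-secure SSM resolves are still flagged. A class-level comment would make the contract explicit, e.g. `# F52: flags AWS::AmazonMQ::Broker resources whose Users[].Password is a plaintext string or a Ref to a NoEcho Parameter with a Default; exact conditions live in SubPropertyWithListPasswordBaseRule.` A spec pinning the missing-Users and missing-Password cases against the new class would confirm whether detection coverage changed.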
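--- a/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
@@ -0,0 +1,31 @@
+ # frozen_string_literal: true
+
+ require 'cfn-nag/violation'
+ require_relative 'password_base_rule'
+
+ class IAMUserLoginProfilePasswordRule < PasswordBaseRule
+ def rule_text
+ 'IAM User LoginProfile Password must not be a plaintext string or ' \
+ 'a Ref to a NoEcho Parameter with a Default value.'
+ end
+
+ def rule_type
+ Violation::FAILING_VIOLATION
+ end
+
+ def rule_id
+ 'F51'
+ end
+
+ def resource_type
+ 'AWS::IAM::User'
+ end
+
+ def password_property
+ :loginProfile
+ end
+
+ def sub_property_name
+ 'Password'
+ end
+ end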
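Review bot: The class is renamed from IamUserLoginProfilePasswordRule to IAMUserLoginProfilePasswordRule while the sibling IamUserLoginProfilePasswordResetRule.rb kept in the metadata file list retains the `Iam` prefix, so the two rules covering the same IAM user LoginProfile now spell the acronym differently; one casing convention across custom_rules keeps rule lookup and grepping predictable. The removed rule returned false when loginProfile was nil, so a user with no LoginProfile was never a finding; whether PasswordBaseRule (outside this diff) preserves that, and whether it still checks the dynamic-reference case the old insecure_string_or_dynamic_reference? call covered, is not visible here and deserves a regression spec. A short class comment would also help readers, e.g. `# F51: flags AWS::IAM::User resources whose LoginProfile.Password is a plaintext string or a Ref to a NoEcho Parameter with a Default value.`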
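--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: cfn-nag
  version: !ruby/object:Gem::Version
- version: 0.4.70
+ version: 0.4.71
  platform: ruby
  authors:
  - Eric Kascic
@@ -159,7 +159,7 @@ files:
  - lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationClientSecretRule.rb
  - lib/cfn-nag/custom_rules/AlexaASKSkillAuthenticationConfigurationRefreshTokenRule.rb
  - lib/cfn-nag/custom_rules/AmazonMQBrokerEncryptionOptionsRule.rb
- - lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
+ - lib/cfn-nag/custom_rules/AmazonMQBrokerUsersPasswordRule.rb
  - lib/cfn-nag/custom_rules/AmplifyAppAccessTokenRule.rb
  - lib/cfn-nag/custom_rules/AmplifyAppBasicAuthConfigPasswordRule.rb
  - lib/cfn-nag/custom_rules/AmplifyAppOauthTokenRule.rb
@@ -187,6 +187,7 @@ files:
  - lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb
  - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2AccessLoggingRule.rb
  - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
+ - lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
  - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb
  - lib/cfn-nag/custom_rules/IamManagedPolicyNotResourceRule.rb
  - lib/cfn-nag/custom_rules/IamManagedPolicyPassRoleWildcardResourceRule.rb
@@ -208,7 +209,6 @@ files:
  - lib/cfn-nag/custom_rules/IamRoleWildcardActionOnTrustPolicyRule.rb
  - lib/cfn-nag/custom_rules/IamRoleWildcardResourceOnPermissionsPolicyRule.rb
  - lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordResetRule.rb
- - lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
  - lib/cfn-nag/custom_rules/IotPolicyWildcardActionRule.rb
  - lib/cfn-nag/custom_rules/IotPolicyWildcardResourceRule.rb
  - lib/cfn-nag/custom_rules/KMSKeyRotationRule.rb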
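--- a/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/AmazonMQBrokerUserPasswordRule.rb
@@ -1,56 +0,0 @@
- # frozen_string_literal: true
-
- require 'cfn-nag/violation'
- require 'cfn-nag/util/enforce_reference_parameter'
- require 'cfn-nag/util/enforce_string_or_dynamic_reference'
- require_relative 'base'
-
- class AmazonMQBrokerUserPasswordRule < BaseRule
- def rule_text
- 'Amazon MQ Broker resource Users property should exist and its Password property value ' \
- 'should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
- end
-
- def rule_type
- Violation::FAILING_VIOLATION
- end
-
- def rule_id
- 'F52'
- end
-
- def audit_impl(cfn_model)
- brokers = cfn_model.resources_by_type('AWS::AmazonMQ::Broker')
- violating_brokers = brokers.select do |mq_broker|
- violating_users?(cfn_model, mq_broker)
- end
- violating_brokers.map(&:logical_resource_id)
- end
-
- private
-
- def user_has_insecure_password?(cfn_model, user)
- if user.key? 'Password'
- if insecure_parameter?(cfn_model, user['Password'])
- true
- elsif insecure_string_or_dynamic_reference?(cfn_model, user['Password'])
- true
- elsif user['Password'].nil?
- true
- end
- else
- true
- end
- end
-
- def violating_users?(cfn_model, mq_broker)
- if !mq_broker.users.nil?
- violating_users = mq_broker.users.select do |user|
- user_has_insecure_password?(cfn_model, user)
- end
- !violating_users.empty?
- else
- true
- end
- end
- end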
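--- a/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
+++ b/lib/cfn-nag/custom_rules/IamUserLoginProfilePasswordRule.rb
@@ -1,53 +0,0 @@
- # frozen_string_literal: true
-
- require 'cfn-nag/violation'
- require 'cfn-nag/util/enforce_reference_parameter'
- require 'cfn-nag/util/enforce_string_or_dynamic_reference'
- require_relative 'base'
-
- class IamUserLoginProfilePasswordRule < BaseRule
- def rule_text
- 'If the IAM user LoginProile property exists, then its Password value should not ' \
- 'show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.'
- end
-
- def rule_type
- Violation::FAILING_VIOLATION
- end
-
- def rule_id
- 'F51'
- end
-
- def audit_impl(cfn_model)
- resources = cfn_model.resources_by_type('AWS::IAM::User')
- violating_resources = resources.select do |iam_user|
- violating_users?(cfn_model, iam_user)
- end
- violating_resources.map(&:logical_resource_id)
- end
-
- private
-
- def iam_user_has_insecure_password?(cfn_model, login_profile)
- if login_profile.key? 'Password'
- if insecure_parameter?(cfn_model, login_profile['Password'])
- true
- elsif insecure_string_or_dynamic_reference?(cfn_model, login_profile['Password'])
- true
- elsif login_profile['Password'].nil?
- true
- end
- else
- true
- end
- end
-
- def violating_users?(cfn_model, iam_user)
- if !iam_user.loginProfile.nil?
- iam_user_has_insecure_password?(cfn_model, iam_user.loginProfile)
- else
- false
- end
- end
- end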