cfn-nag 0.4.81 → 0.4.82

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9e6837a31b143b76971e5d1e8e05eea193a4441523250ffe216bff89a602e96c
-  data.tar.gz: 16d5cd3e61934871209410a73abad0bbb74f3f0f904a1045d4421d6e5dbcb620
+  metadata.gz: da96aa37c7198a301552e939d2013246b2fe285c36719cb5e3cb44cc5e757ddf
+  data.tar.gz: 4cdca4308db2101e4f7ae1e2403eb4944715912b6403b1e5e21629d392148e5e
 SHA512:
-  metadata.gz: 483cd28851e80710b28484dbf9609130cf63943f4637fcc4ccec6f5d5899c8076b37c7e73ff67cf7f21759e25ccdf04405a87b6fec3f2cd6ea6186478155aece
-  data.tar.gz: 4c72585ffd0f1f914d27986758254a3ba2ec29370430f046ebc4dbf964257418bad93eede2d61af405ea3c6992a01d45957ee8981b3bb99dcf35379a6ddbe8fb
+  metadata.gz: 38e89b36905cb8573192787400cec3f43255637f1a9285bd4a72e63f55bc978bacdff0c59bbb6ce4d0f5fd222319e95076e1fe95153dcfc23527a8a8e6edaf56
+  data.tar.gz: 621c466546551f7157be0a0008205d558f3c61094b066b5375b5186829ef59ce964e61190134217dceaa0a46c810554a60bab935fdfe4edc218c96cdb07df43e

data/lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticLoadBalancerV2ListenerProtocolRule < BaseRule
+  def rule_text
+    'Elastic Load Balancer V2 Listener Protocol should use HTTPS for ALBs'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W56'
+  end
+
+  def audit_impl(cfn_model)
+    violating_listeners = cfn_model.resources_by_type('AWS::ElasticLoadBalancingV2::Listener')
+                                   .select do |listener|
+      listener.protocol == 'HTTP'
+    end
+
+    violating_listeners.map(&:logical_resource_id)
+  end
+end

data/lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticLoadBalancerV2ListenerSslPolicyRule < BaseRule
+  def rule_text
+    'Elastic Load Balancer V2 Listener SslPolicy should use TLS 1.2'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W55'
+  end
+
+  def audit_impl(cfn_model)
+    violating_listeners = cfn_model.resources_by_type('AWS::ElasticLoadBalancingV2::Listener')
+                                   .select do |listener|
+      violating_listeners?(listener)
+    end
+
+    violating_listeners.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violating_listeners?(listener)
+    if %w[HTTPS TLS].include?(listener.protocol)
+      listener.sSLPolicy.nil? ||
+        %w[ELBSecurityPolicy-2016-08 ELBSecurityPolicy-TLS-1-0-2015-04
+           ELBSecurityPolicy-TLS-1-1-2017-01 ELBSecurityPolicy-FS-2018-06
+           ELBSecurityPolicy-FS-1-1-2019-08 ELBSecurityPolicy-2015]
+          .include?(listener.sSLPolicy)
+    else
+      false
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.4.81
+  version: 0.4.82
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-03 00:00:00.000000000 Z
+date: 2020-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -190,6 +190,8 @@ files:
 - lib/cfn-nag/custom_rules/ElastiCacheReplicationGroupTransitEncryptionRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/ElasticLoadBalancerV2AccessLoggingRule.rb
+- lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerProtocolRule.rb
+- lib/cfn-nag/custom_rules/ElasticLoadBalancerV2ListenerSslPolicyRule.rb
 - lib/cfn-nag/custom_rules/ElasticsearchDomainEncryptionAtRestOptionsRule.rb
 - lib/cfn-nag/custom_rules/IAMUserLoginProfilePasswordRule.rb
 - lib/cfn-nag/custom_rules/IamManagedPolicyNotActionRule.rb