cfn-nag 0.5.9 → 0.5.10
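--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 49056f7c35d518daf6ffea04c5bad7627b40252c24d1e59a7ee5daece6e23235
+data.tar.gz: bf127e2ce2d316de7a15731042f882b441f03087207bdc267e7c2fb42ede44b1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 2dd96572fa02263506f8a82cd737ca5d1ce5d14ae17679245952594a74b3a715a45697f744a3eb0a0445191c69c7b520b89e5dc55e4051a8d3f110fefd604e1e
+data.tar.gz: 5b5aaadb45c63d28b28230021edaf1672bad5211a423a6e93d97ebcce68bc2354e222397492f490784a0a112ec7a21c7cb039ce3f695c41c81b56ebabe8ee2d5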
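--- /dev/null
+++ b/lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb
@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class LambdaFunctionCloudWatchLogsRule < BaseRule
+def rule_text
+'Lambda functions require permission to write CloudWatch Logs'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W58'
+end
+
+def audit_impl(cfn_model)
+# Iterate over each Lambda function
+lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
+violating_lambda_functions = lambda_functions.select do |lambda_function|
+# Throw warning if no associated role object
+next lambda_function if lambda_function.role_object.nil?
+
+# Add lambda as violating if meets conditions
+violating_role?(lambda_function.role_object)
+end
+
+violating_lambda_functions.map(&:logical_resource_id)
+end
+
+def managed_policies_include_cw_logs_access?(managed_policies)
+!(managed_policies & ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess',
+'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']
+).empty?
+end
+
+def inline_policies_include_cw_logs_access?(policies)
+policies.select do |policy|
+permissive_statements = policy.policy_document.statements.select do |statement|
+statement.allows_action?('logs:CreateLogGroup') && \
+statement.allows_action?('logs:CreateLogStream') && \
+statement.allows_action?('logs:PutLogEvent')
+end
+!permissive_statements.empty?
+end
+end
+
+def violating_role?(role)
+# Iterate over each policy in role
+permissive_policies = inline_policies_include_cw_logs_access?(role.policy_objects)
+
+# Iterate over each managed policy in role
+permissive_managed_policies = managed_policies_include_cw_logs_access?(role.managedPolicyArns)
+
+# Check if any policies violated
+permissive_policies.empty? && !permissive_managed_policies
+end
+end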
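Review bot: `statement.allows_action?('logs:PutLogEvent')` on line 44 of the new file names an action that does not exist in IAM; the CloudWatch Logs write action is `logs:PutLogEvents`, so a least-privilege inline policy that grants exactly the three documented actions will not satisfy this check and its function will be reported as W58 (unless `allows_action?` in cfn-model does prefix or wildcard matching, which is not visible here). The same method also requires all three actions to sit in one statement, so a role that grants `logs:CreateLogGroup` in one statement and the stream/event actions in another is flagged although its permissions are complete; the rewrite below aggregates across a policy's statements while still returning the array that `violating_role?` calls `.empty?` on. `managed_policies_include_cw_logs_access?` matches only two literal ARNs in the `arn:aws` partition, so templates for `aws-cn`/`aws-us-gov`, or roles using other logging-capable AWS managed policies such as `AWSLambdaVPCAccessExecutionRole`, produce false positives; matching on the policy path/name suffix rather than the full ARN would be more robust. Finally, `inline_policies_include_cw_logs_access?` returns an array despite its `?` suffix while its managed-policy sibling returns a boolean, which is why `violating_role?` mixes `.empty?` and `!`; a name without `?` (or a boolean return) would make the contract clearer.
```ruby
REQUIRED_LOGS_ACTIONS = %w[logs:CreateLogGroup logs:CreateLogStream logs:PutLogEvents].freeze

def inline_policies_include_cw_logs_access?(policies)
  # A policy qualifies when every required action is allowed by at least one
  # of its statements; the actions need not all appear in the same statement.
  policies.select do |policy|
    statements = policy.policy_document.statements
    REQUIRED_LOGS_ACTIONS.all? do |action|
      statements.any? { |statement| statement.allows_action?(action) }
    end
  end
end
```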
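--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.10
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-02-
+date: 2020-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -239,6 +239,7 @@ files:
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
 - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
+- lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb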