cfn-nag 0.5.9 → 0.5.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 661501decc0716404f48b7ae0f32fe15d8dbf83f055f06621e1b141abef79d16
-  data.tar.gz: 1b6bd094f53f2677b2aad5147a36741bf5a992a2a4e3f0e82b6045cdb5f386b3
+  metadata.gz: 49056f7c35d518daf6ffea04c5bad7627b40252c24d1e59a7ee5daece6e23235
+  data.tar.gz: bf127e2ce2d316de7a15731042f882b441f03087207bdc267e7c2fb42ede44b1
 SHA512:
-  metadata.gz: 3804c8c29a12dea262375b7dc2282f3401172c888b578c920710e203efea09c692f46853d2376eff3775700c5b04fe5a1d72a192a094a6f29ba3a22bce6df940
-  data.tar.gz: c563367bcbdaa51b404feb1287fc3db1739f9207012967eaec61fb952b86157733caf2730e6aadd95e6a906934606e897a47315a46102519308f875582ecc29d
+  metadata.gz: 2dd96572fa02263506f8a82cd737ca5d1ce5d14ae17679245952594a74b3a715a45697f744a3eb0a0445191c69c7b520b89e5dc55e4051a8d3f110fefd604e1e
+  data.tar.gz: 5b5aaadb45c63d28b28230021edaf1672bad5211a423a6e93d97ebcce68bc2354e222397492f490784a0a112ec7a21c7cb039ce3f695c41c81b56ebabe8ee2d5

data/lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class LambdaFunctionCloudWatchLogsRule < BaseRule
+  def rule_text
+    'Lambda functions require permission to write CloudWatch Logs'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W58'
+  end
+
+  def audit_impl(cfn_model)
+    # Iterate over each Lambda function
+    lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
+    violating_lambda_functions = lambda_functions.select do |lambda_function|
+      # Throw warning if no associated role object
+      next lambda_function if lambda_function.role_object.nil?
+
+      # Add lambda as violating if meets conditions
+      violating_role?(lambda_function.role_object)
+    end
+
+    violating_lambda_functions.map(&:logical_resource_id)
+  end
+
+  def managed_policies_include_cw_logs_access?(managed_policies)
+    !(managed_policies & ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess',
+                          'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']
+     ).empty?
+  end
+
+  def inline_policies_include_cw_logs_access?(policies)
+    policies.select do |policy|
+      permissive_statements = policy.policy_document.statements.select do |statement|
+        statement.allows_action?('logs:CreateLogGroup') && \
+          statement.allows_action?('logs:CreateLogStream') && \
+          statement.allows_action?('logs:PutLogEvent')
+      end
+      !permissive_statements.empty?
+    end
+  end
+
+  def violating_role?(role)
+    # Iterate over each policy in role
+    permissive_policies = inline_policies_include_cw_logs_access?(role.policy_objects)
+
+    # Iterate over each managed policy in role
+    permissive_managed_policies = managed_policies_include_cw_logs_access?(role.managedPolicyArns)
+
+    # Check if any policies violated
+    permissive_policies.empty? && !permissive_managed_policies
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.9
+  version: 0.5.10
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-21 00:00:00.000000000 Z
+date: 2020-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -239,6 +239,7 @@ files:
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule.rb
 - lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule.rb
 - lib/cfn-nag/custom_rules/KinesisStreamStreamEncryptionRule.rb
+- lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionEventSourceTokenRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionInvokeFunctionActionRule.rb
 - lib/cfn-nag/custom_rules/LambdaPermissionWildcardPrincipalRule.rb