cfn-nag 0.5.28 → 0.5.29
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6c3d6f5ec2ba6ffde6f2cd53128c4daa7549288509bb845f96c7523cbb3336a9
|
|
4
|
+
data.tar.gz: 4be67a19a9e8f59c7ba4e656aa78480a586583f171e7358626ee7ee217241704
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 4fc9edc0e7d726e08af73dc73728fbe8a121531abf7f007f9f26508881ebc15a3acd751c3baa51b05d0eef1af1aae996ee0661b5995e543be7d6150982e76f65
|
|
7
|
+
data.tar.gz: 2ce54994df8076d40a7870b81c9b5ca84d51738ee8b0d6a667402ccdac280aa984c9b116a034945abb5188198587dcc06f5eef16e3b757e8d542bdcf069a5012
|
|
@@ -5,7 +5,8 @@ require_relative 'base'
|
|
|
5
5
|
|
|
6
6
|
class ApiGatewayAccessLoggingRule < BaseRule
|
|
7
7
|
def rule_text
|
|
8
|
-
'ApiGateway should have
|
|
8
|
+
'ApiGateway Deployment resource should have AccessLogSetting property configured when creating an ' \
|
|
9
|
+
'API Stage itself (through specifying the StageName and StageDescription properties).'
|
|
9
10
|
end
|
|
10
11
|
|
|
11
12
|
def rule_type
|
|
@@ -17,10 +18,32 @@ class ApiGatewayAccessLoggingRule < BaseRule
|
|
|
17
18
|
end
|
|
18
19
|
|
|
19
20
|
def audit_impl(cfn_model)
|
|
21
|
+
stage_deployment_ids = stage_deployments_with_logging(cfn_model)
|
|
22
|
+
|
|
20
23
|
violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
|
|
21
|
-
deployment
|
|
24
|
+
violating_deployment?(deployment, stage_deployment_ids)
|
|
22
25
|
end
|
|
23
26
|
|
|
24
27
|
violating_deployments.map(&:logical_resource_id)
|
|
25
28
|
end
|
|
29
|
+
|
|
30
|
+
private
|
|
31
|
+
|
|
32
|
+
def violating_deployment?(deployment, stage_deployment_ids)
|
|
33
|
+
if deployment.stageDescription.nil?
|
|
34
|
+
!stage_deployment_ids.include?(deployment.logical_resource_id)
|
|
35
|
+
else
|
|
36
|
+
deployment.stageDescription['AccessLogSetting'].nil?
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def stage_deployments_with_logging(cfn_model)
|
|
41
|
+
stage_deployment_ids = []
|
|
42
|
+
cfn_model.resources_by_type('AWS::ApiGateway::Stage').each do |stage|
|
|
43
|
+
unless stage.accessLogSetting.nil? && stage.deploymentId.nil?
|
|
44
|
+
stage_deployment_ids.push(References.resolve_resource_id(stage.deploymentId))
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
stage_deployment_ids
|
|
48
|
+
end
|
|
26
49
|
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'cfn-nag/violation'
|
|
4
|
+
require_relative 'base'
|
|
5
|
+
|
|
6
|
+
class ApiGatewayStageAccessLoggingRule < BaseRule
|
|
7
|
+
def rule_text
|
|
8
|
+
'AWS::ApiGateway::Stage should have the AccessLogSetting property defined.'
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def rule_type
|
|
12
|
+
Violation::WARNING
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def rule_id
|
|
16
|
+
'W69'
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def audit_impl(cfn_model)
|
|
20
|
+
violating_api_gateway_stages = cfn_model.resources_by_type('AWS::ApiGateway::Stage').select do |api_stage|
|
|
21
|
+
api_stage.accessLogSetting.nil?
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
violating_api_gateway_stages.map(&:logical_resource_id)
|
|
25
|
+
end
|
|
26
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cfn-nag
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.5.
|
|
4
|
+
version: 0.5.29
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Eric Kascic
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-03-
|
|
11
|
+
date: 2020-03-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rake
|
|
@@ -184,6 +184,7 @@ files:
|
|
|
184
184
|
- lib/cfn-nag/custom_rules/ApiGatewayDeploymentUsagePlanRule.rb
|
|
185
185
|
- lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb
|
|
186
186
|
- lib/cfn-nag/custom_rules/ApiGatewaySecurityPolicyRule.rb
|
|
187
|
+
- lib/cfn-nag/custom_rules/ApiGatewayStageAccessLoggingRule.rb
|
|
187
188
|
- lib/cfn-nag/custom_rules/ApiGatewayStageUsagePlanRule.rb
|
|
188
189
|
- lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb
|
|
189
190
|
- lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb
|