cfn-nag 0.5.28 → 0.5.29

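--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 3c4a52da85cbdeefb7d7283f69fc753bad3123fc3a24794c1b6be64711491f0b
- data.tar.gz: ff67b04edb5444d1c1686ec1db1873cfd0938259f2bebf7c3b8c9a1a38e4ef7e
+ metadata.gz: 6c3d6f5ec2ba6ffde6f2cd53128c4daa7549288509bb845f96c7523cbb3336a9
+ data.tar.gz: 4be67a19a9e8f59c7ba4e656aa78480a586583f171e7358626ee7ee217241704
  SHA512:
- metadata.gz: ee1342976006ea4fddf47a9154961540e5d59160721e28de1ba4b0dcb0743bb177f9fbe15494cd158f403d06c17208649809a2d836d40d5b37d81a8da9c64421
- data.tar.gz: c5bc544b1dc4b8a18c89317395a5ca3fde8e8e081b167cf065bb231055de243fb0d938228edae44528188718075f439ab3a335130172c738e6f947dafda5064f
+ metadata.gz: 4fc9edc0e7d726e08af73dc73728fbe8a121531abf7f007f9f26508881ebc15a3acd751c3baa51b05d0eef1af1aae996ee0661b5995e543be7d6150982e76f65
+ data.tar.gz: 2ce54994df8076d40a7870b81c9b5ca84d51738ee8b0d6a667402ccdac280aa984c9b116a034945abb5188198587dcc06f5eef16e3b757e8d542bdcf069a5012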
@@ -5,7 +5,8 @@ require_relative 'base'
5
5
 
6
6
  class ApiGatewayAccessLoggingRule < BaseRule
7
7
  def rule_text
8
- 'ApiGateway should have access logging configured'
8
+ 'ApiGateway Deployment resource should have AccessLogSetting property configured when creating an ' \
9
+ 'API Stage itself (through specifying the StageName and StageDescription properties).'
9
10
  end
10
11
 
11
12
  def rule_type
@@ -17,10 +18,32 @@ class ApiGatewayAccessLoggingRule < BaseRule
17
18
  end
18
19
 
19
20
  def audit_impl(cfn_model)
21
+ stage_deployment_ids = stage_deployments_with_logging(cfn_model)
22
+
20
23
  violating_deployments = cfn_model.resources_by_type('AWS::ApiGateway::Deployment').select do |deployment|
21
- deployment.stageDescription.nil? || deployment.stageDescription['AccessLogSetting'].nil?
24
+ violating_deployment?(deployment, stage_deployment_ids)
22
25
  end
23
26
 
24
27
  violating_deployments.map(&:logical_resource_id)
25
28
  end
29
+
30
+ private
31
+
32
+ def violating_deployment?(deployment, stage_deployment_ids)
33
+ if deployment.stageDescription.nil?
34
+ !stage_deployment_ids.include?(deployment.logical_resource_id)
35
+ else
36
+ deployment.stageDescription['AccessLogSetting'].nil?
37
+ end
38
+ end
39
+
40
+ def stage_deployments_with_logging(cfn_model)
41
+ stage_deployment_ids = []
42
+ cfn_model.resources_by_type('AWS::ApiGateway::Stage').each do |stage|
43
+ unless stage.accessLogSetting.nil? && stage.deploymentId.nil?
44
+ stage_deployment_ids.push(References.resolve_resource_id(stage.deploymentId))
45
+ end
46
+ end
47
+ stage_deployment_ids
48
+ end
26
49
  end
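Review bot: In `stage_deployments_with_logging`, the guard `unless stage.accessLogSetting.nil? && stage.deploymentId.nil?` skips a Stage only when both values are missing, so a Stage with a `DeploymentId` but no `AccessLogSetting` still puts its deployment on the exempt list. A Stage with logging but no `DeploymentId` also passes `nil` to `References.resolve_resource_id`. Given the method name, the intended condition is presumably `unless stage.accessLogSetting.nil? || stage.deploymentId.nil?`. As written, `violating_deployment?` clears any deployment without a `StageDescription` once some Stage references it, so the missing access logging is reported only if the separate Stage-level rule is enabled and not suppressed. A spec covering a Stage that references the deployment but has no `AccessLogSetting` would pin the expected result.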
@@ -0,0 +1,26 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'base'
5
+
6
+ class ApiGatewayStageAccessLoggingRule < BaseRule
7
+ def rule_text
8
+ 'AWS::ApiGateway::Stage should have the AccessLogSetting property defined.'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::WARNING
13
+ end
14
+
15
+ def rule_id
16
+ 'W69'
17
+ end
18
+
19
+ def audit_impl(cfn_model)
20
+ violating_api_gateway_stages = cfn_model.resources_by_type('AWS::ApiGateway::Stage').select do |api_stage|
21
+ api_stage.accessLogSetting.nil?
22
+ end
23
+
24
+ violating_api_gateway_stages.map(&:logical_resource_id)
25
+ end
26
+ end
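Review bot: `audit_impl` treats any non-nil `accessLogSetting` as compliant, so a Stage that declares an empty `AccessLogSetting`, or one without `DestinationArn`, passes W69 although it probably delivers no access log. If the model exposes the property as a Hash (the Deployment rule indexes `stageDescription` that way), the block could be `api_stage.accessLogSetting.nil? || api_stage.accessLogSetting['DestinationArn'].nil?`; confirm how intrinsic functions are represented before indexing. The class also lacks a comment explaining how W69 relates to the Deployment-level access-logging rule, whose result now depends on Stage resources.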
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: cfn-nag
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.28
4
+ version: 0.5.29
5
5
  platform: ruby
6
6
  authors:
7
7
  - Eric Kascic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-03-17 00:00:00.000000000 Z
11
+ date: 2020-03-18 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rake
@@ -184,6 +184,7 @@ files:
184
184
  - lib/cfn-nag/custom_rules/ApiGatewayDeploymentUsagePlanRule.rb
185
185
  - lib/cfn-nag/custom_rules/ApiGatewayMethodAuthorizationTypeRule.rb
186
186
  - lib/cfn-nag/custom_rules/ApiGatewaySecurityPolicyRule.rb
187
+ - lib/cfn-nag/custom_rules/ApiGatewayStageAccessLoggingRule.rb
187
188
  - lib/cfn-nag/custom_rules/ApiGatewayStageUsagePlanRule.rb
188
189
  - lib/cfn-nag/custom_rules/ApiGatewayV2AccessLoggingRule.rb
189
190
  - lib/cfn-nag/custom_rules/AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule.rb