cfn-nag 0.5.33 → 0.5.34

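--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
- metadata.gz: d26301e0a7300e00b20d5e36cbea860498138a5a6b58b11700de040221820c22
- data.tar.gz: f31fd4913ebade626ac34ff207fffb3d1c2fc3203a24ea08cebd860505156685
+ metadata.gz: e1deb828110ef98e15fcffe2c1f3645fcb35570a40d37b85178361c31e015218
+ data.tar.gz: c721f2801a1d26453df7ade776dcfea8cca18970176dff171e7348a29bb5cc1e
 SHA512:
- metadata.gz: e908b0a203b5722fb5d3131d9d3f27361d14a6bba959a7cd7f00a755d70d472583743c9258e7fe695eda3ee9c107e946e9e1ef5072e2dfa4c34533da1eecf98e
- data.tar.gz: eb0ee9d5cba3dd1eb202d0c5be20c5b1b4a83ca25a6142b208d0898f1c66e69f3b010a493f89da9324e15a9071c264e1099a99d23372823a9bc28ae11477fd8b
+ metadata.gz: e3e088f5addf8a9372ba584f9bcbbe15b89c94419577c9c546e84fa20967107b5da2ded0a6cd4edf5894e65656a084a2aee3d7290499cab1586877049454ca78
+ data.tar.gz: 907006ecef680f5f3d971c4396cf6f5fa58c379f8dd9e6206f70090a69fd3a08f2072916ed51a29f6c0c2ea280c2af831ceec5b9bd069c805dcba73540d77731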
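--- /dev/null
+++ b/lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class CloudfrontMinimumProtocolVersionRule < BaseRule
+def rule_text
+'Cloudfront should use minimum protocol version TLS 1.2'
+end
+
+def rule_type
+Violation::WARNING
+end
+
+def rule_id
+'W70'
+end
+
+def audit_impl(cfn_model)
+violating_distributions = cfn_model.resources_by_type('AWS::CloudFront::Distribution')
+.select do |dist|
+dist.distributionConfig['ViewerCertificate'].nil? || tls_version?(dist.distributionConfig['ViewerCertificate'])
+end
+
+violating_distributions.map(&:logical_resource_id)
+end
+
+private
+
+def tls_version?(viewer_certificate)
+cert_has_bad_tls_version?(viewer_certificate) || override_tls_config?(viewer_certificate)
+end
+
+def cert_has_bad_tls_version?(viewer_certificate)
+viewer_certificate['MinimumProtocolVersion'].nil? || viewer_certificate['MinimumProtocolVersion'] != 'TLSv1.2_2018'
+end
+
+def override_tls_config?(viewer_certificate)
+!viewer_certificate['CloudFrontDefaultCertificate'].nil? && viewer_certificate['CloudFrontDefaultCertificate']
+end
+end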
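Review bot: The exact comparison against `'TLSv1.2_2018'` in `cert_has_bad_tls_version?` reports a violation for `MinimumProtocolVersion: TLSv1.2_2019`, which also enforces a TLS 1.2 minimum and is exactly what the rule text promises to check, so the stricter policy becomes a false positive. A prefix test keeps the intent and covers later TLSv1.2 policies as well: `!viewer_certificate['MinimumProtocolVersion'].to_s.start_with?('TLSv1.2_')` (the `.nil?` clause was already redundant, since `nil != 'TLSv1.2_2018'` holds). Separately, `override_tls_config?` returns the raw attribute value, so a template that spells `CloudFrontDefaultCertificate` as the string `'false'` or as an intrinsic would be flagged; whether cfn_model has already coerced it to a boolean is not visible in this hunk. The name `tls_version?` reads as a neutral query although it answers "is this ViewerCertificate non-compliant"; a name such as `insecure_tls_config?` would make the `select` in `audit_impl` read correctly.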
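--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
- version: 0.5.33
+ version: 0.5.34
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
- date: 2020-03-27 00:00:00.000000000 Z
+ date: 2020-04-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -191,6 +191,7 @@ files:
 - lib/cfn-nag/custom_rules/BatchJobDefinitionContainerPropertiesPrivilegedRule.rb
 - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
+ - lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb
 - lib/cfn-nag/custom_rules/CodeBuildEncryptionKeyRule.rb
 - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
 - lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb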