cfn-nag 0.5.51 → 0.5.52
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/EbsVolumeEncryptionKeyRule.rb +8 -9
- data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb +26 -0
- data/lib/cfn-nag/custom_rules/SnsTopicKmsMasterKeyIdRule.rb +8 -8
- data/lib/cfn-nag/custom_rules/SqsQueueKmsMasterKeyIdRule.rb +8 -8
- data/lib/cfn-nag/custom_rules/boolean_base_rule.rb +7 -1
- metadata +3 -2
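--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f4b9eb45747f5ec1deca9253cad20da6dcbf0c91ae6187047b1b45c26ca81249
+data.tar.gz: 9a858a259cfaed6b69ffe9822e6c4d8e76bd6dafd595c0e04adea3103d7ed314
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ae8d208114433bcb943ef8fe83317357bbb2a4cf32aab10a913d57aeb629190e50192636caf456bb77e8e2e02c73e458e432538024390d0a92f53a3d52f0928f
+data.tar.gz: 91dc43d9c713a04404422dda8bc7005c9a808e1f21a89389012d05a2ea90c1c70f823946f04488d48417e611b81f6cd84408f56c4ca351f16cd9768d239bf0ba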
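--- a/data/lib/cfn-nag/custom_rules/EbsVolumeEncryptionKeyRule.rb
+++ b/data/lib/cfn-nag/custom_rules/EbsVolumeEncryptionKeyRule.rb
@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require_relative '
+require_relative 'boolean_base_rule'
 
-class EbsVolumeEncryptionKeyRule <
+class EbsVolumeEncryptionKeyRule < BooleanBaseRule
 def rule_text
 'EBS Volume should specify a KmsKeyId value'
 end
 
+def resource_type
+'AWS::EC2::Volume'
+end
+
 def rule_type
 Violation::WARNING
 end
@@ -16,12 +20,7 @@ class EbsVolumeEncryptionKeyRule < BaseRule
 'W37'
 end
 
-def
-
-.select do |volume|
-volume.kmsKeyId.nil? || volume.kmsKeyId == { 'Ref' => 'AWS::NoValue' }
-end
-
-violating_volumes.map(&:logical_resource_id)
+def boolean_property
+:kmsKeyId
 end
 end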
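Review bot: `resource_type` is inserted between `rule_text` and `rule_type` here (and likewise in the SNS and SQS hunks), whereas the new `SecretsManagerSecretKmsKeyIdRule` in this same release places it after `rule_id`, so the four `BooleanBaseRule` subclasses now read in two different layouts. Pick one order — `rule_text`, `rule_type`, `rule_id`, `resource_type`, `boolean_property` is what the new file uses — so the overridden hooks can be compared across rules at a glance. Separately, the removed body tested `volume.kmsKeyId.nil?` and the literal `{ 'Ref' => 'AWS::NoValue' }`, while the migrated rule delegates to the base class, whose hook name suggests a boolean even though `KmsKeyId` is a key id, ARN or `Ref`/`GetAtt` hash. A one-line comment on the hook would keep that from misleading the next rule author: `# Not a boolean: a key id/ARN or a Ref/GetAtt hash; BooleanBaseRule flags absence, a false value or the AWS::NoValue placeholder (see its header comment).`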
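--- /dev/null
+++ b/data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'boolean_base_rule'
+
+class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
+def rule_text
+'Secrets Manager Secret should explicitly specify KmsKeyId'
+end
+
+def rule_type
+Violation::FAILING_VIOLATION
+end
+
+def rule_id
+'F81'
+end
+
+def resource_type
+'AWS::SecretsManager::Secret'
+end
+
+def boolean_property
+:kmsKeyId
+end
+end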
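Review bot: `SecretsManagerSecretKmsKeyIdRule` is graded `Violation::FAILING_VIOLATION` (F81) while the three sibling KMS-key rules migrated in this release (W37, W47, W48) stay at `Violation::WARNING`, and the class carries no comment explaining the stricter severity. A secret whose `KmsKeyId` is omitted is still encrypted by Secrets Manager under the service's AWS-managed key, so the failing grade expresses a customer-managed-key policy rather than a missing-encryption finding, and that rationale belongs on the class so users reading the finding know what to fix. Suggested header comment above the class: `# F81: Secrets Manager falls back to the AWS-managed key when KmsKeyId is omitted; this rule fails the template to require an explicitly chosen (customer-managed) key.` Since `BooleanBaseRule` treats a false value and `{ 'Ref' => 'AWS::NoValue' }` the same as absence, the comment should say so, as `rule_text` only mentions "explicitly specify".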
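--- a/data/lib/cfn-nag/custom_rules/SnsTopicKmsMasterKeyIdRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SnsTopicKmsMasterKeyIdRule.rb
@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require_relative '
+require_relative 'boolean_base_rule'
 
-class SnsTopicKmsMasterKeyIdRule <
+class SnsTopicKmsMasterKeyIdRule < BooleanBaseRule
 def rule_text
 'SNS Topic should specify KmsMasterKeyId property'
 end
 
+def resource_type
+'AWS::SNS::Topic'
+end
+
 def rule_type
 Violation::WARNING
 end
@@ -16,11 +20,7 @@ class SnsTopicKmsMasterKeyIdRule < BaseRule
 'W47'
 end
 
-def
-
-topic.kmsMasterKeyId.nil?
-end
-
-violating_sns_topics.map(&:logical_resource_id)
+def boolean_property
+:kmsMasterKeyId
 end
 end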
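Review bot: W47's condition is widened by this migration without anything on the page recording it: the removed body flagged only `topic.kmsMasterKeyId.nil?`, while `BooleanBaseRule` (its hunk is further down) also flags a false value and the `{ 'Ref' => 'AWS::NoValue' }` placeholder, so a template that passed W47 with `KmsMasterKeyId: !Ref AWS::NoValue` now fails; the SQS hunk (W48) has the same widening. The tightening is sensible — a conditional NoValue is an unencrypted topic in that branch — but `rule_text` is unchanged and the class has no comment, so users will see new findings after upgrading with no explanation. Suggest a one-line note on the hook: `# Absence, a false value, or Ref AWS::NoValue all count as "not specified" (BooleanBaseRule)`. If the widening was intended, a release-note entry for W47 and W48 would make the new findings traceable to this version.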
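--- a/data/lib/cfn-nag/custom_rules/SqsQueueKmsMasterKeyIdRule.rb
+++ b/data/lib/cfn-nag/custom_rules/SqsQueueKmsMasterKeyIdRule.rb
@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require_relative '
+require_relative 'boolean_base_rule'
 
-class SqsQueueKmsMasterKeyIdRule <
+class SqsQueueKmsMasterKeyIdRule < BooleanBaseRule
 def rule_text
 'SQS Queue should specify KmsMasterKeyId property'
 end
 
+def resource_type
+'AWS::SQS::Queue'
+end
+
 def rule_type
 Violation::WARNING
 end
@@ -16,11 +20,7 @@ class SqsQueueKmsMasterKeyIdRule < BaseRule
 'W48'
 end
 
-def
-
-sqs_queue.kmsMasterKeyId.nil?
-end
-
-violating_sqs_queues.map(&:logical_resource_id)
+def boolean_property
+:kmsMasterKeyId
 end
 end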
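--- a/data/lib/cfn-nag/custom_rules/boolean_base_rule.rb
+++ b/data/lib/cfn-nag/custom_rules/boolean_base_rule.rb
@@ -4,6 +4,11 @@ require 'cfn-nag/violation'
 require_relative 'base'
 require 'cfn-nag/util/truthy.rb'
 
+##
+# Derive from this rule to ensure that a resource
+# always has a given property declared, and if it does, it's not set to false
+# this does double duty for existence and being boolean/not false... strictly speaking
+# it could be broken out but it does work this way
 class BooleanBaseRule < BaseRule
 def resource_type
 raise 'must implement in subclass'
@@ -17,7 +22,8 @@ class BooleanBaseRule < BaseRule
 resources = cfn_model.resources_by_type(resource_type)
 
 violating_resources = resources.select do |resource|
-
+boolean_property_value = resource.send(boolean_property)
+not_truthy?(boolean_property_value) || boolean_property_value == { 'Ref' => 'AWS::NoValue' }
 end
 
 violating_resources.map(&:logical_resource_id)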
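Review bot: The verdict of the new `select` block now rests on how `not_truthy?` (from `cfn-nag/util/truthy.rb`, outside this hunk) classifies the non-boolean values the four KMS rules in this release feed it — a key id or ARN string, or a `Ref`/`Fn::GetAtt` hash — and nothing in the hunk pins that contract down. If `not_truthy?` means "nil or a false-like value" the check is right; if it means "anything other than a true-like value", every resource with a real key becomes a false positive, so a comment stating the assumption above the block is worth adding: `# Violation when the property is absent, false-like, or the AWS::NoValue placeholder; any other value (key id string or intrinsic) is accepted as-is.` Note also that only the literal `{ 'Ref' => 'AWS::NoValue' }` form is matched, so a value built with `Fn::If` whose false branch is `AWS::NoValue` is not recognised — a detection gap worth recording next to that comparison. `resource.public_send(boolean_property)` would make explicit that the hook names a public reader. The enclosing method begins before this hunk.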
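--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.52
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-
+date: 2020-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -297,6 +297,7 @@ files:
 - lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
 - lib/cfn-nag/custom_rules/SageMakerEndpointConfigKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SageMakerNotebookInstanceKmsKeyIdRule.rb
+- lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb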