cfn-nag 0.5.51 → 0.5.52

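--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e7c09b60d23d5ce8c90dc3ed80503e13ec37e7bb2abfaa4f097a03c8fbe89efc
- data.tar.gz: d4e9653b007f3217bc08b4ece398547fdbe8043fa80d8e34fa63b211cb682cc1
+ metadata.gz: f4b9eb45747f5ec1deca9253cad20da6dcbf0c91ae6187047b1b45c26ca81249
+ data.tar.gz: 9a858a259cfaed6b69ffe9822e6c4d8e76bd6dafd595c0e04adea3103d7ed314
  SHA512:
- metadata.gz: 7a9eb038bdbdb39be10a2a7e1ce0b74b8e6686a89cce19440b6e7ea3aa2142b1e2e1f3da85978e2971929d0f3c874c3eae4fbad16ebda1870fb7d0e209ff6a4b
- data.tar.gz: 436b1125a82cc2f5631039f3694619e78a205cc2f127602ecf87e63c219d9e80998b38fd5b81b75d377f8575d0ae61bc78d79a1fbdfaedf324a5e3ab974adfc6
+ metadata.gz: ae8d208114433bcb943ef8fe83317357bbb2a4cf32aab10a913d57aeb629190e50192636caf456bb77e8e2e02c73e458e432538024390d0a92f53a3d52f0928f
+ data.tar.gz: 91dc43d9c713a04404422dda8bc7005c9a808e1f21a89389012d05a2ea90c1c70f823946f04488d48417e611b81f6cd84408f56c4ca351f16cd9768d239bf0ba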
@@ -1,13 +1,17 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require_relative 'base'
4
+ require_relative 'boolean_base_rule'
5
5
 
6
- class EbsVolumeEncryptionKeyRule < BaseRule
6
+ class EbsVolumeEncryptionKeyRule < BooleanBaseRule
7
7
  def rule_text
8
8
  'EBS Volume should specify a KmsKeyId value'
9
9
  end
10
10
 
11
+ def resource_type
12
+ 'AWS::EC2::Volume'
13
+ end
14
+
11
15
  def rule_type
12
16
  Violation::WARNING
13
17
  end
@@ -16,12 +20,7 @@ class EbsVolumeEncryptionKeyRule < BaseRule
16
20
  'W37'
17
21
  end
18
22
 
19
- def audit_impl(cfn_model)
20
- violating_volumes = cfn_model.resources_by_type('AWS::EC2::Volume')
21
- .select do |volume|
22
- volume.kmsKeyId.nil? || volume.kmsKeyId == { 'Ref' => 'AWS::NoValue' }
23
- end
24
-
25
- violating_volumes.map(&:logical_resource_id)
23
+ def boolean_property
24
+ :kmsKeyId
26
25
  end
27
26
  end
@@ -0,0 +1,26 @@
1
+ # frozen_string_literal: true
2
+
3
+ require 'cfn-nag/violation'
4
+ require_relative 'boolean_base_rule'
5
+
6
+ class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
7
+ def rule_text
8
+ 'Secrets Manager Secret should explicitly specify KmsKeyId'
9
+ end
10
+
11
+ def rule_type
12
+ Violation::FAILING_VIOLATION
13
+ end
14
+
15
+ def rule_id
16
+ 'F81'
17
+ end
18
+
19
+ def resource_type
20
+ 'AWS::SecretsManager::Secret'
21
+ end
22
+
23
+ def boolean_property
24
+ :kmsKeyId
25
+ end
26
+ end
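Review bot: `rule_type` returns `Violation::FAILING_VIOLATION` for a secret without KmsKeyId, whereas the structurally identical KmsKeyId/KmsMasterKeyId rules touched in this release (W37, W47, W48) return `Violation::WARNING`; unless a missing key on a secret is deliberately rated more severe, WARNING keeps the severity model consistent across the KMS rules. Secrets Manager encrypts every secret and falls back to the AWS managed key when KmsKeyId is omitted, so this finding is about using a customer managed key (key-policy control, cross-account access) rather than about plaintext storage, and making that explicit in `rule_text`, e.g. `'Secrets Manager Secret should explicitly specify KmsKeyId (otherwise the AWS managed key is used)'`, helps users triage F81. The class also has no header comment; a one-line `# F81: reports AWS::SecretsManager::Secret resources whose KmsKeyId is absent, not truthy, or { Ref: AWS::NoValue }` would document the contract inherited from BooleanBaseRule.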
@@ -1,13 +1,17 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require_relative 'base'
4
+ require_relative 'boolean_base_rule'
5
5
 
6
- class SnsTopicKmsMasterKeyIdRule < BaseRule
6
+ class SnsTopicKmsMasterKeyIdRule < BooleanBaseRule
7
7
  def rule_text
8
8
  'SNS Topic should specify KmsMasterKeyId property'
9
9
  end
10
10
 
11
+ def resource_type
12
+ 'AWS::SNS::Topic'
13
+ end
14
+
11
15
  def rule_type
12
16
  Violation::WARNING
13
17
  end
@@ -16,11 +20,7 @@ class SnsTopicKmsMasterKeyIdRule < BaseRule
16
20
  'W47'
17
21
  end
18
22
 
19
- def audit_impl(cfn_model)
20
- violating_sns_topics = cfn_model.resources_by_type('AWS::SNS::Topic').select do |topic|
21
- topic.kmsMasterKeyId.nil?
22
- end
23
-
24
- violating_sns_topics.map(&:logical_resource_id)
23
+ def boolean_property
24
+ :kmsMasterKeyId
25
25
  end
26
26
  end
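Review bot: Replacing `audit_impl` with the BooleanBaseRule contract widens W47 from the old plain `topic.kmsMasterKeyId.nil?` test to `not_truthy?` plus the `{ 'Ref' => 'AWS::NoValue' }` comparison, so topics whose KmsMasterKeyId is an explicit NoValue, or any other value `not_truthy?` rejects, are now reported where they previously passed; the SqsQueueKmsMasterKeyIdRule hunk (W48) makes the same change. That is presumably the intent, but it is a behaviour change that nothing in either file records, and `truthy.rb` is not on this page so the exact set of values `not_truthy?` rejects cannot be confirmed here. A short comment above the class, e.g. `# W47: reports topics whose KmsMasterKeyId is missing, not truthy, or { Ref: AWS::NoValue } (see BooleanBaseRule)`, would make the new contract visible to the next reader.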
@@ -1,13 +1,17 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'cfn-nag/violation'
4
- require_relative 'base'
4
+ require_relative 'boolean_base_rule'
5
5
 
6
- class SqsQueueKmsMasterKeyIdRule < BaseRule
6
+ class SqsQueueKmsMasterKeyIdRule < BooleanBaseRule
7
7
  def rule_text
8
8
  'SQS Queue should specify KmsMasterKeyId property'
9
9
  end
10
10
 
11
+ def resource_type
12
+ 'AWS::SQS::Queue'
13
+ end
14
+
11
15
  def rule_type
12
16
  Violation::WARNING
13
17
  end
@@ -16,11 +20,7 @@ class SqsQueueKmsMasterKeyIdRule < BaseRule
16
20
  'W48'
17
21
  end
18
22
 
19
- def audit_impl(cfn_model)
20
- violating_sqs_queues = cfn_model.resources_by_type('AWS::SQS::Queue').select do |sqs_queue|
21
- sqs_queue.kmsMasterKeyId.nil?
22
- end
23
-
24
- violating_sqs_queues.map(&:logical_resource_id)
23
+ def boolean_property
24
+ :kmsMasterKeyId
25
25
  end
26
26
  end
@@ -4,6 +4,11 @@ require 'cfn-nag/violation'
4
4
  require_relative 'base'
5
5
  require 'cfn-nag/util/truthy.rb'
6
6
 
7
+ ##
8
+ # Derive from this rule to ensure that a resource
9
+ # always has a given property declared, and if it does, it's not set to false
10
+ # this does double duty for existence and being boolean/not false... strictly speaking
11
+ # it could be broken out but it does work this way
7
12
  class BooleanBaseRule < BaseRule
8
13
  def resource_type
9
14
  raise 'must implement in subclass'
@@ -17,7 +22,8 @@ class BooleanBaseRule < BaseRule
17
22
  resources = cfn_model.resources_by_type(resource_type)
18
23
 
19
24
  violating_resources = resources.select do |resource|
20
- not_truthy?(resource.send(boolean_property))
25
+ boolean_property_value = resource.send(boolean_property)
26
+ not_truthy?(boolean_property_value) || boolean_property_value == { 'Ref' => 'AWS::NoValue' }
21
27
  end
22
28
 
23
29
  violating_resources.map(&:logical_resource_id)
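Review bot: The header comment added at the top of the file describes the existence and not-false checks but not the `{ 'Ref' => 'AWS::NoValue' }` comparison that the same commit adds inside `audit_impl`, so the documentation is already out of step with the code; appending `# ...or set to { 'Ref' => 'AWS::NoValue' }, which CloudFormation treats as an omitted property` to that comment would close the gap. `audit_impl` itself begins above the second hunk. Two smaller points on the new select block: the NoValue hash literal is allocated on every resource visited and would read better as a frozen class-level constant, `NO_VALUE_REF = { 'Ref' => 'AWS::NoValue' }.freeze`, compared with `boolean_property_value == NO_VALUE_REF`; and `resource.send(boolean_property)` can be `resource.public_send(boolean_property)`, since the property accessor is presumably part of the model object's public interface and there is no reason for the subclass-supplied symbol to reach private methods.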
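--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
  --- !ruby/object:Gem::Specification
  name: cfn-nag
  version: !ruby/object:Gem::Version
- version: 0.5.51
+ version: 0.5.52
  platform: ruby
  authors:
  - Eric Kascic
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2020-04-28 00:00:00.000000000 Z
+ date: 2020-04-29 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: rake
@@ -297,6 +297,7 @@ files:
  - lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
  - lib/cfn-nag/custom_rules/SageMakerEndpointConfigKmsKeyIdRule.rb
  - lib/cfn-nag/custom_rules/SageMakerNotebookInstanceKmsKeyIdRule.rb
+ - lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
  - lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
  - lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
  - lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb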