cfn-nag 0.5.51 → 0.5.52

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e7c09b60d23d5ce8c90dc3ed80503e13ec37e7bb2abfaa4f097a03c8fbe89efc
-  data.tar.gz: d4e9653b007f3217bc08b4ece398547fdbe8043fa80d8e34fa63b211cb682cc1
+  metadata.gz: f4b9eb45747f5ec1deca9253cad20da6dcbf0c91ae6187047b1b45c26ca81249
+  data.tar.gz: 9a858a259cfaed6b69ffe9822e6c4d8e76bd6dafd595c0e04adea3103d7ed314
 SHA512:
-  metadata.gz: 7a9eb038bdbdb39be10a2a7e1ce0b74b8e6686a89cce19440b6e7ea3aa2142b1e2e1f3da85978e2971929d0f3c874c3eae4fbad16ebda1870fb7d0e209ff6a4b
-  data.tar.gz: 436b1125a82cc2f5631039f3694619e78a205cc2f127602ecf87e63c219d9e80998b38fd5b81b75d377f8575d0ae61bc78d79a1fbdfaedf324a5e3ab974adfc6
+  metadata.gz: ae8d208114433bcb943ef8fe83317357bbb2a4cf32aab10a913d57aeb629190e50192636caf456bb77e8e2e02c73e458e432538024390d0a92f53a3d52f0928f
+  data.tar.gz: 91dc43d9c713a04404422dda8bc7005c9a808e1f21a89389012d05a2ea90c1c70f823946f04488d48417e611b81f6cd84408f56c4ca351f16cd9768d239bf0ba

data/lib/cfn-nag/custom_rules/EbsVolumeEncryptionKeyRule.rb

@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require_relative 'base'
+require_relative 'boolean_base_rule'
 
-class EbsVolumeEncryptionKeyRule < BaseRule
+class EbsVolumeEncryptionKeyRule < BooleanBaseRule
   def rule_text
     'EBS Volume should specify a KmsKeyId value'
   end
 
+  def resource_type
+    'AWS::EC2::Volume'
+  end
+
   def rule_type
     Violation::WARNING
   end
@@ -16,12 +20,7 @@ class EbsVolumeEncryptionKeyRule < BaseRule
     'W37'
   end
 
-  def audit_impl(cfn_model)
-    violating_volumes = cfn_model.resources_by_type('AWS::EC2::Volume')
-                                 .select do |volume|
-      volume.kmsKeyId.nil? || volume.kmsKeyId == { 'Ref' => 'AWS::NoValue' }
-    end
-
-    violating_volumes.map(&:logical_resource_id)
+  def boolean_property
+    :kmsKeyId
   end
 end

data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'boolean_base_rule'
+
+class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
+  def rule_text
+    'Secrets Manager Secret should explicitly specify KmsKeyId'
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F81'
+  end
+
+  def resource_type
+    'AWS::SecretsManager::Secret'
+  end
+
+  def boolean_property
+    :kmsKeyId
+  end
+end

data/lib/cfn-nag/custom_rules/SnsTopicKmsMasterKeyIdRule.rb

@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require_relative 'base'
+require_relative 'boolean_base_rule'
 
-class SnsTopicKmsMasterKeyIdRule < BaseRule
+class SnsTopicKmsMasterKeyIdRule < BooleanBaseRule
   def rule_text
     'SNS Topic should specify KmsMasterKeyId property'
   end
 
+  def resource_type
+    'AWS::SNS::Topic'
+  end
+
   def rule_type
     Violation::WARNING
   end
@@ -16,11 +20,7 @@ class SnsTopicKmsMasterKeyIdRule < BaseRule
     'W47'
   end
 
-  def audit_impl(cfn_model)
-    violating_sns_topics = cfn_model.resources_by_type('AWS::SNS::Topic').select do |topic|
-      topic.kmsMasterKeyId.nil?
-    end
-
-    violating_sns_topics.map(&:logical_resource_id)
+  def boolean_property
+    :kmsMasterKeyId
   end
 end

data/lib/cfn-nag/custom_rules/SqsQueueKmsMasterKeyIdRule.rb

@@ -1,13 +1,17 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/violation'
-require_relative 'base'
+require_relative 'boolean_base_rule'
 
-class SqsQueueKmsMasterKeyIdRule < BaseRule
+class SqsQueueKmsMasterKeyIdRule < BooleanBaseRule
   def rule_text
     'SQS Queue should specify KmsMasterKeyId property'
   end
 
+  def resource_type
+    'AWS::SQS::Queue'
+  end
+
   def rule_type
     Violation::WARNING
   end
@@ -16,11 +20,7 @@ class SqsQueueKmsMasterKeyIdRule < BaseRule
     'W48'
   end
 
-  def audit_impl(cfn_model)
-    violating_sqs_queues = cfn_model.resources_by_type('AWS::SQS::Queue').select do |sqs_queue|
-      sqs_queue.kmsMasterKeyId.nil?
-    end
-
-    violating_sqs_queues.map(&:logical_resource_id)
+  def boolean_property
+    :kmsMasterKeyId
   end
 end

data/lib/cfn-nag/custom_rules/boolean_base_rule.rb

@@ -4,6 +4,11 @@ require 'cfn-nag/violation'
 require_relative 'base'
 require 'cfn-nag/util/truthy.rb'
 
+##
+# Derive from this rule to ensure that a resource
+# always has a given property declared, and if it does, it's not set to false
+# this does double duty for existence and being boolean/not false... strictly speaking
+# it could be broken out but it does work this way
 class BooleanBaseRule < BaseRule
   def resource_type
     raise 'must implement in subclass'
@@ -17,7 +22,8 @@ class BooleanBaseRule < BaseRule
     resources = cfn_model.resources_by_type(resource_type)
 
     violating_resources = resources.select do |resource|
-      not_truthy?(resource.send(boolean_property))
+      boolean_property_value = resource.send(boolean_property)
+      not_truthy?(boolean_property_value) || boolean_property_value == { 'Ref' => 'AWS::NoValue' }
     end
 
     violating_resources.map(&:logical_resource_id)

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.51
+  version: 0.5.52
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-04-28 00:00:00.000000000 Z
+date: 2020-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -297,6 +297,7 @@ files:
 - lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
 - lib/cfn-nag/custom_rules/SageMakerEndpointConfigKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SageMakerNotebookInstanceKmsKeyIdRule.rb
+- lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb