cfn-nag 0.5.51 → 0.5.52
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/EbsVolumeEncryptionKeyRule.rb +8 -9
- data/lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb +26 -0
- data/lib/cfn-nag/custom_rules/SnsTopicKmsMasterKeyIdRule.rb +8 -8
- data/lib/cfn-nag/custom_rules/SqsQueueKmsMasterKeyIdRule.rb +8 -8
- data/lib/cfn-nag/custom_rules/boolean_base_rule.rb +7 -1
- metadata +3 -2
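--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f4b9eb45747f5ec1deca9253cad20da6dcbf0c91ae6187047b1b45c26ca81249
+data.tar.gz: 9a858a259cfaed6b69ffe9822e6c4d8e76bd6dafd595c0e04adea3103d7ed314
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: ae8d208114433bcb943ef8fe83317357bbb2a4cf32aab10a913d57aeb629190e50192636caf456bb77e8e2e02c73e458e432538024390d0a92f53a3d52f0928f
+data.tar.gz: 91dc43d9c713a04404422dda8bc7005c9a808e1f21a89389012d05a2ea90c1c70f823946f04488d48417e611b81f6cd84408f56c4ca351f16cd9768d239bf0ba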
@@ -1,13 +1,17 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require 'cfn-nag/violation'
|
4
|
-
require_relative '
|
4
|
+
require_relative 'boolean_base_rule'
|
5
5
|
|
6
|
-
class EbsVolumeEncryptionKeyRule <
|
6
|
+
class EbsVolumeEncryptionKeyRule < BooleanBaseRule
|
7
7
|
def rule_text
|
8
8
|
'EBS Volume should specify a KmsKeyId value'
|
9
9
|
end
|
10
10
|
|
11
|
+
def resource_type
|
12
|
+
'AWS::EC2::Volume'
|
13
|
+
end
|
14
|
+
|
11
15
|
def rule_type
|
12
16
|
Violation::WARNING
|
13
17
|
end
|
@@ -16,12 +20,7 @@ class EbsVolumeEncryptionKeyRule < BaseRule
|
|
16
20
|
'W37'
|
17
21
|
end
|
18
22
|
|
19
|
-
def
|
20
|
-
|
21
|
-
.select do |volume|
|
22
|
-
volume.kmsKeyId.nil? || volume.kmsKeyId == { 'Ref' => 'AWS::NoValue' }
|
23
|
-
end
|
24
|
-
|
25
|
-
violating_volumes.map(&:logical_resource_id)
|
23
|
+
def boolean_property
|
24
|
+
:kmsKeyId
|
26
25
|
end
|
27
26
|
end
|
@@ -0,0 +1,26 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require 'cfn-nag/violation'
|
4
|
+
require_relative 'boolean_base_rule'
|
5
|
+
|
6
|
+
class SecretsManagerSecretKmsKeyIdRule < BooleanBaseRule
|
7
|
+
def rule_text
|
8
|
+
'Secrets Manager Secret should explicitly specify KmsKeyId'
|
9
|
+
end
|
10
|
+
|
11
|
+
def rule_type
|
12
|
+
Violation::FAILING_VIOLATION
|
13
|
+
end
|
14
|
+
|
15
|
+
def rule_id
|
16
|
+
'F81'
|
17
|
+
end
|
18
|
+
|
19
|
+
def resource_type
|
20
|
+
'AWS::SecretsManager::Secret'
|
21
|
+
end
|
22
|
+
|
23
|
+
def boolean_property
|
24
|
+
:kmsKeyId
|
25
|
+
end
|
26
|
+
end
|
@@ -1,13 +1,17 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require 'cfn-nag/violation'
|
4
|
-
require_relative '
|
4
|
+
require_relative 'boolean_base_rule'
|
5
5
|
|
6
|
-
class SnsTopicKmsMasterKeyIdRule <
|
6
|
+
class SnsTopicKmsMasterKeyIdRule < BooleanBaseRule
|
7
7
|
def rule_text
|
8
8
|
'SNS Topic should specify KmsMasterKeyId property'
|
9
9
|
end
|
10
10
|
|
11
|
+
def resource_type
|
12
|
+
'AWS::SNS::Topic'
|
13
|
+
end
|
14
|
+
|
11
15
|
def rule_type
|
12
16
|
Violation::WARNING
|
13
17
|
end
|
@@ -16,11 +20,7 @@ class SnsTopicKmsMasterKeyIdRule < BaseRule
|
|
16
20
|
'W47'
|
17
21
|
end
|
18
22
|
|
19
|
-
def
|
20
|
-
|
21
|
-
topic.kmsMasterKeyId.nil?
|
22
|
-
end
|
23
|
-
|
24
|
-
violating_sns_topics.map(&:logical_resource_id)
|
23
|
+
def boolean_property
|
24
|
+
:kmsMasterKeyId
|
25
25
|
end
|
26
26
|
end
|
@@ -1,13 +1,17 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
3
|
require 'cfn-nag/violation'
|
4
|
-
require_relative '
|
4
|
+
require_relative 'boolean_base_rule'
|
5
5
|
|
6
|
-
class SqsQueueKmsMasterKeyIdRule <
|
6
|
+
class SqsQueueKmsMasterKeyIdRule < BooleanBaseRule
|
7
7
|
def rule_text
|
8
8
|
'SQS Queue should specify KmsMasterKeyId property'
|
9
9
|
end
|
10
10
|
|
11
|
+
def resource_type
|
12
|
+
'AWS::SQS::Queue'
|
13
|
+
end
|
14
|
+
|
11
15
|
def rule_type
|
12
16
|
Violation::WARNING
|
13
17
|
end
|
@@ -16,11 +20,7 @@ class SqsQueueKmsMasterKeyIdRule < BaseRule
|
|
16
20
|
'W48'
|
17
21
|
end
|
18
22
|
|
19
|
-
def
|
20
|
-
|
21
|
-
sqs_queue.kmsMasterKeyId.nil?
|
22
|
-
end
|
23
|
-
|
24
|
-
violating_sqs_queues.map(&:logical_resource_id)
|
23
|
+
def boolean_property
|
24
|
+
:kmsMasterKeyId
|
25
25
|
end
|
26
26
|
end
|
@@ -4,6 +4,11 @@ require 'cfn-nag/violation'
|
|
4
4
|
require_relative 'base'
|
5
5
|
require 'cfn-nag/util/truthy.rb'
|
6
6
|
|
7
|
+
##
|
8
|
+
# Derive from this rule to ensure that a resource
|
9
|
+
# always has a given property declared, and if it does, it's not set to false
|
10
|
+
# this does double duty for existence and being boolean/not false... strictly speaking
|
11
|
+
# it could be broken out but it does work this way
|
7
12
|
class BooleanBaseRule < BaseRule
|
8
13
|
def resource_type
|
9
14
|
raise 'must implement in subclass'
|
@@ -17,7 +22,8 @@ class BooleanBaseRule < BaseRule
|
|
17
22
|
resources = cfn_model.resources_by_type(resource_type)
|
18
23
|
|
19
24
|
violating_resources = resources.select do |resource|
|
20
|
-
|
25
|
+
boolean_property_value = resource.send(boolean_property)
|
26
|
+
not_truthy?(boolean_property_value) || boolean_property_value == { 'Ref' => 'AWS::NoValue' }
|
21
27
|
end
|
22
28
|
|
23
29
|
violating_resources.map(&:logical_resource_id)
|
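--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-version: 0.5.
+version: 0.5.52
 platform: ruby
 authors:
 - Eric Kascic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-04-
+date: 2020-04-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: rake
@@ -297,6 +297,7 @@ files:
 - lib/cfn-nag/custom_rules/S3BucketPublicReadWriteAclRule.rb
 - lib/cfn-nag/custom_rules/SageMakerEndpointConfigKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SageMakerNotebookInstanceKmsKeyIdRule.rb
+- lib/cfn-nag/custom_rules/SecretsManagerSecretKmsKeyIdRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressAllProtocolsRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressOpenToWorldRule.rb
 - lib/cfn-nag/custom_rules/SecurityGroupEgressPortRangeRule.rb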