cfn-nag 0.5.7 → 0.5.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ae234544b790a090d593ea456cb8a876a1442d22963ed34d01ab2fbab39eba7
-  data.tar.gz: 272abf096df313f4e1a4ad78f607883662fff33a2b1eaa04cc67472521364c26
+  metadata.gz: 46ca3c01306210417a6b799110a493830eaa246303b43273967c45c33a53dd3c
+  data.tar.gz: d4673a00221c5af2df0d9455612970c8d6e26cabfccca2de4239e8e1bed784ea
 SHA512:
-  metadata.gz: 521129144be6dca8c60c3ee85272414ebadda272e9ad91786b0d67a01cdf1fe2f77404e960752f51b4a2a688c427356fd7f8930e6ba4ca7a44253fafe3d7ad7c
-  data.tar.gz: b302e4ad017764ab0ff94d37f73fd0e616aeee3a31b27dac931074f25840cf4e4983a5991f9aea631ce42960dd86678d15e0df6ebc114fbfe5e8be6f4f8bc227
+  metadata.gz: 75a097a2e7fc8dfa1df6a908eb0bcca07121aa7a84076f7c8a47229662ad11fedfe40e413a45c315ccc587f9bd1f0b4ce5eede6c00d294d6102611cb0688e72a
+  data.tar.gz: b455ffd05c9940b0a3c429fb3207e0964db01b759cb913778b1c96b6086deea0e50c8dc3c5829f869907269ed04e02109a5cdac0adc14378d5ae9c4d4e098f01

data/lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule < BaseRule
+  def rule_text
+    'AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false ' \
+    'but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W57'
+  end
+
+  def audit_impl(cfn_model)
+    violating_identity_pools = cfn_model.resources_by_type('AWS::Cognito::IdentityPool').select do |identity_pool|
+      violating_identity_pool?(identity_pool)
+    end
+
+    violating_identity_pools.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violations?(property_value)
+    truthy?(property_value)
+  end
+
+  def violating_identity_pool?(identity_pool)
+    violations?(identity_pool.allowUnauthenticatedIdentities)
+  end
+end

data/lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class CognitoUserPoolMfaConfigurationOnorOptionalRule < BaseRule
+  def rule_text
+    "AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'"
+  end
+
+  def rule_type
+    Violation::FAILING_VIOLATION
+  end
+
+  def rule_id
+    'F78'
+  end
+
+  def audit_impl(cfn_model)
+    violating_userpools = cfn_model.resources_by_type('AWS::Cognito::UserPool').select do |userpool|
+      violating_userpool?(userpool)
+    end
+
+    violating_userpools.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violating_userpool?(user_pool)
+    user_pool.mfaConfiguration.to_s.casecmp('off').zero?
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.5.7
+  version: 0.5.8
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-14 00:00:00.000000000 Z
+date: 2020-02-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -188,6 +188,8 @@ files:
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
 - lib/cfn-nag/custom_rules/CodeBuildEncryptionKeyRule.rb
 - lib/cfn-nag/custom_rules/CodePipelineWebhookAuthenticationConfigurationSecretTokenRule.rb
+- lib/cfn-nag/custom_rules/CognitoIdentityPoolAllowUnauthenticatedIdentitiesRule.rb
+- lib/cfn-nag/custom_rules/CognitoUserPoolMfaConfigurationOnorOptionalRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointMongoDbSettingsPasswordRule.rb
 - lib/cfn-nag/custom_rules/DMSEndpointPasswordRule.rb
 - lib/cfn-nag/custom_rules/DirectoryServiceMicrosoftADPasswordRule.rb