@intentius/chant-lexicon-aws 0.0.6 → 0.0.9

package/src/lint/post-synth/waw018.ts

@@ -0,0 +1,71 @@
+/**
+ * WAW018: S3 Public Access Not Blocked
+ *
+ * Flags S3 buckets missing PublicAccessBlockConfiguration or with any flag set to false.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+const REQUIRED_FLAGS = [
+  "BlockPublicAcls",
+  "BlockPublicPolicy",
+  "IgnorePublicAcls",
+  "RestrictPublicBuckets",
+] as const;
+
+export function checkS3PublicAccess(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::S3::Bucket") continue;
+
+      const props = resource.Properties ?? {};
+      const pab = props.PublicAccessBlockConfiguration;
+
+      if (!pab) {
+        diagnostics.push({
+          checkId: "WAW018",
+          severity: "error",
+          message: `S3 bucket "${logicalId}" is missing PublicAccessBlockConfiguration — all public access should be blocked`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+        continue;
+      }
+
+      if (isIntrinsic(pab)) continue;
+
+      if (typeof pab === "object" && pab !== null) {
+        const config = pab as Record<string, unknown>;
+        for (const flag of REQUIRED_FLAGS) {
+          const value = config[flag];
+          if (value === false) {
+            diagnostics.push({
+              checkId: "WAW018",
+              severity: "error",
+              message: `S3 bucket "${logicalId}" has ${flag} set to false — all public access should be blocked`,
+              entity: logicalId,
+              lexicon: "aws",
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw018: PostSynthCheck = {
+  id: "WAW018",
+  description: "S3 bucket missing public access block — all public access should be blocked",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkS3PublicAccess(ctx);
+  },
+};

package/src/lint/post-synth/waw019.test.ts

@@ -0,0 +1,138 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw019, checkUnrestrictedIngress } from "./waw019";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW019: Security Group Unrestricted Ingress", () => {
+  test("check metadata", () => {
+    expect(waw019.id).toBe("WAW019");
+    expect(waw019.description).toContain("ingress");
+  });
+
+  test("flags SG with 0.0.0.0/0 on port 22", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW019");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("flags SG with ::/0 on port 3389", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 3389, ToPort: 3389, CidrIpv6: "::/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("flags wide port range containing sensitive port", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 0, ToPort: 65535, CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("no diagnostic for restricted CIDR", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "10.0.0.0/8" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-sensitive port with open CIDR", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("checks standalone SecurityGroupIngress resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyIngress: {
+          Type: "AWS::EC2::SecurityGroupIngress",
+          Properties: {
+            GroupId: { Ref: "MySG" },
+            IpProtocol: "tcp",
+            FromPort: 5432,
+            ToPort: 5432,
+            CidrIp: "0.0.0.0/0",
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].entity).toBe("MyIngress");
+  });
+
+  test("handles missing port range (all ports)", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MySG: {
+          Type: "AWS::EC2::SecurityGroup",
+          Properties: {
+            SecurityGroupIngress: [
+              { IpProtocol: "-1", CidrIp: "0.0.0.0/0" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkUnrestrictedIngress(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw019.ts

@@ -0,0 +1,82 @@
+/**
+ * WAW019: Security Group Unrestricted Ingress
+ *
+ * Flags security groups with 0.0.0.0/0 or ::/0 ingress on sensitive ports
+ * (SSH 22, RDP 3389, MySQL 3306, PostgreSQL 5432).
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, getSecurityGroupIngress, portRangeContainsSensitive, isIntrinsic } from "./cf-refs";
+
+const SENSITIVE_PORTS = [22, 3389, 3306, 5432];
+const OPEN_CIDRS = new Set(["0.0.0.0/0", "::/0"]);
+
+function checkIngressRule(
+  rule: Record<string, unknown>,
+  logicalId: string,
+  diagnostics: PostSynthDiagnostic[],
+): void {
+  const cidrIp = rule.CidrIp;
+  const cidrIpv6 = rule.CidrIpv6;
+
+  const hasOpenCidr =
+    (typeof cidrIp === "string" && OPEN_CIDRS.has(cidrIp)) ||
+    (typeof cidrIpv6 === "string" && OPEN_CIDRS.has(cidrIpv6));
+
+  if (!hasOpenCidr) return;
+
+  if (portRangeContainsSensitive(rule.FromPort, rule.ToPort, SENSITIVE_PORTS)) {
+    const cidr = typeof cidrIp === "string" && OPEN_CIDRS.has(cidrIp) ? cidrIp : cidrIpv6;
+    const fromPort = rule.FromPort;
+    const toPort = rule.ToPort;
+    const portDesc = fromPort !== undefined && toPort !== undefined
+      ? ` on ports ${fromPort}-${toPort}`
+      : " on all ports";
+
+    diagnostics.push({
+      checkId: "WAW019",
+      severity: "error",
+      message: `Security group "${logicalId}" allows unrestricted ingress from ${cidr}${portDesc} — restrict to specific CIDR ranges`,
+      entity: logicalId,
+      lexicon: "aws",
+    });
+  }
+}
+
+export function checkUnrestrictedIngress(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      // Check inline SecurityGroupIngress on EC2::SecurityGroup
+      if (resource.Type === "AWS::EC2::SecurityGroup") {
+        const rules = getSecurityGroupIngress(resource);
+        for (const rule of rules) {
+          checkIngressRule(rule, logicalId, diagnostics);
+        }
+      }
+
+      // Check standalone SecurityGroupIngress resources
+      if (resource.Type === "AWS::EC2::SecurityGroupIngress") {
+        const props = resource.Properties ?? {};
+        if (!isIntrinsic(props)) {
+          checkIngressRule(props as Record<string, unknown>, logicalId, diagnostics);
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw019: PostSynthCheck = {
+  id: "WAW019",
+  description: "Security group allows unrestricted ingress on sensitive ports (SSH, RDP, database)",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkUnrestrictedIngress(ctx);
+  },
+};

package/src/lint/post-synth/waw020.test.ts

@@ -0,0 +1,125 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw020, checkIamWildcardAction } from "./waw020";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW020: IAM Wildcard Action", () => {
+  test("check metadata", () => {
+    expect(waw020.id).toBe("WAW020");
+    expect(waw020.description).toContain("wildcard");
+  });
+
+  test("flags IAM::Policy with Action: '*'", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::Policy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW020");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("flags IAM::Role with wildcard in inline Policies", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyRole: {
+          Type: "AWS::IAM::Role",
+          Properties: {
+            AssumeRolePolicyDocument: {
+              Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
+            },
+            Policies: [
+              {
+                PolicyName: "admin",
+                PolicyDocument: {
+                  Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
+                },
+              },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("flags wildcard in Action array", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::ManagedPolicy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "*"], Resource: "*" }],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("no diagnostic for specific actions", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::Policy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::my-bucket/*" }],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-IAM resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("emits one diagnostic per resource even with multiple wildcard statements", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::Policy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [
+                { Effect: "Allow", Action: "*", Resource: "*" },
+                { Effect: "Allow", Action: "*", Resource: "arn:aws:s3:::*" },
+              ],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw020.ts

@@ -0,0 +1,64 @@
+/**
+ * WAW020: IAM Wildcard Action
+ *
+ * Flags IAM policies with Action: "*" in any statement.
+ * Checks IAM::Policy, IAM::Role, and IAM::ManagedPolicy resource types.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, walkPolicyStatements, isIntrinsic } from "./cf-refs";
+
+const IAM_TYPES = new Set([
+  "AWS::IAM::Policy",
+  "AWS::IAM::Role",
+  "AWS::IAM::ManagedPolicy",
+]);
+
+function hasWildcardAction(statement: Record<string, unknown>): boolean {
+  const action = statement.Action;
+  if (action === "*") return true;
+  if (Array.isArray(action)) {
+    return action.some((a) => a === "*");
+  }
+  return false;
+}
+
+export function checkIamWildcardAction(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!IAM_TYPES.has(resource.Type)) continue;
+
+      const statements = walkPolicyStatements(resource);
+      for (const stmt of statements) {
+        if (isIntrinsic(stmt.Action)) continue;
+
+        if (hasWildcardAction(stmt)) {
+          diagnostics.push({
+            checkId: "WAW020",
+            severity: "warning",
+            message: `IAM resource "${logicalId}" has a policy statement with Action: "*" — use specific actions following least privilege`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+          break; // One diagnostic per resource
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw020: PostSynthCheck = {
+  id: "WAW020",
+  description: "IAM policy uses wildcard Action — use specific actions following least privilege",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkIamWildcardAction(ctx);
+  },
+};

package/src/lint/post-synth/waw021.test.ts

@@ -0,0 +1,81 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw021, checkRdsEncryption } from "./waw021";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW021: RDS Storage Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw021.id).toBe("WAW021");
+    expect(waw021.description).toContain("encrypted");
+  });
+
+  test("flags DBInstance without StorageEncrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { DBInstanceClass: "db.t3.micro", Engine: "mysql" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW021");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("flags DBCluster without StorageEncrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCluster: {
+          Type: "AWS::RDS::DBCluster",
+          Properties: { Engine: "aurora-mysql" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("no diagnostic when StorageEncrypted: true", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { StorageEncrypted: true, DBInstanceClass: "db.t3.micro" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags StorageEncrypted: false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { StorageEncrypted: false, DBInstanceClass: "db.t3.micro" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("skips intrinsic value for StorageEncrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { StorageEncrypted: { Ref: "EncryptParam" } },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw021.ts

@@ -0,0 +1,53 @@
+/**
+ * WAW021: RDS Storage Not Encrypted
+ *
+ * Flags RDS instances and clusters without StorageEncrypted: true.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+const RDS_TYPES = new Set([
+  "AWS::RDS::DBInstance",
+  "AWS::RDS::DBCluster",
+]);
+
+export function checkRdsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!RDS_TYPES.has(resource.Type)) continue;
+
+      const props = resource.Properties ?? {};
+      const encrypted = props.StorageEncrypted;
+
+      // Skip if it's an intrinsic (can't statically verify)
+      if (isIntrinsic(encrypted)) continue;
+
+      if (encrypted !== true) {
+        diagnostics.push({
+          checkId: "WAW021",
+          severity: "error",
+          message: `RDS resource "${logicalId}" (${resource.Type}) does not have StorageEncrypted: true — enable encryption at rest`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw021: PostSynthCheck = {
+  id: "WAW021",
+  description: "RDS instance or cluster storage is not encrypted — enable encryption at rest",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkRdsEncryption(ctx);
+  },
+};

package/src/lint/post-synth/waw022.test.ts

@@ -0,0 +1,54 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw022, checkLambdaVpc } from "./waw022";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW022: Lambda Not in VPC", () => {
+  test("check metadata", () => {
+    expect(waw022.id).toBe("WAW022");
+    expect(waw022.description).toContain("VPC");
+  });
+
+  test("flags Lambda without VpcConfig", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: { FunctionName: "test", Runtime: "nodejs20.x", Handler: "index.handler" },
+        },
+      },
+    });
+    const diags = checkLambdaVpc(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW022");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when VpcConfig is present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            VpcConfig: { SubnetIds: ["subnet-123"], SecurityGroupIds: ["sg-123"] },
+          },
+        },
+      },
+    });
+    const diags = checkLambdaVpc(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-Lambda resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket", Properties: {} },
+      },
+    });
+    const diags = checkLambdaVpc(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});