@intentius/chant-lexicon-aws 0.0.6 → 0.0.9

package/src/lint/post-synth/waw022.ts

@@ -0,0 +1,43 @@
+/**
+ * WAW022: Lambda Not in VPC
+ *
+ * Flags Lambda functions without VpcConfig.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkLambdaVpc(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::Lambda::Function") continue;
+
+      const props = resource.Properties ?? {};
+      if (!("VpcConfig" in props)) {
+        diagnostics.push({
+          checkId: "WAW022",
+          severity: "warning",
+          message: `Lambda function "${logicalId}" is not configured with a VPC — consider adding VpcConfig for network isolation`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw022: PostSynthCheck = {
+  id: "WAW022",
+  description: "Lambda function is not configured with a VPC — consider adding VpcConfig for network isolation",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkLambdaVpc(ctx);
+  },
+};

package/src/lint/post-synth/waw023.test.ts

@@ -0,0 +1,53 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw023, checkCloudFrontWaf } from "./waw023";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW023: CloudFront Without WAF", () => {
+  test("check metadata", () => {
+    expect(waw023.id).toBe("WAW023");
+    expect(waw023.description).toContain("WAF");
+  });
+
+  test("flags distribution without WebACLId", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCF: {
+          Type: "AWS::CloudFront::Distribution",
+          Properties: {
+            DistributionConfig: {
+              Origins: [{ Id: "origin1", DomainName: "example.com" }],
+              DefaultCacheBehavior: { TargetOriginId: "origin1", ViewerProtocolPolicy: "redirect-to-https" },
+              Enabled: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkCloudFrontWaf(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW023");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when WebACLId is present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCF: {
+          Type: "AWS::CloudFront::Distribution",
+          Properties: {
+            DistributionConfig: {
+              WebACLId: "arn:aws:wafv2:us-east-1:123456789012:global/webacl/my-acl/abc",
+              Enabled: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkCloudFrontWaf(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw023.ts

@@ -0,0 +1,47 @@
+/**
+ * WAW023: CloudFront Without WAF
+ *
+ * Flags CloudFront distributions without WebACLId.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkCloudFrontWaf(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::CloudFront::Distribution") continue;
+
+      const props = resource.Properties ?? {};
+      const distConfig = props.DistributionConfig;
+      if (typeof distConfig !== "object" || distConfig === null) continue;
+
+      const config = distConfig as Record<string, unknown>;
+      if (!("WebACLId" in config)) {
+        diagnostics.push({
+          checkId: "WAW023",
+          severity: "warning",
+          message: `CloudFront distribution "${logicalId}" has no WebACLId — consider attaching a WAF web ACL for protection`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw023: PostSynthCheck = {
+  id: "WAW023",
+  description: "CloudFront distribution has no WAF web ACL — consider attaching one for protection",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkCloudFrontWaf(ctx);
+  },
+};

package/src/lint/post-synth/waw024.test.ts

@@ -0,0 +1,64 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw024, checkAlbAccessLogs } from "./waw024";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW024: ALB Without Access Logging", () => {
+  test("check metadata", () => {
+    expect(waw024.id).toBe("WAW024");
+    expect(waw024.description).toContain("access logging");
+  });
+
+  test("flags ALB without access logging", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyALB: {
+          Type: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+          Properties: { Type: "application" },
+        },
+      },
+    });
+    const diags = checkAlbAccessLogs(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW024");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when access logging is enabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyALB: {
+          Type: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+          Properties: {
+            LoadBalancerAttributes: [
+              { Key: "access_logs.s3.enabled", Value: "true" },
+              { Key: "access_logs.s3.bucket", Value: "my-logs-bucket" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkAlbAccessLogs(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags when access_logs.s3.enabled is false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyALB: {
+          Type: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+          Properties: {
+            LoadBalancerAttributes: [
+              { Key: "access_logs.s3.enabled", Value: "false" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkAlbAccessLogs(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw024.ts

@@ -0,0 +1,54 @@
+/**
+ * WAW024: ALB Without Access Logging
+ *
+ * Flags Application Load Balancers without access logging enabled.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkAlbAccessLogs(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::ElasticLoadBalancingV2::LoadBalancer") continue;
+
+      const props = resource.Properties ?? {};
+      const attrs = props.LoadBalancerAttributes;
+
+      let hasAccessLogs = false;
+      if (Array.isArray(attrs)) {
+        hasAccessLogs = attrs.some((attr) => {
+          if (typeof attr !== "object" || attr === null) return false;
+          const a = attr as Record<string, unknown>;
+          return a.Key === "access_logs.s3.enabled" && (a.Value === "true" || a.Value === true);
+        });
+      }
+
+      if (!hasAccessLogs) {
+        diagnostics.push({
+          checkId: "WAW024",
+          severity: "warning",
+          message: `Load balancer "${logicalId}" does not have access logging enabled — enable access_logs.s3.enabled for audit trails`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw024: PostSynthCheck = {
+  id: "WAW024",
+  description: "Application Load Balancer does not have access logging enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkAlbAccessLogs(ctx);
+  },
+};

package/src/lint/post-synth/waw025.test.ts

@@ -0,0 +1,42 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw025, checkSnsEncryption } from "./waw025";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW025: SNS Topic Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw025.id).toBe("WAW025");
+    expect(waw025.description).toContain("encrypted");
+  });
+
+  test("flags topic without KmsMasterKeyId", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTopic: {
+          Type: "AWS::SNS::Topic",
+          Properties: { TopicName: "my-topic" },
+        },
+      },
+    });
+    const diags = checkSnsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW025");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when KmsMasterKeyId is set", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTopic: {
+          Type: "AWS::SNS::Topic",
+          Properties: { KmsMasterKeyId: "alias/my-key" },
+        },
+      },
+    });
+    const diags = checkSnsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw025.ts

@@ -0,0 +1,43 @@
+/**
+ * WAW025: SNS Topic Not Encrypted
+ *
+ * Flags SNS topics without KmsMasterKeyId.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkSnsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::SNS::Topic") continue;
+
+      const props = resource.Properties ?? {};
+      if (!("KmsMasterKeyId" in props)) {
+        diagnostics.push({
+          checkId: "WAW025",
+          severity: "warning",
+          message: `SNS topic "${logicalId}" is not encrypted — add KmsMasterKeyId for encryption at rest`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw025: PostSynthCheck = {
+  id: "WAW025",
+  description: "SNS topic is not encrypted — add KmsMasterKeyId for encryption at rest",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkSnsEncryption(ctx);
+  },
+};

package/src/lint/post-synth/waw026.test.ts

@@ -0,0 +1,54 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw026, checkSqsEncryption } from "./waw026";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW026: SQS Queue Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw026.id).toBe("WAW026");
+    expect(waw026.description).toContain("encrypted");
+  });
+
+  test("flags queue without encryption", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyQueue: {
+          Type: "AWS::SQS::Queue",
+          Properties: { QueueName: "my-queue" },
+        },
+      },
+    });
+    const diags = checkSqsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW026");
+  });
+
+  test("no diagnostic with SqsManagedSseEnabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyQueue: {
+          Type: "AWS::SQS::Queue",
+          Properties: { SqsManagedSseEnabled: true },
+        },
+      },
+    });
+    const diags = checkSqsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic with KmsMasterKeyId", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyQueue: {
+          Type: "AWS::SQS::Queue",
+          Properties: { KmsMasterKeyId: "alias/my-key" },
+        },
+      },
+    });
+    const diags = checkSqsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw026.ts

@@ -0,0 +1,46 @@
+/**
+ * WAW026: SQS Queue Not Encrypted
+ *
+ * Flags SQS queues without SqsManagedSseEnabled or KmsMasterKeyId.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkSqsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::SQS::Queue") continue;
+
+      const props = resource.Properties ?? {};
+      const hasSseSqs = props.SqsManagedSseEnabled === true;
+      const hasKms = "KmsMasterKeyId" in props;
+
+      if (!hasSseSqs && !hasKms) {
+        diagnostics.push({
+          checkId: "WAW026",
+          severity: "warning",
+          message: `SQS queue "${logicalId}" is not encrypted — enable SqsManagedSseEnabled or set KmsMasterKeyId`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw026: PostSynthCheck = {
+  id: "WAW026",
+  description: "SQS queue is not encrypted — enable SqsManagedSseEnabled or set KmsMasterKeyId",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkSqsEncryption(ctx);
+  },
+};

package/src/lint/post-synth/waw027.test.ts

@@ -0,0 +1,63 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw027, checkDynamoDbPitr } from "./waw027";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW027: DynamoDB Missing PITR", () => {
+  test("check metadata", () => {
+    expect(waw027.id).toBe("WAW027");
+    expect(waw027.description).toContain("point-in-time");
+  });
+
+  test("flags table without PITR", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTable: {
+          Type: "AWS::DynamoDB::Table",
+          Properties: {
+            TableName: "my-table",
+            KeySchema: [{ AttributeName: "id", KeyType: "HASH" }],
+            AttributeDefinitions: [{ AttributeName: "id", AttributeType: "S" }],
+          },
+        },
+      },
+    });
+    const diags = checkDynamoDbPitr(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW027");
+    expect(diags[0].severity).toBe("info");
+  });
+
+  test("no diagnostic when PITR is enabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTable: {
+          Type: "AWS::DynamoDB::Table",
+          Properties: {
+            PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: true },
+          },
+        },
+      },
+    });
+    const diags = checkDynamoDbPitr(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags when PITR spec present but not enabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTable: {
+          Type: "AWS::DynamoDB::Table",
+          Properties: {
+            PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: false },
+          },
+        },
+      },
+    });
+    const diags = checkDynamoDbPitr(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw027.ts

@@ -0,0 +1,50 @@
+/**
+ * WAW027: DynamoDB Missing Point-in-Time Recovery
+ *
+ * Flags DynamoDB tables without PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkDynamoDbPitr(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::DynamoDB::Table") continue;
+
+      const props = resource.Properties ?? {};
+      const pitrSpec = props.PointInTimeRecoverySpecification;
+
+      let pitrEnabled = false;
+      if (typeof pitrSpec === "object" && pitrSpec !== null) {
+        pitrEnabled = (pitrSpec as Record<string, unknown>).PointInTimeRecoveryEnabled === true;
+      }
+
+      if (!pitrEnabled) {
+        diagnostics.push({
+          checkId: "WAW027",
+          severity: "info",
+          message: `DynamoDB table "${logicalId}" does not have point-in-time recovery enabled — consider enabling for data protection`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw027: PostSynthCheck = {
+  id: "WAW027",
+  description: "DynamoDB table does not have point-in-time recovery enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkDynamoDbPitr(ctx);
+  },
+};

package/src/lint/post-synth/waw028.test.ts

@@ -0,0 +1,68 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw028, checkEbsEncryption } from "./waw028";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW028: EBS Volume Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw028.id).toBe("WAW028");
+    expect(waw028.description).toContain("encrypted");
+  });
+
+  test("flags volume without Encrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Size: 100 },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW028");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when Encrypted: true", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Encrypted: true },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags Encrypted: false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Encrypted: false },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("skips intrinsic value for Encrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyVol: {
+          Type: "AWS::EC2::Volume",
+          Properties: { AvailabilityZone: "us-east-1a", Encrypted: { Ref: "EncryptParam" } },
+        },
+      },
+    });
+    const diags = checkEbsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw028.ts

@@ -0,0 +1,47 @@
+/**
+ * WAW028: EBS Volume Not Encrypted
+ *
+ * Flags EBS volumes without Encrypted: true.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+export function checkEbsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::EC2::Volume") continue;
+
+      const props = resource.Properties ?? {};
+      const encrypted = props.Encrypted;
+
+      if (isIntrinsic(encrypted)) continue;
+
+      if (encrypted !== true) {
+        diagnostics.push({
+          checkId: "WAW028",
+          severity: "warning",
+          message: `EBS volume "${logicalId}" does not have Encrypted: true — enable encryption at rest`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw028: PostSynthCheck = {
+  id: "WAW028",
+  description: "EBS volume is not encrypted — enable encryption at rest",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkEbsEncryption(ctx);
+  },
+};