@intentius/chant-lexicon-aws 0.0.8 → 0.0.9

package/src/lint/post-synth/waw020.test.ts

@@ -0,0 +1,125 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw020, checkIamWildcardAction } from "./waw020";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW020: IAM Wildcard Action", () => {
+  test("check metadata", () => {
+    expect(waw020.id).toBe("WAW020");
+    expect(waw020.description).toContain("wildcard");
+  });
+
+  test("flags IAM::Policy with Action: '*'", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::Policy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW020");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("flags IAM::Role with wildcard in inline Policies", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyRole: {
+          Type: "AWS::IAM::Role",
+          Properties: {
+            AssumeRolePolicyDocument: {
+              Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
+            },
+            Policies: [
+              {
+                PolicyName: "admin",
+                PolicyDocument: {
+                  Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
+                },
+              },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("flags wildcard in Action array", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::ManagedPolicy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "*"], Resource: "*" }],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("no diagnostic for specific actions", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::Policy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [{ Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::my-bucket/*" }],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-IAM resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: {
+          Type: "AWS::S3::Bucket",
+          Properties: { BucketName: "test" },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("emits one diagnostic per resource even with multiple wildcard statements", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyPolicy: {
+          Type: "AWS::IAM::Policy",
+          Properties: {
+            PolicyDocument: {
+              Statement: [
+                { Effect: "Allow", Action: "*", Resource: "*" },
+                { Effect: "Allow", Action: "*", Resource: "arn:aws:s3:::*" },
+              ],
+            },
+          },
+        },
+      },
+    });
+    const diags = checkIamWildcardAction(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw020.ts

@@ -0,0 +1,64 @@
+/**
+ * WAW020: IAM Wildcard Action
+ *
+ * Flags IAM policies with Action: "*" in any statement.
+ * Checks IAM::Policy, IAM::Role, and IAM::ManagedPolicy resource types.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, walkPolicyStatements, isIntrinsic } from "./cf-refs";
+
+const IAM_TYPES = new Set([
+  "AWS::IAM::Policy",
+  "AWS::IAM::Role",
+  "AWS::IAM::ManagedPolicy",
+]);
+
+function hasWildcardAction(statement: Record<string, unknown>): boolean {
+  const action = statement.Action;
+  if (action === "*") return true;
+  if (Array.isArray(action)) {
+    return action.some((a) => a === "*");
+  }
+  return false;
+}
+
+export function checkIamWildcardAction(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!IAM_TYPES.has(resource.Type)) continue;
+
+      const statements = walkPolicyStatements(resource);
+      for (const stmt of statements) {
+        if (isIntrinsic(stmt.Action)) continue;
+
+        if (hasWildcardAction(stmt)) {
+          diagnostics.push({
+            checkId: "WAW020",
+            severity: "warning",
+            message: `IAM resource "${logicalId}" has a policy statement with Action: "*" — use specific actions following least privilege`,
+            entity: logicalId,
+            lexicon: "aws",
+          });
+          break; // One diagnostic per resource
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw020: PostSynthCheck = {
+  id: "WAW020",
+  description: "IAM policy uses wildcard Action — use specific actions following least privilege",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkIamWildcardAction(ctx);
+  },
+};

package/src/lint/post-synth/waw021.test.ts

@@ -0,0 +1,81 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw021, checkRdsEncryption } from "./waw021";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW021: RDS Storage Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw021.id).toBe("WAW021");
+    expect(waw021.description).toContain("encrypted");
+  });
+
+  test("flags DBInstance without StorageEncrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { DBInstanceClass: "db.t3.micro", Engine: "mysql" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW021");
+    expect(diags[0].severity).toBe("error");
+  });
+
+  test("flags DBCluster without StorageEncrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCluster: {
+          Type: "AWS::RDS::DBCluster",
+          Properties: { Engine: "aurora-mysql" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("no diagnostic when StorageEncrypted: true", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { StorageEncrypted: true, DBInstanceClass: "db.t3.micro" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags StorageEncrypted: false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { StorageEncrypted: false, DBInstanceClass: "db.t3.micro" },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+  });
+
+  test("skips intrinsic value for StorageEncrypted", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyDB: {
+          Type: "AWS::RDS::DBInstance",
+          Properties: { StorageEncrypted: { Ref: "EncryptParam" } },
+        },
+      },
+    });
+    const diags = checkRdsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw021.ts

@@ -0,0 +1,53 @@
+/**
+ * WAW021: RDS Storage Not Encrypted
+ *
+ * Flags RDS instances and clusters without StorageEncrypted: true.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate, isIntrinsic } from "./cf-refs";
+
+const RDS_TYPES = new Set([
+  "AWS::RDS::DBInstance",
+  "AWS::RDS::DBCluster",
+]);
+
+export function checkRdsEncryption(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (!RDS_TYPES.has(resource.Type)) continue;
+
+      const props = resource.Properties ?? {};
+      const encrypted = props.StorageEncrypted;
+
+      // Skip if it's an intrinsic (can't statically verify)
+      if (isIntrinsic(encrypted)) continue;
+
+      if (encrypted !== true) {
+        diagnostics.push({
+          checkId: "WAW021",
+          severity: "error",
+          message: `RDS resource "${logicalId}" (${resource.Type}) does not have StorageEncrypted: true — enable encryption at rest`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw021: PostSynthCheck = {
+  id: "WAW021",
+  description: "RDS instance or cluster storage is not encrypted — enable encryption at rest",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkRdsEncryption(ctx);
+  },
+};

package/src/lint/post-synth/waw022.test.ts

@@ -0,0 +1,54 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw022, checkLambdaVpc } from "./waw022";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW022: Lambda Not in VPC", () => {
+  test("check metadata", () => {
+    expect(waw022.id).toBe("WAW022");
+    expect(waw022.description).toContain("VPC");
+  });
+
+  test("flags Lambda without VpcConfig", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: { FunctionName: "test", Runtime: "nodejs20.x", Handler: "index.handler" },
+        },
+      },
+    });
+    const diags = checkLambdaVpc(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW022");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when VpcConfig is present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyFunc: {
+          Type: "AWS::Lambda::Function",
+          Properties: {
+            VpcConfig: { SubnetIds: ["subnet-123"], SecurityGroupIds: ["sg-123"] },
+          },
+        },
+      },
+    });
+    const diags = checkLambdaVpc(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("no diagnostic for non-Lambda resources", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyBucket: { Type: "AWS::S3::Bucket", Properties: {} },
+      },
+    });
+    const diags = checkLambdaVpc(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw022.ts

@@ -0,0 +1,43 @@
+/**
+ * WAW022: Lambda Not in VPC
+ *
+ * Flags Lambda functions without VpcConfig.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkLambdaVpc(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::Lambda::Function") continue;
+
+      const props = resource.Properties ?? {};
+      if (!("VpcConfig" in props)) {
+        diagnostics.push({
+          checkId: "WAW022",
+          severity: "warning",
+          message: `Lambda function "${logicalId}" is not configured with a VPC — consider adding VpcConfig for network isolation`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw022: PostSynthCheck = {
+  id: "WAW022",
+  description: "Lambda function is not configured with a VPC — consider adding VpcConfig for network isolation",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkLambdaVpc(ctx);
+  },
+};

package/src/lint/post-synth/waw023.test.ts

@@ -0,0 +1,53 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw023, checkCloudFrontWaf } from "./waw023";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW023: CloudFront Without WAF", () => {
+  test("check metadata", () => {
+    expect(waw023.id).toBe("WAW023");
+    expect(waw023.description).toContain("WAF");
+  });
+
+  test("flags distribution without WebACLId", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCF: {
+          Type: "AWS::CloudFront::Distribution",
+          Properties: {
+            DistributionConfig: {
+              Origins: [{ Id: "origin1", DomainName: "example.com" }],
+              DefaultCacheBehavior: { TargetOriginId: "origin1", ViewerProtocolPolicy: "redirect-to-https" },
+              Enabled: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkCloudFrontWaf(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW023");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when WebACLId is present", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyCF: {
+          Type: "AWS::CloudFront::Distribution",
+          Properties: {
+            DistributionConfig: {
+              WebACLId: "arn:aws:wafv2:us-east-1:123456789012:global/webacl/my-acl/abc",
+              Enabled: true,
+            },
+          },
+        },
+      },
+    });
+    const diags = checkCloudFrontWaf(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});

package/src/lint/post-synth/waw023.ts

@@ -0,0 +1,47 @@
+/**
+ * WAW023: CloudFront Without WAF
+ *
+ * Flags CloudFront distributions without WebACLId.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkCloudFrontWaf(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::CloudFront::Distribution") continue;
+
+      const props = resource.Properties ?? {};
+      const distConfig = props.DistributionConfig;
+      if (typeof distConfig !== "object" || distConfig === null) continue;
+
+      const config = distConfig as Record<string, unknown>;
+      if (!("WebACLId" in config)) {
+        diagnostics.push({
+          checkId: "WAW023",
+          severity: "warning",
+          message: `CloudFront distribution "${logicalId}" has no WebACLId — consider attaching a WAF web ACL for protection`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw023: PostSynthCheck = {
+  id: "WAW023",
+  description: "CloudFront distribution has no WAF web ACL — consider attaching one for protection",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkCloudFrontWaf(ctx);
+  },
+};

package/src/lint/post-synth/waw024.test.ts

@@ -0,0 +1,64 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw024, checkAlbAccessLogs } from "./waw024";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW024: ALB Without Access Logging", () => {
+  test("check metadata", () => {
+    expect(waw024.id).toBe("WAW024");
+    expect(waw024.description).toContain("access logging");
+  });
+
+  test("flags ALB without access logging", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyALB: {
+          Type: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+          Properties: { Type: "application" },
+        },
+      },
+    });
+    const diags = checkAlbAccessLogs(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW024");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when access logging is enabled", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyALB: {
+          Type: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+          Properties: {
+            LoadBalancerAttributes: [
+              { Key: "access_logs.s3.enabled", Value: "true" },
+              { Key: "access_logs.s3.bucket", Value: "my-logs-bucket" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkAlbAccessLogs(ctx);
+    expect(diags).toHaveLength(0);
+  });
+
+  test("flags when access_logs.s3.enabled is false", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyALB: {
+          Type: "AWS::ElasticLoadBalancingV2::LoadBalancer",
+          Properties: {
+            LoadBalancerAttributes: [
+              { Key: "access_logs.s3.enabled", Value: "false" },
+            ],
+          },
+        },
+      },
+    });
+    const diags = checkAlbAccessLogs(ctx);
+    expect(diags).toHaveLength(1);
+  });
+});

package/src/lint/post-synth/waw024.ts

@@ -0,0 +1,54 @@
+/**
+ * WAW024: ALB Without Access Logging
+ *
+ * Flags Application Load Balancers without access logging enabled.
+ */
+
+import type { PostSynthCheck, PostSynthContext, PostSynthDiagnostic } from "@intentius/chant/lint/post-synth";
+import { parseCFTemplate } from "./cf-refs";
+
+export function checkAlbAccessLogs(ctx: PostSynthContext): PostSynthDiagnostic[] {
+  const diagnostics: PostSynthDiagnostic[] = [];
+
+  for (const [_lexicon, output] of ctx.outputs) {
+    const template = parseCFTemplate(output);
+    if (!template?.Resources) continue;
+
+    for (const [logicalId, resource] of Object.entries(template.Resources)) {
+      if (resource.Type !== "AWS::ElasticLoadBalancingV2::LoadBalancer") continue;
+
+      const props = resource.Properties ?? {};
+      const attrs = props.LoadBalancerAttributes;
+
+      let hasAccessLogs = false;
+      if (Array.isArray(attrs)) {
+        hasAccessLogs = attrs.some((attr) => {
+          if (typeof attr !== "object" || attr === null) return false;
+          const a = attr as Record<string, unknown>;
+          return a.Key === "access_logs.s3.enabled" && (a.Value === "true" || a.Value === true);
+        });
+      }
+
+      if (!hasAccessLogs) {
+        diagnostics.push({
+          checkId: "WAW024",
+          severity: "warning",
+          message: `Load balancer "${logicalId}" does not have access logging enabled — enable access_logs.s3.enabled for audit trails`,
+          entity: logicalId,
+          lexicon: "aws",
+        });
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+export const waw024: PostSynthCheck = {
+  id: "WAW024",
+  description: "Application Load Balancer does not have access logging enabled",
+
+  check(ctx: PostSynthContext): PostSynthDiagnostic[] {
+    return checkAlbAccessLogs(ctx);
+  },
+};

package/src/lint/post-synth/waw025.test.ts

@@ -0,0 +1,42 @@
+import { describe, test, expect } from "bun:test";
+import { createPostSynthContext } from "@intentius/chant-test-utils";
+import { waw025, checkSnsEncryption } from "./waw025";
+
+function makeCtx(template: object) {
+  return createPostSynthContext({ aws: template });
+}
+
+describe("WAW025: SNS Topic Not Encrypted", () => {
+  test("check metadata", () => {
+    expect(waw025.id).toBe("WAW025");
+    expect(waw025.description).toContain("encrypted");
+  });
+
+  test("flags topic without KmsMasterKeyId", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTopic: {
+          Type: "AWS::SNS::Topic",
+          Properties: { TopicName: "my-topic" },
+        },
+      },
+    });
+    const diags = checkSnsEncryption(ctx);
+    expect(diags).toHaveLength(1);
+    expect(diags[0].checkId).toBe("WAW025");
+    expect(diags[0].severity).toBe("warning");
+  });
+
+  test("no diagnostic when KmsMasterKeyId is set", () => {
+    const ctx = makeCtx({
+      Resources: {
+        MyTopic: {
+          Type: "AWS::SNS::Topic",
+          Properties: { KmsMasterKeyId: "alias/my-key" },
+        },
+      },
+    });
+    const diags = checkSnsEncryption(ctx);
+    expect(diags).toHaveLength(0);
+  });
+});