Backwards compatibility for 3 redudant deleted rules

aws-cloudformation · Mar 25, 2024 · 446012b · 446012b
1 parent fcd8daf
commit 446012b
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 19 deletions.
diff --git a/rules/aws/amazon_ec2/encrypted_volumes.guard b/rules/aws/amazon_ec2/encrypted_volumes.guard
@@ -6,7 +6,7 @@
 #    ENCRYPTED_VOLUMES
 #
 # Description:
-#    Checks if the EBS volumes that are in an attached state are encrypted. 
+#    Checks if the EBS volumes that are in an attached state are encrypted.
 #
 # Reports on:
 #    AWS::EC2::Volume
@@ -22,18 +22,20 @@
 #
 # Scenarios:
 # a) SKIP: when there are no EBS volume resources present
-# b) PASS: when all EBS volumes have the KmsKeyId property set or the Encrypted property set to true 
+# b) PASS: when all EBS volumes have the KmsKeyId property set or the Encrypted property set to true
 # c) FAIL: when any EC2 volumes do not have the KmsKeyId or Encrypted property set
 # e) SKIP: hen metadata includes the suppression for rule ENCRYPTED_VOLUMES
 
 #
 # Select all EC2 Instance resources from incoming template (payload)
 #
-let ebs_volumes_encrypted = Resources.*[ Type == 'AWS::EC2::Volume' 
-  Metadata.cfn_nag.rules_to_suppress not exists or 
+let ebs_volumes_encrypted = Resources.*[ Type == 'AWS::EC2::Volume'
+  Metadata.cfn_nag.rules_to_suppress not exists or
   Metadata.cfn_nag.rules_to_suppress.*.id != "F1"
   Metadata.guard.SuppressedRules not exists or
   Metadata.guard.SuppressedRules.* != "ENCRYPTED_VOLUMES"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "EC2_EBS_ENCRYPTION_BY_DEFAULT"
 ]
 
 rule ENCRYPTED_VOLUMES when %ebs_volumes_encrypted !empty {
@@ -45,7 +47,7 @@ rule ENCRYPTED_VOLUMES when %ebs_volumes_encrypted !empty {
   %violations empty
   <<
     Violation: EBS volumes in an attached state must be encrypted.
-    Fix: Set the KmsKeyId property to a key ID, key alias, key ARN, or alias ARN 
-		or set the Encrypted property to true to encrypt the volume with the account default key or AWS managed key. 
+    Fix: Set the KmsKeyId property to a key ID, key alias, key ARN, or alias ARN
+		or set the Encrypted property to true to encrypt the volume with the account default key or AWS managed key.
   >>
-}
+}
diff --git a/rules/aws/amazon_ec2/tests/encrypted_volumes_tests.yml b/rules/aws/amazon_ec2/tests/encrypted_volumes_tests.yml
@@ -98,3 +98,19 @@
   expectations:
     rules:
       ENCRYPTED_VOLUMES: SKIP
+
+- name: EC2 Volume without KmsKeyId or Encrypted properties set but rule EC2_EBS_ENCRYPTION_BY_DEFAULT suppressed, SKIP
+  input:
+    Resources:
+      ExampleVolume:
+        Type: AWS::EC2::Volume
+        Metadata:
+          guard:
+            SuppressedRules:
+              - EC2_EBS_ENCRYPTION_BY_DEFAULT
+        Properties:
+          AvailabilityZone: !Ref pAz
+          Size: !Ref pSize
+  expectations:
+    rules:
+      ENCRYPTED_VOLUMES: SKIP
diff --git a/rules/aws/amazon_rds/rds_storage_encrypted.guard b/rules/aws/amazon_rds/rds_storage_encrypted.guard
@@ -33,10 +33,12 @@
 # Select all RDS instance resources from incoming template (payload)
 #
 let aws_rds_instances_storage_encrypted = Resources.*[ Type in [ /AWS::RDS::DBInstance/, /AWS::RDS::DBCluster/ ]
-  Metadata.cfn_nag.rules_to_suppress not exists or 
+  Metadata.cfn_nag.rules_to_suppress not exists or
   Metadata.cfn_nag.rules_to_suppress.*.id !in [ "F26", "F27" ]
   Metadata.guard.SuppressedRules not exists or
   Metadata.guard.SuppressedRules.* != "RDS_STORAGE_ENCRYPTED"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "RDS_SNAPSHOT_ENCRYPTED"
 ]
 
 

diff --git a/rules/aws/amazon_rds/tests/rds_storage_encrypted_tests.yml b/rules/aws/amazon_rds/tests/rds_storage_encrypted_tests.yml
@@ -179,3 +179,21 @@
   expectations:
     rules:
       RDS_STORAGE_ENCRYPTED: SKIP
+
+- name: RDS_SNAPSHOT_ENCRYPTED Guard suppressed, SKIP
+  input:
+    Resources:
+      ExampleRDS:
+        Type: AWS::RDS::DBInstance
+        Metadata:
+          guard:
+            SuppressedRules:
+            - RDS_SNAPSHOT_ENCRYPTED
+        Properties:
+          DBInstanceClass: !Ref DBInstanceType
+          SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
+          SourceRegion: !Ref SourceRegion
+          KmsKeyId: !Ref MyKey
+  expectations:
+    rules:
+      RDS_STORAGE_ENCRYPTED: SKIP
diff --git a/rules/aws/elasticache/elasticache_replication_group_transit_encryption.guard b/rules/aws/elasticache/elasticache_replication_group_transit_encryption.guard
@@ -33,7 +33,9 @@ let elasticache_replication_group_transit_encryption = Resources.*[ Type == 'AWS
   Metadata.cfn_nag.rules_to_suppress not exists or
   Metadata.cfn_nag.rules_to_suppress.*.id != "F33"
   Metadata.guard.SuppressedRules not exists or
-  Metadata.guard.SuppressedRules.* != "ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_AT_REST"
+  Metadata.guard.SuppressedRules.* != "ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT"
+  Metadata.guard.SuppressedRules not exists or
+  Metadata.guard.SuppressedRules.* != "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK"
   Properties.Engine == "redis"
   Properties.EngineVersion not in [ /^2\..*/, /^3\.1\..*/, /^3\.2\.5$/ ] # v3.2.6 or 4.x+
 ]

diff --git a/rules/aws/elasticache/tests/elasticache_replication_group_transit_encryption_tests.yml b/rules/aws/elasticache/tests/elasticache_replication_group_transit_encryption_tests.yml
@@ -14,7 +14,7 @@
   expectations:
     rules:
       ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
-    
+
 - name: Elasticache old (ignored) version 2.x, SKIP
   input:
     Resources:
@@ -24,7 +24,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 2.8.6
@@ -44,7 +44,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 3.2.5
@@ -64,7 +64,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 4.0.10
@@ -85,7 +85,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 4.0.10
@@ -107,7 +107,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 4.0.10
@@ -132,7 +132,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 4.0.10
@@ -161,7 +161,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 4.0.10
@@ -176,6 +176,31 @@
     rules:
       ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
 
+- name: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK Guard Suppression, SKIP
+  input:
+    Resources:
+      myReplicationGroup:
+        Type: 'AWS::ElastiCache::ReplicationGroup'
+        Properties:
+          AtRestEncryptionEnabled: false
+          ReplicationGroupDescription: my description
+          NumCacheClusters: '2'
+          Engine: redis
+          CacheNodeType: cache.m3.medium
+          AutomaticFailoverEnabled: 'true'
+          CacheSubnetGroupName: subnetgroup
+          EngineVersion: 4.0.10
+          PreferredMaintenanceWindow: 'wed:09:25-wed:22:30'
+          SnapshotRetentionLimit: '4'
+          SnapshotWindow: '03:30-05:30'
+        Metadata:
+          guard:
+            SuppressedRules:
+            - ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK: Suppressed for a very good reason
+  expectations:
+    rules:
+      ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
+
 - name: CFN_NAG & Guard Suppression, SKIP
   input:
     Resources:
@@ -185,7 +210,7 @@
           ReplicationGroupDescription: my description
           NumCacheClusters: '2'
           Engine: redis
-          CacheNodeType: cache.m3.medium    
+          CacheNodeType: cache.m3.medium
           AutomaticFailoverEnabled: 'true'
           CacheSubnetGroupName: subnetgroup
           EngineVersion: 4.0.10
@@ -202,4 +227,4 @@
             - ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: Suppressed for a very good reason
   expectations:
     rules:
-      ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
+      ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP