diff --git a/rules/aws/amazon_ec2/encrypted_volumes.guard b/rules/aws/amazon_ec2/encrypted_volumes.guard
index abd98dc..6693419 100644
--- a/rules/aws/amazon_ec2/encrypted_volumes.guard
+++ b/rules/aws/amazon_ec2/encrypted_volumes.guard
@@ -6,7 +6,7 @@
 # ENCRYPTED_VOLUMES
 #
 # Description:
-# Checks if the EBS volumes that are in an attached state are encrypted.
+# Checks if the EBS volumes that are in an attached state are encrypted.
 #
 # Reports on:
 # AWS::EC2::Volume
@@ -22,18 +22,20 @@
 #
 # Scenarios:
 # a) SKIP: when there are no EBS volume resources present
-# b) PASS: when all EBS volumes have the KmsKeyId property set or the Encrypted property set to true
+# b) PASS: when all EBS volumes have the KmsKeyId property set or the Encrypted property set to true
 # c) FAIL: when any EC2 volumes do not have the KmsKeyId or Encrypted property set
 # e) SKIP: hen metadata includes the suppression for rule ENCRYPTED_VOLUMES
 #
 # Select all EC2 Instance resources from incoming template (payload)
 #
-let ebs_volumes_encrypted = Resources.*[ Type == 'AWS::EC2::Volume'
- Metadata.cfn_nag.rules_to_suppress not exists or
+let ebs_volumes_encrypted = Resources.*[ Type == 'AWS::EC2::Volume'
+ Metadata.cfn_nag.rules_to_suppress not exists or
 Metadata.cfn_nag.rules_to_suppress.*.id != "F1"
 Metadata.guard.SuppressedRules not exists or
 Metadata.guard.SuppressedRules.* != "ENCRYPTED_VOLUMES"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "EC2_EBS_ENCRYPTION_BY_DEFAULT"
 ]
 rule ENCRYPTED_VOLUMES when %ebs_volumes_encrypted !empty {
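Review bot: The two clauses appended to the `ebs_volumes_encrypted` filter make a template that suppresses only EC2_EBS_ENCRYPTION_BY_DEFAULT skip ENCRYPTED_VOLUMES as well, and nothing in the file says so: scenario e) in the header still names ENCRYPTED_VOLUMES alone, so someone reading the rule or a SKIP in its output would not expect the second name to disable it. If the two names are meant to denote the same control, state that where it takes effect, e.g. `# EC2_EBS_ENCRYPTION_BY_DEFAULT covers the same control; honour its suppression here too` above the new clauses, and extend scenario e) to list both names (it also reads "hen" for "when"). The rds_storage_encrypted.guard hunk (RDS_SNAPSHOT_ENCRYPTED) and the elasticache_replication_group_transit_encryption.guard hunk (ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK) widen suppression the same way, and in the ElastiCache case a backup-retention suppression now silences a transport-encryption check, which is hard to read as an alias of the same control. A suppression is a deliberate, per-rule acceptance of risk, so each cross-rule suppression should be documented in its header and, unless the test files already have one, backed by a case showing that suppressing an unrelated name does not skip the rule — the new tests only cover the SKIP direction.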
@@ -45,7 +47,7 @@ rule ENCRYPTED_VOLUMES when %ebs_volumes_encrypted !empty {
 %violations empty << Violation: EBS volumes in an attached state must be encrypted.
- Fix: Set the KmsKeyId property to a key ID, key alias, key ARN, or alias ARN
- or set the Encrypted property to true to encrypt the volume with the account default key or AWS managed key.
+ Fix: Set the KmsKeyId property to a key ID, key alias, key ARN, or alias ARN
+ or set the Encrypted property to true to encrypt the volume with the account default key or AWS managed key.
 >>
-}
\ No newline at end of file
+}
diff --git a/rules/aws/amazon_ec2/tests/encrypted_volumes_tests.yml b/rules/aws/amazon_ec2/tests/encrypted_volumes_tests.yml
index d333ea3..b8f2b39 100644
--- a/rules/aws/amazon_ec2/tests/encrypted_volumes_tests.yml
+++ b/rules/aws/amazon_ec2/tests/encrypted_volumes_tests.yml
@@ -98,3 +98,19 @@
 expectations:
 rules:
 ENCRYPTED_VOLUMES: SKIP
+
+- name: EC2 Volume without KmsKeyId or Encrypted properties set but rule EC2_EBS_ENCRYPTION_BY_DEFAULT suppressed, SKIP
+ input:
+ Resources:
+ ExampleVolume:
+ Type: AWS::EC2::Volume
+ Metadata:
+ guard:
+ SuppressedRules:
+ - EC2_EBS_ENCRYPTION_BY_DEFAULT
+ Properties:
+ AvailabilityZone: !Ref pAz
+ Size: !Ref pSize
+ expectations:
+ rules:
+ ENCRYPTED_VOLUMES: SKIP
diff --git a/rules/aws/amazon_rds/rds_storage_encrypted.guard b/rules/aws/amazon_rds/rds_storage_encrypted.guard
index c4f2e41..e4b9e9f 100644
--- a/rules/aws/amazon_rds/rds_storage_encrypted.guard
+++ b/rules/aws/amazon_rds/rds_storage_encrypted.guard
@@ -33,10 +33,12 @@
 # Select all RDS instance resources from incoming template (payload)
 #
 let aws_rds_instances_storage_encrypted = Resources.*[ Type in [ /AWS::RDS::DBInstance/, /AWS::RDS::DBCluster/ ]
- Metadata.cfn_nag.rules_to_suppress not exists or
+ Metadata.cfn_nag.rules_to_suppress not exists or
 Metadata.cfn_nag.rules_to_suppress.*.id !in [ "F26", "F27" ]
 Metadata.guard.SuppressedRules not exists or
 Metadata.guard.SuppressedRules.* != "RDS_STORAGE_ENCRYPTED"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "RDS_SNAPSHOT_ENCRYPTED"
 ]
diff --git a/rules/aws/amazon_rds/tests/rds_storage_encrypted_tests.yml b/rules/aws/amazon_rds/tests/rds_storage_encrypted_tests.yml
index baa8a1a..3c78551 100644
--- a/rules/aws/amazon_rds/tests/rds_storage_encrypted_tests.yml
+++ b/rules/aws/amazon_rds/tests/rds_storage_encrypted_tests.yml
@@ -179,3 +179,21 @@
 expectations:
 rules:
 RDS_STORAGE_ENCRYPTED: SKIP
+
+- name: RDS_SNAPSHOT_ENCRYPTED Guard suppressed, SKIP
+ input:
+ Resources:
+ ExampleRDS:
+ Type: AWS::RDS::DBInstance
+ Metadata:
+ guard:
+ SuppressedRules:
+ - RDS_SNAPSHOT_ENCRYPTED
+ Properties:
+ DBInstanceClass: !Ref DBInstanceType
+ SourceDBInstanceIdentifier: !Ref SourceDBInstanceIdentifier
+ SourceRegion: !Ref SourceRegion
+ KmsKeyId: !Ref MyKey
+ expectations:
+ rules:
+ RDS_STORAGE_ENCRYPTED: SKIP
diff --git a/rules/aws/elasticache/elasticache_replication_group_transit_encryption.guard b/rules/aws/elasticache/elasticache_replication_group_transit_encryption.guard
index 158e2d4..4b8c84b 100644
--- a/rules/aws/elasticache/elasticache_replication_group_transit_encryption.guard
+++ b/rules/aws/elasticache/elasticache_replication_group_transit_encryption.guard
@@ -33,7 +33,9 @@ let elasticache_replication_group_transit_encryption = Resources.*[ Type == 'AWS
 Metadata.cfn_nag.rules_to_suppress not exists or
 Metadata.cfn_nag.rules_to_suppress.*.id != "F33"
 Metadata.guard.SuppressedRules not exists or
- Metadata.guard.SuppressedRules.* != "ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_AT_REST"
+ Metadata.guard.SuppressedRules.* != "ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT"
+ Metadata.guard.SuppressedRules not exists or
+ Metadata.guard.SuppressedRules.* != "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK"
 Properties.Engine == "redis"
 Properties.EngineVersion not in [ /^2\..*/, /^3\.1\..*/, /^3\.2\.5$/ ] # v3.2.6 or 4.x+
 ]
diff --git a/rules/aws/elasticache/tests/elasticache_replication_group_transit_encryption_tests.yml b/rules/aws/elasticache/tests/elasticache_replication_group_transit_encryption_tests.yml
index dbf9f31..e08af77 100644
--- a/rules/aws/elasticache/tests/elasticache_replication_group_transit_encryption_tests.yml
+++ b/rules/aws/elasticache/tests/elasticache_replication_group_transit_encryption_tests.yml
@@ -14,7 +14,7 @@
 expectations:
 rules:
 ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
-
+
 - name: Elasticache old (ignored) version 2.x, SKIP
 input:
 Resources:
@@ -24,7 +24,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 2.8.6
@@ -44,7 +44,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 3.2.5
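Review bot: Replacing `ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_AT_REST` with `ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT` in the `SuppressedRules.*` clause is a behaviour change for existing templates, not just a rename: a template that suppressed the AT_REST name — which, per the removed line, used to skip this in-transit rule — is evaluated after this commit and may start to FAIL, and no test in the diff pins that the AT_REST name no longer causes a SKIP. Add a case to rules/aws/elasticache/tests/elasticache_replication_group_transit_encryption_tests.yml whose `SuppressedRules` lists only `- ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_AT_REST` and expects the same result the unsuppressed template gets rather than SKIP, and record the change in the rule header or changelog so users of that suppression know why results moved. The `let` block being edited begins on the hunk's header line, outside the hunk.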
@@ -64,7 +64,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 4.0.10
@@ -85,7 +85,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 4.0.10
@@ -107,7 +107,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 4.0.10
@@ -132,7 +132,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 4.0.10
@@ -161,7 +161,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 4.0.10
@@ -176,6 +176,31 @@
 rules:
 ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
+- name: ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK Guard Suppression, SKIP
+ input:
+ Resources:
+ myReplicationGroup:
+ Type: 'AWS::ElastiCache::ReplicationGroup'
+ Properties:
+ AtRestEncryptionEnabled: false
+ ReplicationGroupDescription: my description
+ NumCacheClusters: '2'
+ Engine: redis
+ CacheNodeType: cache.m3.medium
+ AutomaticFailoverEnabled: 'true'
+ CacheSubnetGroupName: subnetgroup
+ EngineVersion: 4.0.10
+ PreferredMaintenanceWindow: 'wed:09:25-wed:22:30'
+ SnapshotRetentionLimit: '4'
+ SnapshotWindow: '03:30-05:30'
+ Metadata:
+ guard:
+ SuppressedRules:
+ - ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK: Suppressed for a very good reason
+ expectations:
+ rules:
+ ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
+
 - name: CFN_NAG & Guard Suppression, SKIP
 input:
 Resources:
@@ -185,7 +210,7 @@
 ReplicationGroupDescription: my description
 NumCacheClusters: '2'
 Engine: redis
- CacheNodeType: cache.m3.medium
+ CacheNodeType: cache.m3.medium
 AutomaticFailoverEnabled: 'true'
 CacheSubnetGroupName: subnetgroup
 EngineVersion: 4.0.10
@@ -202,4 +227,4 @@
 - ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: Suppressed for a very good reason
 expectations:
 rules:
- ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP
\ No newline at end of file
+ ELASTICACHE_REPLICATION_GROUP_ENCRYPTION_IN_TRANSIT: SKIP