

Migrate AWS CodeBuild Dax DynamoDb ELB ELB_V2 ElasticCache resources …
…to cfn-guard ruleset (#268)
ysdholak authored Mar 20, 2024
1 parent 44e2c0f commit 6d23585
Showing 24 changed files with 1,808 additions and 136 deletions.
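--- /dev/null
+++ b/rules/aws/codebuild/codebuild_encryption_key_rule.guard
@@ -0,0 +1,46 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# CODEBUILD_ENCRYPTION_KEY_RULE
+#
+# Description:
+# CodeBuild project should specify an EncryptionKey value
+#
+# Reports on:
+# AWS::CodeBuild::Project
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# W32
+#
+# Scenarios:
+# a) SKIP: when there is no CodeBuild Project resource present.
+# b) PASS: when CodeBuild Project resources have Encryption Key.
+# c) FAIL: when CodeBuild Project resources does have Encryption Key.
+# d) SKIP: when metadata has rule suppression for CODEBUILD_ENCRYPTION_KEY_RULE
+
+#
+# Select all CodeBuild Project resources from incoming template (payload)
+#
+let codebuild_encryption_key_rule = Resources.*[ Type == 'AWS::CodeBuild::Project'
+Metadata.cfn_nag.rules_to_suppress not exists or
+Metadata.cfn_nag.rules_to_suppress.*.id != "W32"
+Metadata.guard.SuppressedRules not exists or
+Metadata.guard.SuppressedRules.* != "CODEBUILD_ENCRYPTION_KEY_RULE"
+]
+
+rule CODEBUILD_ENCRYPTION_KEY_RULE when %codebuild_encryption_key_rule !empty {
+%codebuild_encryption_key_rule.Type == 'AWS::CodeBuild::Project'
+%codebuild_encryption_key_rule.Properties.EncryptionKey exists
+<<
+Violation: CodeBuild project encryption key does not exist
+Fix: Specify encryption key value
+>>
+}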
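Review bot: The scenario comment `# c) FAIL: when CodeBuild Project resources does have Encryption Key.` describes the FAIL case backwards; it should read `# c) FAIL: when CodeBuild Project resources do not have an Encryption Key.` The check `Properties.EncryptionKey exists` is also satisfied by an empty value such as `EncryptionKey: ''` — that mirrors cfn_nag W32, which only tests presence, but it is worth stating in the Description, or tightening with a second clause `%codebuild_encryption_key_rule.Properties.EncryptionKey !empty` if the intent is a usable key. The clause `%codebuild_encryption_key_rule.Type == 'AWS::CodeBuild::Project'` repeats the filter already applied in the `let` and can be dropped.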
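--- /dev/null
+++ b/rules/aws/codebuild/tests/codebuild_encryption_key_rule_tests.yml
@@ -0,0 +1,194 @@
+###
+# CODEBUILD_ENCRYPTION_KEY_RULE tests
+###
+---
+- name: Empty
+input: {}
+expectations:
+rules:
+CODEBUILD_ENCRYPTION_KEY_RULE: SKIP
+
+- name: No resources
+input:
+Resources: {}
+expectations:
+rules:
+CODEBUILD_ENCRYPTION_KEY_RULE: SKIP
+
+- name: CodeBuild project with Encryption Key
+input:
+Resources:
+Project:
+Type: AWS::CodeBuild::Project
+Properties:
+Name: myProjectName
+Description: A description about my project
+ServiceRole: !GetAtt ServiceRole.Arn
+EncryptionKey: 'TestEncryptionKey'
+Artifacts:
+Type: no_artifacts
+Environment:
+Type: LINUX_CONTAINER
+ComputeType: BUILD_GENERAL1_SMALL
+Image: aws/codebuild/java:openjdk-8
+EnvironmentVariables:
+- Name: varName
+Type: varType
+Value: varValue
+Source:
+Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
+Type: S3
+TimeoutInMinutes: 10
+Tags:
+- Key: Key1
+Value: Value1
+- Key: Key2
+Value: Value2
+expectations:
+rules:
+CODEBUILD_ENCRYPTION_KEY_RULE: PASS
+
+- name: CodeBuild project where Encryption Key does not exist
+input:
+Resources:
+Project:
+Type: AWS::CodeBuild::Project
+Properties:
+Name: myProjectName
+Description: A description about my project
+ServiceRole: !GetAtt ServiceRole.Arn
+Artifacts:
+Type: no_artifacts
+Environment:
+Type: LINUX_CONTAINER
+ComputeType: BUILD_GENERAL1_SMALL
+Image: aws/codebuild/java:openjdk-8
+EnvironmentVariables:
+- Name: varName
+Type: varType
+Value: varValue
+Source:
+Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
+Type: S3
+TimeoutInMinutes: 10
+Tags:
+- Key: Key1
+Value: Value1
+- Key: Key2
+Value: Value2
+expectations:
+rules:
+CODEBUILD_ENCRYPTION_KEY_RULE: FAIL
+
+- name: CFN_NAG suppression for W32
+input:
+Resources:
+Project:
+Type: AWS::CodeBuild::Project
+Properties:
+Name: myProjectName
+Description: A description about my project
+ServiceRole: !GetAtt ServiceRole.Arn
+Artifacts:
+Type: no_artifacts
+Environment:
+Type: LINUX_CONTAINER
+ComputeType: BUILD_GENERAL1_SMALL
+Image: aws/codebuild/java:openjdk-8
+EnvironmentVariables:
+- Name: varName
+Type: varType
+Value: varValue
+Source:
+Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
+Type: S3
+TimeoutInMinutes: 10
+Tags:
+- Key: Key1
+Value: Value1
+- Key: Key2
+Value: Value2
+Metadata:
+cfn_nag:
+rules_to_suppress:
+- id: W32
+reason: Suppressed to test suppression works and skips this test
+expectations:
+rules:
+CODEBUILD_ENCRYPTION_KEY_RULE: SKIP
+
+- name: Guard suppression for CODEBUILD_ENCRYPTION_KEY_RULE
+input:
+Resources:
+Project:
+Type: AWS::CodeBuild::Project
+Properties:
+Name: myProjectName
+Description: A description about my project
+ServiceRole: !GetAtt ServiceRole.Arn
+Artifacts:
+Type: no_artifacts
+Environment:
+Type: LINUX_CONTAINER
+ComputeType: BUILD_GENERAL1_SMALL
+Image: aws/codebuild/java:openjdk-8
+EnvironmentVariables:
+- Name: varName
+Type: varType
+Value: varValue
+Source:
+Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
+Type: S3
+TimeoutInMinutes: 10
+Tags:
+- Key: Key1
+Value: Value1
+- Key: Key2
+Value: Value2
+Metadata:
+guard:
+SuppressedRules:
+- CODEBUILD_ENCRYPTION_KEY_RULE
+expectations:
+rules:
+CODEBUILD_ENCRYPTION_KEY_RULE: SKIP
+
+- name: Guard and CFN_NAG suppression for W32 & CODEBUILD_ENCRYPTION_KEY_RULE
+input:
+Resources:
+Project:
+Type: AWS::CodeBuild::Project
+Properties:
+Name: myProjectName
+Description: A description about my project
+ServiceRole: !GetAtt ServiceRole.Arn
+Artifacts:
+Type: no_artifacts
+Environment:
+Type: LINUX_CONTAINER
+ComputeType: BUILD_GENERAL1_SMALL
+Image: aws/codebuild/java:openjdk-8
+EnvironmentVariables:
+- Name: varName
+Type: varType
+Value: varValue
+Source:
+Location: codebuild-demo-test/0123ab9a371ebf0187b0fe5614fbb72c
+Type: S3
+TimeoutInMinutes: 10
+Tags:
+- Key: Key1
+Value: Value1
+- Key: Key2
+Value: Value2
+Metadata:
+cfn_nag:
+rules_to_suppress:
+- id: W32
+reason: Suppressed to test suppression works and skips this test
+guard:
+SuppressedRules:
+- CODEBUILD_ENCRYPTION_KEY_RULE
+expectations:
+rules:
+CODEBUILD_ENCRYPTION_KEY_RULE: SKIP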
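Review bot: No case exercises the other branch of the suppression filter — a project whose `cfn_nag.rules_to_suppress` lists an unrelated id must still FAIL, otherwise a typo in the `!= "W32"` clause would silently skip every suppressed-for-any-reason project. A copy of the "Encryption Key does not exist" case with `- id: W12` under `rules_to_suppress` and expectation `CODEBUILD_ENCRYPTION_KEY_RULE: FAIL` would pin that. An `EncryptionKey: ''` case is also missing; whichever way the rule is meant to treat an empty value, the suite should record it.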
4 changes: 3 additions & 1 deletion rules/aws/dax/dax_encryption_enabled.guard
Expand Up @@ -29,7 +29,9 @@
#

let dax_clusters_encryption = Resources.*[ Type == "AWS::DAX::Cluster"
Metadata.guard.SuppressedRules not exists or
Metadata.cfn_nag.rules_to_suppress not exists or
Metadata.cfn_nag.rules_to_suppress.*.id != "W83"
Metadata.guard.SuppressedRules not exists or
Metadata.guard.SuppressedRules.* != "DAX_ENCRYPTION_ENABLED"
]

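Review bot: The rule's header comment block above this hunk (outside the visible lines) presumably still documents only the Guard suppression; with the new `Metadata.cfn_nag.rules_to_suppress.*.id != "W83"` clause it should gain a `# CFN_NAG Rule Id:` / `# W83` entry and a SKIP scenario for the cfn_nag suppression, matching the header the new codebuild rule carries. The `let dax_clusters_encryption` filter is closed in the hunk but the rule body that consumes it lies past the end of the visible lines.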
22 changes: 22 additions & 0 deletions rules/aws/dax/tests/dax_encryption_enabled_tests.yml
Expand Up @@ -36,6 +36,28 @@
rules:
DAX_ENCRYPTION_ENABLED: SKIP

- name: Scenario b) SSESpecification not provided but rule suppressed, SKIP
input:
Resources:
daxCluster:
Type: AWS::DAX::Cluster
Metadata:
cfn_nag:
rules_to_suppress:
- id: W83
reason: Suppressed for a very good reason
Properties:
ClusterName: "MyDAXCluster"
NodeType: "dax.r3.large"
ReplicationFactor: 1
IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess"
Description: "DAX cluster created with CloudFormation"
SubnetGroupName: !Ref subnetGroup
ClusterEndpointEncryptionType: TLS
expectations:
rules:
DAX_ENCRYPTION_ENABLED: SKIP

- name: Scenario c) SSESpecification configuration missing, FAIL
input:
Resources:
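Review bot: The new case is named `Scenario b) SSESpecification not provided but rule suppressed, SKIP`, which appears to reuse the label of the case that ends just above it (its expectation `DAX_ENCRYPTION_ENABLED: SKIP` is the context line), so two tests now share a scenario letter. A name such as `Scenario b) SSESpecification not provided but cfn_nag W83 suppressed, SKIP` keeps the two distinguishable in test output. Unlike the codebuild suite there is no combined cfn_nag-plus-Guard suppression case here, and no case confirming that a suppression for a different cfn_nag id still yields FAIL.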
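--- /dev/null
+++ b/rules/aws/dynamodb/dynamodb_billing_mode_rule.guard
@@ -0,0 +1,54 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# DYNAMODB_BILLING_MODE_RULE
+#
+# Description:
+# DynamoDB table should have billing mode set to either PAY_PER_REQUEST or PROVISIONED.
+#
+# Reports on:
+# AWS::DynamoDB::Table
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# W73
+#
+# Scenarios:
+# a) SKIP: when there are no DynamoDb Table resources present
+# b) PASS: When all DynamoDb Table resources uses billingMode as PAY_PER_REQUEST or PROVISIONED
+# c) FAIL: When any DynamoDb Table resources uses billingMode not as PAY_PER_REQUEST or PROVISIONED or billingMode is not specified.
+# d) SKIP: when metadata has rule suppression for DYNAMODB_BILLING_MODE_RULE
+
+#
+# Select all DynamoDb Table resources from incoming template (payload)
+#
+let dynamodb_billing_mode_rule = Resources.*[ Type == 'AWS::DynamoDB::Table'
+Metadata.cfn_nag.rules_to_suppress not exists or
+Metadata.cfn_nag.rules_to_suppress.*.id != "W73"
+Metadata.guard.SuppressedRules not exists or
+Metadata.guard.SuppressedRules.* != "DYNAMODB_BILLING_MODE_RULE"
+]
+
+rule DYNAMODB_BILLING_MODE_RULE when %dynamodb_billing_mode_rule !empty {
+let violations = %dynamodb_billing_mode_rule[
+Properties.BillingMode !exists
+OR
+Properties {
+BillingMode != 'PAY_PER_REQUEST'
+BillingMode != 'PROVISIONED'
+}
+]
+
+%violations empty
+<<
+Violation: DynamoDb Table resources uses billingMode not as PAY_PER_REQUEST or PROVISIONED or billingMode is not specified.
+Fix: Specify billingMode as PAY_PER_REQUEST or PROVISIONED.
+>>
+}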
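Review bot: `BillingMode != 'PAY_PER_REQUEST'` and `BillingMode != 'PROVISIONED'` compare against string literals, so a template that parameterises the mode (`BillingMode: !Ref BillingModeParam`) is reported as a violation even though it can only resolve to one of the two allowed values at deploy time; this should be stated under Scenarios, or the `Ref` case handled explicitly (e.g. a `Properties.BillingMode is_string` guard, if the cfn-guard version in use supports the type checks). The FAIL on `Properties.BillingMode !exists` is deliberately stricter than the service, which treats an omitted BillingMode as PROVISIONED per the AWS::DynamoDB::Table documentation — the Description line should say the rule requires the mode to be set explicitly, not merely valid. No `tests/dynamodb_billing_mode_rule_tests.yml` is visible in this part of the page; if it exists further down, a `!Ref` input and an absent-Properties input are the cases worth adding.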
2 changes: 2 additions & 0 deletions rules/aws/dynamodb/dynamodb_pitr_enabled.guard
Expand Up @@ -29,6 +29,8 @@
# Select all DynamoDB Table resources from incoming template (payload)
#
let dynamodb_pitr_enabled = Resources.*[ Type == "AWS::DynamoDB::Table"
Metadata.cfn_nag.rules_to_suppress not exists or
Metadata.cfn_nag.rules_to_suppress.*.id != "W78"
Metadata.guard.SuppressedRules not exists or
Metadata.guard.SuppressedRules.* != "DYNAMODB_PITR_ENABLED"
]
2 changes: 2 additions & 0 deletions rules/aws/dynamodb/dynamodb_table_encrypted_kms.guard
Expand Up @@ -25,6 +25,8 @@
# d) PASS: when all DynamoDB Tables are encrypted with KMS

let dynamodb_table_encrypted_kms = Resources.*[ Type == "AWS::DynamoDB::Table"
Metadata.cfn_nag.rules_to_suppress not exists or
Metadata.cfn_nag.rules_to_suppress.*.id != "W74"
Metadata.guard.SuppressedRules not exists or
Metadata.guard.SuppressedRules.* != "DYNAMODB_TABLE_ENCRYPTED_KMS"
]
