Top Level Namespace

Defined Under Namespace

Modules: IpAddr, ViolationFiltering

Classes: AmazonMQBrokerUserPasswordRule, AmplifyAppBasicAuthConfigPasswordRule, ApiGatewayAccessLoggingRule, BaseRule, BatchJobDefinitionContainerPropertiesPrivilegedRule, BlackListLoader, BooleanBaseRule, CfnNag, CfnNagConfig, CfnNagExecutor, CfnNagLogging, CfnNagRuleDumper, CloudFormationAuthenticationRule, CloudFrontDistributionAccessLoggingRule, CodeBuildEncryptionKeyRule, ColoredStdoutResults, CustomRuleLoader, DMSEndpointPasswordRule, DirectoryServiceMicrosoftADPasswordRule, DirectoryServiceSimpleADPasswordRule, EC2SubnetMapPublicIpOnLaunchRule, EFSFileSystemEncryptedRule, EbsVolumeEncryptionKeyRule, EbsVolumeHasSseRule, ElastiCacheReplicationGroupAtRestEncryptionRule, ElastiCacheReplicationGroupTransitEncryptionRule, ElasticLoadBalancerAccessLoggingRule, IamManagedPolicyNotActionRule, IamManagedPolicyNotResourceRule, IamManagedPolicyPassRoleWildcardResourceRule, IamManagedPolicyWildcardActionRule, IamManagedPolicyWildcardResourceRule, IamPolicyNotActionRule, IamPolicyNotResourceRule, IamPolicyPassRoleWildcardResourceRule, IamPolicyWildcardActionRule, IamPolicyWildcardResourceRule, IamRoleAdministratorAccessPolicyRule, IamRoleElevatedManagedPolicyRule, IamRoleNotActionOnPermissionsPolicyRule, IamRoleNotActionOnTrustPolicyRule, IamRoleNotPrincipalOnTrustPolicyRule, IamRoleNotResourceOnPermissionsPolicyRule, IamRolePassRoleWildcardResourceRule, IamRoleWildcardActionOnPermissionsPolicyRule, IamRoleWildcardActionOnTrustPolicyRule, IamRoleWildcardResourceOnPermissionsPolicyRule, IamUserLoginProfilePasswordResetRule, IamUserLoginProfilePasswordRule, IotPolicyWildcardActionRule, IotPolicyWildcardResourceRule, JmesPathDiscovery, JmesPathEvaluator, JsonResults, KMSKeyRotationRule, LambdaPermissionInvokeFunctionActionRule, LambdaPermissionWildcardPrincipalRule, ManagedPolicyOnUserRule, MissingBucketPolicyRule, NeptuneDBClusterStorageEncryptedRule, OpsWorksStackRdsDbInstancePasswordRule, Options, PassRoleBaseRule, PasswordBaseRule, PolicyOnUserRule, ProfileLoader, RDSDBClusterMasterUserPasswordRule, RDSDBClusterStorageEncryptedRule, RDSDBInstanceMasterUserPasswordRule, RDSDBInstanceMasterUsernameRule, RDSDBInstanceStorageEncryptedRule, RDSInstancePubliclyAccessibleRule, RedshiftClusterEncryptedRule, RedshiftClusterMasterUserPasswordRule, ResourceWithExplicitNameRule, RuleDefinition, RuleIdSet, RuleRegistry, RulesView, S3BucketAccessLoggingRule, S3BucketEncryptionSetRule, S3BucketPolicyNotActionRule, S3BucketPolicyNotPrincipalRule, S3BucketPolicyWildcardActionRule, S3BucketPolicyWildcardPrincipalRule, S3BucketPublicReadAclRule, S3BucketPublicReadWriteAclRule, SecurityGroupEgressAllProtocolsRule, SecurityGroupEgressOpenToWorldRule, SecurityGroupEgressPortRangeRule, SecurityGroupIngressAllProtocolsRule, SecurityGroupIngressCidrNon32Rule, SecurityGroupIngressOpenToWorldRule, SecurityGroupIngressPortRangeRule, SecurityGroupMissingEgressRule, SecurityGroupRuleDescriptionRule, SimpleStdoutResults, SnsTopicPolicyNotActionRule, SnsTopicPolicyNotPrincipalRule, SnsTopicPolicyWildcardPrincipalRule, SqsQueuePolicyNotActionRule, SqsQueuePolicyNotPrincipalRule, SqsQueuePolicyWildcardActionRule, SqsQueuePolicyWildcardPrincipalRule, StdoutResults, TemplateDiscovery, UserHasInlinePolicyRule, UserMissingGroupRule, Violation, WafWebAclDefaultActionRule, WorkspacesWorkspaceEncryptionRule


Instance Method Details

#blank?(str) ⇒ Boolean

Checks whether a string is missing (nil), empty, or contains only whitespace.

Returns:

  • (Boolean)


# File 'lib/cfn-nag/util/blank.rb', line 4

def blank?(str)
  str.nil? || str.to_s.strip == ''
end

#insecure_parameter?(cfn_model, key_to_check) ⇒ Boolean

Returns false if the provided key_to_check is a Ref to a NoEcho parameter without a default value; true otherwise. Only applicable to a hash.

Returns:

  • (Boolean)


# File 'lib/cfn-nag/util/enforce_reference_parameter.rb', line 8

def insecure_parameter?(cfn_model, key_to_check)
  # We only want to perform the check against a hash
  return false unless key_to_check.is_a? Hash

  # We don't care if any other intrinsic function is used here. We only want to
  # verify that Ref is being used properly
  return false unless key_to_check.key? 'Ref'

  # Check if the key parameter is Ref and if that corresponding reference is
  # setup securely by stating NoEcho=true & Default is not present
  if cfn_model.parameters.key? key_to_check['Ref']
    parameter = cfn_model.parameters[key_to_check['Ref']]
    if truthy?(parameter.noEcho) && parameter.default.nil?
      return false
    end
  end

  # Otherwise key_to_check is a Ref whose target is not a template parameter,
  # lacks NoEcho=true, or carries a Default: report it as insecure
  true
end

#insecure_string_or_dynamic_reference?(_cfn_model, key_to_check) ⇒ Boolean

Returns false if the provided key_to_check is a dynamic reference to SSM SecureString or Secrets Manager; true otherwise. Only applicable to a string.

Returns:

  • (Boolean)


# File 'lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb', line 6

def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
  # We only want to perform the check against a string
  return false unless key_to_check.is_a? String

  # Check if string starts with a Dynamic Reference pointing to SecretsManager
  # or SSM Secure
  if key_to_check.start_with?(
    '{{resolve:secretsmanager:',
    '{{resolve:ssm-secure:'
  )
    # Verify that the secure string ends properly with the double curly braces
    if key_to_check.end_with? '}}'
      return false
    end
  end

  # Return true if key_to_check is a string and is not a complete secured
  # dynamic reference (Secrets Manager or SSM SecureString)
  true
end
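The two helpers above are meant to be run together against a password-like property: a Ref is acceptable only when its parameter is NoEcho with no Default, and a literal only when it is a complete Secrets Manager or SSM SecureString dynamic reference. This added example (not cfn-nag's own code) restates both helpers with the same semantics, combines them in an assumed `insecure_secret_property?` check, and classifies a set of constructed property values; `Parameter`, `CfnModel` and the sample template data are stand-ins built here.

```ruby
# Stand-ins for the parsed-template objects the helpers read (constructed here;
# cfn-model's real objects are richer).
Parameter = Struct.new(:noEcho, :default)
CfnModel  = Struct.new(:parameters)

# Same semantics as insecure_parameter? on this page: a Ref passes only when it
# points at a parameter with NoEcho=true (the page's truthy? test, inlined) and no Default.
def insecure_parameter?(cfn_model, key_to_check)
  return false unless key_to_check.is_a?(Hash) && key_to_check.key?('Ref')
  param = cfn_model.parameters[key_to_check['Ref']]
  return false if param && param.noEcho.to_s.casecmp('true').zero? && param.default.nil?
  true
end

# Same semantics as insecure_string_or_dynamic_reference? on this page: a string
# passes only as a complete Secrets Manager or SSM SecureString dynamic reference.
def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
  return false unless key_to_check.is_a?(String)
  prefixes = ['{{resolve:secretsmanager:', '{{resolve:ssm-secure:']
  return false if key_to_check.start_with?(*prefixes) && key_to_check.end_with?('}}')
  true
end

# Assumed combination (not on the page): a password-like property is flagged when
# either helper objects to the value it carries.
def insecure_secret_property?(cfn_model, value)
  insecure_parameter?(cfn_model, value) || insecure_string_or_dynamic_reference?(cfn_model, value)
end

# Constructed Parameters section plus a set of property values to classify.
SAMPLE_MODEL = CfnModel.new({
  'DbPassword'  => Parameter.new('true', nil),      # NoEcho, no Default: acceptable
  'DbPassword2' => Parameter.new(true, 'changeme'), # NoEcho but carries a Default
  'DbUser'      => Parameter.new(nil, 'admin')      # NoEcho not set at all
})
SAMPLE_VALUES = {
  'literal' => 'hunter2', 'ssm_plain' => '{{resolve:ssm:/prod/db/password:1}}',
  'secrets_mgr' => '{{resolve:secretsmanager:prod/db:SecretString:password}}',
  'ssm_secure' => '{{resolve:ssm-secure:/prod/db/password:1}}',
  'unterminated' => '{{resolve:ssm-secure:/prod/db/password', 'ref_noecho' => { 'Ref' => 'DbPassword' },
  'ref_default' => { 'Ref' => 'DbPassword2' }, 'ref_plain' => { 'Ref' => 'DbUser' },
  'ref_unknown' => { 'Ref' => 'NotAParameter' }, 'other_function' => { 'Fn::GetAtt' => %w[Secret Value] }
}.freeze

# Returns { sample name => true when that value would be flagged as insecure }.
def classify_sample_values(model = SAMPLE_MODEL)
  SAMPLE_VALUES.transform_values { |v| insecure_secret_property?(model, v) }
end
```

Note that a plain `{{resolve:ssm:...}}` reference and an unterminated secure reference are both flagged, while a Ref to a non-parameter (or any non-Ref intrinsic) is left to other rules.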

#not_truthy?(string) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/cfn-nag/util/truthy.rb', line 9

def not_truthy?(string)
  string.nil? || string.to_s.casecmp('false').zero?
end

#truthy?(string) ⇒ Boolean

Checks a string for truthiness. Any cased ‘true’ will evaluate to a true boolean. Any other string _at all_ results in false.

Returns:

  • (Boolean)


# File 'lib/cfn-nag/util/truthy.rb', line 5

def truthy?(string)
  string.to_s.casecmp('true').zero?
end

#wildcard_patterns(input, pattern_types: %w[front back both]) ⇒ Object

Creates an array of wildcard patterns for a given input string.



# File 'lib/cfn-nag/util/wildcard_patterns.rb', line 5

def wildcard_patterns(input, pattern_types: %w[front back both])
  input_string = input.to_s
  results = [input_string]
  pattern_types.each do |pattern_type|
    case pattern_type
    when 'front'
      results += wildcard_front(input_string)
    when 'back'
      results += wildcard_back(input_string)
    when 'both'
      results += wildcard_front_back(input_string)
    else
      raise "no pattern of type: #{pattern_type}. Use one or more of: front, back, both"
    end
  end
  results + ['*']
end