Top Level Namespace
Defined Under Namespace
Modules: IpAddr, ViolationFiltering
Classes: AlexaASKSkillAuthenticationConfigurationClientSecretRule, AlexaASKSkillAuthenticationConfigurationRefreshTokenRule, AmazonMQBrokerEncryptionOptionsRule, AmazonMQBrokerUsersPasswordRule, AmplifyAppAccessTokenRule, AmplifyAppBasicAuthConfigPasswordRule, AmplifyAppOauthTokenRule, AmplifyBranchBasicAuthConfigPasswordRule, ApiGatewayAccessLoggingRule, ApiGatewayV2AccessLoggingRule, AppStreamDirectoryConfigServiceAccountCredentialsAccountPasswordRule, BaseRule, BatchJobDefinitionContainerPropertiesPrivilegedRule, BlackListLoader, BooleanBaseRule, CfnNag, CfnNagConfig, CfnNagExecutor, CfnNagLogging, CfnNagRuleDumper, CloudFormationAuthenticationRule, CloudFrontDistributionAccessLoggingRule, CodeBuildEncryptionKeyRule, ColoredStdoutResults, CustomRuleLoader, DMSEndpointMongoDbSettingsPasswordRule, DMSEndpointPasswordRule, DirectoryServiceMicrosoftADPasswordRule, DirectoryServiceSimpleADPasswordRule, EC2SubnetMapPublicIpOnLaunchRule, EFSFileSystemEncryptedRule, EMRClusterKerberosAttributesADDomainJoinPasswordRule, EMRClusterKerberosAttributesCrossRealmTrustPrincipalPasswordRule, EMRClusterKerberosAttributesKdcAdminPasswordRule, EbsVolumeEncryptionKeyRule, EbsVolumeHasSseRule, ElastiCacheReplicationGroupAtRestEncryptionRule, ElastiCacheReplicationGroupTransitEncryptionRule, ElasticLoadBalancerAccessLoggingRule, ElasticLoadBalancerV2AccessLoggingRule, ElasticsearchDomainEncryptionAtRestOptionsRule, IAMUserLoginProfilePasswordRule, IamManagedPolicyNotActionRule, IamManagedPolicyNotResourceRule, IamManagedPolicyPassRoleWildcardResourceRule, IamManagedPolicyWildcardActionRule, IamManagedPolicyWildcardResourceRule, IamPolicyNotActionRule, IamPolicyNotResourceRule, IamPolicyPassRoleWildcardResourceRule, IamPolicyWildcardActionRule, IamPolicyWildcardResourceRule, IamRoleAdministratorAccessPolicyRule, IamRoleElevatedManagedPolicyRule, IamRoleNotActionOnPermissionsPolicyRule, IamRoleNotActionOnTrustPolicyRule, IamRoleNotPrincipalOnTrustPolicyRule, IamRoleNotResourceOnPermissionsPolicyRule, IamRolePassRoleWildcardResourceRule, IamRoleWildcardActionOnPermissionsPolicyRule, IamRoleWildcardActionOnTrustPolicyRule, IamRoleWildcardResourceOnPermissionsPolicyRule, IamUserLoginProfilePasswordResetRule, IotPolicyWildcardActionRule, IotPolicyWildcardResourceRule, JmesPathDiscovery, JmesPathEvaluator, JsonResults, KMSKeyRotationRule, KMSKeyWildcardPrincipalRule, KinesisFirehoseDeliveryStreamRedshiftDestinationConfigurationPasswordRule, KinesisFirehoseDeliveryStreamSplunkDestinationConfigurationHECTokenRule, KinesisStreamStreamEncryptionRule, LambdaPermissionInvokeFunctionActionRule, LambdaPermissionWildcardPrincipalRule, ManagedPolicyOnUserRule, MissingBucketPolicyRule, NeptuneDBClusterStorageEncryptedRule, OpsWorksAppAppSourcePasswordRule, OpsWorksAppSslConfigurationPrivateKeyRule, OpsWorksStackCustomCookbooksSourcePasswordRule, OpsWorksStackRdsDbInstancesDbPasswordRule, Options, PassRoleBaseRule, PasswordBaseRule, PinpointAPNSChannelPrivateKeyRule, PinpointAPNSChannelTokenKeyRule, PinpointAPNSSandboxChannelPrivateKeyRule, PinpointAPNSSandboxChannelTokenKeyRule, PinpointAPNSVoipChannelPrivateKeyRule, PinpointAPNSVoipChannelTokenKeyRule, PinpointAPNSVoipSandboxChannelPrivateKeyRule, PinpointAPNSVoipSandboxChannelTokenKeyRule, PolicyOnUserRule, ProfileLoader, RDSDBClusterMasterUserPasswordRule, RDSDBClusterStorageEncryptedRule, RDSDBInstanceMasterUserPasswordRule, RDSDBInstanceMasterUsernameRule, RDSDBInstanceStorageEncryptedRule, RDSInstancePubliclyAccessibleRule, RedshiftClusterEncryptedRule, RedshiftClusterMasterUserPasswordRule, ResourceWithExplicitNameRule, RuleDefinition, RuleIdSet, RuleRegistry, RulesView, S3BucketAccessLoggingRule, S3BucketEncryptionSetRule, S3BucketPolicyNotActionRule, S3BucketPolicyNotPrincipalRule, S3BucketPolicyWildcardActionRule, S3BucketPolicyWildcardPrincipalRule, S3BucketPublicReadAclRule, S3BucketPublicReadWriteAclRule, SecurityGroupEgressAllProtocolsRule, SecurityGroupEgressOpenToWorldRule, SecurityGroupEgressPortRangeRule, SecurityGroupIngressAllProtocolsRule, SecurityGroupIngressCidrNon32Rule, SecurityGroupIngressOpenToWorldRule, SecurityGroupIngressPortRangeRule, SecurityGroupMissingEgressRule, SecurityGroupRuleDescriptionRule, SimpleStdoutResults, SnsTopicKmsMasterKeyIdRule, SnsTopicPolicyNotActionRule, SnsTopicPolicyNotPrincipalRule, SnsTopicPolicyWildcardPrincipalRule, SqsQueueKmsMasterKeyIdRule, SqsQueuePolicyNotActionRule, SqsQueuePolicyNotPrincipalRule, SqsQueuePolicyWildcardActionRule, SqsQueuePolicyWildcardPrincipalRule, StdoutResults, SubPropertyWithListPasswordBaseRule, TemplateDiscovery, UserHasInlinePolicyRule, UserMissingGroupRule, Violation, WafWebAclDefaultActionRule, WorkspacesWorkspaceEncryptionRule
Instance Method Summary
- #blank?(str) ⇒ Boolean
  Checks a string for being missing, empty, or only containing spaces.
- #insecure_parameter?(cfn_model, key_to_check) ⇒ Boolean
  Returns false if the provided key_to_check is a no-echo parameter without a default value; true otherwise.
- #insecure_string_or_dynamic_reference?(_cfn_model, key_to_check) ⇒ Boolean
  Returns false if the provided key_to_check is a dynamic reference to SSM Secure or Secrets Manager; true otherwise.
- #not_truthy?(string) ⇒ Boolean
  Returns true if the string is nil or any-cased 'false'; any other value results in false.
- #truthy?(string) ⇒ Boolean
  Checks a string for truthiness.
- #wildcard_patterns(input, pattern_types: %w[front back both]) ⇒ Object
  Create an array of wildcard patterns for a given input string.
Instance Method Details
#blank?(str) ⇒ Boolean
Checks a string for being missing, empty, or only containing spaces.

    # File 'lib/cfn-nag/util/blank.rb', line 4
    def blank?(str)
      str.nil? || str.to_s.strip == ''
    end
#insecure_parameter?(cfn_model, key_to_check) ⇒ Boolean
Returns false if the provided key_to_check is a no-echo parameter without a default value; true otherwise. Only applicable for a hash.

    # File 'lib/cfn-nag/util/enforce_reference_parameter.rb', line 8
    def insecure_parameter?(cfn_model, key_to_check)
      # We only want to perform the check against a hash
      return false unless key_to_check.is_a? Hash

      # We don't care if any other intrinsic function is used here. We only want to
      # verify that Ref is being used properly
      return false unless key_to_check.key? 'Ref'

      # Check if the key parameter is Ref and if that corresponding reference is
      # set up securely by stating NoEcho=true and omitting Default
      if cfn_model.parameters.key? key_to_check['Ref']
        parameter = cfn_model.parameters[key_to_check['Ref']]
        if truthy?(parameter.noEcho) && parameter.default.nil?
          return false
        end
      end

      # Return true: key_to_check is a Ref to a parameter that is not NoEcho,
      # that has a non-nil Default, or that is not declared in the template
      true
    end
#insecure_string_or_dynamic_reference?(_cfn_model, key_to_check) ⇒ Boolean
Returns false if the provided key_to_check is a dynamic reference to SSM Secure or Secrets Manager; true otherwise. Only applicable for a string.

    # File 'lib/cfn-nag/util/enforce_string_or_dynamic_reference.rb', line 6
    def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
      # We only want to perform the check against a string
      return false unless key_to_check.is_a? String

      # Check if string starts with a Dynamic Reference pointing to SecretsManager
      # or SSM Secure
      if key_to_check.start_with?(
        '{{resolve:secretsmanager:',
        '{{resolve:ssm-secure:'
      )
        # Verify that the secure string ends properly with the double curly braces
        if key_to_check.end_with? '}}'
          return false
        end
      end

      # Return true if key_to_check is a string and is not calling a secured
      # dynamic reference pattern (Secrets Manager or SSM-Secure)
      true
    end
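Added example (not code from the cfn_nag project): it reproduces the two secret-handling utilities above and runs them over constructed CloudFormation property values, combining them in a hypothetical insecure_password_value? check. Param, Model, SAMPLE_MODEL and SAMPLE_VALUES are stand-ins assumed here for the cfn-model objects and a template.

```ruby
# Stand-ins for cfn-model's Parameter and model objects (constructed here);
# the utilities only read `parameters`, `noEcho` and `default`.
Param = Struct.new(:noEcho, :default)
Model = Struct.new(:parameters)

# The page's utilities, reproduced so the example runs stand-alone.
def truthy?(string)
  string.to_s.casecmp('true').zero?
end

def insecure_parameter?(cfn_model, key_to_check)
  return false unless key_to_check.is_a?(Hash) && key_to_check.key?('Ref')
  param = cfn_model.parameters[key_to_check['Ref']]
  return false if param && truthy?(param.noEcho) && param.default.nil?
  true # Ref to a parameter that echoes, has a Default, or is undeclared
end

def insecure_string_or_dynamic_reference?(_cfn_model, key_to_check)
  return false unless key_to_check.is_a?(String)
  prefixes = ['{{resolve:secretsmanager:', '{{resolve:ssm-secure:']
  return false if key_to_check.start_with?(*prefixes) && key_to_check.end_with?('}}')
  true # plaintext literal, or a malformed dynamic reference
end
# Hypothetical combinator (not a rule from the project): a password-style value
# is flagged if it is a plaintext literal or an unsafe Ref; other intrinsics pass.
def insecure_password_value?(cfn_model, value)
  insecure_string_or_dynamic_reference?(cfn_model, value) ||
    insecure_parameter?(cfn_model, value)
end
# Names of the sample values that would be flagged, in input order.
def flagged_values(cfn_model, values)
  values.select { |_name, v| insecure_password_value?(cfn_model, v) }.keys
end
# Constructed template parameters and property values exercising each branch.
SAMPLE_MODEL = Model.new({
  'DbPassword' => Param.new('true', nil),       # NoEcho, no Default: safe
  'DbPassword2' => Param.new(true, 'changeme'), # NoEcho but a Default is present
  'DbUser' => Param.new(nil, 'admin')           # not NoEcho
})
SAMPLE_VALUES = {
  'literal' => 'hunter2',
  'ref_noecho' => { 'Ref' => 'DbPassword' },
  'ref_default' => { 'Ref' => 'DbPassword2' },
  'ref_plain' => { 'Ref' => 'DbUser' },
  'secrets_mgr' => '{{resolve:secretsmanager:prod/db:SecretString:password}}',
  'ssm_secure' => '{{resolve:ssm-secure:/prod/db/password:1}}',
  'broken_dynamic' => '{{resolve:ssm-secure:/prod/db/password',
  'join_intrinsic' => { 'Fn::Join' => ['', %w[hun ter2]] }
}.freeze
```

Running flagged_values(SAMPLE_MODEL, SAMPLE_VALUES) reports the plaintext literal, both unsafe Refs and the unterminated dynamic reference, while the Fn::Join value passes because insecure_parameter? only inspects Ref.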
#not_truthy?(string) ⇒ Boolean
Returns true if the string is nil or any-cased 'false'; any other value results in false. Note that this is not simply the negation of truthy?: a string such as 'yes' is neither truthy nor not_truthy.

    # File 'lib/cfn-nag/util/truthy.rb', line 9
    def not_truthy?(string)
      string.nil? || string.to_s.casecmp('false').zero?
    end
#truthy?(string) ⇒ Boolean
Checks a string for truthiness. Any cased ‘true’ will evaluate to a true boolean. Any other string _at all_ results in false.
    # File 'lib/cfn-nag/util/truthy.rb', line 5
    def truthy?(string)
      string.to_s.casecmp('true').zero?
    end
#wildcard_patterns(input, pattern_types: %w[front back both]) ⇒ Object
Create an array of wildcard patterns for a given input string. The result always starts with the input itself and ends with the bare '*' pattern; wildcard_front, wildcard_back and wildcard_front_back are helper methods that are not shown in this listing.

    # File 'lib/cfn-nag/util/wildcard_patterns.rb', line 5
    def wildcard_patterns(input, pattern_types: %w[front back both])
      input_string = input.to_s
      results = [input_string]
      pattern_types.each do |pattern_type|
        case pattern_type
        when 'front'
          results += wildcard_front(input_string)
        when 'back'
          results += wildcard_back(input_string)
        when 'both'
          results += wildcard_front_back(input_string)
        else
          raise "no pattern of type: #{pattern_type}. Use one or more of: front, back, both"
        end
      end
      results + ['*']
    end