Class: LambdaFunctionCloudWatchLogsRule

Inherits:
BaseRule show all
Defined in:
lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb

Instance Method Summary collapse

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ Object


19
20
21
22
23
24
25
26
27
28
29
30
31
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 19

def audit_impl(cfn_model)
  # Iterate over each Lambda function
  lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
  violating_lambda_functions = lambda_functions.select do |lambda_function|
    # Throw warning if no associated role object
    next lambda_function if lambda_function.role_object.nil?

    # Add lambda as violating if meets conditions
    violating_role?(lambda_function.role_object)
  end

  violating_lambda_functions.map(&:logical_resource_id)
end

#inline_policies_include_cw_logs_access?(policies) ⇒ Boolean

Returns:

  • (Boolean)

44
45
46
47
48
49
50
51
52
53
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 44

def inline_policies_include_cw_logs_access?(policies)
  policies.select do |policy|
    permissive_statements = policy.policy_document.statements.select do |statement|
      statement.allows_action?('logs:CreateLogGroup') && \
        statement.allows_action?('logs:CreateLogStream') && \
        statement.allows_action?('logs:PutLogEvents')
    end
    !permissive_statements.empty?
  end
end

#managed_policies_include_cw_logs_access?(managed_policies) ⇒ Boolean

Returns:

  • (Boolean)

33
34
35
36
37
38
39
40
41
42
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 33

def managed_policies_include_cw_logs_access?(managed_policies)
  !(managed_policies & ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole',
                        'arn:aws:iam::aws:policy/AWSLambdaExecute',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole']
   ).empty?
end

#rule_idObject


15
16
17
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 15

def rule_id
  'W58'
end

#rule_textObject


7
8
9
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 7

def rule_text
  'Lambda functions require permission to write CloudWatch Logs'
end

#rule_typeObject


11
12
13
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 11

def rule_type
  Violation::WARNING
end

#violating_role?(role) ⇒ Boolean

Returns:

  • (Boolean)

55
56
57
58
59
60
61
62
63
64
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 55

def violating_role?(role)
  # Iterate over each policy in role
  permissive_policies = inline_policies_include_cw_logs_access?(role.policy_objects)

  # Iterate over each managed policy in role
  permissive_managed_policies = managed_policies_include_cw_logs_access?(role.managedPolicyArns)

  # Check if any policies violated
  permissive_policies.empty? && !permissive_managed_policies
end