Class: LambdaFunctionCloudWatchLogsRule
- Defined in:
- lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb
Instance Method Summary collapse
- #audit_impl(cfn_model) ⇒ Object
- #inline_policies_include_cw_logs_access?(policies) ⇒ Boolean
- #managed_policies_include_cw_logs_access?(managed_policies) ⇒ Boolean
- #rule_id ⇒ Object
- #rule_text ⇒ Object
- #rule_type ⇒ Object
- #violating_role?(role) ⇒ Boolean
Methods inherited from BaseRule
Instance Method Details
#audit_impl(cfn_model) ⇒ Object
19 20 21 22 23 24 25 26 27 28 29 30 31 |
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 19 def audit_impl(cfn_model) # Iterate over each Lambda function lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function') violating_lambda_functions = lambda_functions.select do |lambda_function| # Throw warning if no associated role object next lambda_function if lambda_function.role_object.nil? # Add lambda as violating if meets conditions violating_role?(lambda_function.role_object) end violating_lambda_functions.map(&:logical_resource_id) end |
#inline_policies_include_cw_logs_access?(policies) ⇒ Boolean
44 45 46 47 48 49 50 51 52 53 |
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 44 def inline_policies_include_cw_logs_access?(policies) policies.select do |policy| permissive_statements = policy.policy_document.statements.select do |statement| statement.allows_action?('logs:CreateLogGroup') && \ statement.allows_action?('logs:CreateLogStream') && \ statement.allows_action?('logs:PutLogEvents') end !permissive_statements.empty? end end |
#managed_policies_include_cw_logs_access?(managed_policies) ⇒ Boolean
33 34 35 36 37 38 39 40 41 42 |
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 33 def managed_policies_include_cw_logs_access?(managed_policies) !(managed_policies & ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess', 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole', 'arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole', 'arn:aws:iam::aws:policy/AWSLambdaExecute', 'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole', 'arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole', 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'] ).empty? end |
#rule_id ⇒ Object
15 16 17 |
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 15 def rule_id 'W58' end |
#rule_text ⇒ Object
7 8 9 |
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 7 def rule_text 'Lambda functions require permission to write CloudWatch Logs' end |
#rule_type ⇒ Object
11 12 13 |
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 11 def rule_type Violation::WARNING end |
#violating_role?(role) ⇒ Boolean
55 56 57 58 59 60 61 62 63 64 |
# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 55 def violating_role?(role) # Iterate over each policy in role permissive_policies = inline_policies_include_cw_logs_access?(role.policy_objects) # Iterate over each managed policy in role permissive_managed_policies = managed_policies_include_cw_logs_access?(role.managedPolicyArns) # Check if any policies violated permissive_policies.empty? && !permissive_managed_policies end |