Class: LambdaFunctionCloudWatchLogsRule

Inherits:

BaseRule

Object
BaseRule
LambdaFunctionCloudWatchLogsRule

show all

Defined in:: lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb

Instance Method Summary collapse

Methods inherited from BaseRule

#audit

Instance Method Details

#audit_impl(cfn_model) ⇒ `Object`

# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 19

def audit_impl(cfn_model)
  # Iterate over each Lambda function
  lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
  violating_lambda_functions = lambda_functions.select do |lambda_function|
    # Throw warning if no associated role object
    next lambda_function if lambda_function.role_object.nil?

    # Add lambda as violating if meets conditions
    violating_role?(lambda_function.role_object)
  end

  violating_lambda_functions.map(&:logical_resource_id)
end

#inline_policies_include_cw_logs_access?(policies) ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 44

def inline_policies_include_cw_logs_access?(policies)
  policies.select do |policy|
    permissive_statements = policy.policy_document.statements.select do |statement|
      statement.allows_action?('logs:CreateLogGroup') && \
        statement.allows_action?('logs:CreateLogStream') && \
        statement.allows_action?('logs:PutLogEvents')
    end
    !permissive_statements.empty?
  end
end

#managed_policies_include_cw_logs_access?(managed_policies) ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 33

def managed_policies_include_cw_logs_access?(managed_policies)
  !(managed_policies & ['arn:aws:iam::aws:policy/CloudWatchLogsFullAccess',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole',
                        'arn:aws:iam::aws:policy/AWSLambdaExecute',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole',
                        'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole']
   ).empty?
end

#rule_id ⇒ `Object`



15
16
17

# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 15

def rule_id
  'W58'
end

#rule_text ⇒ `Object`



7
8
9

# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 7

def rule_text
  'Lambda functions require permission to write CloudWatch Logs'
end

#rule_type ⇒ `Object`



11
12
13

# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 11

def rule_type
  Violation::WARNING
end

#violating_role?(role) ⇒ `Boolean`

Returns:

(Boolean)

# File 'lib/cfn-nag/custom_rules/LambdaFunctionCloudWatchLogsRule.rb', line 55

def violating_role?(role)
  # Iterate over each policy in role
  permissive_policies = inline_policies_include_cw_logs_access?(role.policy_objects)

  # Iterate over each managed policy in role
  permissive_managed_policies = managed_policies_include_cw_logs_access?(role.managedPolicyArns)

  # Check if any policies violated
  permissive_policies.empty? && !permissive_managed_policies
end

Class: LambdaFunctionCloudWatchLogsRule

Instance Method Summary collapse

Methods inherited from BaseRule

Instance Method Details

#audit_impl(cfn_model) ⇒ Object

#inline_policies_include_cw_logs_access?(policies) ⇒ Boolean

#managed_policies_include_cw_logs_access?(managed_policies) ⇒ Boolean

#rule_id ⇒ Object

#rule_text ⇒ Object

#rule_type ⇒ Object

#violating_role?(role) ⇒ Boolean

#audit_impl(cfn_model) ⇒ `Object`

#inline_policies_include_cw_logs_access?(policies) ⇒ `Boolean`

#managed_policies_include_cw_logs_access?(managed_policies) ⇒ `Boolean`

#rule_id ⇒ `Object`

#rule_text ⇒ `Object`

#rule_type ⇒ `Object`

#violating_role?(role) ⇒ `Boolean`