Migrate batch cfn cognito dlm resources to cfn-guard ruleset (#265)
ysdholak authored Mar 20, 2024
1 parent feb2caa commit 5f4a972
Showing 10 changed files with 2,150 additions and 0 deletions.
@@ -0,0 +1,50 @@
#
#####################################
## AWS Solutions ##
#####################################
# Rule Identifier:
# BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
#
# Description:
# Batch Job Definition Container Properties should not have Privileged set to true
#
# Reports on:
# AWS::Batch::JobDefinition
#
# Evaluates:
# AWS CloudFormation
#
# Rule Parameters:
# NA
#
# CFN_NAG Rule Id:
# W34
#
# Scenarios:
# a) SKIP: when there is no Batch Job resource present.
# b) PASS: when Batch Job resources does not have container properties or privileged is set to false.
# c) FAIL: when Batch Job resources does have container properties and privileged is set to true.
# d) SKIP: when metadata has rule suppression for BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE

#
# Select all Batch Job Definition resources from incoming template (payload)
#
let batch_job_container_properties_privileged_rule = Resources.*[ Type == 'AWS::Batch::JobDefinition'
Metadata.cfn_nag.rules_to_suppress not exists or
Metadata.cfn_nag.rules_to_suppress.*.id != "W34"
Metadata.guard.SuppressedRules not exists or
Metadata.guard.SuppressedRules.* != "BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE"
]

rule BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE when %batch_job_container_properties_privileged_rule !empty {
let violations = %batch_job_container_properties_privileged_rule[
Type == 'AWS::Batch::JobDefinition'
Properties.ContainerProperties exists
Properties.ContainerProperties.Privileged == true
]
%violations empty
<<
Violation: Batch job definition resource has container properties set to true
Fix: set privileged to false or remove privileged field to make it false by default.
>>
}
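Review bot: The privileged check at `Properties.ContainerProperties.Privileged == true` only inspects the single-node container definition; a multi-node parallel job definition carries its container configuration under `Properties.NodeProperties.NodeRangeProperties[*].Container`, which has its own `Privileged` flag, so a privileged MNP job definition passes this rule unexamined (and, if the template uses the newer `EcsProperties` shape, those containers are likewise never looked at). A second violations query over that path, e.g. `let node_violations = %batch_job_container_properties_privileged_rule[ Properties.NodeProperties.NodeRangeProperties[*].Container.Privileged == true ]` followed by `%node_violations empty`, would close the gap; confirm the wildcard filter semantics with a unit test shaped like the ones in this commit. Separately, the message `Violation: Batch job definition resource has container properties set to true` names the wrong thing — `Violation: Batch job definition has ContainerProperties.Privileged set to true` states what the clause actually tests. The `Type == 'AWS::Batch::JobDefinition'` clause inside the `violations` filter repeats the filter already applied when the variable was assigned and can be dropped.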
@@ -0,0 +1,207 @@
###
# BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE tests
###
---
- name: Empty
input: {}
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: No resources
input:
Resources: {}
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: Batch Job resource with no container properties
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
Parameters: Json
Timeout: 6000
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: PASS

- name: Batch Job resource with container properties and privileged set to false
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: false
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: PASS

- name: Batch Job resource with container properties and privileged set to true
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: FAIL

- name: CFN_NAG suppression for W34
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
Metadata:
cfn_nag:
rules_to_suppress:
- id: W34
reason: Suppressed to test suppression works and skips this test
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: Guard suppression for BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
Metadata:
guard:
SuppressedRules:
- BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: Guard and CFN_NAG suppression for W34 & BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
Metadata:
cfn_nag:
rules_to_suppress:
- id: W34
reason: Suppressed to test suppression works and skips this test
guard:
SuppressedRules:
- BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP
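Review bot: There is no case for a job definition whose `ContainerProperties` is present but omits `Privileged`, which is exactly the state the rule's fix text recommends ("remove privileged field"); scenario (b) of the rule header is therefore only half-covered, and a regression that starts failing on the absent key would go unnoticed. A PASS case with `ContainerProperties: { Image: nvidia/cuda, Command: [nvidia-smi] }` and no `Privileged` key would pin that. A second negative case with `Privileged: true` plus an unrelated suppression entry (for example `- id: W35`) expecting FAIL would show that the `rules_to_suppress.*.id != "W34"` filter matches the id exactly rather than any suppression entry. None of the fixtures exercise a multi-node `NodeProperties` job definition, which, as far as the rule text shows, the rule does not inspect at all.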
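--- a/rules/aws/aws_cloudformation/cfn_no_explicit_resource_names.guard
+++ b/rules/aws/aws_cloudformation/cfn_no_explicit_resource_names.guard
@@ -0,0 +1,131 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# CFN_NO_EXPLICIT_RESOURCE_NAMES
+#
+# Description:
+# Checks that the template does not explicitely name resources.
+#
+# Reports on:
+# Various
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# W28
+#
+# Scenarios:
+# a) SKIP: when none of the covered resources types are present
+# b) PASS: when none of the applicable types have static resource names
+# c) FAIL: when any applicable types has a static resource name
+# d) SKIP: when metada has rule suppression for CFN_NO_EXPLICIT_RESOURCE_NAMES or CFN_NAG W28
+
+let applicable_types = [
+"AWS::ApiGateway::ApiKey",
+"AWS::CloudWatch::Alarm",
+"AWS::CodeDeploy::DeploymentConfig",
+"AWS::CodeDeploy::DeploymentGroup",
+"AWS::DynamoDB::Table",
+"AWS::EC2::SecurityGroup",
+"AWS::ECR::Repository",
+"AWS::ElasticLoadBalancingV2::LoadBalancer",
+"AWS::Elasticsearch::Domain",
+"AWS::IAM::Group",
+"AWS::IAM::ManagedPolicy",
+"AWS::IAM::Role",
+"AWS::Kinesis::Stream",
+"AWS::RDS::DBInstance"
+]
+
+# Select applicable resources less suppressed resources
+let cloudformation_no_static_name_resources = Resources.*[Type in %applicable_types
+Metadata.cfn_nag.rules_to_suppress not exists or
+Metadata.cfn_nag.rules_to_suppress.*.id != "W28"
+Metadata.guard.SuppressedRules not exists or
+Metadata.guard.SuppressedRules.* != "CFN_NO_EXPLICIT_RESOURCE_NAMES"
+]
+
+rule CFN_NO_EXPLICIT_RESOURCE_NAMES
+when %cloudformation_no_static_name_resources !empty {
+AWS::ApiGateway::ApiKey {
+Properties{
+Name empty
+}
+}
+AWS::CloudWatch::Alarm {
+Properties{
+AlarmName empty
+}
+}
+AWS::CodeDeploy::DeploymentConfig {
+Properties{
+DeploymentConfigName empty
+}
+}
+AWS::CodeDeploy::DeploymentGroup {
+Properties{
+DeploymentGroupName empty
+}
+}
+AWS::DynamoDB::Table {
+Properties{
+TableName empty
+}
+}
+AWS::EC2::SecurityGroup {
+Properties{
+GroupName empty
+}
+}
+AWS::ECR::Repository {
+Properties{
+RepositoryName empty
+}
+}
+AWS::ElasticLoadBalancingV2::LoadBalancer {
+Properties{
+Name empty
+}
+}
+AWS::Elasticsearch::Domain {
+Properties{
+DomainName empty
+}
+}
+AWS::IAM::Group {
+Properties{
+GroupName empty
+}
+}
+AWS::IAM::ManagedPolicy {
+Properties{
+ManagedPolicyName empty
+}
+}
+AWS::IAM::Role {
+Properties{
+RoleName empty
+}
+}
+AWS::Kinesis::Stream {
+Properties{
+Name empty
+}
+}
+AWS::RDS::DBInstance {
+Properties{
+DBInstanceIdentifier empty
+}
+}
+%cloudformation_no_static_name_resources not empty
+<<
+Violation: Resource found with an explicit name, this disallows updates that require replacement of this resource.
+Fix: Remove static name from the resource
+>>
+}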
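Review bot: The type blocks inside the rule (`AWS::IAM::Role { Properties{ RoleName empty } }` and the other thirteen) evaluate every resource of that type in the template, not the filtered set held in `%cloudformation_no_static_name_resources`, so a resource that carries the W28 or CFN_NO_EXPLICIT_RESOURCE_NAMES suppression is still checked — and still fails the rule — whenever any other applicable, unsuppressed resource keeps the `when` guard true; scenario (d) in the header only holds when every applicable resource is suppressed. The closing `%cloudformation_no_static_name_resources not empty` clause is always true under that same `when` guard and catches nothing. Restating each check as a filter over the variable, in the same shape as the `violations` query in this commit's Batch rule, keeps suppression effective; a representative pair is below and the remaining types follow the same shape, with the existing unit tests (a suppressed Role next to an unsuppressed Table, for instance) confirming the filter semantics. Note also that `RoleName empty` fails on any present value, including a `!Sub` or `!Ref` expression, which is broader than the "static resource names" wording of the header — if dynamic names are meant to pass, the check needs a different test, and if not, the header should say "any explicit name".
```guard
rule CFN_NO_EXPLICIT_RESOURCE_NAMES
when %cloudformation_no_static_name_resources !empty {
    # Only the selected (non-suppressed) resources are inspected, so a suppressed
    # resource of the same type no longer fails the rule.
    let explicit_iam_role_names = %cloudformation_no_static_name_resources[
        Type == 'AWS::IAM::Role'
        Properties.RoleName !empty
    ]
    %explicit_iam_role_names empty
    <<
    Violation: Resource found with an explicit name, this disallows updates that require replacement of this resource.
    Fix: Remove static name from the resource
    >>

    let explicit_dynamodb_table_names = %cloudformation_no_static_name_resources[
        Type == 'AWS::DynamoDB::Table'
        Properties.TableName !empty
    ]
    %explicit_dynamodb_table_names empty
    <<
    Violation: Resource found with an explicit name, this disallows updates that require replacement of this resource.
    Fix: Remove static name from the resource
    >>

    # … same filter/empty pair for the other twelve applicable types and their name properties …
}
```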
