

intial changes from review
mrpackethead committed Sep 4, 2023
1 parent ab58498 commit acbf422
Showing 6 changed files with 66 additions and 220 deletions.
75 changes: 0 additions & 75 deletions src/packs/nzism-v36-1022-20.ts


13 changes: 2 additions & 11 deletions src/rules/ec2/EC2SecurityGroupOnlyTcp443.ts
Expand Up @@ -8,16 +8,15 @@ import { CfnSecurityGroupIngress, CfnSecurityGroup } from 'aws-cdk-lib/aws-ec2';
import { NagRuleCompliance, NagRules } from '../../nag-rules';

/**
* Security Groups should only allow inbound access to tcp443
* Security Groups only allow inbound access to traffic using TCP on port 443
* @param node the CfnResource to check
*/
export default Object.defineProperty(
(node: CfnResource): NagRuleCompliance => {
if (node instanceof CfnSecurityGroup) {
const ingressRules = Stack.of(node).resolve(node.securityGroupIngress);

if (ingressRules != undefined) {
//For each ingress rule, check that only TCP 443 is allowed from 0/0
if (ingressRules) {
for (const rule of ingressRules) {
const resolvedcidrIp = NagRules.resolveIfPrimitive(
node,
Expand All @@ -28,16 +27,12 @@ export default Object.defineProperty(
Stack.of(node).resolve(rule).cidrIpv6
);

// if ipv4
if (resolvedcidrIp) {
// if the rule is not open to the world, it is compliant
if (!resolvedcidrIp.includes('/0')) {
return NagRuleCompliance.COMPLIANT;
}
}
// if ipv6
if (resolvedcidrIpv6) {
// if the rule is not open to the world, it is compliant
if (!resolvedcidrIpv6.includes('/0')) {
return NagRuleCompliance.COMPLIANT;
}
Expand Down Expand Up @@ -67,16 +62,12 @@ export default Object.defineProperty(
const resolvedcidrIp = NagRules.resolveIfPrimitive(node, node.cidrIp);
const resolvedcidrIpv6 = NagRules.resolveIfPrimitive(node, node.cidrIpv6);

// if ipv4
if (resolvedcidrIp) {
// if the rule is not open to the world, it is compliant
if (!resolvedcidrIp.includes('/0')) {
return NagRuleCompliance.COMPLIANT;
}
}
// if ipv6
if (resolvedcidrIpv6) {
// if the rule is not open to the world, it is compliant
if (!resolvedcidrIpv6.includes('/0')) {
return NagRuleCompliance.COMPLIANT;
}
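Review bot: `return NagRuleCompliance.COMPLIANT;` inside the `for (const rule of ingressRules)` loop (the `!resolvedcidrIp.includes('/0')` and `!resolvedcidrIpv6.includes('/0')` branches in the first two hunks) ends evaluation of the whole CfnSecurityGroup on the first rule that is not world-open, so later ingress rules on the same group are never inspected and a group with one private-CIDR rule plus a 0.0.0.0/0 rule on a port other than 443 is reported compliant. Those two statements look like they were meant to skip only the current rule, i.e. `continue;`, with a compliant verdict produced once every rule has been checked; the rest of the loop body and the function's final return are beyond the hunk (Expand Down), so the fall-through there needs confirming. The CfnSecurityGroupIngress branch in the third hunk evaluates a single rule, so returning there is fine. Separately, `includes('/0')` is a substring test rather than a CIDR parse; a comment such as `// a "/0" prefix length means any source; cidr values are assumed resolved to literal strings here` would make that intent explicit.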
52 changes: 0 additions & 52 deletions src/rules/s3/S3BucketServerSideEncryptionEnabled.ts

This file was deleted.

1 change: 0 additions & 1 deletion src/rules/s3/index.ts
Expand Up @@ -12,4 +12,3 @@ export { default as S3BucketSSLRequestsOnly } from './S3BucketSSLRequestsOnly';
export { default as S3BucketVersioningEnabled } from './S3BucketVersioningEnabled';
export { default as S3DefaultEncryptionKMS } from './S3DefaultEncryptionKMS';
export { default as S3WebBucketOAIAccess } from './S3WebBucketOAIAccess';
export { default as S3BucketServerSideEncryptionEnabled } from './S3BucketServerSideEncryptionEnabled';
129 changes: 64 additions & 65 deletions test/Packs.test.ts
Expand Up @@ -648,74 +648,73 @@ describe('Check NagPack Details', () => {
});
test('Pack contains expected warning and error rules', () => {
const expectedWarnings = [
'NZISM3.6-CLOUDFRONT_REQUIRES_ROOT_OBJECT',
'NZISM3.6-CLOUDTRAIL_REQUIRES_ENCRYPTION',
'NZISM3.6-EBS_VOLUME_ENCRYPTED',
'NZISM3.6-ECS_TASK_DEFINITION_PRIVLIDGED',
'NZISM3.6-EFS_ENCRYPTION_REQUIRED',
'NZISM3.6-ELASTIC_BEANSTALK_UPDATES',
'NZISM3.6-IAM_NO_ADMIN_ACCESS',
'NZISM3.6-KMS_KEY_ROTATION',
'NZISM3.6-OPENSEARCH_ENCRYPTION_AT_REST',
'NZISM3.6-RDS_MINOR_PATCHING',
'NZISM3.6-RDS_STORAGE',
'NZISM3.6-S3_KMS_ENCRYPTION',
'NZISM3.6-S3_POLICY_SSL',
'NZISM3.6-S3_PUBLIC_ACCESS',
'NZISM3.6-S3_PUBLIC_READ',
'NZISM3.6-S3_PUBLIC_WRITE',
'NZISM3.6-S3_SERVERSIDE_ENCRYPTION',
'NZISM3.6-SAGEMAKER_ENDPOINT_KMS',
'NZISM3.6-SAGEMAKER_NOTEBOOK_KMS',
'NZISM3.6-SECRET_KMS',
'NZISM3.6-SECURITYGROUP_ONLY_TCP443',
'NZISM3.6-SNS_KMS',
'NZISM3.6-CloudFrontDefaultRootObjectConfigured',
'NZISM3.6-CloudTrailEncryptionEnabled',
'NZISM3.6-EC2EBSVolumeEncrypted',
'NZISM3.6-EC2SecurityGroupOnlyTcp443',
'NZISM3.6-ECSTaskDefinitionUserForHostMode',
'NZISM3.6-EFSEncrypted',
'NZISM3.6-ElasticBeanstalkManagedUpdatesEnabled',
'NZISM3.6-IAMPolicyNoStatementsWithAdminAccess',
'NZISM3.6-KMSBackingKeyRotationEnabled',
'NZISM3.6-OpenSearchEncryptedAtRest',
'NZISM3.6-RDSAutomaticMinorVersionUpgradeEnabled',
'NZISM3.6-RDSStorageEncrypted',
'NZISM3.6-S3BucketLevelPublicAccessProhibited',
'NZISM3.6-S3BucketPublicReadProhibited',
'NZISM3.6-S3BucketPublicWriteProhibited',
'NZISM3.6-S3BucketSSLRequestsOnly',
'NZISM3.6-S3DefaultEncryptionKMS',
'NZISM3.6-SNSEncryptedKMS',
'NZISM3.6-SageMakerEndpointConfigurationKMSKeyConfigured',
'NZISM3.6-SageMakerNotebookInstanceKMSKeyConfigured',
'NZISM3.6-SecretsManagerUsingKMSKey',
];

const expectedErrors = [
'NZISM3.6-ALB_HTTP_TO_HTTPS_REDIRECTION',
'NZISM3.6-ALB_REQUIRES_WAF',
'NZISM3.6-API_GATEWAY_LOGGING',
'NZISM3.6-CLOUDFRONT_DISTRIBUTION_LOGGING',
'NZISM3.6-CLOUDFRONT_OUTDATED_SSL',
'NZISM3.6-CLOUDFRONT_REQUIRES_WAF',
'NZISM3.6-CLOUDTRAIL_LOGFILE_VALIDATION',
'NZISM3.6-CLOUDTRAIL_REQUIRES_CLOUDWATCH',
'NZISM3.6-CLOUDWATCH_ENCRYPT_WITH_KMS',
'NZISM3.6-CLOUDWATCH_RETENTION_PERIOD',
'NZISM3.6-DMS_REPLICATION_NOT_PUBLIC',
'NZISM3.6-DYNAMODB_AUTOSCALING',
'NZISM3.6-DYNAMODB_MUST_HAVE_POINTINTIME_RECOVERY',
'NZISM3.6-DYNAMODB_REQUIRES_BACKUP',
'NZISM3.6-EBS_NOT_IN_BACKUP',
'NZISM3.6-EC2IMDVS2_ENABLED',
'NZISM3.6-EC2_MUST_BE_IN_VPC',
'NZISM3.6-EC2_MUST_NOT_HAVE_PUBLIC_IP',
'NZISM3.6-EFS_BACKUP_PLAN_REQUIRED',
'NZISM3.6-ELB_CROSS_ZONE_LOADBALANCING',
'NZISM3.6-ELB_HTTPS_LISTENER_ONLY',
'NZISM3.6-ELB_LOGGING_ENABLED',
'NZISM3.6-LAMBDA_NO_PUBLIC_ACCESS',
'NZISM3.6-OPENSEARCH_MUST_BE_ON_VPC',
'NZISM3.6-OPENSEARCH_NODE_TO_NODE_ENCRYPTION',
'NZISM3.6-RDS_BACKUP',
'NZISM3.6-RDS_DELETION_PROTECTION',
'NZISM3.6-RDS_LOGGING',
'NZISM3.6-RDS_MULTIAZ',
'NZISM3.6-RDS_PUBLIC_ACCESS',
'NZISM3.6-REDIS_BACKUP',
'NZISM3.6-REDSHIFT_BACKUP',
'NZISM3.6-REDSHIFT_ENCRYPTION',
'NZISM3.6-REDSHIFT_LOGGING',
'NZISM3.6-REDSHIFT_MAINTAINANCE',
'NZISM3.6-REDSHIFT_NOT_PUBLIC',
'NZISM3.6-S3_SEVER_ACCESS_LOGS',
'NZISM3.6-S3_VERSIONING',
'NZISM3.6-SAGEMAKER_NOTEBOOK_NO_INTERNET_ACCESS',
'NZISM3.6-UNRESTRICTED_SSH',
'NZISM3.6-VPC_DEFAULT_SECURITY_GROUP_CLOSED',
'NZISM3.6-VPC_FLOW_LOG',
'NZISM3.6-WAF_LOGGING',
'NZISM3.6-ALBHttpToHttpsRedirection',
'NZISM3.6-ALBWAFEnabled',
'NZISM3.6-APIGWExecutionLoggingEnabled',
'NZISM3.6-CloudFrontDistributionAccessLogging',
'NZISM3.6-CloudFrontDistributionHttpsViewerNoOutdatedSSL',
'NZISM3.6-CloudFrontDistributionWAFIntegration',
'NZISM3.6-CloudTrailCloudWatchLogsEnabled',
'NZISM3.6-CloudTrailLogFileValidationEnabled',
'NZISM3.6-CloudWatchLogGroupEncrypted',
'NZISM3.6-CloudWatchLogGroupRetentionPeriod',
'NZISM3.6-DMSReplicationNotPublic',
'NZISM3.6-DynamoDBAutoScalingEnabled',
'NZISM3.6-DynamoDBInBackupPlan',
'NZISM3.6-DynamoDBPITREnabled',
'NZISM3.6-EC2EBSInBackupPlan',
'NZISM3.6-EC2IMDSv2Enabled',
'NZISM3.6-EC2InstanceNoPublicIp',
'NZISM3.6-EC2InstancesInVPC',
'NZISM3.6-EC2RestrictedSSH',
'NZISM3.6-EFSInBackupPlan',
'NZISM3.6-ELBCrossZoneLoadBalancingEnabled',
'NZISM3.6-ELBLoggingEnabled',
'NZISM3.6-ELBTlsHttpsListenersOnly',
'NZISM3.6-ElastiCacheRedisClusterAutomaticBackup',
'NZISM3.6-LambdaFunctionPublicAccessProhibited',
'NZISM3.6-OpenSearchInVPCOnly',
'NZISM3.6-OpenSearchNodeToNodeEncryption',
'NZISM3.6-RDSInBackupPlan',
'NZISM3.6-RDSInstanceDeletionProtectionEnabled',
'NZISM3.6-RDSInstancePublicAccess',
'NZISM3.6-RDSLoggingEnabled',
'NZISM3.6-RDSMultiAZSupport',
'NZISM3.6-RedshiftBackupEnabled',
'NZISM3.6-RedshiftClusterConfiguration',
'NZISM3.6-RedshiftClusterMaintenanceSettings',
'NZISM3.6-RedshiftClusterPublicAccess',
'NZISM3.6-RedshiftRequireTlsSSL',
'NZISM3.6-S3BucketLoggingEnabled',
'NZISM3.6-S3BucketVersioningEnabled',
'NZISM3.6-SageMakerNotebookNoDirectInternetAccess',
'NZISM3.6-VPCDefaultSecurityGroupClosed',
'NZISM3.6-VPCFlowLogsEnabled',
'NZISM3.6-WAFv2LoggingEnabled',
];
jest.spyOn(pack, 'applyRule');
const stack = new Stack();
16 changes: 0 additions & 16 deletions test/rules/S3.test.ts
Expand Up @@ -35,7 +35,6 @@ import {
S3BucketVersioningEnabled,
S3DefaultEncryptionKMS,
S3WebBucketOAIAccess,
S3BucketServerSideEncryptionEnabled,
} from '../../src/rules/s3';

const testPack = new TestPack([
Expand All @@ -49,7 +48,6 @@ const testPack = new TestPack([
S3BucketVersioningEnabled,
S3DefaultEncryptionKMS,
S3WebBucketOAIAccess,
S3BucketServerSideEncryptionEnabled,
]);
let stack: Stack;

Expand Down Expand Up @@ -256,20 +254,6 @@ describe('Amazon Simple Storage Service (S3)', () => {
});
});

describe('S3BucketServerSideEncryptionEnabled: S3 Buckets have default server-side encryption enabled', () => {
const ruleId = 'S3BucketServerSideEncryptionEnabled';
test('Noncompliance 1', () => {
new Bucket(stack, 'rBucket');
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});
test('Compliance', () => {
new Bucket(stack, 'rBucket', {
encryption: BucketEncryption.S3_MANAGED,
});
validateStack(stack, ruleId, TestType.COMPLIANCE);
});
});

describe('S3BucketReplicationEnabled: S3 Buckets have replication enabled', () => {
const ruleId = 'S3BucketReplicationEnabled';
test('Noncompliance 1', () => {
