diff --git a/README.md b/README.md index f3f3bef74c..30ce17098c 100644 --- a/README.md +++ b/README.md @@ -304,7 +304,7 @@ Error: Suppression path "/this/construct/path" did not match any resource. This See [this issue](https://github.com/aws/aws-cdk/issues/18440) for more information.
- Example) Supressing Violations in Pipelines + Example) Suppressing Violations in Pipelines `example-app.ts` diff --git a/RULES.md b/RULES.md index 58f8b681fb..5d28cd202d 100644 --- a/RULES.md +++ b/RULES.md 
@@ -68,7 +68,7 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti | AwsSolutions-DOC3 | The Document DB cluster does not have the username and password stored in Secrets Manager. | Secrets Manager enables operators to replace hardcoded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining system code, because the secret no longer exists in the code. Also, operators can configure Secrets Manager to automatically rotate the secret for you according to a specified schedule. This enables you to replace long-term secrets with short-term ones, significantly reducing the risk of compromise. | | AwsSolutions-DOC4 | The Document DB cluster does not have a reasonable minimum backup retention period configured. | The retention period represents the number of days to retain automated snapshots. A minimum retention period of 7 days is recommended but can be adjust to meet system requirements. | | AwsSolutions-DOC5 | The Document DB cluster does not have authenticate, createIndex, and dropCollection Log Exports enabled. | This allows operators to use CloudWatch to view logs to help diagnose problems in the database. The events recorded by the AWS DocumentDB audit logs include successful and failed authentication attempts, creating indexes or dropping a collection in a database within the DocumentDB cluster. This is a granular rule that returns individual findings that can be suppressed with `appliesTo`. The findings are in the format `LogExport::` for exported logs. Example: `appliesTo: ['LogExport::authenticate']`. | -| AwsSolutions-EB1 | The Elastic Beanstalk environment is not configured to use a specific VPC. | Use a non-default VPC in order to seperate your environment from default resources. | +| AwsSolutions-EB1 | The Elastic Beanstalk environment is not configured to use a specific VPC. 
| Use a non-default VPC in order to separate your environment from default resources. | | AwsSolutions-EB3 | The Elastic Beanstalk environment does not have managed updates enabled. | Enable managed platform updates for beanstalk environments in order to receive bug fixes, software updates and new features. Managed platform updates perform immutable environment updates. | | AwsSolutions-EC23 | The Security Group allows for 0.0.0.0/0 or ::/0 inbound access. | Large port ranges, when open, expose instances to unwanted attacks. More than that, they make traceability of vulnerabilities very difficult. For instance, your web servers may only require 80 and 443 ports to be open, but not all. One of the most common mistakes observed is when all ports for 0.0.0.0/0 range are open in a rush to access the instance. EC2 instances must expose only to those ports enabled on the corresponding security group level. | | AwsSolutions-EC26 | The resource creates one or more EBS volumes that have encryption disabled. | With EBS encryption, you aren't required to build, maintain, and secure your own key management infrastructure. EBS encryption uses KMS keys when creating encrypted volumes and snapshots. This helps protect data at rest. | 
@@ -136,13 +136,13 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti | AwsSolutions-RS8 | The Redshift cluster is publicly accessible. | Disabling public accessibility helps minimize security risks. | | AwsSolutions-RS9 | The Redshift cluster does not have version upgrade enabled. | Version Upgrade must enabled to enable the cluster to automatically receive upgrades during the maintenance window. | | AwsSolutions-RS10 | The Redshift cluster does not have a retention period for automated snapshots configured. | The retention period represents the number of days to retain automated snapshots. A positive retention period should be set to configure this feature. | -| AwsSolutions-RS11 | The Redshift cluster does not have user activity logging enabled. | User activity logging logs each query before it is performed on the clusters databse. To enable this feature associate a Resdhsift Cluster Parameter Group with the "enable_user_activity_logging" parameter set to "true". | +| AwsSolutions-RS11 | The Redshift cluster does not have user activity logging enabled. | User activity logging logs each query before it is performed on the clusters database. To enable this feature associate a Redshift Cluster Parameter Group with the "enable_user_activity_logging" parameter set to "true". | | AwsSolutions-S1 | The S3 Bucket has server access logs disabled. | The bucket should have server access logging enabled to provide detailed records for the requests that are made to the bucket. | | AwsSolutions-S2 | The S3 Bucket does not have public access restricted and blocked. | The bucket should have public access restricted and blocked to prevent unauthorized access. | | AwsSolutions-S5 | The S3 static website bucket either has an open world bucket policy or does not use a CloudFront Origin Access Identity (OAI) in the bucket policy for limited getObject and/or putObject permissions. 
| An OAI allows you to provide access to content in your S3 static website bucket through CloudFront URLs without enabling public access through an open bucket policy, disabling S3 Block Public Access settings, and/or through object ACLs. | | AwsSolutions-S10 | The S3 Bucket or bucket policy does not require requests to use SSL. | You can use HTTPS (TLS) to help prevent potential attackers from eavesdropping on or manipulating network traffic using person-in-the-middle or similar attacks. You should allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition on Amazon S3 bucket policies. | | AwsSolutions-SF1 | The Step Function does not log "ALL" events to CloudWatch Logs. | Logging "ALL" events to CloudWatch logs help operators troubleshoot and audit systems. | -| AwsSolutions-SF2 | The Step Function does not have X-Ray tracing enabled. | X-ray provides an end-to-end view of how an application is performing. This helps operators to discover performance issues, detect permission problems, and track requests made to and from other AWS services. | +| AwsSolutions-SF2 | The Step Function does not have X-Ray tracing enabled. | X-Ray provides an end-to-end view of how an application is performing. This helps operators to discover performance issues, detect permission problems, and track requests made to and from other AWS services. | | AwsSolutions-SM1 | The SageMaker notebook instance is not provisioned inside a VPC. | Provisioning the notebook instances inside a VPC enables the notebook to access VPC-only resources such as EFS file systems. | | AwsSolutions-SM2 | The SageMaker notebook instance does not have an encrypted storage volume. | Encrypting storage volumes helps protect SageMaker data-at-rest. | | AwsSolutions-SM3 | The SageMaker notebook instance has direct internet access enabled. | Disabling public accessibility helps minimize security risks. | 
@@ -319,7 +319,7 @@ The [Operational Best Practices for NIST 800-53 rev 4](https://docs.aws.amazon.c | [NIST.800.53.R4-ALBWAFEnabled](https://docs.aws.amazon.com/config/latest/developerguide/alb-waf-enabled.html) | The ALB is not associated with AWS WAFv2 web ACL. | A WAF helps to protect your web applications or APIs against common web exploits. These web exploits may affect availability, compromise security, or consume excessive resources within your environment. | SC-7, SI-4(a)(b)(c) | | [NIST.800.53.R4-APIGWCacheEnabledAndEncrypted](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html) | The API Gateway stage does not have caching enabled and encrypted for all methods. | To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache. Because sensitive data can be captured for the API method, enable encryption at rest to help protect that data. | SC-13, SC-28 | | [NIST.800.53.R4-APIGWExecutionLoggingEnabled](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html) | The API Gateway stage does not have execution logging enabled for all methods. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | AU-2(a)(d), AU-3, AU-12(a)(c) | -| [NIST.800.53.R4-AutoScalingGroupELBHealthCheckRequired](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html) | The Auto Scaling group (which is associated with a load balancer) does not utilize ELB healthchecks. | The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. 
| SC-5 | +| [NIST.800.53.R4-AutoScalingGroupELBHealthCheckRequired](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html) | The Auto Scaling group (which is associated with a load balancer) does not utilize ELB health checks. | The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. | SC-5 | | [NIST.800.53.R4-CloudTrailCloudWatchLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html) | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. | AC-2(4), AC-2(g), AU-2(a)(d), AU-3, AU-6(1)(3), AU-7(1), AU-12(a)(c), CA-7(a)(b), SI-4(2), SI-4(4), SI-4(5), SI-4(a)(b)(c) | | [NIST.800.53.R4-CloudTrailEncryptionEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html) | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | AU-9, SC-13, SC-28 | | [NIST.800.53.R4-CloudTrailLogFileValidationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html) | The trail does not have log file validation enabled. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. | AU-9, SC-13, SC-28 | 
@@ -447,7 +447,7 @@ The [Operational Best Practices for NIST 800-53 rev 5](https://docs.aws.amazon.c | [NIST.800.53.R5-APIGWCacheEnabledAndEncrypted](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html) | The API Gateway stage does not have caching enabled and encrypted for all methods. | To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache. Because sensitive data can be captured for the API method, enable encryption at rest to help protect that data. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | | [NIST.800.53.R5-APIGWExecutionLoggingEnabled](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html) | The API Gateway stage does not have execution logging enabled for all methods. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-4(17), SI-7(8) | | [NIST.800.53.R5-APIGWSSLEnabled](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-ssl-enabled.html) | The API Gateway REST API stage is not configured with SSL certificates. | Ensure Amazon API Gateway REST API stages are configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway. 
| AC-4, AC-4(22), AC-17(2), AC-24(1), AU-9(3), CA-9b, IA-5(1)(c), PM-17b, SC-7(4)(b), SC-7(4)(g), SC-8, SC-8(1), SC-8(2), SC-8(3), SC-8(4), SC-8(5), SC-13a, SC-23, SI-1a.2, SI-1a.2, SI-1c.2 | -| [NIST.800.53.R5-AutoScalingGroupELBHealthCheckRequired](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html) | The Auto Scaling group (which is associated with a load balancer) does not utilize ELB healthchecks. | The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. The load balancer periodically sends pings, attempts connections, or sends requests to test Amazon EC2 instances health in an auto-scaling group. If an instance is not reporting back, traffic is sent to a new Amazon EC2 instance. | AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, CM-6a, CM-9b, PM-14a.1, PM-14b, PM-31, SC-6, SC-36(1)(a), SI-2a | +| [NIST.800.53.R5-AutoScalingGroupELBHealthCheckRequired](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html) | The Auto Scaling group (which is associated with a load balancer) does not utilize ELB health checks. | The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. The load balancer periodically sends pings, attempts connections, or sends requests to test Amazon EC2 instances health in an auto-scaling group. If an instance is not reporting back, traffic is sent to a new Amazon EC2 instance. 
| AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, CM-6a, CM-9b, PM-14a.1, PM-14b, PM-31, SC-6, SC-36(1)(a), SI-2a | | [NIST.800.53.R5-AutoScalingLaunchConfigPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html) | The Auto Scaling launch configuration does not have public IP addresses disabled. | If you configure your Network Interfaces with a public IP address, then the associated resources to those Network Interfaces are reachable from the internet. EC2 resources should not be publicly accessible, as this may allow unintended access to your applications or servers. | AC-3, AC-4(21), CM-6a, SC-7(3) | | [NIST.800.53.R5-CloudTrailCloudWatchLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html) | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. | AC-2(4), AC-3(1), AC-3(10), AC-4(26), AC-6(9), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-3f, AU-4(1), AU-6(1), AU-6(3), AU-6(4), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-8b, AU-9(7), AU-10, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), AU-16, CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SC-7(9)(b), SI-1(1)(c), SI-3(8)(b), SI-4(2), SI-4(17), SI-4(20), SI-7(8), SI-10(1)(c) | | [NIST.800.53.R5-CloudTrailEncryptionEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html) | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | AU-9(3), CM-6a, CM-9b, CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | 
@@ -592,7 +592,7 @@ The [Operational Best Practices for PCI DSS 3.2.1](https://docs.aws.amazon.com/c | [PCI.DSS.321-APIGWCacheEnabledAndEncrypted](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-cache-enabled-and-encrypted.html) | The API Gateway stage does not have caching enabled and encrypted for all methods. | To help protect data at rest, ensure encryption is enabled for your API Gateway stage's cache. Because sensitive data can be captured for the API method, enable encryption at rest to help protect that data. | 3.4 | | [PCI.DSS.321-APIGWExecutionLoggingEnabled](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-execution-logging-enabled.html) | The API Gateway stage does not have execution logging enabled for all methods. | API Gateway logging displays detailed views of users who accessed the API and the way they accessed the API. This insight enables visibility of user activities. | 10.1, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5.4 | | [PCI.DSS.321-APIGWSSLEnabled](https://docs.aws.amazon.com/config/latest/developerguide/api-gw-ssl-enabled.html) | The API Gateway REST API stage is not configured with SSL certificates. | Ensure Amazon API Gateway REST API stages are configured with SSL certificates to allow backend systems to authenticate that requests originate from API Gateway. | 2.3, 4.1, 8.2.1 | -| [PCI.DSS.321-AutoScalingGroupELBHealthCheckRequired](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html) | The Auto Scaling group (which is associated with a load balancer) does not utilize ELB healthchecks. | The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. The load balancer periodically sends pings, attempts connections, or sends requests to test Amazon EC2 instances health in an auto-scaling group. 
If an instance is not reporting back, traffic is sent to a new Amazon EC2 instance. | 2.2 | +| [PCI.DSS.321-AutoScalingGroupELBHealthCheckRequired](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html) | The Auto Scaling group (which is associated with a load balancer) does not utilize ELB health checks. | The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. The load balancer periodically sends pings, attempts connections, or sends requests to test Amazon EC2 instances health in an auto-scaling group. If an instance is not reporting back, traffic is sent to a new Amazon EC2 instance. | 2.2 | | [PCI.DSS.321-AutoScalingLaunchConfigPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html) | The Auto Scaling launch configuration does not have public IP addresses disabled. | If you configure your Network Interfaces with a public IP address, then the associated resources to those Network Interfaces are reachable from the internet. EC2 resources should not be publicly accessible, as this may allow unintended access to your applications or servers. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2.2 | | [PCI.DSS.321-CloudTrailCloudWatchLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html) | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. 
| 2.2, 10.1, 10.2.1, 10.2.2, 10.2.3, 10.2.5, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.5.3, 10.5.4 | | [PCI.DSS.321-CloudTrailEncryptionEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html) | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | 2.2, 3.4, 10.5 | diff --git a/docs/IgnoreSuppressionConditions.md b/docs/IgnoreSuppressionConditions.md index 5e13ae9583..a4879b0344 100644 --- a/docs/IgnoreSuppressionConditions.md +++ b/docs/IgnoreSuppressionConditions.md @@ -9,7 +9,7 @@ As a [NagPack](./NagPack.md) author or user, you can optionally create a conditi ## Creating A Condition -Conditions implement the `INagSuppressionIgnore` interface. They return a message string when the `createMessage()` method is called. If the method returns a non-empty string the suppression is ignored. Conversely if the method returns an empty string the suppression is allowed. +Conditions implement the `INagSuppressionIgnore` interface. They return a message string when the `createMessage()` method is called. If the method returns a non-empty string the suppression is ignored. Conversely, if the method returns an empty string the suppression is allowed. Here is an example of a re-usable condition class that ignores a suppression if the suppression reason doesn't contain the word `Arun` diff --git a/docs/NagLogger.md b/docs/NagLogger.md index bc4c950770..d6b9e34f1f 100644 --- a/docs/NagLogger.md +++ b/docs/NagLogger.md 
@@ -12,7 +12,7 @@ SPDX-License-Identifier: Apache-2.0 `NagLogger`s implement the `INagLogger` interface. Corresponding `INagLogger` method of a loggers is called after a `CfnResource` is evaluated against a `NagRule`. Each of these methods are passed information that relate to the validation state. 1. The `onCompliance` method is called when a CfnResource passes the compliance check for a given rule. -2. The `onNonCompliance` method is called when a CfnResource does not pass the compliance check for a given rule and the the rule violation is not suppressed by the user. +2. The `onNonCompliance` method is called when a CfnResource does not pass the compliance check for a given rule and the rule violation is not suppressed by the user. 3. The `onSuppressed` method is called when a CfnResource does not pass the compliance check for a given rule **and** the rule violation is suppressed by the user. 4. The `onError` method is called when a rule throws an error during while validating a CfnResource for compliance. 5. The `onSuppressedError` method is called when a rule throws an error during while validating a CfnResource for compliance **and** the error is suppressed. diff --git a/docs/NagPack.md b/docs/NagPack.md index 92fa144854..f59806bd26 100644 --- a/docs/NagPack.md +++ b/docs/NagPack.md @@ -5,7 +5,7 @@ SPDX-License-Identifier: Apache-2.0 # NagPack -A `NagPack` is a named collection of [rules](./RuleCreation.md) that can be used to validate your stacks and applications. All of the [pre-built packs](../README.md#available-packs) are `NagPacks`. +A `NagPack` is a named collection of [rules](./RuleCreation.md) that can be used to validate your stacks and applications. All of the [pre-built packs](../README.md#available-rules-and-packs) are `NagPacks`. ## Creating a NagPack diff --git a/docs/RuleCreation.md b/docs/RuleCreation.md index fefde6ef78..3bab0b6af2 100644 --- a/docs/RuleCreation.md +++ b/docs/RuleCreation.md 
@@ -15,7 +15,7 @@ A rule returns a `NagRuleResult` which is either a `NagRuleCompliance` status or - `NagRuleCompliance.COMPLIANT` - The resource that **meets** the requirements. - `NagRuleCompliance.NOT_APPLICABLE` - The rule **does not apply** to the given resource. - Ex. The current resource is a S3 Bucket but the rule is for validating DMS Replication Instances. -- `NagRuleFindings` A a string array with a list of all findings. +- `NagRuleFindings` A string array with a list of all findings. ```typescript import { CfnResource } from 'aws-cdk-lib'; diff --git a/src/nag-logger.ts b/src/nag-logger.ts index 126b1f8f88..fc95d306d2 100644 --- a/src/nag-logger.ts +++ b/src/nag-logger.ts @@ -297,7 +297,7 @@ export class NagReportLogger implements INagLogger { body = JSON.stringify({ lines: [] } as NagReportSchema); } else { throw new Error( - `Unrecognized ouput format ${format} for the NagReportLogger` + `Unrecognized output format ${format} for the NagReportLogger` ); } writeFileSync(filePath, body); @@ -368,7 +368,7 @@ export class NagReportLogger implements INagLogger { writeFileSync(filePath, JSON.stringify(report)); } else { throw new Error( - `Unrecognized ouput format ${format} for the NagReportLogger` + `Unrecognized output format ${format} for the NagReportLogger` ); } } diff --git a/src/packs/aws-solutions.ts b/src/packs/aws-solutions.ts index 0e44033586..06e5cfe4aa 100644 --- a/src/packs/aws-solutions.ts +++ b/src/packs/aws-solutions.ts @@ -223,7 +223,7 @@ export class AwsSolutionsChecks extends NagPack { ruleSuffixOverride: 'EB1', info: 'The Elastic Beanstalk environment is not configured to use a specific VPC.', explanation: - 'Use a non-default VPC in order to seperate your environment from default resources.', + 'Use a non-default VPC in order to separate your environment from default resources.', level: NagMessageLevel.ERROR, rule: ElasticBeanstalkVPCSpecified, node: node, 
@@ -725,7 +725,7 @@ export class AwsSolutionsChecks extends NagPack { ruleSuffixOverride: 'RS11', info: 'The Redshift cluster does not have user activity logging enabled.', explanation: - 'User activity logging logs each query before it is performed on the clusters databse. To enable this feature associate a Resdhsift Cluster Parameter Group with the "enable_user_activity_logging" parameter set to "true".', + 'User activity logging logs each query before it is performed on the clusters database. To enable this feature associate a Redshift Cluster Parameter Group with the "enable_user_activity_logging" parameter set to "true".', level: NagMessageLevel.ERROR, rule: RedshiftClusterUserActivityLogging, node: node, @@ -1326,7 +1326,7 @@ export class AwsSolutionsChecks extends NagPack { ruleSuffixOverride: 'SF2', info: 'The Step Function does not have X-Ray tracing enabled.', explanation: - 'X-ray provides an end-to-end view of how an application is performing. This helps operators to discover performance issues, detect permission problems, and track requests made to and from other AWS services.', + 'X-Ray provides an end-to-end view of how an application is performing. This helps operators to discover performance issues, detect permission problems, and track requests made to and from other AWS services.', level: NagMessageLevel.ERROR, rule: StepFunctionStateMachineXray, node: node, diff --git a/src/packs/nist-800-53-r5.ts b/src/packs/nist-800-53-r5.ts index 0f0968a276..79af7ce3d3 100644 --- a/src/packs/nist-800-53-r5.ts +++ b/src/packs/nist-800-53-r5.ts 
@@ -211,7 +211,7 @@ export class NIST80053R5Checks extends NagPack { */ private checkAutoScaling(node: CfnResource): void { this.applyRule({ - info: 'The Auto Scaling group (which is associated with a load balancer) does not utilize ELB healthchecks - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, CM-6a, CM-9b, PM-14a.1, PM-14b, PM-31, SC-6, SC-36(1)(a), SI-2a).', + info: 'The Auto Scaling group (which is associated with a load balancer) does not utilize ELB health checks - (Control IDs: AU-12(3), AU-14a, AU-14b, CA-2(2), CA-7, CA-7b, CM-6a, CM-9b, PM-14a.1, PM-14b, PM-31, SC-6, SC-36(1)(a), SI-2a).', explanation: 'The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. The load balancer periodically sends pings, attempts connections, or sends requests to test Amazon EC2 instances health in an auto-scaling group. If an instance is not reporting back, traffic is sent to a new Amazon EC2 instance.', level: NagMessageLevel.ERROR, diff --git a/src/packs/pci-dss-321.ts b/src/packs/pci-dss-321.ts index 6cf85a17f3..460441dd62 100644 --- a/src/packs/pci-dss-321.ts +++ b/src/packs/pci-dss-321.ts 
@@ -191,7 +191,7 @@ export class PCIDSS321Checks extends NagPack { */ private checkAutoScaling(node: CfnResource): void { this.applyRule({ - info: 'The Auto Scaling group (which is associated with a load balancer) does not utilize ELB healthchecks - (Control ID: 2.2).', + info: 'The Auto Scaling group (which is associated with a load balancer) does not utilize ELB health checks - (Control ID: 2.2).', explanation: 'The Elastic Load Balancer (ELB) health checks for Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling groups support maintenance of adequate capacity and availability. The load balancer periodically sends pings, attempts connections, or sends requests to test Amazon EC2 instances health in an auto-scaling group. If an instance is not reporting back, traffic is sent to a new Amazon EC2 instance.', level: NagMessageLevel.ERROR,
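Review bot: In the RULES.md hunk at `@@ -68,7 +68,7 @@` the unchanged AwsSolutions-DOC4 row still reads "can be adjust to meet system requirements" (should be "adjusted"); since this PR is a typo sweep of the same table, fix it in the same change rather than leaving a known error in the context lines.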
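Review bot: The RS11 fix in the RULES.md hunk at `@@ -136,13 +136,13 @@` corrects "databse" and "Resdhsift" but leaves "the clusters database" without the possessive ("the cluster's database"); the same wording is in the matching `src/packs/aws-solutions.ts` hunk at `@@ -725,7 +725,7 @@`, so both strings should be changed together so RULES.md and the pack stay identical. In the same RULES.md hunk the unchanged AwsSolutions-RS9 row reads "Version Upgrade must enabled to enable the cluster" and is missing "be".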
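Review bot: The RULES.md hunk at `@@ -319,7 +319,7 @@` updates the NIST.800.53.R4-AutoScalingGroupELBHealthCheckRequired row to "ELB health checks", but this diff contains hunks only for `src/packs/nist-800-53-r5.ts` and `src/packs/pci-dss-321.ts`; confirm whether the R4 pack's `info` string also says "healthchecks" and needs the same edit, otherwise the table and the pack output will disagree for that rule.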
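Review bot: In the RULES.md hunk at `@@ -447,7 +447,7 @@` the unchanged context rows contain duplicated control IDs: the APIGWExecutionLoggingEnabled row lists "AU-14a, AU-14b, AU-14b", the APIGWSSLEnabled row lists "SI-1a.2, SI-1a.2", and in the CloudTrailCloudWatchLogsEnabled row at `@@ -447` "AU-14b, AU-14b" again; each duplicate should be dropped, and the corresponding `info` strings in `src/packs/nist-800-53-r5.ts` checked for the same repetition. The changed row itself still says "test Amazon EC2 instances health" (missing the possessive) in both the RULES.md and the `src/packs` versions.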
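Review bot: In the `docs/NagLogger.md` hunk at `@@ -12,7 +12,7 @@` the fix removes the doubled "the the" in item 2, but the unchanged items 4 and 5 have the same kind of defect, "throws an error during while validating a CfnResource" (drop either "during" or "while"), and the intro sentence reads "Corresponding `INagLogger` method of a loggers is called" and "Each of these methods are passed" (should be "The corresponding `INagLogger` method of a logger is called" and "is passed"); worth fixing in the same pass.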
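Review bot: The `docs/NagPack.md` hunk at `@@ -5,7 +5,7 @@` changes the link target from `../README.md#available-packs` to `../README.md#available-rules-and-packs`, but no README hunk in this diff shows a heading with that slug; please confirm the heading "Available Rules and Packs" exists in README.md (and that the old anchor is not still referenced elsewhere in `docs/`), since a stale anchor silently degrades to the top of the page.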
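Review bot: In the `docs/RuleCreation.md` hunk at `@@ -15,7 +15,7 @@` the corrected bullet "- `NagRuleFindings` A string array with a list of all findings." is still missing the " - " separator that the sibling items use ("- `NagRuleCompliance.COMPLIANT` - The resource ..."); make it "- `NagRuleFindings` - A string array with a list of all findings." for consistency. The unchanged first item, "The resource that **meets** the requirements.", is also a sentence fragment ("The resource **meets** the requirements.").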
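Review bot: The `src/nag-logger.ts` hunks at `@@ -297,7 +297,7 @@` and `@@ -368,7 +368,7 @@` change the text of a thrown error, so any test that asserts on the exact message `Unrecognized ouput format ${format} for the NagReportLogger` will now fail; this diff shows no test change, so please grep `test/` for the old string. The identical message appears in both hunks, which is how the typo ended up duplicated; consider extracting it into a single helper or constant so the two throw sites cannot drift apart again.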