Fail on not utilizing NoEcho for MasterUserPassword in AWS::Redshift::Cluster #232

Merged
2 commits merged into from
Jun 21, 2019
@@ -0,0 +1,35 @@
# frozen_string_literal: true

require 'cfn-nag/violation'
require 'cfn-nag/util/enforce_reference_parameter'
require 'cfn-nag/util/enforce_string_or_dynamic_reference'
require_relative 'base'

class RedshiftClusterMasterUserPasswordRule < BaseRule
def rule_text
'Redshift Cluster master user password must be Ref to NoEcho Parameter. ' \
'Default credentials are not recommended'
end

def rule_type
Violation::FAILING_VIOLATION
end

def rule_id
'F35'
end

def audit_impl(cfn_model)
redshift_clusters = cfn_model.resources_by_type('AWS::Redshift::Cluster')
violating_redshift_clusters = redshift_clusters.select do |cluster|
if cluster.masterUserPassword.nil?
false
else
insecure_parameter?(cfn_model, cluster.masterUserPassword) ||
insecure_string_or_dynamic_reference?(cfn_model, cluster.masterUserPassword)
end
end

violating_redshift_clusters.map(&:logical_resource_id)
end
end
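Review bot: The rule_text at lines 46-47 understates what the audit actually accepts: the spec and fixtures on this page show that `{{resolve:secretsmanager:...}}` and `{{resolve:ssm-secure:...}}` dynamic references pass, and that a NoEcho parameter is still flagged when it carries a `Default`, but the message only says "Ref to NoEcho Parameter" and "Default credentials", so someone fixing an F35 finding gets an incomplete picture of the compliant options. I would change it to `'Redshift Cluster master user password must be a Ref to a NoEcho Parameter with no Default, ' \` / `'or a Secrets Manager / SSM SecureString dynamic reference'`. The two helpers `insecure_parameter?` and `insecure_string_or_dynamic_reference?` are defined outside this page, so I cannot confirm how they treat a password assembled with `Fn::Join`/`Fn::Sub` around a literal; if that case is not covered by them it deserves a spec of its own.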
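--- a/spec/custom_rules/RedshiftClusterMasterUserPasswordRule_spec.rb
+++ b/spec/custom_rules/RedshiftClusterMasterUserPasswordRule_spec.rb
@@ -0,0 +1,105 @@
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/RedshiftClusterMasterUserPasswordRule'
+
+describe RedshiftClusterMasterUserPasswordRule, :rule do
+context 'Redshift Cluster without master user password set' do
+it 'returns empty list' do
+cfn_model = CfnParser.new.parse read_test_template(
+'yaml/redshift_cluster/redshift_cluster_no_master_user_password.yml'
+)
+
+actual_logical_resource_ids =
+RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
+expected_logical_resource_ids = %w[]
+
+expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+end
+end
+
+context 'Redshift Cluster with parameter master user password with NoEcho' do
+it 'returns empty list' do
+cfn_model = CfnParser.new.parse read_test_template(
+'yaml/redshift_cluster/' \
+'redshift_cluster_master_user_password_parameter_noecho.yml'
+)
+
+actual_logical_resource_ids =
+RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
+expected_logical_resource_ids = %w[]
+
+expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+end
+end
+
+context 'Redshift Cluster with literal master user password in plaintext' do
+it 'returns offending logical resource id for offending Redshift Cluster' do
+cfn_model = CfnParser.new.parse read_test_template(
+'yaml/redshift_cluster/' \
+'redshift_cluster_master_user_password_plaintext.yml'
+)
+
+actual_logical_resource_ids =
+RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
+expected_logical_resource_ids = %w[RedshiftCluster]
+
+expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+end
+end
+
+context 'Redshift Cluster with parameter master user password with NoEcho ' \
+'that has Default value' do
+it 'returns offending logical resource id for offending Redshift Cluster' do
+cfn_model = CfnParser.new.parse read_test_template(
+'yaml/redshift_cluster/' \
+'redshift_cluster_master_user_password_parameter_noecho_with_default.yml'
+)
+actual_logical_resource_ids =
+RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
+expected_logical_resource_ids = %w[RedshiftCluster]
+
+expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+end
+end
+
+context 'Redshift Cluster master user password from Secrets Manager' do
+it 'returns empty list' do
+cfn_model = CfnParser.new.parse read_test_template(
+'yaml/redshift_cluster/' \
+'redshift_cluster_master_user_password_secrets_manager.yml'
+)
+actual_logical_resource_ids =
+RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
+expected_logical_resource_ids = %w[]
+
+expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+end
+end
+
+context 'Redshift Cluster master user password from Secure Systems Manager' do
+it 'returns empty list' do
+cfn_model = CfnParser.new.parse read_test_template(
+'yaml/redshift_cluster/' \
+'redshift_cluster_master_user_password_ssm-secure.yml'
+)
+actual_logical_resource_ids =
+RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
+expected_logical_resource_ids = %w[]
+
+expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+end
+end
+
+context 'Redshift Cluster master user password from Systems Manager' do
+it 'returns offending logical resource id for offending Redshift Cluster' do
+cfn_model = CfnParser.new.parse read_test_template(
+'yaml/redshift_cluster/redshift_cluster_master_user_password_ssm.yml'
+)
+actual_logical_resource_ids =
+RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
+expected_logical_resource_ids = %w[RedshiftCluster]
+
+expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+end
+end
+end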
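Review bot: The PR title is about failing when the password parameter does not use NoEcho, yet none of the contexts here (and no fixture on this page) exercises a `!Ref` to a plain `Type: String` parameter without `NoEcho`, so the headline case is untested and a regression in `insecure_parameter?` for that input would go unnoticed. I would add a context that uses a copy of the NoEcho fixture with the `NoEcho: True` line removed and expects `%w[RedshiftCluster]`; the fixture name below is only a suggestion. The empty expectations written as `%w[]` would read more naturally as `[]`, but that is cosmetic.
```ruby
  # … unchanged: existing contexts …
  context 'Redshift Cluster with parameter master user password without NoEcho' do
    it 'returns offending logical resource id for offending Redshift Cluster' do
      cfn_model = CfnParser.new.parse read_test_template(
        'yaml/redshift_cluster/' \
        'redshift_cluster_master_user_password_parameter_no_noecho.yml'
      )
      actual_logical_resource_ids =
        RedshiftClusterMasterUserPasswordRule.new.audit_impl cfn_model
      expected_logical_resource_ids = %w[RedshiftCluster]

      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
    end
  end
```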
@@ -0,0 +1,14 @@
---
Parameters:
RedshiftClusterMasterUserPassword:
Type: String
NoEcho: True
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterType: single-node
DBName: foobar
MasterUserPassword: !Ref RedshiftClusterMasterUserPassword
MasterUsername: admin
NodeType: dc2.large
@@ -0,0 +1,15 @@
---
Parameters:
RedshiftClusterMasterUserPassword:
Type: String
NoEcho: True
Default: b@dP@$sW0rD
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterType: single-node
DBName: foobar
MasterUserPassword: !Ref RedshiftClusterMasterUserPassword
MasterUsername: admin
NodeType: dc2.large
@@ -0,0 +1,10 @@
---
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterType: single-node
DBName: foobar
MasterUserPassword: b@dP@$sW0rD
MasterUsername: admin
NodeType: dc2.large
@@ -0,0 +1,10 @@
---
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterType: single-node
DBName: foobar
MasterUserPassword: '{{resolve:secretsmanager:/redshift/cluster/masteruserpassword:SecretString:password}}'
MasterUsername: admin
NodeType: dc2.large
@@ -0,0 +1,10 @@
---
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterType: single-node
DBName: foobar
MasterUserPassword: '{{resolve:ssm-secure:SecureSecretString:1}}'
MasterUsername: admin
NodeType: dc2.large
@@ -0,0 +1,10 @@
---
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterType: single-node
DBName: foobar
MasterUserPassword: '{{resolve:ssm:UnsecureSecretString:1}}'
MasterUsername: admin
NodeType: dc2.large
@@ -0,0 +1,9 @@
---
Resources:
RedshiftCluster:
Type: AWS::Redshift::Cluster
Properties:
ClusterType: single-node
DBName: foobar
MasterUsername: admin
NodeType: dc2.large
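Review bot: This fixture omits `MasterUserPassword` entirely and the spec expects no finding for it, which matches the rule's nil branch, but as far as I recall CloudFormation documents that property as required for `AWS::Redshift::Cluster`, so the template itself would never deploy (worth confirming against the current resource specification). A one-line comment above `Resources:` such as `# Not a deployable template: exercises only the nil-password branch of F35` would stop a later contributor from "fixing" the fixture by adding a literal password and silently changing what the test covers.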