From 2744e05501155006602e98d69fc91bb3e86ab1bd Mon Sep 17 00:00:00 2001
From: KLEstes
Date: Sat, 10 Aug 2019 21:32:20 -0500
Subject: [PATCH 1/3] #278 - first stab
---
 .../custom_rules/S3BucketEncryptionSetRule.rb | 29 +++++++++++++++++++
 .../S3BucketEncriptionSetRule_spec.rb | 16 ++++++++++
 .../s3_bucket/buckets_with_no_encryption.json | 28 ++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb
 create mode 100644 spec/custom_rules/S3BucketEncriptionSetRule_spec.rb
 create mode 100644 spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json
diff --git a/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb b/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb
new file mode 100644
index 00000000..b5a67e67
--- /dev/null
+++ b/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+#TODO: assign/check unique W rule number
+
+class S3BucketEncryptionSetRule < BaseRule
+ def rule_text
+ 'S3 Bucket should have encryption option set'
+ end
+
+ def rule_type
+ Violation::WARNING
+ end
+
+ def rule_id
+ 'W40'
+ end
+
+ def audit_impl(cfn_model)
+ violating_buckets = cfn_model.resources_by_type('AWS::S3::Bucket').each do |bucket|
+ bucket.bucketEncryption.nil?
+ end
+
+ violating_buckets.map(&:logical_resource_id)
+ end
+
+end
diff --git a/spec/custom_rules/S3BucketEncriptionSetRule_spec.rb b/spec/custom_rules/S3BucketEncriptionSetRule_spec.rb
new file mode 100644
index 00000000..309d7080
--- /dev/null
+++ b/spec/custom_rules/S3BucketEncriptionSetRule_spec.rb
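Review bot: `bucket.bucketEncryption.nil?` in audit_impl only tests whether the BucketEncryption property exists, so a bucket whose `ServerSideEncryptionConfiguration` is an empty list (or whose BucketEncryption is an empty object) is treated as encrypted; the same predicate survives unchanged in the audit_impl hunk of PATCH 3/3. A tighter check would be `encryption = bucket.bucketEncryption` followed by `encryption.nil? || Array(encryption['ServerSideEncryptionConfiguration']).empty?`, assuming cfn-model hands the property back as a Hash keyed as in the template — worth confirming against the parser before relying on it. A third fixture bucket with `"BucketEncryption": { "ServerSideEncryptionConfiguration": [] }` in buckets_with_no_encryption.json would pin that case in the spec. Note also that `.each` on the assignment line returns the full bucket list rather than the filtered one, which PATCH 3/3 already corrects to `select`.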
@@ -0,0 +1,16 @@
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/S3BucketEncryptionSetRule'
+
+describe S3BucketEncryptionSetRule do
+ context 's3 bucket with encryption set' do
+ it 'returns offending logical resource id' do
+ cfn_model = CfnParser.new.parse read_test_template('json/s3_bucket/buckets_with_no_encryption.json')
+
+ actual_logical_resource_ids = S3BucketEncryptionSetRule.new.audit_impl cfn_model
+ expected_logical_resource_ids = %w[S3BucketEncryptionNotSet]
+
+ expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+ end
+ end
+end
diff --git a/spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json b/spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json
new file mode 100644
index 00000000..d32b02d2
--- /dev/null
+++ b/spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json
@@ -0,0 +1,28 @@
+{
+ "Resources": {
+ "S3BucketEncryptionNotSet" : {
+ "Type" : "AWS::S3::Bucket",
+ "Properties" : {
+ "BucketName" : "fakebucketfakebucket",
+ "AccessControl": "BucketOwnerRead"
+ }
+ },
+
+ "S3BucketEncryptionSSSet" : {
+ "Type" : "AWS::S3::Bucket",
+ "Properties" : {
+ "BucketName" : "anotherfakebucketasdfa",
+ "AccessControl": "BucketOwnerRead",
+ "BucketEncryption": {
+ "ServerSideEncryptionConfiguration": [
+ {
+ "ServerSideEncryptionByDefault": {
+ "SSEAlgorithm": "AES256"
+ }
+ }
+ ]
+ }
+ }
+ }
+}
\ No newline at end of file
From c8805eea9bd2c555103f80440989443c1cf76ac8 Mon Sep 17 00:00:00 2001
From: KLEstes
Date: Mon, 12 Aug 2019 17:49:37 -0500
Subject: [PATCH 2/3] #278 Fixed mispelled filename
---
 ...EncriptionSetRule_spec.rb => S3BucketEncyptionSetRule_spec.rb} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename spec/custom_rules/{S3BucketEncriptionSetRule_spec.rb => S3BucketEncyptionSetRule_spec.rb} (100%)
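Review bot: The context label `'s3 bucket with encryption set'` describes the opposite of what the example checks — the fixture is buckets_with_no_encryption.json and the expectation is that the unencrypted bucket is the one reported — so the spec output summarises the case wrongly; `context 's3 bucket without encryption set' do` (or a label naming the mixed fixture) would match the assertion. The `eq %w[S3BucketEncryptionNotSet]` expectation does also prove the encrypted bucket is excluded, which is worth saying in the `it` description rather than leaving implicit. Separately, the file name: PATCH 2/3 renames this file to S3BucketEncyptionSetRule_spec.rb, which still does not spell the class name S3BucketEncryptionSetRule; S3BucketEncryptionSetRule_spec.rb would match.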
diff --git a/spec/custom_rules/S3BucketEncriptionSetRule_spec.rb b/spec/custom_rules/S3BucketEncyptionSetRule_spec.rb
similarity index 100%
rename from spec/custom_rules/S3BucketEncriptionSetRule_spec.rb
rename to spec/custom_rules/S3BucketEncyptionSetRule_spec.rb
From 466bb17b5f85dfd66812076ab1d8b2d7d0d864af Mon Sep 17 00:00:00 2001
From: KLEstes
Date: Mon, 12 Aug 2019 20:05:16 -0500
Subject: [PATCH 3/3] #278 Rubocop sated.
---
 lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb | 9 +++------
 spec/custom_rules/S3BucketEncyptionSetRule_spec.rb | 2 +-
 .../json/s3_bucket/buckets_with_no_encryption.json | 6 +++---
 3 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb b/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb
index b5a67e67..ac5a2b7e 100644
--- a/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb
+++ b/lib/cfn-nag/custom_rules/S3BucketEncryptionSetRule.rb
@@ -3,8 +3,6 @@
 require 'cfn-nag/violation'
 require_relative 'base'
-#TODO: assign/check unique W rule number
-
 class S3BucketEncryptionSetRule < BaseRule
 def rule_text
 'S3 Bucket should have encryption option set'
@@ -15,15 +13,14 @@ def rule_type
 end
 def rule_id
- 'W40'
+ 'W41'
 end
 def audit_impl(cfn_model)
- violating_buckets = cfn_model.resources_by_type('AWS::S3::Bucket').each do |bucket|
- bucket.bucketEncryption.nil?
+ violating_buckets = cfn_model.resources_by_type('AWS::S3::Bucket').select do |bucket|
+ bucket.bucketEncryption.nil?
 end
 violating_buckets.map(&:logical_resource_id)
 end
-
 end
diff --git a/spec/custom_rules/S3BucketEncyptionSetRule_spec.rb b/spec/custom_rules/S3BucketEncyptionSetRule_spec.rb
index 309d7080..15170f2c 100644
--- a/spec/custom_rules/S3BucketEncyptionSetRule_spec.rb
+++ b/spec/custom_rules/S3BucketEncyptionSetRule_spec.rb
@@ -13,4 +13,4 @@
 expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
 end
 end
-end
+end
\ No newline at end of file
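Review bot: In the second hunk of S3BucketEncryptionSetRule.rb, audit_impl assigns the `select` result to `violating_buckets` only to `map` it in the next statement, and uses a `do … end` block whose return value is consumed; the method reads as one expression, `cfn_model.resources_by_type('AWS::S3::Bucket').select { |bucket| bucket.bucketEncryption.nil? }.map(&:logical_resource_id)`, wrapped over two lines. The first hunk drops the `#TODO: assign/check unique W rule number` comment while changing the id to `'W41'`, but nothing on this page shows that W41 is unused by another rule, so that is worth a quick search of the rule set before merging. A one-line comment above the class, e.g. `# Flags AWS::S3::Bucket resources that declare no BucketEncryption property`, would document what the rule treats as a violation.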
diff --git a/spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json b/spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json
index d32b02d2..dc5a5609 100644
--- a/spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json
+++ b/spec/test_templates/json/s3_bucket/buckets_with_no_encryption.json
@@ -3,15 +3,15 @@
 "S3BucketEncryptionNotSet" : {
 "Type" : "AWS::S3::Bucket",
 "Properties" : {
- "BucketName" : "fakebucketfakebucket",
+ "BucketName" : "fakebucketfaaaake",
 "AccessControl": "BucketOwnerRead"
 }
 },
- "S3BucketEncryptionSSSet" : {
+ "Green_S3BucketEncryptionSet" : {
 "Type" : "AWS::S3::Bucket",
 "Properties" : {
- "BucketName" : "anotherfakebucketasdfa",
+ "BucketName" : "encryptedfakebucket",
 "AccessControl": "BucketOwnerRead",
 "BucketEncryption": {
 "ServerSideEncryptionConfiguration": [
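Review bot: The renamed logical ID `"Green_S3BucketEncryptionSet"` contains an underscore, which CloudFormation does not accept in a logical resource ID (they must be alphanumeric), so the fixture is no longer a template the service would deploy even if cfn-model still parses it; `"GreenS3BucketEncryptionSet" : {` keeps the green/red naming without the invalid character. If the spec's expected list is ever extended to assert that this bucket is not reported, its ID should match whichever name is chosen here.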