Migrate AWS cfn-authentication lambda opensource_service secrets_mana…

…ger resources to cfn-guard ruleset (#270)

rules/aws/all_resources/cfn_authentication_rule.guard

@@ -0,0 +1,58 @@
+#
+#####################################
+##          AWS Solutions          ##
+#####################################
+# Rule Identifier:
+#    CFN_AUTHENTICATION_RULE
+#
+# Description:
+#   Specifying credentials in the template itself is probably not the safest thing.
+#
+# Reports on:
+#    All Resources
+#
+# Evaluates:
+#    AWS CloudFormation
+#
+# Rule Parameters:
+#    NA
+#
+# CFN_NAG Rule Id:
+#   W1
+#
+# Scenarios:
+# a) SKIP: when there are no resource present
+# b) PASS: When no resources specifies credentials in template.
+# c) FAIL: When any resource specifies credentials in template.
+# d) SKIP: when metadata has rule suppression for CFN_AUTHENTICATION_RULE
+
+#
+# Select all Security Group resources from incoming template (payload)
+#
+let cfn_authentication_rule = Resources.Metadata
+let skip_cfn_authentication = %cfn_authentication_rule[
+      "AWS::CloudFormation::Authentication" exists
+      Metadata.cfn_nag.rules_to_suppress not exists or
+      Metadata.cfn_nag.rules_to_suppress.*.id != "W1"
+      Metadata.guard.SuppressedRules not exists or
+      Metadata.guard.SuppressedRules.* != "CFN_AUTHENTICATION_RULE"
+]
+
+rule CFN_AUTHENTICATION_RULE when
+    %cfn_authentication_rule !empty
+    %skip_cfn_authentication !empty
+ {
+  let violation = %cfn_authentication_rule[
+    "AWS::CloudFormation::Authentication".*.accessKeyId exists
+    OR
+    "AWS::CloudFormation::Authentication".*.password exists
+    OR
+    "AWS::CloudFormation::Authentication".*.secretKey exists
+  ]
+
+  %violation empty
+  <<
+    Violation: CFN template has sensitive credentials defined.
+    Fix: Remove sensitive credentials.
+  >>
+}

rules/aws/all_resources/tests/cfn_authentication_rule_tests.yml

@@ -0,0 +1,279 @@
+###
+# CFN_AUTHENTICATION_RULE tests
+###
+---
+- name: Empty
+  input: {}
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: SKIP
+
+- name: No resources
+  input:
+    Resources: {}
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: SKIP
+
+- name: CFN Insensitive authentication
+  input:
+    Resources:
+        RootRole:
+          Type: "AWS::IAM::Role"
+          Properties:
+           AssumeRolePolicyDocument:
+             Version: "2012-10-17"
+             Statement:
+               - Effect: "Allow"
+                 Principal:
+                   Service:
+                     - "ec2.amazonaws.com"
+                   AWS: "arn:aws:iam::324320755747:root"
+                 Action:
+                   - "sts:AssumeRole"
+        EC2I4LBA1:
+          Type: "AWS::EC2::Instance"
+          Properties:
+            ImageId: "ami-6df1e514"
+            InstanceType: "t2.micro"
+            SubnetId:
+              "Ref": "subnetId"
+        Metadata:
+          Type: AWS::CloudFormation::Authentication
+          AWS::CloudFormation::Authentication:
+            testS3:
+              type: "s3"
+              roleName: !Ref RootRole
+              buckets:
+                - "somebucket333"
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: PASS
+
+- name: CFN Sensitive authentication
+  input:
+    Resources:
+      RootRole:
+        Type: "AWS::IAM::Role"
+        Properties:
+          AssumeRolePolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Principal:
+                  Service:
+                    - "ec2.amazonaws.com"
+                  AWS: "arn:aws:iam::324320755747:root"
+                Action:
+                  - "sts:AssumeRole"
+      EC2I4LBA1:
+        Type: "AWS::EC2::Instance"
+        Properties:
+          ImageId: "ami-6df1e514"
+          InstanceType: "t2.micro"
+          SubnetId:
+            "Ref": "subnetId"
+      Metadata:
+        Type: AWS::CloudFormation::Authentication
+        AWS::CloudFormation::Authentication:
+          testBasic:
+            type: "basic"
+            username: "testUsername1"
+            password: "sensitive_password"
+            uris:
+              - "http://www.example.com/test"
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: FAIL
+
+- name: CFN does not contains Metadata Resource
+  input:
+    Resources:
+        RootRole:
+          Type: "AWS::IAM::Role"
+          Properties:
+           AssumeRolePolicyDocument:
+             Version: "2012-10-17"
+             Statement:
+               - Effect: "Allow"
+                 Principal:
+                   Service:
+                     - "ec2.amazonaws.com"
+                   AWS: "arn:aws:iam::324320755747:root"
+                 Action:
+                   - "sts:AssumeRole"
+        EC2I4LBA1:
+          Type: "AWS::EC2::Instance"
+          Properties:
+            ImageId: "ami-6df1e514"
+            InstanceType: "t2.micro"
+            SubnetId:
+              "Ref": "subnetId"
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: SKIP
+
+- name: CFN_NAG suppression for W1
+  input:
+    Resources:
+      RootRole:
+        Type: "AWS::IAM::Role"
+        Properties:
+          AssumeRolePolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Principal:
+                  Service:
+                    - "ec2.amazonaws.com"
+                  AWS: "arn:aws:iam::324320755747:root"
+                Action:
+                  - "sts:AssumeRole"
+        Metadata:
+          cfn_nag:
+            rules_to_suppress:
+              - id: W1
+                reason: Suppressed to test suppression works and skips this test
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+      EC2I4LBA1:
+        Type: "AWS::EC2::Instance"
+        Properties:
+          ImageId: "ami-6df1e514"
+          InstanceType: "t2.micro"
+          SubnetId:
+            "Ref": "subnetId"
+        Metadata:
+          cfn_nag:
+            rules_to_suppress:
+              - id: W1
+                reason: Suppressed to test suppression works and skips this test
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+      Metadata:
+        Type: AWS::CloudFormation::Authentication
+        AWS::CloudFormation::Authentication:
+          testBasic:
+            type: "basic"
+            username: "testUsername1"
+            password: "sensitive_password"
+            uris:
+              - "http://www.example.com/test"
+        Metadata:
+          cfn_nag:
+            rules_to_suppress:
+              - id: W1
+                reason: Suppressed to test suppression works and skips this test
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: SKIP
+
+- name: Guard suppression for CFN_AUTHENTICATION_RULE
+  input:
+    Resources:
+      RootRole:
+        Type: "AWS::IAM::Role"
+        Properties:
+          AssumeRolePolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Principal:
+                  Service:
+                    - "ec2.amazonaws.com"
+                  AWS: "arn:aws:iam::324320755747:root"
+                Action:
+                  - "sts:AssumeRole"
+        Metadata:
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+      EC2I4LBA1:
+        Type: "AWS::EC2::Instance"
+        Properties:
+          ImageId: "ami-6df1e514"
+          InstanceType: "t2.micro"
+          SubnetId:
+            "Ref": "subnetId"
+        Metadata:
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+      Metadata:
+        Type: AWS::CloudFormation::Authentication
+        AWS::CloudFormation::Authentication:
+          testBasic:
+            type: "basic"
+            username: "testUsername1"
+            password: "sensitive_password"
+            uris:
+              - "http://www.example.com/test"
+        Metadata:
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: SKIP
+
+- name: Guard and CFN_NAG suppression for W1 & CFN_AUTHENTICATION_RULE
+  input:
+    Resources:
+      RootRole:
+        Type: "AWS::IAM::Role"
+        Properties:
+          AssumeRolePolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: "Allow"
+                Principal:
+                  Service:
+                    - "ec2.amazonaws.com"
+                  AWS: "arn:aws:iam::324320755747:root"
+                Action:
+                  - "sts:AssumeRole"
+        Metadata:
+          cfn_nag:
+            rules_to_suppress:
+              - id: W1
+                reason: Suppressed to test suppression works and skips this test
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+      EC2I4LBA1:
+        Type: "AWS::EC2::Instance"
+        Properties:
+          ImageId: "ami-6df1e514"
+          InstanceType: "t2.micro"
+          SubnetId:
+            "Ref": "subnetId"
+        Metadata:
+          cfn_nag:
+            rules_to_suppress:
+              - id: W1
+                reason: Suppressed to test suppression works and skips this test
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+      Metadata:
+        Type: AWS::CloudFormation::Authentication
+        AWS::CloudFormation::Authentication:
+          testBasic:
+            type: "basic"
+            username: "testUsername1"
+            password: "sensitive_password"
+            uris:
+              - "http://www.example.com/test"
+        Metadata:
+          cfn_nag:
+            rules_to_suppress:
+              - id: W1
+                reason: Suppressed to test suppression works and skips this test
+          guard:
+            SuppressedRules:
+              - CFN_AUTHENTICATION_RULE
+  expectations:
+    rules:
+      CFN_AUTHENTICATION_RULE: SKIP

rules/aws/lambda/lambda_concurrency_check.guard

@@ -27,6 +27,8 @@
 # Select all AWS Lambda Function resources from incoming template (payload)
 #
 let aws_lambda_functions_concurrency = Resources.*[ Type == 'AWS::Lambda::Function' 
+  Metadata.cfn_nag.rules_to_suppress not exists or 
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W92"
   Metadata.guard.SuppressedRules not exists or
   Metadata.guard.SuppressedRules.* != "LAMBDA_CONCURRENCY_CHECK"
 ]

rules/aws/lambda/lambda_inside_vpc.guard

@@ -27,6 +27,8 @@
 # Select all AWS Lambda Function resources from incoming template (payload)
 #
 let aws_lambda_functions_inside_vpc = Resources.*[ Type == 'AWS::Lambda::Function' 
+  Metadata.cfn_nag.rules_to_suppress not exists or 
+  Metadata.cfn_nag.rules_to_suppress.*.id != "W89"
   Metadata.guard.SuppressedRules not exists or
   Metadata.guard.SuppressedRules.* != "LAMBDA_INSIDE_VPC"
 ]