feat: Migrate batch cfn cognito dlm resources to cfn-guard ruleset #265

Merged
merged 1 commit into from
Mar 20, 2024
Merged
@@ -0,0 +1,50 @@
#
#####################################
## AWS Solutions ##
#####################################
# Rule Identifier:
# BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
#
# Description:
# Batch Job Definition Container Properties should not have Privileged set to true
#
# Reports on:
# AWS::Batch::JobDefinition
#
# Evaluates:
# AWS CloudFormation
#
# Rule Parameters:
# NA
#
# CFN_NAG Rule Id:
# W34
#
# Scenarios:
# a) SKIP: when there is no Batch Job resource present.
# b) PASS: when Batch Job resources does not have container properties or privileged is set to false.
# c) FAIL: when Batch Job resources does have container properties and privileged is set to true.
# d) SKIP: when metadata has rule suppression for BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE

#
# Select all Batch Job Definition resources from incoming template (payload)
#
let batch_job_container_properties_privileged_rule = Resources.*[ Type == 'AWS::Batch::JobDefinition'
Metadata.cfn_nag.rules_to_suppress not exists or
Metadata.cfn_nag.rules_to_suppress.*.id != "W34"
Metadata.guard.SuppressedRules not exists or
Metadata.guard.SuppressedRules.* != "BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE"
]

rule BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE when %batch_job_container_properties_privileged_rule !empty {
let violations = %batch_job_container_properties_privileged_rule[
Type == 'AWS::Batch::JobDefinition'
Properties.ContainerProperties exists
Properties.ContainerProperties.Privileged == true
]
%violations empty
<<
Violation: Batch job definition resource has container properties set to true
Fix: set privileged to false or remove privileged field to make it false by default.
>>
}
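Review bot: The violation message on the clause that closes the rule, `Violation: Batch job definition resource has container properties set to true`, misdescribes the failing condition — the filter checks `Properties.ContainerProperties.Privileged == true`, so the text should read `Violation: Batch job definition resource has ContainerProperties.Privileged set to true`. The `Type == 'AWS::Batch::JobDefinition'` test inside the violations filter repeats the type filter already applied when `%batch_job_container_properties_privileged_rule` was selected, so it can be dropped for readability. Scenario (b) in the header also relies on a missing Privileged key being treated as compliant; a short comment above the filter, such as `# A missing Privileged key is treated as false (the service default)`, would make that intent explicit to the next maintainer rather than leaving it implied by the `== true` comparison.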
@@ -0,0 +1,207 @@
###
# BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE tests
###
---
- name: Empty
input: {}
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: No resources
input:
Resources: {}
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: Batch Job resource with no container properties
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
Parameters: Json
Timeout: 6000
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: PASS

- name: Batch Job resource with container properties and privileged set to false
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: false
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: PASS

- name: Batch Job resource with container properties and privileged set to true
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: FAIL

- name: CFN_NAG suppression for W34
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
Metadata:
cfn_nag:
rules_to_suppress:
- id: W34
reason: Suppressed to test suppression works and skips this test
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: Guard suppression for BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
Metadata:
guard:
SuppressedRules:
- BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP

- name: Guard and CFN_NAG suppression for W34 & BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
input:
Resources:
JobDefinition:
Type: AWS::Batch::JobDefinition
Properties:
Type: container
JobDefinitionName: nvidia-smi
ContainerProperties:
MountPoints:
- ReadOnly: false
SourceVolume: nvidia
ContainerPath: /usr/local/nvidia
Volumes:
- Host:
SourcePath: /var/lib/nvidia-docker/volumes/nvidia_driver/latest
Name: nvidia
Command:
- nvidia-smi
Privileged: true
JobRoleArn: String
ReadonlyRootFilesystem: true
ResourceRequirements:
- Type: MEMORY
Value: '2000'
- Type: VCPU
Value: '2'
Image: nvidia/cuda
Metadata:
cfn_nag:
rules_to_suppress:
- id: W34
reason: Suppressed to test suppression works and skips this test
guard:
SuppressedRules:
- BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE
expectations:
rules:
BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: SKIP
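Review bot: No test exercises a job definition whose ContainerProperties block is present but omits Privileged, even though the rule's scenario (b) and its Fix text ("remove privileged field to make it false by default") both depend on that case passing; adding a case such as `- name: Batch Job resource with container properties and no Privileged key`, reusing the existing ContainerProperties minus the `Privileged` line, with an expectation of `BATCH_JOB_CONTAINER_PROPERTIES_PRIVILEGED_RULE: PASS` would pin it. A negative suppression case is also missing: a resource with `Privileged: true` and a cfn_nag `rules_to_suppress` entry for a different id (or a guard `SuppressedRules` entry naming another rule) should still expect `FAIL`, which is the case most likely to regress if the `!=` filters in the rule's resource selection are ever changed.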
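--- a/rules/aws/aws_cloudformation/cfn_no_explicit_resource_names.guard
+++ b/rules/aws/aws_cloudformation/cfn_no_explicit_resource_names.guard
@@ -0,0 +1,131 @@
+#
+#####################################
+## AWS Solutions ##
+#####################################
+# Rule Identifier:
+# CFN_NO_EXPLICIT_RESOURCE_NAMES
+#
+# Description:
+# Checks that the template does not explicitely name resources.
+#
+# Reports on:
+# Various
+#
+# Evaluates:
+# AWS CloudFormation
+#
+# Rule Parameters:
+# NA
+#
+# CFN_NAG Rule Id:
+# W28
+#
+# Scenarios:
+# a) SKIP: when none of the covered resources types are present
+# b) PASS: when none of the applicable types have static resource names
+# c) FAIL: when any applicable types has a static resource name
+# d) SKIP: when metada has rule suppression for CFN_NO_EXPLICIT_RESOURCE_NAMES or CFN_NAG W28
+
+let applicable_types = [
+"AWS::ApiGateway::ApiKey",
+"AWS::CloudWatch::Alarm",
+"AWS::CodeDeploy::DeploymentConfig",
+"AWS::CodeDeploy::DeploymentGroup",
+"AWS::DynamoDB::Table",
+"AWS::EC2::SecurityGroup",
+"AWS::ECR::Repository",
+"AWS::ElasticLoadBalancingV2::LoadBalancer",
+"AWS::Elasticsearch::Domain",
+"AWS::IAM::Group",
+"AWS::IAM::ManagedPolicy",
+"AWS::IAM::Role",
+"AWS::Kinesis::Stream",
+"AWS::RDS::DBInstance"
+]
+
+# Select applicable resources less suppressed resources
+let cloudformation_no_static_name_resources = Resources.*[Type in %applicable_types
+Metadata.cfn_nag.rules_to_suppress not exists or
+Metadata.cfn_nag.rules_to_suppress.*.id != "W28"
+Metadata.guard.SuppressedRules not exists or
+Metadata.guard.SuppressedRules.* != "CFN_NO_EXPLICIT_RESOURCE_NAMES"
+]
+
+rule CFN_NO_EXPLICIT_RESOURCE_NAMES
+when %cloudformation_no_static_name_resources !empty {
+AWS::ApiGateway::ApiKey {
+Properties{
+Name empty
+}
+}
+AWS::CloudWatch::Alarm {
+Properties{
+AlarmName empty
+}
+}
+AWS::CodeDeploy::DeploymentConfig {
+Properties{
+DeploymentConfigName empty
+}
+}
+AWS::CodeDeploy::DeploymentGroup {
+Properties{
+DeploymentGroupName empty
+}
+}
+AWS::DynamoDB::Table {
+Properties{
+TableName empty
+}
+}
+AWS::EC2::SecurityGroup {
+Properties{
+GroupName empty
+}
+}
+AWS::ECR::Repository {
+Properties{
+RepositoryName empty
+}
+}
+AWS::ElasticLoadBalancingV2::LoadBalancer {
+Properties{
+Name empty
+}
+}
+AWS::Elasticsearch::Domain {
+Properties{
+DomainName empty
+}
+}
+AWS::IAM::Group {
+Properties{
+GroupName empty
+}
+}
+AWS::IAM::ManagedPolicy {
+Properties{
+ManagedPolicyName empty
+}
+}
+AWS::IAM::Role {
+Properties{
+RoleName empty
+}
+}
+AWS::Kinesis::Stream {
+Properties{
+Name empty
+}
+}
+AWS::RDS::DBInstance {
+Properties{
+DBInstanceIdentifier empty
+}
+}
+%cloudformation_no_static_name_resources not empty
+<<
+Violation: Resource found with an explicit name, this disallows updates that require replacement of this resource.
+Fix: Remove static name from the resource
+>>
+}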
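Review bot: The fourteen type blocks inside `rule CFN_NO_EXPLICIT_RESOURCE_NAMES` are written in the bare `AWS::IAM::Role { Properties{ RoleName empty } }` form, which as I read cfn-guard's type-block shorthand is evaluated against every resource of that type in the template rather than against the suppression-filtered `%cloudformation_no_static_name_resources`; if so, a resource suppressed via Metadata still fails whenever any other applicable resource keeps the rule active, and scenario (d) in the header only holds when every applicable resource in the template is suppressed. Scoping each check to the filtered variable, e.g. `%cloudformation_no_static_name_resources[ Type == 'AWS::IAM::Role' ].Properties.RoleName empty` and likewise for the other thirteen types, would make suppression per-resource. The trailing `%cloudformation_no_static_name_resources not empty` clause that carries the `<< … >>` message restates the `when` guard and so cannot fail, which means the Violation/Fix text is never attached to the checks that actually fail; attaching the message to the per-type clauses would surface it in reports. The test file for this rule is not in view, so I cannot confirm whether a mixed suppressed/unsuppressed template is covered.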