feat: CloudFrontDistributionHttpsViewerNoOutdatedSSL rule (#716)
dontirun committed Mar 15, 2022
1 parent 1ed1330 commit a4a3de6
Showing 6 changed files with 217 additions and 67 deletions.
3 changes: 2 additions & 1 deletion RULES.md
@@ -54,7 +54,8 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti
| AwsSolutions-ATH1 | The Athena workgroup does not encrypt query results. | Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption. |
| AwsSolutions-CB4 | The CodeBuild project does not use an AWS KMS key for encryption. | Using an AWS KMS key helps follow the standard security advice of granting least privilege to objects generated by the project. |
| AwsSolutions-C91 | The Cloud9 instance does not use a no-ingress EC2 instance with AWS Systems Manager. | SSM adds an additional layer of protection as it allows operators to control access through IAM permissions and does not require opening inbound ports. |
| AwsSolutions-CFR3 | The CloudFront distributions does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. |
| AwsSolutions-CFR3 | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. |
| AwsSolutions-CFR4 | The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use that use the default CloudFront viewer certificate or use 'vip' for the `SslSupportMethod` are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified `MinimumProtocolVersion` |
| AwsSolutions-CFR5 | The CloudFront distributions uses SSLv3 or TLSv1 for communication to the origin. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Using a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS helps protect viewer connections. |
| AwsSolutions-CFR6 | The CloudFront distribution does not use an origin access identity an S3 origin. | Origin access identities help with security by restricting any direct access to objects through S3 URLs. |
| AwsSolutions-COG1 | The Cognito user pool does not have a password policy that minimally specify a password length of at least 8 characters, as well as requiring uppercase, numeric, and special characters. | Strong password policies increase system security by encouraging users to create reliable and secure passwords. |
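Review bot: the new CFR4 row has a duplicated phrase, "Distributions that use that use the default CloudFront viewer certificate", and its explanation is the only one in the table that ends without a period. Suggested wording for that sentence: "Distributions that use the default CloudFront viewer certificate or use 'vip' for the `SslSupportMethod` are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified `MinimumProtocolVersion`." While in this table, the untouched CFR5 row ("The CloudFront distributions uses SSLv3 or TLSv1") and CFR6 row ("does not use an origin access identity an S3 origin", missing "for") carry the same kind of slip this commit fixes in CFR3, and could be corrected in the same change.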
@@ -23,6 +23,7 @@ import { Cloud9InstanceNoIngressSystemsManager } from '../rules/cloud9';
import {
CloudFrontDistributionAccessLogging,
CloudFrontDistributionGeoRestrictions,
CloudFrontDistributionHttpsViewerNoOutdatedSSL,
CloudFrontDistributionNoOutdatedSSL,
CloudFrontDistributionS3OriginAccessIdentity,
CloudFrontDistributionWAFIntegration,
@@ -845,13 +846,22 @@ export class AwsSolutionsChecks extends NagPack {
});
this.applyRule({
ruleSuffixOverride: 'CFR3',
info: 'The CloudFront distributions does not have access logging enabled.',
info: 'The CloudFront distribution does not have access logging enabled.',
explanation:
'Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.',
level: NagMessageLevel.ERROR,
rule: CloudFrontDistributionAccessLogging,
node: node,
});
this.applyRule({
ruleSuffixOverride: 'CFR4',
info: 'The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections.',
explanation:
"Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use that use the default CloudFront viewer certificate or use 'vip' for the 'SslSupportMethod' are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified 'MinimumProtocolVersion'.",
level: NagMessageLevel.ERROR,
rule: CloudFrontDistributionHttpsViewerNoOutdatedSSL,
node: node,
});
this.applyRule({
ruleSuffixOverride: 'CFR5',
info: 'The CloudFront distributions uses SSLv3 or TLSv1 for communication to the origin.',
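Review bot: the `explanation` string for the CFR4 rule repeats the "Distributions that use that use the default CloudFront viewer certificate" duplication from RULES.md; fix it in both places so the message emitted by the pack and the rule table stay identical. The string also names the properties as 'SslSupportMethod' and 'MinimumProtocolVersion' in single quotes while RULES.md uses backticks, which is fine inside a double-quoted literal, but it is one more reason to keep the surrounding wording byte-for-byte the same. The unchanged CFR5 `info` line just below ("The CloudFront distributions uses") has the same plural/singular slip this commit corrects on CFR3.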
@@ -0,0 +1,54 @@
/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
import { parse } from 'path';
import { CfnDistribution } from '@aws-cdk/aws-cloudfront';
import { CfnResource, Stack } from '@aws-cdk/core';
import { NagRuleCompliance } from '../../nag-rules';

/**
* CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections
* @param node the CfnResource to check
*/
export default Object.defineProperty(
(node: CfnResource): NagRuleCompliance => {
if (node instanceof CfnDistribution) {
const distributionConfig = Stack.of(node).resolve(
node.distributionConfig
);
const viewerCertificate = Stack.of(node).resolve(
distributionConfig.viewerCertificate
);
if (viewerCertificate === undefined) {
return NagRuleCompliance.NON_COMPLIANT;
}
const minimumProtocolVersion = Stack.of(node).resolve(
viewerCertificate.minimumProtocolVersion
);
const sslSupportMethod = Stack.of(node).resolve(
viewerCertificate.sslSupportMethod
);
const cloudFrontDefaultCertificate = Stack.of(node).resolve(
viewerCertificate.cloudFrontDefaultCertificate
);
const outdatedProtocols = ['SSLv3', 'TLSv1', 'TLSv1_2016'];
if (
cloudFrontDefaultCertificate === true ||
sslSupportMethod === undefined ||
sslSupportMethod.toLowerCase() === 'vip' ||
minimumProtocolVersion === undefined ||
outdatedProtocols
.map((x) => x.toLowerCase())
.includes(minimumProtocolVersion.toLowerCase())
) {
return NagRuleCompliance.NON_COMPLIANT;
}
return NagRuleCompliance.COMPLIANT;
} else {
return NagRuleCompliance.NOT_APPLICABLE;
}
},
'name',
{ value: parse(__filename).name }
);
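Review bot: the non-compliant branch rejects a missing `sslSupportMethod` and a missing `minimumProtocolVersion` (`sslSupportMethod === undefined ||` and `minimumProtocolVersion === undefined ||`), which is the safe choice because an unset value leaves the distribution on CloudFront's own defaults rather than on a policy the template controls, but neither the JSDoc above nor the RULES.md explanation says that unset values are rejected on purpose; add a short comment above the `if` so the next maintainer does not read it as an oversight, and consider stating it in the rule explanation too. The early `return NagRuleCompliance.NON_COMPLIANT` for `viewerCertificate === undefined` is right, since omitting `ViewerCertificate` puts the distribution on the default CloudFront certificate, which is exactly the case the rule is meant to catch. Two nits: the `else` after an unconditional `return` is redundant, and lower-casing both sides of the comparisons (`sslSupportMethod.toLowerCase() === 'vip'`, `outdatedProtocols.map((x) => x.toLowerCase())`) accepts spellings such as `'VIP'` or `'tlsv1'` that CloudFormation would reject anyway, so an exact comparison against the enum strings would be simpler and easier to read.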
1 change: 1 addition & 0 deletions src/rules/cloudfront/index.ts
@@ -4,6 +4,7 @@ SPDX-License-Identifier: Apache-2.0
*/
export { default as CloudFrontDistributionAccessLogging } from './CloudFrontDistributionAccessLogging';
export { default as CloudFrontDistributionGeoRestrictions } from './CloudFrontDistributionGeoRestrictions';
export { default as CloudFrontDistributionHttpsViewerNoOutdatedSSL } from './CloudFrontDistributionHttpsViewerNoOutdatedSSL';
export { default as CloudFrontDistributionNoOutdatedSSL } from './CloudFrontDistributionNoOutdatedSSL';
export { default as CloudFrontDistributionS3OriginAccessIdentity } from './CloudFrontDistributionS3OriginAccessIdentity';
export { default as CloudFrontDistributionWAFIntegration } from './CloudFrontDistributionWAFIntegration';
1 change: 1 addition & 0 deletions test/Packs.test.ts
@@ -75,6 +75,7 @@ describe('Check NagPack Details', () => {
'AwsSolutions-CB4',
'AwsSolutions-C91',
'AwsSolutions-CFR3',
'AwsSolutions-CFR4',
'AwsSolutions-CFR5',
'AwsSolutions-CFR6',
'AwsSolutions-COG1',