Comments (6)
Awesome, again, thanks a lot!
from cloudformation-guard.
Hi @polothy can you please provide the rules file you used?
Sorry about that, missed the hyperlink you provided!
Will begin to investigate and update this thread soon.
from cloudformation-guard.
Hey @polothy just a heads up this seems to be documented in our Known Issues. Bullet point 3.
A current workaround to this would be setting output to either json or yaml.
from cloudformation-guard.
Another workaround to this would be rewriting the rule to not use an !empty check.
The following guard file uses a parameterized rule to accomplish this.
let s3_buckets_policies_ssl_requests_only = Resources.*[ Type == 'AWS::S3::BucketPolicy'
    Metadata.guard.SuppressedRules not exists or
    Metadata.guard.SuppressedRules.* != "S3_BUCKET_SSL_REQUESTS_ONLY"
]

%s3_buckets_policies_ssl_requests_only !empty

let statements = %s3_buckets_policies_ssl_requests_only[*].Properties.PolicyDocument.Statement[*]

when %statements !empty {
    S3_BUCKET_SSL_REQUESTS_ONLY(%statements)
    <<
    Violation: Bucket policies must feature a statement to enforce TLS usage.
    Fix: Set a bucket policy statement to '"Action":"s3:*","Effect":"Deny","Principal":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":false}}' .
    >>
}

rule S3_BUCKET_SSL_REQUESTS_ONLY(statements) {
    some %statements[*] {
        Effect == 'Deny'
        Condition {
            Bool.'aws:SecureTransport' == false
        }
    }
}
Note: It's still possible to accomplish this without the use of a parameterized rule, but it leads to redundant custom error messages (since messages need to be set on the check, you'd need to have it after both the Effect == 'Deny' check as well as the check on Bool.'aws:SecureTransport' == false).
If you use the rule written this way you would get the following output:
443.yaml Status = FAIL
FAILED rules
443.guard/default    FAIL
---
Evaluating data 443.yaml against rules 443.guard
Number of non-compliant resources 1
Resource = ExampleS3 {
  Type = AWS::S3::BucketPolicy
  Rule = 443.guard/default {
    ALL {
      Rule = S3_BUCKET_SSL_REQUESTS_ONLY {
        Message {
          Violation: Bucket policies must feature a statement to enforce TLS usage.
          Fix: Set a bucket policy statement to '"Action":"s3:*","Effect":"Deny","Principal":"*","Resource":"*","Condition":{"Bool":{"aws:SecureTransport":false}}' .
        }
        ALL {
          Check = Effect EQUALS "Deny" {
            ComparisonError {
              Error = Check was not compliant as property value [Path=/Resources/ExampleS3/Properties/PolicyDocument/Statement/0/Effect[L:9,C:20] Value="Allow"] not equal to value [Path=[L:0,C:0] Value="Deny"].
              PropertyPath = /Resources/ExampleS3/Properties/PolicyDocument/Statement/0/Effect[L:9,C:20]
              Operator = EQUAL
              Value = "Allow"
              ComparedWith = "Deny"
              Code:
                 7.   Version: "2012-10-17"
                 8.   Statement:
                 9.     - Sid: "AWSLogDeliveryWrite"
                10.       Effect: "Allow"
                11.       Principal:
                12.         Service:
            }
          }
          Check = Bool.aws:SecureTransport EQUALS false {
            RequiredPropertyError {
              PropertyPath = /Resources/ExampleS3/Properties/PolicyDocument/Statement/0/Condition[L:16,C:14]
              MissingProperty = Bool.aws:SecureTransport
              Reason = Could not find key Bool inside struct at path /Resources/ExampleS3/Properties/PolicyDocument/Statement/0/Condition[L:16,C:14]
              Code:
                14.       Action: "s3:PutObject"
                15.       Resource: "*"
                16.       Condition:
                17.         StringEquals:
                18.           "s3:x-amz-acl": "bucket-owner-full-control"
            }
          }
        }
      }
    }
  }
}
from cloudformation-guard.
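As an added example (not part of this thread and not cloudformation-guard's own code), the check that the parameterized guard rule above encodes, re-expressed in plain Python so the intent of each clause is visible: only `AWS::S3::BucketPolicy` resources are evaluated, resources that list the rule under `Metadata.guard.SuppressedRules` are skipped, a policy with no statements is skipped (the `when %statements !empty` guard), and a policy passes when at least one statement is a `Deny` conditioned on `aws:SecureTransport` being false. The template dict at the bottom is constructed for the example; the `ExampleS3` resource mirrors the log-delivery `Allow` statement shown in the failing output above.

```python
"""Plain-Python mirror of the S3_BUCKET_SSL_REQUESTS_ONLY guard rule.

Added example for the thread above; this is not cfn-guard code, and the
template below is constructed, not taken from any real stack.
"""

RULE_NAME = "S3_BUCKET_SSL_REQUESTS_ONLY"


def as_list(value):
    """CloudFormation allows a single object where a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_suppressed(resource: dict) -> bool:
    """Mirrors the filter clause:
    Metadata.guard.SuppressedRules not exists or
    Metadata.guard.SuppressedRules.* != "S3_BUCKET_SSL_REQUESTS_ONLY"
    """
    suppressed = resource.get("Metadata", {}).get("guard", {}).get("SuppressedRules")
    return RULE_NAME in as_list(suppressed)


def denies_insecure_transport(statement: dict) -> bool:
    """Mirrors the rule body: Effect == 'Deny' and
    Condition.Bool.'aws:SecureTransport' == false.
    The guard rule compares against the literal false; this example also
    accepts the string "false", which is how many templates spell it."""
    if statement.get("Effect") != "Deny":
        return False
    flag = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return flag is False or (isinstance(flag, str) and flag.lower() == "false")


def evaluate(template: dict) -> dict:
    """Return {logical_id: "PASS" | "FAIL" | "SKIP"} for every non-suppressed
    bucket policy in the template, matching the guard rule's outcomes."""
    results = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::BucketPolicy" or is_suppressed(resource):
            continue
        policy = resource.get("Properties", {}).get("PolicyDocument", {})
        statements = as_list(policy.get("Statement"))
        if not statements:
            results[logical_id] = "SKIP"      # `when %statements !empty` did not fire
            continue
        # `some %statements[*] { ... }`: any single matching statement satisfies the rule
        compliant = any(denies_insecure_transport(s) for s in statements)
        results[logical_id] = "PASS" if compliant else "FAIL"
    return results


# Constructed sample template (not a real stack). ExampleS3 reproduces the
# Allow-only statement from the failing output in the thread.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {"Type": "AWS::S3::Bucket"},
        "ExampleS3": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "LogsBucket"}, "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Sid": "AWSLogDeliveryWrite",
                    "Effect": "Allow",
                    "Principal": {"Service": "delivery.logs.amazonaws.com"},
                    "Action": "s3:PutObject",
                    "Resource": "*",
                    "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
                }],
            }},
        },
        "TlsOnlyPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {"Bucket": {"Ref": "LogsBucket"}, "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [
                    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": "*"},
                    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
                     "Condition": {"Bool": {"aws:SecureTransport": False}}},
                ],
            }},
        },
        "SuppressedPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Metadata": {"guard": {"SuppressedRules": [RULE_NAME]}},
            "Properties": {"Bucket": {"Ref": "LogsBucket"}, "PolicyDocument": {
                "Statement": {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"},
            }},
        },
    }
}


if __name__ == "__main__":
    for logical_id, outcome in evaluate(SAMPLE_TEMPLATE).items():
        print(f"{logical_id}: {outcome}")
```

Running it reports `ExampleS3: FAIL` and `TlsOnlyPolicy: PASS`; `SuppressedPolicy` is not evaluated at all because of its `SuppressedRules` metadata, and `LogsBucket` is ignored because the rule only targets bucket policies. The `!empty` line the later comment asks about has no counterpart here, which matches the reply that it was a leftover from refactoring.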
This is a lot better, thank you! Updated my copy of the rule and it passes all tests.
Do you think this line is necessary?
%s3_buckets_policies_ssl_requests_only !empty
I removed it and the tests still passed. It's the only part I don't understand in the re-write.
from cloudformation-guard.
No, sorry about that. That was a typo I left behind when refactoring the rules! Glad I could help.
from cloudformation-guard.