feat: NZIM-v36-1022-20 NagPack #1068
Conversation
dontirun
changed the title
There was a problem hiding this comment.
Did an initial review. Thanks for putting this together @mrpackethead! We'll want to wait for the conformance pack to actually get released before we release this so that we can confirm that we aren't missing anything. That being said, doesn't hurt to get the review started early!
Some additional comments for things that are currently missing for release
- The included and excluded rules for the pack listed in the [RULES(https://github.com/cdklabs/cdk-nag/blob/main/RULES.md) file
- A Pack Test. This is important so that we don't inadvertently 'lose' rules in the case of internal refactoring.
- If we need to write any new rules (which we may), the rules will also need their own unit tests as well
Any new rules that we write
|
On the change to the Rules.md file, i can do some of the work now, and then come back and add the Links once the docs are published. |
|
@dontirun , I've added a couple of sample lines to the the RULES.md, Before i do all of them, can we check that the sample lines are in the right format? |
|
It looks like there are seven new rules to create. Some of these will be easy, others less so. A temporary file ( nzismRulestoCreate ) cloudfront-default-root-object-configured |
|
EC2SecurityGroupOnlyTcp443 checks security groups to see if they only have tcp 443 open |
Is this an implementation of I don't think we should be implementing this rule since it's highly dependent on business logic. The config rule takes in an input list because it is supposed to be tuned to business logic |
The nzism specifically calls out that only tcp/443 shoudl be open. |
|
Have added rules for cloudfront-default-root-object-configured and added them to the nzism pak. included lambda-function-public-access-prohibited from the rule that was recently added. Excluded the other rules, as they are not resolvable at synth time. To do, Hopefully will get an answer about the tcp443 inbound security group rule, and then will be able to decide what we will do. |
|
Tests for EC2IMDv2 are not yet completed. |
|
@dontirun, I think this is ready to go now. |
src/rules/ec2/EC2IMDSv2.ts
Outdated
| function hasHttpTokens(node: CfnLaunchTemplate): boolean { | ||
| const launchTemplateData: CfnLaunchTemplate.LaunchTemplateDataProperty = | ||
| Stack.of(node).resolve(node.launchTemplateData); | ||
| const meta = Stack.of(node).resolve( | ||
| launchTemplateData.metadataOptions | ||
| ) as CfnLaunchTemplate.MetadataOptionsProperty; | ||
|
|
||
| if (meta == undefined) { | ||
| return false; | ||
| } | ||
|
|
||
| if (meta.httpTokens === 'required') { | ||
| return true; | ||
| } | ||
| return false; | ||
| } | ||
|
|
||
| function launchConfigurationhasTokens(node: CfnLaunchConfiguration): boolean { | ||
| if (node.metadataOptions != undefined) { | ||
| const meta: CfnLaunchTemplate.MetadataOptionsProperty = Stack.of( | ||
| node | ||
| ).resolve( | ||
| node.metadataOptions | ||
| ) as CfnLaunchTemplate.MetadataOptionsProperty; | ||
|
|
||
| if (meta.httpTokens === 'required') { | ||
| return true; | ||
| } | ||
| } | ||
| return false; | ||
| } |
There was a problem hiding this comment.
This can be simplified
| function hasHttpTokens(node: CfnLaunchTemplate): boolean { | |
| const launchTemplateData: CfnLaunchTemplate.LaunchTemplateDataProperty = | |
| Stack.of(node).resolve(node.launchTemplateData); | |
| const meta = Stack.of(node).resolve( | |
| launchTemplateData.metadataOptions | |
| ) as CfnLaunchTemplate.MetadataOptionsProperty; | |
| if (meta == undefined) { | |
| return false; | |
| } | |
| if (meta.httpTokens === 'required') { | |
| return true; | |
| } | |
| return false; | |
| } | |
| function launchConfigurationhasTokens(node: CfnLaunchConfiguration): boolean { | |
| if (node.metadataOptions != undefined) { | |
| const meta: CfnLaunchTemplate.MetadataOptionsProperty = Stack.of( | |
| node | |
| ).resolve( | |
| node.metadataOptions | |
| ) as CfnLaunchTemplate.MetadataOptionsProperty; | |
| if (meta.httpTokens === 'required') { | |
| return true; | |
| } | |
| } | |
| return false; | |
| } | |
| function hasHttpTokens(node: CfnLaunchTemplate | CfnLaunchConfiguration): boolean { | |
| const metaLocation = node instanceof CfnLaunchTemplate ? Stack.of(node).resolve(node.launchTemplateData) : node; | |
| const meta = Stack.of(node).resolve(metaLocation.metadataOptions) | |
| return Stack.of(node).resolve(meta?.httpTokens) === 'required' | |
| } |
src/rules/ec2/EC2IMDSv2.ts
Outdated
| for (const child of Stack.of(node).node.findAll()) { | ||
| if (child instanceof CfnLaunchConfiguration) { | ||
| if ( | ||
| child.launchConfigurationName === nodeLaunchConfigurationName && |
There was a problem hiding this comment.
This isn't accounting for the case where the user provides a Ref for the the Launch Configuration Name, the name is also not a required field on a launch configuration.
I propose the following
function isMatchingLaunchConfiguration(
node: CfnLaunchConfiguration,
launchConfigurationName: string,
): boolean {
const resolvedTemplateName = NagRules.resolveResourceFromInstrinsic(node, launchConfigurationName)
return resolvedTemplateName === node.launchConfigurationName || resolvedTemplateName === resolvedTemplateName
}
.github/workflows/build.yml
Outdated
| @@ -161,34 +161,6 @@ jobs: | |||
| run: cd .repo && npx projen package:python | |||
There was a problem hiding this comment.
Run npx projen locally (don't need to run the entire build process) and commit the change so that these build files return to normal
|
Andrew / Arun - Is there an ETA on when this PR may be finalised? I have a couple of organizations interested in using this feature. |
|
@chindaws There is no ETA. This is a community led contribution by @mrpackethead. I'll give @mrpackethead a chance to respond, but if this is something you would like and @mrpackethead is no longer working on this then I would say that this PR is available for someone else to pick up and continue working on |
@chindaws , get in touch with me if theres a reason to progress this. I could be convinced to do it if there was a need. |
Fixes #1067