
Comments (5)

commented on August 21, 2024

Do you want to enforce that any sns topic policy must have "aws:PrincipalOrgID"==xxx?

from cfn-model.

pju-d2si commented on August 21, 2024

Thanks for your reply.

Just add a condition to check for a wildcard in the policy (SNS policy or another policy):

If the Condition contains PrincipalOrgID,
unless "aws:PrincipalOrgID"==xxx,
check for a wildcard in Principal.


commented on August 21, 2024

@pju-d2si So your best bet with the existing code base is to write a custom rule. Given that XXX is something you'd like to parameterize, there's not really a great way to make that bit easy to change at runtime. I appreciate you reaching out with this use case, and I will try to consider a more generic way to support parameterizing rules.

That said, the following code is probably a good bit of the way toward what you want. To be honest, I did not test this code, but if you send me an actual template I will spend the time to test it.

To use this, you would save the code in a file, update xxxxx to the proper value, and then put the file in a directory and point the CLI at that custom rule directory.

require 'cfn-nag/violation'
require_relative 'base'

# Custom cfn-nag rule: fail any SNS topic policy that grants to a wildcard
# principal unless that statement is pinned to one organization via
# the aws:PrincipalOrgID condition key.
class SnsTopicPolicyWildcardPrincipalWithOrgConditionRule < BaseRule
  def rule_text
    'SNS topic policy should not allow * principal unless the PrincipalOrgID is set properly'
  end

  def rule_type
    Violation::FAILING_VIOLATION
  end

  def rule_id
    'F3333'
  end

  def audit_impl(cfn_model)
    # Both spellings a template author might use: the org id as a one-element
    # list or as a bare string. The comparison is an exact match on the whole
    # Condition hash, so a statement with any additional condition key or
    # operator is treated as not matching (and therefore flagged).
    org_condition_arr = {
      'StringEquals' => {
        'aws:PrincipalOrgID' => [
          legal_organization
        ]
      }
    }
    org_condition = {
      'StringEquals' => {
        'aws:PrincipalOrgID' => legal_organization
      }
    }

    violating_topic_policies = cfn_model.resources_by_type('AWS::SNS::TopicPolicy').select do |topic_policy|
      # Condition is attached to each Statement, not to the top of the policy
      # document, so it has to be read per statement. wildcard_allowed_principals
      # returns the Statement objects that grant to a * principal; the policy
      # violates if any of them lacks the organization condition.
      topic_policy.policy_document.wildcard_allowed_principals.any? do |statement|
        ![org_condition_arr, org_condition].include?(statement.condition)
      end
    end

    violating_topic_policies.map(&:logical_resource_id)
  end

  private

  # Replace with the organization id the topic policies must be scoped to.
  def legal_organization
    'o-xxxxxx'
  end
end

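As an added example (my code, not cfn-nag's or cfn-model's, and not the rule posted above), here is the same check evaluated directly over a constructed CloudFormation template with only the Ruby standard library, so it runs without the gems installed. It goes a little beyond the posted rule: Condition is read per statement, both spellings of a wildcard principal ('*' and {AWS: ['*']}) and both value shapes of the org id are normalized, Deny statements are ignored, and only the StringEquals operator is accepted. The organization id o-examp1e, the account ids and the template are constructed for the example.

```ruby
require 'yaml'

# Assumed organization id for this example; substitute your own.
LEGAL_ORG = 'o-examp1e'

# Constructed sample template: four topic policies covering the shapes a rule
# must handle (single statement vs list, '*' vs {AWS: ['*']}, right vs wrong org).
TEMPLATE = <<~'YAML'
  Resources:
    OpenTopicPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        Topics:
          - arn:aws:sns:us-east-1:111111111111:open
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            Effect: Allow
            Principal: '*'
            Action: sns:Publish
            Resource: arn:aws:sns:us-east-1:111111111111:open
    OrgScopedTopicPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        Topics:
          - arn:aws:sns:us-east-1:111111111111:org
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                AWS: ['*']
              Action: sns:Publish
              Resource: arn:aws:sns:us-east-1:111111111111:org
              Condition:
                StringEquals:
                  aws:PrincipalOrgID: ['o-examp1e']
    AccountScopedTopicPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        Topics:
          - arn:aws:sns:us-east-1:111111111111:acct
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                AWS: arn:aws:iam::222222222222:root
              Action: sns:Publish
              Resource: arn:aws:sns:us-east-1:111111111111:acct
    WrongOrgTopicPolicy:
      Type: AWS::SNS::TopicPolicy
      Properties:
        Topics:
          - arn:aws:sns:us-east-1:111111111111:wrong
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal: '*'
              Action: sns:Publish
              Resource: arn:aws:sns:us-east-1:111111111111:wrong
              Condition:
                StringEquals:
                  aws:PrincipalOrgID: o-other
YAML

# CloudFormation and IAM accept a single value or a list in several places
# (Statement, Principal.AWS, condition values); normalize to a list.
def as_list(value)
  value.is_a?(Array) ? value : [value]
end

# "Anyone" principals: the bare '*' or {'AWS' => '*'} in string or list form.
# A specific account or role ARN is not a wildcard.
def wildcard_principal?(principal)
  return true if principal == '*'
  return false unless principal.is_a?(Hash)

  as_list(principal['AWS']).include?('*')
end

# True when Condition pins the caller to the expected organization. Only the
# StringEquals operator counts: the ...IfExists variants pass callers that
# carry no org id at all, and StringLike would admit patterns.
def org_condition?(condition, org)
  return false unless condition.is_a?(Hash)

  equals = condition['StringEquals']
  return false unless equals.is_a?(Hash)

  as_list(equals['aws:PrincipalOrgID']) == [org]
end

# Logical ids of AWS::SNS::TopicPolicy resources that have at least one Allow
# statement granting to a wildcard principal without the organization condition.
def violating_topic_policies(template_yaml, org)
  resources = YAML.safe_load(template_yaml).fetch('Resources', {})
  resources.select do |_logical_id, resource|
    next false unless resource['Type'] == 'AWS::SNS::TopicPolicy'

    statements = as_list(resource.dig('Properties', 'PolicyDocument', 'Statement')).compact
    statements.any? do |statement|
      statement['Effect'] == 'Allow' &&
        wildcard_principal?(statement['Principal']) &&
        !org_condition?(statement['Condition'], org)
    end
  end.keys
end

puts "Violations: #{violating_topic_policies(TEMPLATE, LEGAL_ORG).join(', ')}"
```

Note the difference from the posted rule: that rule compares the whole Condition hash for equality, so a statement that adds a second condition key (say a SourceArn check) next to aws:PrincipalOrgID is flagged; this version looks inside Condition for the org key and accepts extra keys. Which behaviour you want is a policy decision, not a bug either way, but it should be a deliberate one.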

pju-d2si commented on August 21, 2024

Thank you.
This requires modifying the standard rules that you have coded; we will continue to overwrite the standard rules pending a more generic integration.

Thank you for your help.


commented on August 21, 2024

You have a few options for suppressing F18 in favor of this new rule. The easiest path is to put the original rule F18 on a global blacklist, and then add this rule as a custom rule - this will effectively replace F18 with the new rule.

You could also use resource-level suppressions (via metadata) or use the profile concept to only include the rules you care about (and leave out F18).

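Added example of the two suppression shapes the reply mentions (my files, not from the cfn-nag project): a global deny list that drops F18 everywhere, and a resource-level Metadata suppression for a single topic policy. The rule id F3333 is the custom rule from the reply above; the reason strings, resource names and ARNs are constructed. The cfn_nag_scan flag names in the comments are the ones I know (--blacklist-path is the older spelling of --deny-list-path); confirm them against cfn_nag_scan --help for your version.

```yaml
# deny_list.yml: global suppression of F18 (the "global blacklist" in the reply).
# Point the scanner at the custom rule directory so F3333 takes F18's place:
#   cfn_nag_scan --input-path template.yml --rule-directory ./custom_rules --blacklist-path deny_list.yml
RulesToSuppress:
  - id: F18
    reason: Replaced by custom rule F3333 (wildcard principal allowed only with aws:PrincipalOrgID)
---
# Resource-level alternative inside the template: suppress F18 on one resource
# via Metadata (honoured when cfn_nag_scan runs with --allow-suppression).
Resources:
  OrgScopedTopicPolicy:
    Type: AWS::SNS::TopicPolicy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: F18
            reason: Wildcard principal is scoped by aws:PrincipalOrgID; checked by custom rule F3333
    Properties:
      Topics:
        - arn:aws:sns:us-east-1:111111111111:org
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action: sns:Publish
            Resource: arn:aws:sns:us-east-1:111111111111:org
            Condition:
              StringEquals:
                aws:PrincipalOrgID: o-xxxxxx
```

The global deny list is the safer of the two for this use case: once F18 is suppressed per resource, nothing checks that the org condition is actually present on that resource unless the custom rule is also loaded, so pair either form with --rule-directory rather than using the suppression on its own.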
