Commit
* init commit, bumped up clap to 3.0
* cargo audit for CI
* reverting last commit + changing cargo-audit to not be part of build step, only ran every night
* init commit bumping up to clap4
* cleaning some code up
* temp commit
* rebasing + fixing small bug
* cleanup
* adding help messages
* adding more tests for test_command
* more tests for prev engine
* improving code style
* typo
* fixed unnecessary match
* cleaning up test command
* fixes as per comments
* fixes as per comments
* fixed failing build
1 parent db43976, commit 25fd2ec
Showing 20 changed files with 987 additions and 242 deletions.
guard/resources/test-command/dir/s3_bucket_logging_enabled.guard (41 additions & 0 deletions)
@@ -0,0 +1,41 @@ | ||
# | ||
##################################### | ||
## Gherkin ## | ||
##################################### | ||
# Rule Identifier: | ||
# S3_BUCKET_LOGGING_ENABLED | ||
# | ||
# Description: | ||
# Checks whether logging is enabled for your S3 buckets. | ||
# | ||
# Reports on: | ||
# AWS::S3::Bucket | ||
# | ||
# Evaluates: | ||
# AWS CloudFormation | ||
# | ||
# Rule Parameters: | ||
# NA | ||
# | ||
# Scenarios: | ||
# a) SKIP: when there are no S3 resource present | ||
# b) PASS: when all S3 resources Logging Configuration exists | ||
# c) FAIL: when all S3 resources have Logging Configuration is not set | ||
# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_LOGGING_ENABLED | ||
|
||
# | ||
# Select all S3 resources from incoming template (payload) | ||
# | ||
|
||
let s3_buckets_bucket_logging_enabled = Resources.*[ Type == 'AWS::S3::Bucket' | ||
Metadata.guard.SuppressedRules not exists or | ||
Metadata.guard.SuppressedRules.* != "S3_BUCKET_LOGGING_ENABLED" | ||
] | ||
|
||
rule S3_BUCKET_LOGGING_ENABLED when %s3_buckets_bucket_logging_enabled !empty { | ||
%s3_buckets_bucket_logging_enabled.Properties.LoggingConfiguration exists | ||
<< | ||
Violation: S3 Bucket Logging needs to be configured to enable logging. | ||
Fix: Set the S3 Bucket property LoggingConfiguration to start logging into S3 bucket. | ||
>> | ||
} |
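Review bot: the Scenarios comments in the header block do not match the rule body: "b) PASS: when all S3 resources Logging Configuration exists" and "c) FAIL: when all S3 resources have Logging Configuration is not set" are ungrammatical, and (c) is inaccurate, since the rule reports FAIL as soon as any non-suppressed bucket lacks `Properties.LoggingConfiguration`, not only when all of them do. Suggest "b) PASS: when every S3 bucket has a LoggingConfiguration" and "c) FAIL: when any S3 bucket has no LoggingConfiguration", and "no S3 resource present" in (a) should read "no S3 resources present".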
guard/resources/test-command/dir/s3_bucket_server_side_encryption_enabled.guard (13 additions & 0 deletions)
@@ -0,0 +1,13 @@ | ||
let s3_buckets_server_side_encryption = Resources.*[ Type == 'AWS::S3::Bucket' | ||
Metadata.guard.SuppressedRules not exists or | ||
Metadata.guard.SuppressedRules.* != "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" | ||
] | ||
|
||
rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED when %s3_buckets_server_side_encryption !empty { | ||
%s3_buckets_server_side_encryption.Properties.BucketEncryption exists | ||
%s3_buckets_server_side_encryption.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ["aws:kms","AES256"] | ||
<< | ||
Violation: S3 Bucket must enable server-side encryption. | ||
Fix: Set the S3 Bucket property BucketEncryption.ServerSideEncryptionConfiguration.ServerSideEncryptionByDefault.SSEAlgorithm to either "aws:kms" or "AES256" | ||
>> | ||
} |
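Review bot: this rule file has no descriptive header block (Rule Identifier, Description, Reports on, Scenarios) like the sibling `s3_bucket_logging_enabled.guard` in the same directory, so the two fixtures follow different conventions; suggest adding the same header here, and ending the `Fix:` message with a period to match the logging rule. Of the files shown in this commit, only the logging rule gets a tests YAML; a matching tests file for this rule (for example `tests/s3_bucket_server_side_encryption_enabled_tests.yaml`) would exercise both paths the rule distinguishes: `BucketEncryption` missing entirely, and `BucketEncryption` present with an `SSEAlgorithm` outside `["aws:kms","AES256"]`.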
guard/resources/test-command/dir/tests/s3_bucket_logging_enabled_tests.yaml (58 additions & 0 deletions)
@@ -0,0 +1,58 @@ | ||
### | ||
# S3_BUCKET_LOGGING_ENABLED tests | ||
### | ||
--- | ||
- name: Empty, SKIP | ||
input: {} | ||
expectations: | ||
rules: | ||
S3_BUCKET_LOGGING_ENABLED: SKIP | ||
|
||
- name: No resources, SKIP | ||
input: | ||
Resources: {} | ||
expectations: | ||
rules: | ||
S3_BUCKET_LOGGING_ENABLED: SKIP | ||
|
||
- name: S3 Bucket with Logging Configuration present in resource, PASS | ||
input: | ||
Resources: | ||
ExampleS3: | ||
Type: AWS::S3::Bucket | ||
Properties: | ||
BucketName: my-bucket | ||
VersioningConfiguration: | ||
Status: Enabled | ||
LoggingConfiguration: | ||
DestinationBucketName: !Ref LoggingBucket | ||
LogFilePrefix: testing-logs | ||
expectations: | ||
rules: | ||
S3_BUCKET_LOGGING_ENABLED: PASS | ||
|
||
- name: S3 Bucket with Logging Configuration missing, FAIL | ||
input: | ||
Resources: | ||
ExampleS3: | ||
Type: AWS::S3::Bucket | ||
Properties: | ||
BucketName: my-bucket | ||
expectations: | ||
rules: | ||
S3_BUCKET_LOGGING_ENABLED: FAIL | ||
|
||
- name: S3 Bucket with Logging Configuration missing with suppression, SKIP | ||
input: | ||
Resources: | ||
ExampleS3: | ||
Type: AWS::S3::Bucket | ||
Metadata: | ||
guard: | ||
SuppressedRules: | ||
- S3_BUCKET_LOGGING_ENABLED | ||
Properties: | ||
BucketName: my-bucket | ||
expectations: | ||
rules: | ||
S3_BUCKET_LOGGING_ENABLED: SKIP |
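Review bot: the PASS case uses `DestinationBucketName: !Ref LoggingBucket` but declares no `LoggingBucket` resource or parameter in the input; the rule only checks that `LoggingConfiguration` exists, so the expectation holds, but it relies on the test loader accepting the `!Ref` short-form YAML tag, which is worth confirming rather than assuming. The cases cover an empty template, one compliant bucket, one non-compliant bucket and one suppressed bucket, but none with several buckets; a template with one bucket that has `LoggingConfiguration` and one that does not would verify that the rule reports FAIL as soon as any bucket is missing it.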