feat(sast): Adding typescript cdk part 6 paz (#6149)

* Start adding typescript policies - checkov/cdk/checks/typescript/S3PublicACLRead.yaml

* adding checkov/cdk/checks/typescript/S3RestrictPublicBuckets.yaml

* Adding SNSTopicEncryption

* adding checkov/cdk/checks/typescript/SQSQueueEncryption.yaml

* adding checkov/cdk/checks/typescript/SecretManagerSecretEncrypted.yaml

* adding checkov/cdk/checks/typescript/SecurityGroupRuleDescription.yaml

* checkov/cdk/checks/typescript/TransferServerIsPublic.yaml

* checkov/cdk/checks/typescript/VPCEndpointAcceptanceConfigured.yaml

* checkov/cdk/checks/typescript/WAFEnabled.yaml

* checkov/cdk/checks/typescript/WorkspaceRootVolumeEncrypted.yaml

* Adding last policy

---------

Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>

cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts

@@ -0,0 +1,34 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketExampleStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        // Bucket with PUBLIC_READ access - Match
+        new s3.Bucket(this, 'MyPublicReadBucket', {
+            accessControl: s3.BucketAccessControl.PUBLIC_READ,
+        });
+
+        new s3.Bucket(this, 'MyPrivateReadBucket');
+
+        // Bucket with PUBLIC_READ_WRITE access
+        new s3.Bucket(this, 'MyPublicReadWriteBucket', {
+            accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE,
+        });
+
+        // Bucket with publicReadAccess set to true
+        new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+            publicReadAccess: true,
+        });
+
+        // Bucket with publicReadAccess set to true
+        new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+            publicReadAccess: false,
+        });
+    }
+}
+
+const app = new App();
+new S3BucketExampleStack(app, 'S3BucketExampleStack');

cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts

@@ -0,0 +1,30 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketExampleStack extends Stack {
+    constructor(scope: Construct, id: string, props?: StackProps) {
+        super(scope, id, props);
+
+        // Bucket with PUBLIC_READ access - Match
+        new s3.Bucket(this, 'MyPublicReadBucket');
+
+        new s3.Bucket(this, 'MyPrivateReadBucket');
+
+        // Bucket with PUBLIC_READ_WRITE access
+        new s3.Bucket(this, 'MyPublicReadWriteBucket', {
+            accessControl: s3.BucketAccessControl.Private,
+        });
+
+        // Bucket with publicReadAccess set to true
+        new s3.Bucket(this, 'MyPublicReadAccessBucket', {});
+
+        // Bucket with publicReadAccess set to true
+        new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+            publicReadAccess: false,
+        });
+    }
+}
+
+const app = new App();
+new S3BucketExampleStack(app, 'S3BucketExampleStack');

cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts

@@ -0,0 +1,43 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketWithPublicAccessStack extends cdk.Stack {
+    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+        super(scope, id, props);
+
+        new s3.Bucket(this, 'aaa', {
+            versioned: false, // You can enable versioning if needed
+            removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
+            blockPublicAccess: new s3.BlockPublicAccess({
+                blockPublicAcls: true,
+                blockPublicPolicy: true,
+                ignorePublicAcls: true,
+                restrictPublicBuckets: false,
+            }),
+        });
+    }
+}
+
+class PublicS3BucketStack extends cdk.Stack {
+    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+        super(scope, id, props);
+
+        new s3.CfnBucket(this, 'PublicBucket', {
+            versioningConfiguration: {
+                status: 'Suspended', // You can enable versioning if needed
+            },
+            publicAccessBlockConfiguration: {
+                blockPublicAcls: true,
+                blockPublicPolicy: true,
+                ignorePublicAcls: true,
+                restrictPublicBuckets: false,
+            },
+        });
+    }
+}
+
+const app = new cdk.App();
+new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
+new PublicS3BucketStack(app, 'PublicS3BucketStack');
+app.synth();

cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts

@@ -0,0 +1,38 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketWithPublicAccessStack extends cdk.Stack {
+    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+        super(scope, id, props);
+
+        new s3.Bucket(this, 'aaa', {
+            versioned: false, // You can enable versioning if needed
+            removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
+            blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Enforce all public access restrictions
+        });
+    }
+}
+
+class PublicS3BucketStack extends cdk.Stack {
+    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+        super(scope, id, props);
+
+        new s3.CfnBucket(this, 'PublicBucket', {
+            versioningConfiguration: {
+                status: 'Suspended', // You can enable versioning if needed
+            },
+            publicAccessBlockConfiguration: {
+                blockPublicAcls: true,
+                blockPublicPolicy: true,
+                ignorePublicAcls: true,
+                restrictPublicBuckets: true,
+      },
+    });
+  }
+}
+
+const app = new cdk.App();
+new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
+new PublicS3BucketStack(app, 'PublicS3BucketStack');
+app.synth();

cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts

@@ -0,0 +1,17 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sns from 'aws-cdk-lib/aws-sns';
+import { Construct } from 'constructs';
+
+class MyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    new sns.Topic(this, 'Topic', {
+      topicName: 'my-topic',
+    });
+  }
+}
+
+const app = new App();
+new MyStack(app, 'MyStack');
+app.synth();

cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts

@@ -0,0 +1,23 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sns from 'aws-cdk-lib/aws-sns';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Create a new KMS Key
+    const key = new kms.Key(this, 'MyKey');
+
+    // Create a new SNS Topic using the KMS Key for encryption
+    new sns.Topic(this, 'Topic', {
+      topicName: 'my-topic',
+      masterKey: key,
+    });
+  }
+}
+
+const app = new App();
+new MyStack(app, 'MyStack');
+app.synth();

cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts

@@ -0,0 +1,33 @@
+import { App, Stack } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+
+class SqsQueueWithKmsKeyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    new sqs.Queue(this, "MySqsQueue", {
+      encryption: sqs.QueueEncryption.KMS,
+      visibilityTimeout: cdk.Duration.seconds(300) // Other properties for the queue
+    });
+  }
+}
+
+const app = new App();
+new SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack");
+app.synth();
+
+class SqsQueueWithKmsKeyIdStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    var mySqs = new sqs.CfnQueue(this, "MySqsQueue", {
+      visibilityTimeout: 300  // Other properties for the queue
+      // Specify the KMS key ID if needed here, e.g., kmsMasterKeyId: 'alias/aws/sqs'
+    });
+  }
+}
+
+const app2 = new App();
+new SqsQueueWithKmsKeyIdStack(app2, "SqsQueueWithKmsKeyIdStack");
+app2.synth();

cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts

@@ -0,0 +1,50 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as cfn from 'aws-cdk-lib/aws-cloudformation';
+import { Construct } from 'constructs';
+
+class SqsQueueWithKmsKeyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Create a KMS key for encryption
+    const kmsKey = new kms.Key(this, 'MyKmsKey', {
+      enableKeyRotation: true,
+    });
+
+    // Create an SQS queue with KMS encryption
+    new sqs.Queue(this, 'MySqsQueue', {
+      encryption: sqs.QueueEncryption.KMS,
+      encryptionMasterKey: kmsKey,
+      visibilityTimeout: cdk.Duration.seconds(300), // Other properties for the queue
+    });
+  }
+}
+
+const app = new App();
+new SqsQueueWithKmsKeyStack(app, 'SqsQueueWithKmsKeyStack');
+app.synth();
+
+
+class SqsQueueWithKmsKeyIdStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a custom KMS key
+    const kmsKey = new cfn.CfnCustomResource(this, 'MyKmsKeyResource', {
+      serviceToken: 'arn:aws:lambda:<your-region>:<your-account>:function/<your-lambda-function>',
+      // Add other properties as needed
+    });
+
+    // Define an SQS queue with a specific KmsMasterKeyId
+    new sqs.CfnQueue(this, 'MySqsQueue', {
+      kmsMasterKeyId: kmsKey.getAtt('KmsKeyId').toString(),
+      visibilityTimeout: 300, // Other properties for the queue
+    });
+  }
+}
+
+const app2 = new App();
+new SqsQueueWithKmsKeyIdStack(app2, 'SqsQueueWithKmsKeyIdStack');
+app2.synth();

cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts

@@ -0,0 +1,32 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MySecretsStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a SecretsManager secret with KMS key ID
+    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+      secretName: 'MySecretName',
+      encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/aws/KMS_KEY_ID'),
+    });
+  }
+}
+
+class MySecretsStack2 extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a SecretsManager secret without specifying KMS key ID
+    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+      secretName: 'MySecretName',
+    });
+  }
+}
+
+const app = new App();
+new MySecretsStack(app, "MySecretsStack");
+new MySecretsStack2(app, "MySecretsStack2");
+app.synth();

cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts

@@ -0,0 +1,21 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MySecretsStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a SecretsManager secret with KMS key ID
+    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+      secretName: 'MySecretName',
+      encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID'),
+    });
+  }
+}
+
+
+const app = new App();
+new MySecretsStack(app, "MySecretsStack");
+app.synth();