feat(sast): Adding typescript cdk part 6 paz (#6149)
* Start adding typescript policies - checkov/cdk/checks/typescript/S3PublicACLRead.yaml * adding checkov/cdk/checks/typescript/S3RestrictPublicBuckets.yaml * Adding SNSTopicEncryption * adding checkov/cdk/checks/typescript/SQSQueueEncryption.yaml * adding checkov/cdk/checks/typescript/SecretManagerSecretEncrypted.yaml * adding checkov/cdk/checks/typescript/SecurityGroupRuleDescription.yaml * checkov/cdk/checks/typescript/TransferServerIsPublic.yaml * checkov/cdk/checks/typescript/VPCEndpointAcceptanceConfigured.yaml * checkov/cdk/checks/typescript/WAFEnabled.yaml * checkov/cdk/checks/typescript/WorkspaceRootVolumeEncrypted.yaml * Adding last policy --------- Co-authored-by: pazbechor <pbechor@paloaltonetworks.com>
Showing
33 changed files
with
970 additions
and
0 deletions.
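--- a/cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts
+++ b/cdk_integration_tests/src/typescript/S3PublicACLRead/fail__3__.ts
@@ -0,0 +1,34 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketExampleStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    // Bucket with PUBLIC_READ access - Match
+    new s3.Bucket(this, 'MyPublicReadBucket', {
+      accessControl: s3.BucketAccessControl.PUBLIC_READ,
+    });
+
+    new s3.Bucket(this, 'MyPrivateReadBucket');
+
+    // Bucket with PUBLIC_READ_WRITE access
+    new s3.Bucket(this, 'MyPublicReadWriteBucket', {
+      accessControl: s3.BucketAccessControl.PUBLIC_READ_WRITE,
+    });
+
+    // Bucket with publicReadAccess set to true
+    new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+      publicReadAccess: true,
+    });
+
+    // Bucket with publicReadAccess set to true
+    new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+      publicReadAccess: false,
+    });
+  }
+}
+
+const app = new App();
+new S3BucketExampleStack(app, 'S3BucketExampleStack');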
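Review bot: The last two buckets reuse the construct id `'MyPublicReadAccessBucket'` (the `publicReadAccess: true` and `publicReadAccess: false` ones), and the constructs library rejects a duplicate id under the same scope, so this fixture cannot synthesize if anyone runs it rather than only scanning it. The comment above the final bucket also says "set to true" while the value is `false`, which makes the expected finding count harder to audit. Rename the last bucket and correct its comment: `// Bucket with publicReadAccess set to false - no match` / `new s3.Bucket(this, 'MyPublicReadFalseBucket', {`. Recent aws-cdk-lib versions also refuse `publicReadAccess: true` unless `blockPublicAccess` permits public policies; that does not affect a source-level check, but it is worth a one-line comment so nobody expects this file to deploy.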
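--- a/cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts
+++ b/cdk_integration_tests/src/typescript/S3PublicACLRead/pass.ts
@@ -0,0 +1,30 @@
+import { App, Stack, StackProps } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketExampleStack extends Stack {
+  constructor(scope: Construct, id: string, props?: StackProps) {
+    super(scope, id, props);
+
+    // Bucket with PUBLIC_READ access - Match
+    new s3.Bucket(this, 'MyPublicReadBucket');
+
+    new s3.Bucket(this, 'MyPrivateReadBucket');
+
+    // Bucket with PUBLIC_READ_WRITE access
+    new s3.Bucket(this, 'MyPublicReadWriteBucket', {
+      accessControl: s3.BucketAccessControl.Private,
+    });
+
+    // Bucket with publicReadAccess set to true
+    new s3.Bucket(this, 'MyPublicReadAccessBucket', {});
+
+    // Bucket with publicReadAccess set to true
+    new s3.Bucket(this, 'MyPublicReadAccessBucket', {
+      publicReadAccess: false,
+    });
+  }
+}
+
+const app = new App();
+new S3BucketExampleStack(app, 'S3BucketExampleStack');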
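Review bot: `s3.BucketAccessControl.Private` is not a member of the enum — the members are upper-case (`PRIVATE`, and the fail fixture itself uses `PUBLIC_READ`), so this pass fixture does not type-check and therefore cannot show that the policy correctly ignores a genuinely private ACL. Change it to `accessControl: s3.BucketAccessControl.PRIVATE,`. The comments were copied from the fail fixture and now describe the opposite of what each bucket does ("PUBLIC_READ access - Match" on a bucket with default ACL, "PUBLIC_READ_WRITE access" on the private one); a reader auditing expected findings will be misled, so reword them to "default ACL - no match", "PRIVATE ACL - no match", and "publicReadAccess omitted / set to false - no match". The two `'MyPublicReadAccessBucket'` ids also collide, as in the fail fixture.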
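--- a/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts
+++ b/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/fail__2__.ts
@@ -0,0 +1,43 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketWithPublicAccessStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    new s3.Bucket(this, 'aaa', {
+      versioned: false, // You can enable versioning if needed
+      removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
+      blockPublicAccess: new s3.BlockPublicAccess({
+        blockPublicAcls: true,
+        blockPublicPolicy: true,
+        ignorePublicAcls: true,
+        restrictPublicBuckets: false,
+      }),
+    });
+  }
+}
+
+class PublicS3BucketStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    new s3.CfnBucket(this, 'PublicBucket', {
+      versioningConfiguration: {
+        status: 'Suspended', // You can enable versioning if needed
+      },
+      publicAccessBlockConfiguration: {
+        blockPublicAcls: true,
+        blockPublicPolicy: true,
+        ignorePublicAcls: true,
+        restrictPublicBuckets: false,
+      },
+    });
+  }
+}
+
+const app = new cdk.App();
+new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
+new PublicS3BucketStack(app, 'PublicS3BucketStack');
+app.synth();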
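Review bot: Both negative cases set `restrictPublicBuckets: false` explicitly; neither this file nor pass.ts contains a bucket that omits `blockPublicAccess` / `publicAccessBlockConfiguration` entirely, so the fixtures leave it unspecified whether the policy treats an absent public-access block as a finding. For a `CfnBucket` the CloudFormation default is no block configuration at all, which is the more common real-world miss than an explicit `false`. Add a third bucket with no public-access block to whichever file matches the intended behaviour (and rename this one to `fail__3__.ts` if it belongs here), or document the decision in a comment such as `// Missing blockPublicAccess is intentionally not flagged by this policy`. The construct id `'aaa'` should also be something descriptive like `'RestrictPublicBucketsDisabled'` so the finding is readable in output.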
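--- a/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts
+++ b/cdk_integration_tests/src/typescript/S3RestrictPublicBuckets/pass.ts
@@ -0,0 +1,38 @@
+import * as cdk from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as s3 from 'aws-cdk-lib/aws-s3';
+
+class S3BucketWithPublicAccessStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    new s3.Bucket(this, 'aaa', {
+      versioned: false, // You can enable versioning if needed
+      removalPolicy: cdk.RemovalPolicy.DESTROY, // Change this according to your retention policy
+      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL, // Enforce all public access restrictions
+    });
+  }
+}
+
+class PublicS3BucketStack extends cdk.Stack {
+  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+    super(scope, id, props);
+
+    new s3.CfnBucket(this, 'PublicBucket', {
+      versioningConfiguration: {
+        status: 'Suspended', // You can enable versioning if needed
+      },
+      publicAccessBlockConfiguration: {
+        blockPublicAcls: true,
+        blockPublicPolicy: true,
+        ignorePublicAcls: true,
+        restrictPublicBuckets: true,
+      },
+    });
+  }
+}
+
+const app = new cdk.App();
+new S3BucketWithPublicAccessStack(app, 'S3BucketWithPublicAccessStack');
+new PublicS3BucketStack(app, 'PublicS3BucketStack');
+app.synth();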
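Review bot: The L2 positive case only exercises the `s3.BlockPublicAccess.BLOCK_ALL` constant, while the fail fixture uses the `new s3.BlockPublicAccess({ ... })` constructor form; if the policy matches on the object literal it will never see a literal with `restrictPublicBuckets: true` and may still flag it. Add a second `s3.Bucket` here using `blockPublicAccess: new s3.BlockPublicAccess({ blockPublicAcls: true, blockPublicPolicy: true, ignorePublicAcls: true, restrictPublicBuckets: true })` so both spellings are covered as passing. The class name `S3BucketWithPublicAccessStack` and the id `'PublicBucket'` describe the opposite of what this pass fixture builds and are worth renaming.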
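--- a/cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts
+++ b/cdk_integration_tests/src/typescript/SNSTopicEncryption/fail.ts
@@ -0,0 +1,17 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sns from 'aws-cdk-lib/aws-sns';
+import { Construct } from 'constructs';
+
+class MyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    new sns.Topic(this, 'Topic', {
+      topicName: 'my-topic',
+    });
+  }
+}
+
+const app = new App();
+new MyStack(app, 'MyStack');
+app.synth();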
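Review bot: Only the L2 `sns.Topic` without `masterKey` is covered; the SQS fixtures in this same commit also test the L1 `CfnQueue` form, and an `sns.CfnTopic` with no `kmsMasterKeyId` is the shape a policy is most likely to miss. Add a second stack with `new sns.CfnTopic(this, 'RawTopic', { topicName: 'my-raw-topic' });` and rename the file to `fail__2__.ts` to match the other fixtures' finding-count convention. `props?: {}` should be `props?: StackProps` — `{}` means "any non-nullish value" and silently drops the typed `env`/`stackName` contract the S3 fixtures keep.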
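--- a/cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts
+++ b/cdk_integration_tests/src/typescript/SNSTopicEncryption/pass.ts
@@ -0,0 +1,23 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sns from 'aws-cdk-lib/aws-sns';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Create a new KMS Key
+    const key = new kms.Key(this, 'MyKey');
+
+    // Create a new SNS Topic using the KMS Key for encryption
+    new sns.Topic(this, 'Topic', {
+      topicName: 'my-topic',
+      masterKey: key,
+    });
+  }
+}
+
+const app = new App();
+new MyStack(app, 'MyStack');
+app.synth();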
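Review bot: The positive case passes a key constructed in the same stack, but a topic encrypted with an imported or AWS-managed key — `masterKey: kms.Alias.fromAliasName(this, 'AwsSns', 'alias/aws/sns')` — is equally compliant and is not represented, so a policy that keys on `new kms.Key` rather than on the presence of `masterKey` would false-positive on it without any fixture noticing. Add that variant plus an `sns.CfnTopic` with `kmsMasterKeyId` set, mirroring the SQS pass fixture. As in fail.ts, `props?: {}` should be `props?: StackProps`.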
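--- a/cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts
+++ b/cdk_integration_tests/src/typescript/SQSQueueEncryption/fail__2__.ts
@@ -0,0 +1,33 @@
+import { App, Stack } from 'aws-cdk-lib';
+import { Construct } from 'constructs';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+
+class SqsQueueWithKmsKeyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    new sqs.Queue(this, "MySqsQueue", {
+      encryption: sqs.QueueEncryption.KMS,
+      visibilityTimeout: cdk.Duration.seconds(300) // Other properties for the queue
+    });
+  }
+}
+
+const app = new App();
+new SqsQueueWithKmsKeyStack(app, "SqsQueueWithKmsKeyStack");
+app.synth();
+
+class SqsQueueWithKmsKeyIdStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    var mySqs = new sqs.CfnQueue(this, "MySqsQueue", {
+      visibilityTimeout: 300 // Other properties for the queue
+      // Specify the KMS key ID if needed here, e.g., kmsMasterKeyId: 'alias/aws/sqs'
+    });
+  }
+}
+
+const app2 = new App();
+new SqsQueueWithKmsKeyIdStack(app2, "SqsQueueWithKmsKeyIdStack");
+app2.synth();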
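Review bot: The first queue is expected to be a finding, yet `encryption: sqs.QueueEncryption.KMS` without `encryptionMasterKey` makes the L2 `Queue` construct create a customer-managed key and wire it into `KmsMasterKeyId` at synth time — the deployed queue is KMS-encrypted, so a policy that flags this encodes a false positive into its own test suite. If the intent is to require an explicitly supplied key, say so in a comment on that bucket; otherwise this queue belongs in pass.ts and the file should become `fail.ts` with a single `CfnQueue` finding. Independently, `cdk.Duration.seconds(300)` references `cdk`, but the file imports only `{ App, Stack }` from 'aws-cdk-lib', so the fixture does not compile; use `import { App, Duration, Stack } from 'aws-cdk-lib';` and `visibilityTimeout: Duration.seconds(300)`. `var mySqs` is unused and should be dropped (or at least be `const`).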
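--- a/cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts
+++ b/cdk_integration_tests/src/typescript/SQSQueueEncryption/pass.ts
@@ -0,0 +1,50 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as sqs from 'aws-cdk-lib/aws-sqs';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import * as cfn from 'aws-cdk-lib/aws-cloudformation';
+import { Construct } from 'constructs';
+
+class SqsQueueWithKmsKeyStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Create a KMS key for encryption
+    const kmsKey = new kms.Key(this, 'MyKmsKey', {
+      enableKeyRotation: true,
+    });
+
+    // Create an SQS queue with KMS encryption
+    new sqs.Queue(this, 'MySqsQueue', {
+      encryption: sqs.QueueEncryption.KMS,
+      encryptionMasterKey: kmsKey,
+      visibilityTimeout: cdk.Duration.seconds(300), // Other properties for the queue
+    });
+  }
+}
+
+const app = new App();
+new SqsQueueWithKmsKeyStack(app, 'SqsQueueWithKmsKeyStack');
+app.synth();
+
+
+class SqsQueueWithKmsKeyIdStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a custom KMS key
+    const kmsKey = new cfn.CfnCustomResource(this, 'MyKmsKeyResource', {
+      serviceToken: 'arn:aws:lambda:<your-region>:<your-account>:function/<your-lambda-function>',
+      // Add other properties as needed
+    });
+
+    // Define an SQS queue with a specific KmsMasterKeyId
+    new sqs.CfnQueue(this, 'MySqsQueue', {
+      kmsMasterKeyId: kmsKey.getAtt('KmsKeyId').toString(),
+      visibilityTimeout: 300, // Other properties for the queue
+    });
+  }
+}
+
+const app2 = new App();
+new SqsQueueWithKmsKeyIdStack(app2, 'SqsQueueWithKmsKeyIdStack');
+app2.synth();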
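Review bot: `cdk.Duration.seconds(300)` uses `cdk`, which this file never imports (only `{ App, Stack }` is pulled from 'aws-cdk-lib'), so the pass fixture does not compile; import `Duration` by name and write `visibilityTimeout: Duration.seconds(300),`. The second stack routes the key id through a `CfnCustomResource` with a placeholder Lambda ARN and `getAtt('KmsKeyId')` — a synthetic shape no real stack uses and one the policy has to special-case to recognise as a key reference. A realistic positive case is `kmsMasterKeyId: new kms.Key(this, 'MyKmsKey').keyId,` or the AWS-managed `'alias/aws/sqs'`, and both should be present so that the policy is shown to accept a plain string as well as a token. The `cfn` import then becomes unnecessary.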
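--- a/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts
+++ b/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/fail__2__.ts
@@ -0,0 +1,32 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MySecretsStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a SecretsManager secret with KMS key ID
+    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+      secretName: 'MySecretName',
+      encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/aws/KMS_KEY_ID'),
+    });
+  }
+}
+
+class MySecretsStack2 extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a SecretsManager secret without specifying KMS key ID
+    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+      secretName: 'MySecretName',
+    });
+  }
+}
+
+const app = new App();
+new MySecretsStack(app, "MySecretsStack");
+new MySecretsStack2(app, "MySecretsStack2");
+app.synth();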
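Review bot: The first "failing" secret is identified by the ARN substring `key/aws/`, but no real KMS key ARN has that shape — AWS-managed keys carry an ordinary `key/<uuid>` ARN and `aws/secretsmanager` is an alias — so a policy tuned to this fixture will pass a genuine AWS-managed key ARN and fail nothing real. If the intent is "AWS-managed key does not count as customer-managed encryption", express it the way CDK users actually write it, `encryptionKey: kms.Alias.fromAliasName(this, 'AwsManaged', 'alias/aws/secretsmanager'),`, and make the policy match on that. The second comment should also not imply plaintext: a `Secret` without `encryptionKey` is still encrypted at rest with the account's `aws/secretsmanager` key, so write `// Secret without a customer-managed KMS key (falls back to aws/secretsmanager)`. Both `const mySecret` bindings are unused and can be dropped.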
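--- a/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts
+++ b/cdk_integration_tests/src/typescript/SecretManagerSecretEncrypted/pass.ts
@@ -0,0 +1,21 @@
+import { App, Stack } from 'aws-cdk-lib';
+import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
+import * as kms from 'aws-cdk-lib/aws-kms';
+import { Construct } from 'constructs';
+
+class MySecretsStack extends Stack {
+  constructor(scope: Construct, id: string, props?: {}) {
+    super(scope, id, props);
+
+    // Define a SecretsManager secret with KMS key ID
+    const mySecret = new secretsmanager.Secret(this, 'MySecret', {
+      secretName: 'MySecretName',
+      encryptionKey: kms.Key.fromKeyArn(this, 'MyKmsKey', 'arn:aws:kms:REGION:ACCOUNT_ID:key/KMS_KEY_ID'),
+    });
+  }
+}
+
+
+const app = new App();
+new MySecretsStack(app, "MySecretsStack");
+app.synth();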
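Review bot: The only positive case imports a key by ARN; the most common compliant form — a key created in the stack, `encryptionKey: new kms.Key(this, 'SecretKey', { enableKeyRotation: true }),` as the SNS pass fixture does — is absent, as is the L1 `secretsmanager.CfnSecret` with `kmsKeyId` set, so a policy that matches only string ARNs would false-positive on real code without any fixture catching it. Add both as extra stacks here. `const mySecret` is unused; drop the binding.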