Skip to content

Commit

Permalink
Merge branch 'main' into main
Browse files Browse the repository at this point in the history
  • Loading branch information
dontirun authored Nov 1, 2024
2 parents adb5344 + 3a20507 commit 4a59ed0
Show file tree
Hide file tree
Showing 14 changed files with 44 additions and 176 deletions.
2 changes: 1 addition & 1 deletion .projen/tasks.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM jsii/superchain:1-buster-slim-node18
FROM jsii/superchain:1-buster-slim-node20

USER root

Expand Down
5 changes: 0 additions & 5 deletions RULES.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion package.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

11 changes: 1 addition & 10 deletions src/packs/aws-solutions.ts
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,7 @@ import {
SageMakerNotebookNoDirectInternetAccess,
} from '../rules/sagemaker';
import { SecretsManagerRotationEnabled } from '../rules/secretsmanager';
import { SNSEncryptedKMS, SNSTopicSSLPublishOnly } from '../rules/sns';
import { SNSTopicSSLPublishOnly } from '../rules/sns';
import {
SQSQueueDLQ,
SQSQueueSSE,
Expand Down Expand Up @@ -1358,15 +1358,6 @@ export class AwsSolutionsChecks extends NagPack {
rule: EventBusOpenAccess,
node: node,
});
this.applyRule({
ruleSuffixOverride: 'SNS2',
info: 'The SNS Topic does not have server-side encryption enabled.',
explanation:
'Server side encryption adds additional protection of sensitive data delivered as messages to subscribers.',
level: NagMessageLevel.ERROR,
rule: SNSEncryptedKMS,
node: node,
});
this.applyRule({
ruleSuffixOverride: 'SNS3',
info: 'The SNS Topic does not require publishers to use SSL.',
Expand Down
18 changes: 0 additions & 18 deletions src/packs/hipaa-security.ts
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,6 @@ import {
SecretsManagerRotationEnabled,
SecretsManagerUsingKMSKey,
} from '../rules/secretsmanager';
import { SNSEncryptedKMS } from '../rules/sns';
import {
VPCDefaultSecurityGroupClosed,
VPCFlowLogsEnabled,
Expand Down Expand Up @@ -167,7 +166,6 @@ export class HIPAASecurityChecks extends NagPack {
this.checkS3(node);
this.checkSageMaker(node);
this.checkSecretsManager(node);
this.checkSNS(node);
this.checkVPC(node);
this.checkWAF(node);
}
Expand Down Expand Up @@ -1022,22 +1020,6 @@ export class HIPAASecurityChecks extends NagPack {
});
}

/**
* Check Amazon SNS Resources
* @param node the CfnResource to check
* @param ignores list of ignores for the resource
*/
private checkSNS(node: CfnResource): void {
this.applyRule({
info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii)).',
explanation:
'Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
level: NagMessageLevel.ERROR,
rule: SNSEncryptedKMS,
node: node,
});
}

/**
* Check VPC Resources
* @param node the CfnResource to check
Expand Down
18 changes: 0 additions & 18 deletions src/packs/nist-800-53-r4.ts
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,6 @@ import {
SageMakerNotebookInstanceKMSKeyConfigured,
SageMakerNotebookNoDirectInternetAccess,
} from '../rules/sagemaker';
import { SNSEncryptedKMS } from '../rules/sns';
import {
VPCDefaultSecurityGroupClosed,
VPCFlowLogsEnabled,
Expand Down Expand Up @@ -139,7 +138,6 @@ export class NIST80053R4Checks extends NagPack {
this.checkRedshift(node);
this.checkS3(node);
this.checkSageMaker(node);
this.checkSNS(node);
this.checkVPC(node);
this.checkWAF(node);
}
Expand Down Expand Up @@ -838,22 +836,6 @@ export class NIST80053R4Checks extends NagPack {
});
}

/**
* Check Amazon SNS Resources
* @param node the CfnResource to check
* @param ignores list of ignores for the resource
*/
private checkSNS(node: CfnResource): void {
this.applyRule({
info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: SC-13, SC-28).',
explanation:
'Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
level: NagMessageLevel.ERROR,
rule: SNSEncryptedKMS,
node: node,
});
}

/**
* Check VPC Resources
* @param node the CfnResource to check
Expand Down
18 changes: 0 additions & 18 deletions src/packs/nist-800-53-r5.ts
Original file line number Diff line number Diff line change
Expand Up @@ -117,7 +117,6 @@ import {
SecretsManagerRotationEnabled,
SecretsManagerUsingKMSKey,
} from '../rules/secretsmanager';
import { SNSEncryptedKMS } from '../rules/sns';
import {
VPCDefaultSecurityGroupClosed,
VPCFlowLogsEnabled,
Expand Down Expand Up @@ -158,7 +157,6 @@ export class NIST80053R5Checks extends NagPack {
this.checkS3(node);
this.checkSageMaker(node);
this.checkSecretsManager(node);
this.checkSNS(node);
this.checkVPC(node);
this.checkWAF(node);
}
Expand Down Expand Up @@ -965,22 +963,6 @@ export class NIST80053R5Checks extends NagPack {
});
}

/**
* Check Amazon SNS Resources
* @param node the CfnResource to check
* @param ignores list of ignores for the resource
*/
private checkSNS(node: CfnResource): void {
this.applyRule({
info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1)).',
explanation:
'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
level: NagMessageLevel.ERROR,
rule: SNSEncryptedKMS,
node: node,
});
}

/**
* Check VPC Resources
* @param node the CfnResource to check
Expand Down
18 changes: 0 additions & 18 deletions src/packs/pci-dss-321.ts
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,6 @@ import {
SageMakerNotebookNoDirectInternetAccess,
} from '../rules/sagemaker';
import { SecretsManagerUsingKMSKey } from '../rules/secretsmanager';
import { SNSEncryptedKMS } from '../rules/sns';
import {
VPCDefaultSecurityGroupClosed,
VPCFlowLogsEnabled,
Expand Down Expand Up @@ -138,7 +137,6 @@ export class PCIDSS321Checks extends NagPack {
this.checkS3(node);
this.checkSageMaker(node);
this.checkSecretsManager(node);
this.checkSNS(node);
this.checkVPC(node);
this.checkWAF(node);
}
Expand Down Expand Up @@ -809,22 +807,6 @@ export class PCIDSS321Checks extends NagPack {
});
}

/**
* Check Amazon SNS Resources
* @param node the CfnResource to check
* @param ignores list of ignores for the resource
*/
private checkSNS(node: CfnResource): void {
this.applyRule({
info: 'The SNS topic does not have KMS encryption enabled - (Control ID: 8.2.1).',
explanation:
'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.',
level: NagMessageLevel.ERROR,
rule: SNSEncryptedKMS,
node: node,
});
}

/**
* Check VPC Resources
* @param node the CfnResource to check
Expand Down
28 changes: 0 additions & 28 deletions src/rules/sns/SNSEncryptedKMS.ts

This file was deleted.

1 change: 0 additions & 1 deletion src/rules/sns/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,4 @@
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
export { default as SNSEncryptedKMS } from './SNSEncryptedKMS';
export { default as SNSTopicSSLPublishOnly } from './SNSTopicSSLPublishOnly';
5 changes: 0 additions & 5 deletions test/Packs.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -168,7 +168,6 @@ describe('Check NagPack Details', () => {
'AwsSolutions-SM2',
'AwsSolutions-SM3',
'AwsSolutions-SMG4',
'AwsSolutions-SNS2',
'AwsSolutions-SNS3',
'AwsSolutions-SQS2',
'AwsSolutions-SQS3',
Expand Down Expand Up @@ -291,7 +290,6 @@ describe('Check NagPack Details', () => {
'HIPAA.Security-SageMakerNotebookNoDirectInternetAccess',
'HIPAA.Security-SecretsManagerRotationEnabled',
'HIPAA.Security-SecretsManagerUsingKMSKey',
'HIPAA.Security-SNSEncryptedKMS',
'HIPAA.Security-VPCFlowLogsEnabled',
'HIPAA.Security-VPCNoUnrestrictedRouteToIGW',
'HIPAA.Security-VPCSubnetAutoAssignPublicIpDisabled',
Expand Down Expand Up @@ -395,7 +393,6 @@ describe('Check NagPack Details', () => {
'NIST.800.53.R4-SageMakerEndpointConfigurationKMSKeyConfigured',
'NIST.800.53.R4-SageMakerNotebookInstanceKMSKeyConfigured',
'NIST.800.53.R4-SageMakerNotebookNoDirectInternetAccess',
'NIST.800.53.R4-SNSEncryptedKMS',
'NIST.800.53.R4-VPCFlowLogsEnabled',
'NIST.800.53.R4-WAFv2LoggingEnabled',
];
Expand Down Expand Up @@ -510,7 +507,6 @@ describe('Check NagPack Details', () => {
'NIST.800.53.R5-SageMakerNotebookNoDirectInternetAccess',
'NIST.800.53.R5-SecretsManagerRotationEnabled',
'NIST.800.53.R5-SecretsManagerUsingKMSKey',
'NIST.800.53.R5-SNSEncryptedKMS',
'NIST.800.53.R5-VPCFlowLogsEnabled',
'NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW',
'NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled',
Expand Down Expand Up @@ -611,7 +607,6 @@ describe('Check NagPack Details', () => {
'PCI.DSS.321-SageMakerNotebookInstanceKMSKeyConfigured',
'PCI.DSS.321-SageMakerNotebookNoDirectInternetAccess',
'PCI.DSS.321-SecretsManagerUsingKMSKey',
'PCI.DSS.321-SNSEncryptedKMS',
'PCI.DSS.321-VPCFlowLogsEnabled',
'PCI.DSS.321-VPCNoUnrestrictedRouteToIGW',
'PCI.DSS.321-VPCSubnetAutoAssignPublicIpDisabled',
Expand Down
16 changes: 2 additions & 14 deletions test/rules/SNS.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,9 @@ import { Key } from 'aws-cdk-lib/aws-kms';
import { CfnTopicPolicy, Topic } from 'aws-cdk-lib/aws-sns';
import { Aspects, Stack } from 'aws-cdk-lib/core';
import { validateStack, TestType, TestPack } from './utils';
import { SNSEncryptedKMS, SNSTopicSSLPublishOnly } from '../../src/rules/sns';
import { SNSTopicSSLPublishOnly } from '../../src/rules/sns';

const testPack = new TestPack([SNSEncryptedKMS, SNSTopicSSLPublishOnly]);
const testPack = new TestPack([SNSTopicSSLPublishOnly]);
let stack: Stack;

beforeEach(() => {
Expand All @@ -24,18 +24,6 @@ beforeEach(() => {
});

describe('Amazon Simple Notification Service (Amazon SNS)', () => {
describe('SNSEncryptedKMS: SNS topics are encrypted via KMS', () => {
const ruleId = 'SNSEncryptedKMS';
test('Noncompliance 1', () => {
new Topic(stack, 'rTopic');
validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
});
test('Compliance', () => {
new Topic(stack, 'rTopic', { masterKey: new Key(stack, 'rKey') });
validateStack(stack, ruleId, TestType.COMPLIANCE);
});
});

describe('SNSTopicSSLPublishOnly: SNS topics require SSL requests for publishing', () => {
const ruleId = 'SNSTopicSSLPublishOnly';
test('Noncompliance 1', () => {
Expand Down
Loading

0 comments on commit 4a59ed0

Please sign in to comment.