From 0240e9ea1d27298336f0f92cc0116034ab8a55af Mon Sep 17 00:00:00 2001 From: clueleaf <10379303+clueleaf@users.noreply.github.com> Date: Wed, 30 Oct 2024 01:10:25 +0900 Subject: [PATCH 1/4] feat: remove SNSEncryptedKMS (#1821) Fixes #1805 --- Dockerfile | 2 +- RULES.md | 5 ----- src/packs/aws-solutions.ts | 11 +---------- src/packs/hipaa-security.ts | 18 ------------------ src/packs/nist-800-53-r4.ts | 18 ------------------ src/packs/nist-800-53-r5.ts | 18 ------------------ src/packs/pci-dss-321.ts | 18 ------------------ src/rules/sns/SNSEncryptedKMS.ts | 28 ---------------------------- src/rules/sns/index.ts | 1 - test/Packs.test.ts | 5 ----- test/rules/SNS.test.ts | 16 ++-------------- 11 files changed, 4 insertions(+), 136 deletions(-) delete mode 100644 src/rules/sns/SNSEncryptedKMS.ts diff --git a/Dockerfile b/Dockerfile index 73388bed24..161a80c687 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM jsii/superchain:1-buster-slim-node18 +FROM jsii/superchain:1-buster-slim-node20 USER root diff --git a/RULES.md b/RULES.md index 562dc1bfbe..a5f883a1e7 100644 --- a/RULES.md +++ b/RULES.md 
@@ -148,7 +148,6 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti | AwsSolutions-SM2 | The SageMaker notebook instance does not have an encrypted storage volume. | Encrypting storage volumes helps protect SageMaker data-at-rest. | | AwsSolutions-SM3 | The SageMaker notebook instance has direct internet access enabled. | Disabling public accessibility helps minimize security risks. | | AwsSolutions-SMG4 | The secret does not have automatic rotation scheduled. | AWS Secrets Manager can be configured to automatically rotate the secret for a secured service or database. | -| AwsSolutions-SNS2 | The SNS Topic does not have server-side encryption enabled. | Server side encryption adds additional protection of sensitive data delivered as messages to subscribers. | | AwsSolutions-SNS3 | The SNS Topic does not require publishers to use SSL. | Without HTTPS (TLS), a network-based attacker can eavesdrop on network traffic or manipulate it, using an attack such as man-in-the-middle. Allow only encrypted connections over HTTPS (TLS) using the aws:SecureTransport condition and the 'sns:Publish' action in the topic policy to force publishers to use SSL. If SSE is already enabled then this control is auto enforced. | | AwsSolutions-SQS2 | The SQS Queue does not have server-side encryption enabled. | Server side encryption adds additional protection of sensitive data delivered as messages to subscribers. | | AwsSolutions-SQS3 | The SQS queue is not used as a dead-letter queue (DLQ) and does not have a DLQ enabled. | Using a DLQ helps maintain the queue flow and avoid losing data by detecting and mitigating failures and service disruptions on time. | 
@@ -253,7 +252,6 @@ The [Operational Best Practices for HIPAA Security](https://docs.aws.amazon.com/ | [HIPAA.Security-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) | | [HIPAA.Security-SecretsManagerRotationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html) | The secret does not have automatic rotation scheduled. | Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised. | 164.308(a)(4)(ii)(B) | | [HIPAA.Security-SecretsManagerUsingKMSKey](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html) | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. | 164.312(a)(2)(iv), 164.312(e)(2)(ii) | -| [HIPAA.Security-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. 
| 164.312(a)(2)(iv), 164.312(e)(2)(ii) | | [HIPAA.Security-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | 164.308(a)(3)(ii)(A), 164.312(b) | | [HIPAA.Security-VPCNoUnrestrictedRouteToIGW](https://docs.aws.amazon.com/config/latest/developerguide/no-unrestricted-route-to-igw.html) | The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0'). | Ensure Amazon EC2 route tables do not have unrestricted routes to an internet gateway. Removing or limiting the access to the internet for workloads within Amazon VPCs can reduce unintended access within your environment. | 164.312(e)(1) | | [HIPAA.Security-VPCSubnetAutoAssignPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html) | The subnet auto-assigns public IP addresses. | Manage access to the AWS Cloud by ensuring Amazon Virtual Private Cloud (VPC) subnets are not automatically assigned a public IP address. Amazon Elastic Compute Cloud (EC2) instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1), 164.312(e)(1) | 
@@ -381,7 +379,6 @@ The [Operational Best Practices for NIST 800-53 rev 4](https://docs.aws.amazon.c | [NIST.800.53.R4-SageMakerEndpointConfigurationKMSKeyConfigured](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-endpoint-configuration-kms-key-configured.html) | The SageMaker resource endpoint is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker endpoint, enable encryption at rest to help protect that data. | SC-13, SC-28 | | [NIST.800.53.R4-SageMakerNotebookInstanceKMSKeyConfigured](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html) | The SageMaker notebook is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data. | SC-13, SC-28 | | [NIST.800.53.R4-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | AC-3, AC-4, AC-6, AC-21(b), SC-7, SC-7(3) | -| [NIST.800.53.R4-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | SC-13, SC-28 | | [NIST.800.53.R4-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. 
| The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | AU-2(a)(d), AU-3, AU-12(a)(c) | | [NIST.800.53.R4-WAFv2LoggingEnabled](https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html) | The WAFv2 web ACL does not have logging enabled. | AWS WAF logging provides detailed information about the traffic that is analyzed by your web ACL. The logs record the time that AWS WAF received the request from your AWS resource, information about the request, and an action for the rule that each request matched. | AU-2(a)(d), AU-3, AU-12(a)(c), SC-7, SI-4(a)(b)(c) | 
@@ -521,7 +518,6 @@ The [Operational Best Practices for NIST 800-53 rev 5](https://docs.aws.amazon.c | [NIST.800.53.R5-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | | [NIST.800.53.R5-SecretsManagerRotationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-rotation-enabled-check.html) | The secret does not have automatic rotation scheduled. | Rotating secrets on a regular schedule can shorten the period a secret is active, and potentially reduce the business impact if the secret is compromised. | AC-2(1), AC-3(3)(a), AC-3(3)(b)(1), AC-3(3)(b)(2), AC-3(3)(b)(3), AC-3(3)(b)(4), AC-3(3)(b)(5), AC-3(3)(c), AC-3(3), AC-3(4)(a), AC-3(4)(b), AC-3(4)(c), AC-3(4)(d), AC-3(4)(e), AC-3(4), AC-3(8), AC-3(12)(a), AC-3(13), AC-3(15)(a), AC-3(15)(b), AC-4(28), AC-24, CM-5(1)(a), SC-23(3) | | [NIST.800.53.R5-SecretsManagerUsingKMSKey](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html) | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. 
| AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1), SI-19(4) | -| [NIST.800.53.R5-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1) | | [NIST.800.53.R5-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. | The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | AC-4(26), AU-2b, AU-3a, AU-3b, AU-3c, AU-3d, AU-3e, AU-6(3), AU-6(4), AU-6(6), AU-6(9), AU-8b, AU-12a, AU-12c, AU-12(1), AU-12(2), AU-12(3), AU-12(4), AU-14a, AU-14b, AU-14b, AU-14(3), CA-7b, CM-5(1)(b), CM-6a, CM-9b, IA-3(3)(b), MA-4(1)(a), PM-14a.1, PM-14b, PM-31, SI-4(17), SI-7(8) | | [NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW](https://docs.aws.amazon.com/config/latest/developerguide/no-unrestricted-route-to-igw.html) | The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0'). | Ensure Amazon EC2 route tables do not have unrestricted routes to an internet gateway. Removing or limiting the access to the internet for workloads within Amazon VPCs can reduce unintended access within your environment. 
| AC-4(21), CM-7b | | [NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html) | The subnet auto-assigns public IP addresses. | Manage access to the AWS Cloud by ensuring Amazon Virtual Private Cloud (VPC) subnets are not automatically assigned a public IP address. Amazon Elastic Compute Cloud (EC2) instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. | AC-2(6), AC-3, AC-3(7), AC-4(21), AC-6, AC-17b, AC-17(1), AC-17(1), AC-17(4)(a), AC-17(9), AC-17(10), MP-2, SC-7a, SC-7b, SC-7c, SC-7(2), SC-7(3), SC-7(7), SC-7(9)(a), SC-7(11), SC-7(12), SC-7(16), SC-7(20), SC-7(21), SC-7(24)(b), SC-7(25), SC-7(26), SC-7(27), SC-7(28), SC-25 | 
@@ -649,7 +645,6 @@ The [Operational Best Practices for PCI DSS 3.2.1](https://docs.aws.amazon.com/c | [PCI.DSS.321-SageMakerNotebookInstanceKMSKeyConfigured](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-instance-kms-key-configured.html) | The SageMaker notebook is not encrypted with a KMS key. | Because sensitive data can exist at rest in SageMaker notebook, enable encryption at rest to help protect that data. | 3.4, 8.2.1 | | [PCI.DSS.321-SageMakerNotebookNoDirectInternetAccess](https://docs.aws.amazon.com/config/latest/developerguide/sagemaker-notebook-no-direct-internet-access.html) | The SageMaker notebook does not disable direct internet access. | By preventing direct internet access, you can keep sensitive data from being accessed by unauthorized users. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2.2 | | [PCI.DSS.321-SecretsManagerUsingKMSKey](https://docs.aws.amazon.com/config/latest/developerguide/secretsmanager-using-cmk.html) | The secret is not encrypted with a KMS Customer managed key. | To help protect data at rest, ensure encryption with AWS Key Management Service (AWS KMS) is enabled for AWS Secrets Manager secrets. Because sensitive data can exist at rest in Secrets Manager secrets, enable encryption at rest to help protect that data. | 3.4, 8.2.1 | -| [PCI.DSS.321-SNSEncryptedKMS](https://docs.aws.amazon.com/config/latest/developerguide/sns-encrypted-kms.html) | The SNS topic does not have KMS encryption enabled. | To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data. | 8.2.1 | | [PCI.DSS.321-VPCFlowLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/vpc-flow-logs-enabled.html) | The VPC does not have an associated Flow Log. 
| The VPC flow logs provide detailed records for information about the IP traffic going to and from network interfaces in your Amazon Virtual Private Cloud (Amazon VPC). By default, the flow log record includes values for the different components of the IP flow, including the source, destination, and protocol. | 2.2, 10.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 | | [PCI.DSS.321-VPCNoUnrestrictedRouteToIGW](https://docs.aws.amazon.com/config/latest/developerguide/no-unrestricted-route-to-igw.html) | The route table may contain one or more unrestricted route(s) to an IGW ('0.0.0.0/0' or '::/0'). | Ensure Amazon EC2 route tables do not have unrestricted routes to an internet gateway. Removing or limiting the access to the internet for workloads within Amazon VPCs can reduce unintended access within your environment. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 2.2.2 | | [PCI.DSS.321-VPCSubnetAutoAssignPublicIpDisabled](https://docs.aws.amazon.com/config/latest/developerguide/subnet-auto-assign-public-ip-disabled.html) | The subnet auto-assigns public IP addresses. | Manage access to the AWS Cloud by ensuring Amazon Virtual Private Cloud (VPC) subnets are not automatically assigned a public IP address. Amazon Elastic Compute Cloud (EC2) instances that are launched into subnets that have this attribute enabled have a public IP address assigned to their primary network interface. | 1.2, 1.2.1, 1.3, 1.3.1, 1.3.2, 1.3.4, 1.3.6, 2.2.2 | diff --git a/src/packs/aws-solutions.ts b/src/packs/aws-solutions.ts index 856cb9e5c0..a798c53e20 100644 --- a/src/packs/aws-solutions.ts +++ b/src/packs/aws-solutions.ts @@ -174,7 +174,7 @@ import { SageMakerNotebookNoDirectInternetAccess, } from '../rules/sagemaker'; import { SecretsManagerRotationEnabled } from '../rules/secretsmanager'; -import { SNSEncryptedKMS, SNSTopicSSLPublishOnly } from '../rules/sns'; +import { SNSTopicSSLPublishOnly } from '../rules/sns'; import { SQSQueueDLQ, SQSQueueSSE, 
@@ -1358,15 +1358,6 @@ export class AwsSolutionsChecks extends NagPack { rule: EventBusOpenAccess, node: node, }); - this.applyRule({ - ruleSuffixOverride: 'SNS2', - info: 'The SNS Topic does not have server-side encryption enabled.', - explanation: - 'Server side encryption adds additional protection of sensitive data delivered as messages to subscribers.', - level: NagMessageLevel.ERROR, - rule: SNSEncryptedKMS, - node: node, - }); this.applyRule({ ruleSuffixOverride: 'SNS3', info: 'The SNS Topic does not require publishers to use SSL.', diff --git a/src/packs/hipaa-security.ts b/src/packs/hipaa-security.ts index 7af5bcab4f..ba0d31fb89 100644 --- a/src/packs/hipaa-security.ts +++ b/src/packs/hipaa-security.ts @@ -124,7 +124,6 @@ import { SecretsManagerRotationEnabled, SecretsManagerUsingKMSKey, } from '../rules/secretsmanager'; -import { SNSEncryptedKMS } from '../rules/sns'; import { VPCDefaultSecurityGroupClosed, VPCFlowLogsEnabled, @@ -167,7 +166,6 @@ export class HIPAASecurityChecks extends NagPack { this.checkS3(node); this.checkSageMaker(node); this.checkSecretsManager(node); - this.checkSNS(node); this.checkVPC(node); this.checkWAF(node); } @@ -1022,22 +1020,6 @@ export class HIPAASecurityChecks extends NagPack { }); } - /** - * Check Amazon SNS Resources - * @param node the CfnResource to check - * @param ignores list of ignores for the resource - */ - private checkSNS(node: CfnResource): void { - this.applyRule({ - info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: 164.312(a)(2)(iv), 164.312(e)(2)(ii)).', - explanation: - 'Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', - level: NagMessageLevel.ERROR, - rule: SNSEncryptedKMS, - node: node, - }); - } - /** * Check VPC Resources * @param node the CfnResource to check diff --git a/src/packs/nist-800-53-r4.ts b/src/packs/nist-800-53-r4.ts index 9cca0e52d6..6dd4b89357 100644 --- a/src/packs/nist-800-53-r4.ts 
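Review bot: The `@@ -1358` hunk in aws-solutions.ts and the `@@ -1022` hunk in hipaa-security.ts remove the only encryption-at-rest check for SNS topics from their packs, and the commit record gives no reason beyond `Fixes #1805`; the same `checkSNS` deletion is repeated in nist-800-53-r4.ts, nist-800-53-r5.ts and pci-dss-321.ts. The deleted `info` strings tied the check to named control IDs (164.312(a)(2)(iv) and 164.312(e)(2)(ii) here, SC-13/SC-28 and 8.2.1 in the other packs), and nothing else in the diff takes that check over for `AWS::SNS::Topic` resources, so those controls are no longer exercised by these packs. Please state the rationale in the commit body or CHANGELOG, e.g. `Removes SNSEncryptedKMS from all packs because <reason from #1805>; existing suppressions for AwsSolutions-SNS2 and *-SNSEncryptedKMS can be dropped.`, so pack consumers understand why findings disappear and can retire suppressions that presumably now match nothing.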
+++ b/src/packs/nist-800-53-r4.ts @@ -100,7 +100,6 @@ import { SageMakerNotebookInstanceKMSKeyConfigured, SageMakerNotebookNoDirectInternetAccess, } from '../rules/sagemaker'; -import { SNSEncryptedKMS } from '../rules/sns'; import { VPCDefaultSecurityGroupClosed, VPCFlowLogsEnabled, @@ -139,7 +138,6 @@ export class NIST80053R4Checks extends NagPack { this.checkRedshift(node); this.checkS3(node); this.checkSageMaker(node); - this.checkSNS(node); this.checkVPC(node); this.checkWAF(node); } @@ -838,22 +836,6 @@ export class NIST80053R4Checks extends NagPack { }); } - /** - * Check Amazon SNS Resources - * @param node the CfnResource to check - * @param ignores list of ignores for the resource - */ - private checkSNS(node: CfnResource): void { - this.applyRule({ - info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: SC-13, SC-28).', - explanation: - 'Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', - level: NagMessageLevel.ERROR, - rule: SNSEncryptedKMS, - node: node, - }); - } - /** * Check VPC Resources * @param node the CfnResource to check diff --git a/src/packs/nist-800-53-r5.ts b/src/packs/nist-800-53-r5.ts index 79af7ce3d3..2d1309433f 100644 --- a/src/packs/nist-800-53-r5.ts +++ b/src/packs/nist-800-53-r5.ts @@ -117,7 +117,6 @@ import { SecretsManagerRotationEnabled, SecretsManagerUsingKMSKey, } from '../rules/secretsmanager'; -import { SNSEncryptedKMS } from '../rules/sns'; import { VPCDefaultSecurityGroupClosed, VPCFlowLogsEnabled, @@ -158,7 +157,6 @@ export class NIST80053R5Checks extends NagPack { this.checkS3(node); this.checkSageMaker(node); this.checkSecretsManager(node); - this.checkSNS(node); this.checkVPC(node); this.checkWAF(node); } 
@@ -965,22 +963,6 @@ export class NIST80053R5Checks extends NagPack { }); } - /** - * Check Amazon SNS Resources - * @param node the CfnResource to check - * @param ignores list of ignores for the resource - */ - private checkSNS(node: CfnResource): void { - this.applyRule({ - info: 'The SNS topic does not have KMS encryption enabled - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1)).', - explanation: - 'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', - level: NagMessageLevel.ERROR, - rule: SNSEncryptedKMS, - node: node, - }); - } - /** * Check VPC Resources * @param node the CfnResource to check diff --git a/src/packs/pci-dss-321.ts b/src/packs/pci-dss-321.ts index 460441dd62..51740d84a5 100644 --- a/src/packs/pci-dss-321.ts +++ b/src/packs/pci-dss-321.ts @@ -98,7 +98,6 @@ import { SageMakerNotebookNoDirectInternetAccess, } from '../rules/sagemaker'; import { SecretsManagerUsingKMSKey } from '../rules/secretsmanager'; -import { SNSEncryptedKMS } from '../rules/sns'; import { VPCDefaultSecurityGroupClosed, VPCFlowLogsEnabled, @@ -138,7 +137,6 @@ export class PCIDSS321Checks extends NagPack { this.checkS3(node); this.checkSageMaker(node); this.checkSecretsManager(node); - this.checkSNS(node); this.checkVPC(node); this.checkWAF(node); } 
@@ -809,22 +807,6 @@ export class PCIDSS321Checks extends NagPack { }); } - /** - * Check Amazon SNS Resources - * @param node the CfnResource to check - * @param ignores list of ignores for the resource - */ - private checkSNS(node: CfnResource): void { - this.applyRule({ - info: 'The SNS topic does not have KMS encryption enabled - (Control ID: 8.2.1).', - explanation: - 'To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.', - level: NagMessageLevel.ERROR, - rule: SNSEncryptedKMS, - node: node, - }); - } - /** * Check VPC Resources * @param node the CfnResource to check diff --git a/src/rules/sns/SNSEncryptedKMS.ts b/src/rules/sns/SNSEncryptedKMS.ts deleted file mode 100644 index 2850a2724d..0000000000 --- a/src/rules/sns/SNSEncryptedKMS.ts +++ /dev/null @@ -1,28 +0,0 @@ -/* -Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. -SPDX-License-Identifier: Apache-2.0 -*/ -import { parse } from 'path'; -import { CfnResource, Stack } from 'aws-cdk-lib'; -import { CfnTopic } from 'aws-cdk-lib/aws-sns'; -import { NagRuleCompliance } from '../../nag-rules'; - -/** - * SNS topics are encrypted via KMS - * @param node the CfnResource to check - */ -export default Object.defineProperty( - (node: CfnResource): NagRuleCompliance => { - if (node instanceof CfnTopic) { - const topicKey = Stack.of(node).resolve(node.kmsMasterKeyId); - if (topicKey == undefined) { - return NagRuleCompliance.NON_COMPLIANT; - } - return NagRuleCompliance.COMPLIANT; - } else { - return NagRuleCompliance.NOT_APPLICABLE; - } - }, - 'name', - { value: parse(__filename).name } -); diff --git a/src/rules/sns/index.ts b/src/rules/sns/index.ts index 4d45acee84..4012537604 100644 --- a/src/rules/sns/index.ts +++ b/src/rules/sns/index.ts 
@@ -2,5 +2,4 @@ Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: Apache-2.0 */ -export { default as SNSEncryptedKMS } from './SNSEncryptedKMS'; export { default as SNSTopicSSLPublishOnly } from './SNSTopicSSLPublishOnly'; diff --git a/test/Packs.test.ts b/test/Packs.test.ts index c2655d7eee..a09f7a5fbc 100644 --- a/test/Packs.test.ts +++ b/test/Packs.test.ts @@ -168,7 +168,6 @@ describe('Check NagPack Details', () => { 'AwsSolutions-SM2', 'AwsSolutions-SM3', 'AwsSolutions-SMG4', - 'AwsSolutions-SNS2', 'AwsSolutions-SNS3', 'AwsSolutions-SQS2', 'AwsSolutions-SQS3', @@ -291,7 +290,6 @@ describe('Check NagPack Details', () => { 'HIPAA.Security-SageMakerNotebookNoDirectInternetAccess', 'HIPAA.Security-SecretsManagerRotationEnabled', 'HIPAA.Security-SecretsManagerUsingKMSKey', - 'HIPAA.Security-SNSEncryptedKMS', 'HIPAA.Security-VPCFlowLogsEnabled', 'HIPAA.Security-VPCNoUnrestrictedRouteToIGW', 'HIPAA.Security-VPCSubnetAutoAssignPublicIpDisabled', @@ -395,7 +393,6 @@ describe('Check NagPack Details', () => { 'NIST.800.53.R4-SageMakerEndpointConfigurationKMSKeyConfigured', 'NIST.800.53.R4-SageMakerNotebookInstanceKMSKeyConfigured', 'NIST.800.53.R4-SageMakerNotebookNoDirectInternetAccess', - 'NIST.800.53.R4-SNSEncryptedKMS', 'NIST.800.53.R4-VPCFlowLogsEnabled', 'NIST.800.53.R4-WAFv2LoggingEnabled', ]; @@ -510,7 +507,6 @@ describe('Check NagPack Details', () => { 'NIST.800.53.R5-SageMakerNotebookNoDirectInternetAccess', 'NIST.800.53.R5-SecretsManagerRotationEnabled', 'NIST.800.53.R5-SecretsManagerUsingKMSKey', - 'NIST.800.53.R5-SNSEncryptedKMS', 'NIST.800.53.R5-VPCFlowLogsEnabled', 'NIST.800.53.R5-VPCNoUnrestrictedRouteToIGW', 'NIST.800.53.R5-VPCSubnetAutoAssignPublicIpDisabled', 
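Review bot: Dropping `export { default as SNSEncryptedKMS } from './SNSEncryptedKMS';` from src/rules/sns/index.ts (together with the deletion of src/rules/sns/SNSEncryptedKMS.ts earlier in this patch) removes a name that custom NagPacks may import directly, which is an API-breaking change rather than the pack-content change the `feat:` subject suggests. If the rules index is part of the published package surface, the subject should be `feat!:` or the body should carry a `BREAKING CHANGE: SNSEncryptedKMS rule removed` footer. An alternative that avoids a hard break is to keep the rule exported for one release with a `/** @deprecated SNSEncryptedKMS is no longer applied by any pack and will be removed. */` JSDoc tag while removing it from the packs, so downstream users see a warning before a compile error.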
@@ -611,7 +607,6 @@ describe('Check NagPack Details', () => { 'PCI.DSS.321-SageMakerNotebookInstanceKMSKeyConfigured', 'PCI.DSS.321-SageMakerNotebookNoDirectInternetAccess', 'PCI.DSS.321-SecretsManagerUsingKMSKey', - 'PCI.DSS.321-SNSEncryptedKMS', 'PCI.DSS.321-VPCFlowLogsEnabled', 'PCI.DSS.321-VPCNoUnrestrictedRouteToIGW', 'PCI.DSS.321-VPCSubnetAutoAssignPublicIpDisabled', diff --git a/test/rules/SNS.test.ts b/test/rules/SNS.test.ts index 2e6c13add3..e73e7afd58 100644 --- a/test/rules/SNS.test.ts +++ b/test/rules/SNS.test.ts @@ -13,9 +13,9 @@ import { Key } from 'aws-cdk-lib/aws-kms'; import { CfnTopicPolicy, Topic } from 'aws-cdk-lib/aws-sns'; import { Aspects, Stack } from 'aws-cdk-lib/core'; import { validateStack, TestType, TestPack } from './utils'; -import { SNSEncryptedKMS, SNSTopicSSLPublishOnly } from '../../src/rules/sns'; +import { SNSTopicSSLPublishOnly } from '../../src/rules/sns'; -const testPack = new TestPack([SNSEncryptedKMS, SNSTopicSSLPublishOnly]); +const testPack = new TestPack([SNSTopicSSLPublishOnly]); let stack: Stack; beforeEach(() => { @@ -24,18 +24,6 @@ beforeEach(() => { }); describe('Amazon Simple Notification Service (Amazon SNS)', () => { - describe('SNSEncryptedKMS: SNS topics are encrypted via KMS', () => { - const ruleId = 'SNSEncryptedKMS'; - test('Noncompliance 1', () => { - new Topic(stack, 'rTopic'); - validateStack(stack, ruleId, TestType.NON_COMPLIANCE); - }); - test('Compliance', () => { - new Topic(stack, 'rTopic', { masterKey: new Key(stack, 'rKey') }); - validateStack(stack, ruleId, TestType.COMPLIANCE); - }); - }); - describe('SNSTopicSSLPublishOnly: SNS topics require SSL requests for publishing', () => { const ruleId = 'SNSTopicSSLPublishOnly'; test('Noncompliance 1', () => { From 0bca95765d82000c9341b4746524fad4aad209ff Mon Sep 17 00:00:00 2001 
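Review bot: In the `@@ -24` hunk of test/rules/SNS.test.ts the deleted Compliance case was the only visible use of `Key` from `aws-cdk-lib/aws-kms`, which the `@@ -13` hunk still shows imported on line 13. The remaining SNSTopicSSLPublishOnly cases lie outside the hunk, so if none of them constructs a `Key` the import is now dead and the project's lint would presumably flag it; please confirm and drop `import { Key } from 'aws-cdk-lib/aws-kms';` if so.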
From: cdklabs-automation <90142015+cdklabs-automation@users.noreply.github.com> Date: Tue, 29 Oct 2024 17:11:23 -0700 Subject: [PATCH 2/4] chore(deps): upgrade dependencies (#1827) Upgrades project dependencies. See details in [workflow run]. [Workflow Run]: https://github.com/cdklabs/cdk-nag/actions/runs/11584447513 ------ *Automatically created by projen via the "upgrade-main" workflow* --- package.json | 2 +- yarn.lock | 42 +++++++++++++++++++++--------------------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/package.json b/package.json index be97340804..8a3715d08a 100644 --- a/package.json +++ b/package.json @@ -61,7 +61,7 @@ "jsii-pacmak": "^1.104.0", "jsii-rosetta": "1.x", "prettier": "^2.8.8", - "projen": "^0.88.8", + "projen": "^0.88.9", "ts-jest": "^27", "typescript": "^4.9.5" }, diff --git a/yarn.lock b/yarn.lock index 779295c168..464d734aaf 100644 --- a/yarn.lock +++ b/yarn.lock @@ -790,9 +790,9 @@ integrity sha512-hov8bUuiLiyFPGyFPE1lwWhmzYbirOXQNNo40+y3zow8aFVTeyn3VWL0VFFfdNddA8S4Vf0Tc062rzyNr7Paag== "@types/node@*": - version "22.8.2" - resolved "https://registry.yarnpkg.com/@types/node/-/node-22.8.2.tgz#8e82bb8201c0caf751dcdc61b0a262d2002d438b" - integrity sha512-NzaRNFV+FZkvK/KLCsNdTvID0SThyrs5SHB6tsD/lajr22FGC73N2QeDPM2wHtVde8mgcXuSsHQkH5cX1pbPLw== + version "22.8.4" + resolved "https://registry.yarnpkg.com/@types/node/-/node-22.8.4.tgz#ab754f7ac52e1fe74174f761c5b03acaf06da0dc" + integrity sha512-SpNNxkftTJOPk0oN+y2bIqurEXHTA2AOZ3EJDDKeJ5VzkvvORSvmQXGQarcOzWV1ac7DCaPBEdMDxBsM+d8jWw== dependencies: undici-types "~6.19.8" 
@@ -1340,9 +1340,9 @@ camelcase@^6.2.0, camelcase@^6.3.0: integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA== caniuse-lite@^1.0.30001669: - version "1.0.30001673" - resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001673.tgz#5aa291557af1c71340e809987367410aab7a5a9e" - integrity sha512-WTrjUCSMp3LYX0nE12ECkV0a+e6LC85E0Auz75555/qr78Oc8YWhEPNfDd6SHdtlCMSzqtuXY0uyEMNRcsKpKw== + version "1.0.30001674" + resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001674.tgz#eb200a716c3e796d33d30b9c8890517a72f862c8" + integrity sha512-jOsKlZVRnzfhLojb+Ykb+gyUSp9Xb57So+fAiFlLzzTKpqg8xxSav0e40c8/4F/v9N8QSvrRRaLeVzQbLqomYw== case@1.6.3, case@^1.6.3: version "1.6.3" @@ -1953,9 +1953,9 @@ downlevel-dts@^0.11.0: typescript next electron-to-chromium@^1.5.41: - version "1.5.48" - resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.48.tgz#c4611d1ae36eaf943f94d384b62ec3d121167829" - integrity sha512-FXULnNK7ACNI9MTMOVAzUGiz/YrK9Kcb0s/JT4aJgsam7Eh6XYe7Y6q95lPq+VdBe1DpT2eTnfXFtnuPGCks4w== + version "1.5.49" + resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.49.tgz#9358f514ab6eeed809a8689f4b39ea5114ae729c" + integrity sha512-ZXfs1Of8fDb6z7WEYZjXpgIRF6MEu8JdeGA0A40aZq6OQbS+eJpnnV49epZRna2DU/YsEjSQuGtQPPtvt6J65A== emittery@^0.8.1: version "0.8.1" 
@@ -4460,10 +4460,10 @@ process-nextick-args@~2.0.0: resolved "https://registry.yarnpkg.com/process-nextick-args/-/process-nextick-args-2.0.1.tgz#7820d9b16120cc55ca9ae7792680ae7dba6d7fe2" integrity sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag== -projen@^0.88.8: - version "0.88.8" - resolved "https://registry.yarnpkg.com/projen/-/projen-0.88.8.tgz#47eb93613085d2bd814746679740ffbe92ce4a0e" - integrity sha512-lDh6QsyVwflKFaXjPLlyGGe3Qm6XFesvu/AEWoeakXLkpb+UQsWFcG1uddMqOx2LDVQKn1SRApwnIKBlo/fGEA== +projen@^0.88.9: + version "0.88.9" + resolved "https://registry.yarnpkg.com/projen/-/projen-0.88.9.tgz#ab51e410c51478491d4a2ade3b37b2db3afbc65a" + integrity sha512-YMza01PNTsOXk9HnRq39meR4eh4TCu4otVQTEUyPAd6e2utgEK/AqHgZypJlRVws7Hb627nv603qgAwiq6yT4Q== dependencies: "@iarna/toml" "^2.2.5" case "^1.6.3" 
@@ -5134,17 +5134,17 @@ through@2, "through@>=2.2.7 <3": resolved "https://registry.yarnpkg.com/through/-/through-2.3.8.tgz#0dd4c9ffaabc357960b1b724115d7e0e86a2e1f5" integrity sha512-w89qg7PI8wAdvX60bMDP+bFoD5Dvhm9oLheFp5O4a2QF0cSBGsBX4qZmadPMvVqlLJBBci+WqGGOAPvcDeNSVg== -tldts-core@^6.1.56: - version "6.1.56" - resolved "https://registry.yarnpkg.com/tldts-core/-/tldts-core-6.1.56.tgz#6996d6f97172920aceedb9fadaa85a691e911332" - integrity sha512-Ihxv/Bwiyj73icTYVgBUkQ3wstlCglLoegSgl64oSrGUBX1hc7Qmf/CnrnJLaQdZrCnTaLqMYOwKMKlkfkFrxQ== +tldts-core@^6.1.57: + version "6.1.57" + resolved "https://registry.yarnpkg.com/tldts-core/-/tldts-core-6.1.57.tgz#2cc6e6af3d0807ad616900300083930efa81b57d" + integrity sha512-lXnRhuQpx3zU9EONF9F7HfcRLvN1uRYUBIiKL+C/gehC/77XTU+Jye6ui86GA3rU6FjlJ0triD1Tkjt2F/2lEg== tldts@^6.1.32: - version "6.1.56" - resolved "https://registry.yarnpkg.com/tldts/-/tldts-6.1.56.tgz#c425d343418a9c66db1197998559b828822bb9ec" - integrity sha512-2PT1oRZCxtsbLi5R2SQjE/v4vvgRggAtVcYj+3Rrcnu2nPZvu7m64+gDa/EsVSWd3QzEc0U0xN+rbEKsJC47kA== + version "6.1.57" + resolved "https://registry.yarnpkg.com/tldts/-/tldts-6.1.57.tgz#5d91d257ac945837358fe3954343fc01122fbad7" + integrity sha512-Oy7yDXK8meJl8vPMOldzA+MtueAJ5BrH4l4HXwZuj2AtfoQbLjmTJmjNWPUcAo+E/ibHn7QlqMS0BOcXJFJyHQ== dependencies: - tldts-core "^6.1.56" + tldts-core "^6.1.57" tmpl@1.0.5: version "1.0.5" From 53074473d268838e2e76f79f277ae629dec6da10 Mon Sep 17 00:00:00 2001 From: cdklabs-automation <90142015+cdklabs-automation@users.noreply.github.com> Date: Wed, 30 Oct 2024 17:11:07 -0700 Subject: [PATCH 3/4] chore(deps): upgrade dependencies (#1828) Upgrades project dependencies. See details in [workflow run]. [Workflow Run]: https://github.com/cdklabs/cdk-nag/actions/runs/11603602924 ------ *Automatically created by projen via the "upgrade-main" workflow* --- package.json | 2 +- yarn.lock | 48 ++++++++++++++++++++++++------------------------ 2 files changed, 25 insertions(+), 25 deletions(-) 
diff --git a/package.json b/package.json index 8a3715d08a..213647bde1 100644 --- a/package.json +++ b/package.json @@ -61,7 +61,7 @@ "jsii-pacmak": "^1.104.0", "jsii-rosetta": "1.x", "prettier": "^2.8.8", - "projen": "^0.88.9", + "projen": "^0.89.0", "ts-jest": "^27", "typescript": "^4.9.5" }, diff --git a/yarn.lock b/yarn.lock index 464d734aaf..5c03fb380b 100644 --- a/yarn.lock +++ b/yarn.lock @@ -61,18 +61,18 @@ table "^6.8.1" "@babel/code-frame@^7.0.0", "@babel/code-frame@^7.12.13", "@babel/code-frame@^7.25.9", "@babel/code-frame@^7.26.0": - version "7.26.0" - resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.26.0.tgz#9374b5cd068d128dac0b94ff482594273b1c2815" - integrity sha512-INCKxTtbXtcNbUZ3YXutwMpEleqttcswhAdee7dhuoVrD2cnuc3PqtERBtxkX5nziX9vnBL8WXmSGwv8CuPV6g== + version "7.26.2" + resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.26.2.tgz#4b5fab97d33338eff916235055f0ebc21e573a85" + integrity sha512-RJlIHRueQgwWitWgF8OdFYGZX328Ax5BCemNGlqHfplnRT9ESi8JkFlvaVYbS+UubVY6dpv87Fs2u5M29iNFVQ== dependencies: "@babel/helper-validator-identifier" "^7.25.9" js-tokens "^4.0.0" picocolors "^1.0.0" "@babel/compat-data@^7.25.9": - version "7.26.0" - resolved "https://registry.yarnpkg.com/@babel/compat-data/-/compat-data-7.26.0.tgz#f02ba6d34e88fadd5e8861e8b38902f43cc1c819" - integrity sha512-qETICbZSLe7uXv9VE8T/RWOdIE5qqyTucOt4zLYMafj2MRO271VGgLd4RACJMeBO37UPWhXiKMBk7YlJ0fOzQA== + version "7.26.2" + resolved "https://registry.yarnpkg.com/@babel/compat-data/-/compat-data-7.26.2.tgz#278b6b13664557de95b8f35b90d96785850bb56e" + integrity sha512-Z0WgzSEa+aUcdiJuCIqgujCshpMWgUpgOxXotrYPSA53hA3qopNaqcJpyr0hVb1FeWdnqFA35/fUtXgBK8srQg== "@babel/core@^7.1.0", "@babel/core@^7.12.3", "@babel/core@^7.7.2", "@babel/core@^7.8.0": version "7.26.0" 
@@ -96,11 +96,11 @@ semver "^6.3.1" "@babel/generator@^7.25.9", "@babel/generator@^7.26.0", "@babel/generator@^7.7.2": - version "7.26.0" - resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.26.0.tgz#505cc7c90d92513f458a477e5ef0703e7c91b8d7" - integrity sha512-/AIkAmInnWwgEAJGQr9vY0c66Mj6kjkE2ZPB1PurTRaRAh3U+J45sAQMjQDJdh4WbR3l0x5xkimXBKyBXXAu2w== + version "7.26.2" + resolved "https://registry.yarnpkg.com/@babel/generator/-/generator-7.26.2.tgz#87b75813bec87916210e5e01939a4c823d6bb74f" + integrity sha512-zevQbhbau95nkoxSq3f/DC/SC+EEOUZd3DYqfSkMhY2/wfSeaHV1Ew4vk8e+x8lja31IbyuUa2uQ3JONqKbysw== dependencies: - "@babel/parser" "^7.26.0" + "@babel/parser" "^7.26.2" "@babel/types" "^7.26.0" "@jridgewell/gen-mapping" "^0.3.5" "@jridgewell/trace-mapping" "^0.3.25" @@ -162,10 +162,10 @@ "@babel/template" "^7.25.9" "@babel/types" "^7.26.0" -"@babel/parser@^7.1.0", "@babel/parser@^7.14.7", "@babel/parser@^7.20.7", "@babel/parser@^7.25.9", "@babel/parser@^7.26.0": - version "7.26.1" - resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.26.1.tgz#44e02499960df2cdce2c456372a3e8e0c3c5c975" - integrity sha512-reoQYNiAJreZNsJzyrDNzFQ+IQ5JFiIzAHJg9bn94S3l+4++J7RsIhNMoB+lgP/9tpmiAQqspv+xfdxTSzREOw== +"@babel/parser@^7.1.0", "@babel/parser@^7.14.7", "@babel/parser@^7.20.7", "@babel/parser@^7.25.9", "@babel/parser@^7.26.0", "@babel/parser@^7.26.2": + version "7.26.2" + resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.26.2.tgz#fd7b6f487cfea09889557ef5d4eeb9ff9a5abd11" + integrity sha512-DWMCZH9WA4Maitz2q21SRKHo9QXZxkDsbNZoVD62gusNtNBBqDg9i7uOhASfTfIGNzW+O+r7+jAlM8dwphcJKQ== dependencies: "@babel/types" "^7.26.0" 
@@ -1340,9 +1340,9 @@ camelcase@^6.2.0, camelcase@^6.3.0: integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA== caniuse-lite@^1.0.30001669: - version "1.0.30001674" - resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001674.tgz#eb200a716c3e796d33d30b9c8890517a72f862c8" - integrity sha512-jOsKlZVRnzfhLojb+Ykb+gyUSp9Xb57So+fAiFlLzzTKpqg8xxSav0e40c8/4F/v9N8QSvrRRaLeVzQbLqomYw== + version "1.0.30001675" + resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001675.tgz#0c1f01fc9cc543b61839753a4c234f995588d1b9" + integrity sha512-/wV1bQwPrkLiQMjaJF5yUMVM/VdRPOCU8QZ+PmG6uW6DvYSrNY1bpwHI/3mOcUosLaJCzYDi5o91IQB51ft6cg== case@1.6.3, case@^1.6.3: version "1.6.3" @@ -4460,10 +4460,10 @@ process-nextick-args@~2.0.0: resolved "https://registry.yarnpkg.com/process-nextick-args/-/process-nextick-args-2.0.1.tgz#7820d9b16120cc55ca9ae7792680ae7dba6d7fe2" integrity sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag== -projen@^0.88.9: - version "0.88.9" - resolved "https://registry.yarnpkg.com/projen/-/projen-0.88.9.tgz#ab51e410c51478491d4a2ade3b37b2db3afbc65a" - integrity sha512-YMza01PNTsOXk9HnRq39meR4eh4TCu4otVQTEUyPAd6e2utgEK/AqHgZypJlRVws7Hb627nv603qgAwiq6yT4Q== +projen@^0.89.0: + version "0.89.0" + resolved "https://registry.yarnpkg.com/projen/-/projen-0.89.0.tgz#5b6353d0ed5ca5cc57dc222c34d8fc2cc3def392" + integrity sha512-Ysk5P4+rRDgQ5ZJU7u59FO7vIO+jZ46j07I3jPkQl1ZCV1ymFul1SxRHkQokIc84BanLMbBpLmzddGUQhVctRw== dependencies: "@iarna/toml" "^2.2.5" case "^1.6.3" 
@@ -5200,9 +5200,9 @@ trim-newlines@^3.0.0: integrity sha512-c1PTsA3tYrIsLGkJkzHF+w9F2EyxfXGo4UyJc4pFL++FMjnq0HJS69T3M7d//gKrFKwy429bouPescbjecU+Zw== ts-api-utils@^1.3.0: - version "1.3.0" - resolved "https://registry.yarnpkg.com/ts-api-utils/-/ts-api-utils-1.3.0.tgz#4b490e27129f1e8e686b45cc4ab63714dc60eea1" - integrity sha512-UQMIo7pb8WRomKR1/+MFVLTroIvDVtMX3K6OUir8ynLyzB8Jeriont2bTAtmNPa1ekAgN7YPDyf6V+ygrdU+eQ== + version "1.4.0" + resolved "https://registry.yarnpkg.com/ts-api-utils/-/ts-api-utils-1.4.0.tgz#709c6f2076e511a81557f3d07a0cbd566ae8195c" + integrity sha512-032cPxaEKwM+GT3vA5JXNzIaizx388rhsSW79vGRNGXfRRAdEAn2mvk36PvK5HnOchyWZ7afLEXqYCvPCrzuzQ== ts-jest@^27: version "27.1.5" From 3a20507195b7945adf27984aa5ef8ef4ad7d7de9 Mon Sep 17 00:00:00 2001 From: cdklabs-automation <90142015+cdklabs-automation@users.noreply.github.com> Date: Thu, 31 Oct 2024 17:11:57 -0700 Subject: [PATCH 4/4] chore(deps): upgrade dependencies (#1829) Upgrades project dependencies. See details in [workflow run]. [Workflow Run]: https://github.com/cdklabs/cdk-nag/actions/runs/11621765721 ------ *Automatically created by projen via the "upgrade-main" workflow* --- .projen/tasks.json | 2 +- package.json | 2 +- yarn.lock | 26 +++++++++++++------------- 3 files changed, 15 insertions(+), 15 deletions(-) diff --git a/.projen/tasks.json b/.projen/tasks.json index 63c0d6cb83..6d038e7265 100644 --- a/.projen/tasks.json +++ b/.projen/tasks.json 
@@ -330,7 +330,7 @@ }, "steps": [ { - "exec": "npx npm-check-updates@16 --upgrade --target=minor --peer --dep=dev,peer,prod,optional --filter=eslint-config-prettier,eslint-import-resolver-typescript,eslint-plugin-import,eslint-plugin-prettier,jsii-diff,jsii-pacmak,prettier,projen,typescript" + "exec": "npx npm-check-updates@16 --upgrade --target=minor --peer --no-deprecated --dep=dev,peer,prod,optional --filter=eslint-config-prettier,eslint-import-resolver-typescript,eslint-plugin-import,eslint-plugin-prettier,jsii-diff,jsii-pacmak,prettier,projen,typescript" }, { "exec": "yarn install --check-files" diff --git a/package.json b/package.json index 213647bde1..e396882bd1 100644 --- a/package.json +++ b/package.json @@ -61,7 +61,7 @@ "jsii-pacmak": "^1.104.0", "jsii-rosetta": "1.x", "prettier": "^2.8.8", - "projen": "^0.89.0", + "projen": "^0.90.0", "ts-jest": "^27", "typescript": "^4.9.5" }, diff --git a/yarn.lock b/yarn.lock index 5c03fb380b..94846c480b 100644 --- a/yarn.lock +++ b/yarn.lock @@ -790,9 +790,9 @@ integrity sha512-hov8bUuiLiyFPGyFPE1lwWhmzYbirOXQNNo40+y3zow8aFVTeyn3VWL0VFFfdNddA8S4Vf0Tc062rzyNr7Paag== "@types/node@*": - version "22.8.4" - resolved "https://registry.yarnpkg.com/@types/node/-/node-22.8.4.tgz#ab754f7ac52e1fe74174f761c5b03acaf06da0dc" - integrity sha512-SpNNxkftTJOPk0oN+y2bIqurEXHTA2AOZ3EJDDKeJ5VzkvvORSvmQXGQarcOzWV1ac7DCaPBEdMDxBsM+d8jWw== + version "22.8.6" + resolved "https://registry.yarnpkg.com/@types/node/-/node-22.8.6.tgz#e8a0c0871623283d8b3ef7d7b9b1bfdfd3028e22" + integrity sha512-tosuJYKrIqjQIlVCM4PEGxOmyg3FCPa/fViuJChnGeEIhjA46oy8FMVoF9su1/v8PNs2a8Q0iFNyOx0uOF91nw== dependencies: undici-types "~6.19.8" 
@@ -1340,9 +1340,9 @@ camelcase@^6.2.0, camelcase@^6.3.0: integrity sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA== caniuse-lite@^1.0.30001669: - version "1.0.30001675" - resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001675.tgz#0c1f01fc9cc543b61839753a4c234f995588d1b9" - integrity sha512-/wV1bQwPrkLiQMjaJF5yUMVM/VdRPOCU8QZ+PmG6uW6DvYSrNY1bpwHI/3mOcUosLaJCzYDi5o91IQB51ft6cg== + version "1.0.30001676" + resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001676.tgz#fe133d41fe74af8f7cc93b8a714c3e86a86e6f04" + integrity sha512-Qz6zwGCiPghQXGJvgQAem79esjitvJ+CxSbSQkW9H/UX5hg8XM88d4lp2W+MEQ81j+Hip58Il+jGVdazk1z9cw== case@1.6.3, case@^1.6.3: version "1.6.3" @@ -1953,9 +1953,9 @@ downlevel-dts@^0.11.0: typescript next electron-to-chromium@^1.5.41: - version "1.5.49" - resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.49.tgz#9358f514ab6eeed809a8689f4b39ea5114ae729c" - integrity sha512-ZXfs1Of8fDb6z7WEYZjXpgIRF6MEu8JdeGA0A40aZq6OQbS+eJpnnV49epZRna2DU/YsEjSQuGtQPPtvt6J65A== + version "1.5.50" + resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.5.50.tgz#d9ba818da7b2b5ef1f3dd32bce7046feb7e93234" + integrity sha512-eMVObiUQ2LdgeO1F/ySTXsvqvxb6ZH2zPGaMYsWzRDdOddUa77tdmI0ltg+L16UpbWdhPmuF3wIQYyQq65WfZw== emittery@^0.8.1: version "0.8.1" 
@@ -4460,10 +4460,10 @@ process-nextick-args@~2.0.0: resolved "https://registry.yarnpkg.com/process-nextick-args/-/process-nextick-args-2.0.1.tgz#7820d9b16120cc55ca9ae7792680ae7dba6d7fe2" integrity sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag== -projen@^0.89.0: - version "0.89.0" - resolved "https://registry.yarnpkg.com/projen/-/projen-0.89.0.tgz#5b6353d0ed5ca5cc57dc222c34d8fc2cc3def392" - integrity sha512-Ysk5P4+rRDgQ5ZJU7u59FO7vIO+jZ46j07I3jPkQl1ZCV1ymFul1SxRHkQokIc84BanLMbBpLmzddGUQhVctRw== +projen@^0.90.0: + version "0.90.0" + resolved "https://registry.yarnpkg.com/projen/-/projen-0.90.0.tgz#dacfe2a75e05da3c5919d8e084d18f25bd952b43" + integrity sha512-klJXSriGl/w+9Gj22vNenq8DjMBIscaOArt0aSTtPjeZyb5s0OSrDF0ALSzlLfz4x7dT8jRB2C8sb9tuuR/sUA== dependencies: "@iarna/toml" "^2.2.5" case "^1.6.3"