feat: remove AthenaWorkgroupEncryptedQueryResults and CodeBuildProjectPrivilegedModeDisabled (#1838)

Fixes #1803 
Fixes #1804
clueleaf authored Nov 12, 2024
1 parent 1c8b00a commit 650846a
Showing 10 changed files with 3 additions and 225 deletions.
8 changes: 3 additions & 5 deletions RULES.md
Expand Up @@ -16,7 +16,6 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti
| Rule ID | Cause | Explanation |
| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| AwsSolutions-APIG3 | The REST API stage is not associated with AWS WAFv2 web ACL. | AWS WAFv2 is a web application firewall that helps protect web applications and APIs from attacks by allowing configured rules to allow, block, or monitor (count) web requests based on customizable rules and conditions that are defined. |
| AwsSolutions-CB3 | The CodeBuild project has privileged mode enabled. | Privileged grants elevated rights to the system, which introduces additional risk. Privileged mode should only be set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails. |
| AwsSolutions-CB5 | The Codebuild project does not use images provided by the CodeBuild service or have a cdk-nag suppression rule explaining the need for a custom image. | Explaining differences/edits to Docker images helps operators better understand system dependencies. |
| AwsSolutions-CFR1 | The CloudFront distribution may require Geo restrictions. | Geo restriction may need to be enabled for the distribution in order to allow or deny a country in order to allow or restrict users in specific locations from accessing content. |
| AwsSolutions-CFR2 | The CloudFront distribution may require integration with AWS WAF. | The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them. |
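Review bot: removing the AwsSolutions-CB3 row leaves anyone who already carries a cdk-nag suppression for AwsSolutions-CB3 (the table itself refers to such suppression rules) with an exception that no longer matches any rule; suggest a release note next to the Fixes #1804 reference telling users to drop those suppressions so stale entries do not linger in their stacks.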
Expand Down Expand Up @@ -51,7 +50,6 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti
| AwsSolutions-AS2 | The Auto Scaling Group does not have properly configured health checks. | The health check feature enables the service to detect whether its registered EC2 instances are healthy or not. |
| AwsSolutions-AS3 | The Auto Scaling Group does not have notifications configured for all scaling events. | Notifications on EC2 instance launch, launch error, termination, and termination errors allow operators to gain better insights into systems attributes such as activity and health. |
| AwsSolutions-ASC3 | The GraphQL API does not have request level logging enabled. | It is important to use CloudWatch Logs to log metrics such as who has accessed the GraphQL API, how the caller accessed the API, and invalid requests. |
| AwsSolutions-ATH1 | The Athena workgroup does not encrypt query results. | Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption. |
| AwsSolutions-CB4 | The CodeBuild project does not use an AWS KMS key for encryption. | Using an AWS KMS key helps follow the standard security advice of granting least privilege to objects generated by the project. |
| AwsSolutions-C91 | The Cloud9 instance does not use a no-ingress EC2 instance with AWS Systems Manager. | SSM adds an additional layer of protection as it allows operators to control access through IAM permissions and does not require opening inbound ports. |
| AwsSolutions-CFR3 | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. |
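Review bot: dropping AwsSolutions-ATH1 from the table leaves no rule in this pack covering encryption of Athena query results at rest, the risk the removed Explanation cell describes; the commit message only says Fixes #1803, so stating in the message or in RULES.md whether the check was intentionally retired or superseded would stop readers from taking the gap for an oversight.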
Expand Down Expand Up @@ -695,9 +693,9 @@ Unimplemented rules from the AWS PCI DSS 3.2.1 Conformance Pack.

A collection of community rules that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in [custom NagPacks](https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md).

| Rule ID | Cause | Explanation |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| LambdaFunctionUrlAuth | The Lambda Function URL allows for public, unauthenticated access. | AWS Lambda Function URLs allow you to invoke your function via a HTTPS end-point, setting the authentication to NONE allows anyone on the internet to invoke your function. |
| Rule ID | Cause | Explanation |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| LambdaFunctionUrlAuth | The Lambda Function URL allows for public, unauthenticated access. | AWS Lambda Function URLs allow you to invoke your function via a HTTPS end-point, setting the authentication to NONE allows anyone on the internet to invoke your function. |
| LambdaEventSourceSQSVisibilityTimeout | The SQS queue visibility timeout of Lambda Event Source Mapping is less than 6 times timeout of Lambda function. | Setting the visibility timeout to [at least 6 times the Lambda function timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-lambda-function-trigger.html) helps prevent configurations resulting in duplicate processing of queue items when the Lambda function execution is retried. |

## Footnotes
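Review bot: this RULES.md hunk only re-pads the community rules header, separator and the LambdaFunctionUrlAuth row to the width of the LambdaEventSourceSQSVisibilityTimeout cause; that is a formatter-driven whitespace change unrelated to the rule removals and it adds noise to the review, so consider landing it as its own commit or at least mentioning the reformat in the commit message.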
20 changes: 0 additions & 20 deletions src/packs/aws-solutions.ts
Expand Up @@ -14,7 +14,6 @@ import {
APIGWRequestValidation,
} from '../rules/apigw';
import { AppSyncGraphQLRequestLogging } from '../rules/appsync';
import { AthenaWorkgroupEncryptedQueryResults } from '../rules/athena';
import {
AutoScalingGroupCooldownPeriod,
AutoScalingGroupHealthCheck,
Expand All @@ -33,7 +32,6 @@ import {
import {
CodeBuildProjectKMSEncryptedArtifacts,
CodeBuildProjectManagedImages,
CodeBuildProjectPrivilegedModeDisabled,
} from '../rules/codebuild';
import {
CognitoUserPoolAdvancedSecurityModeEnforced,
Expand Down Expand Up @@ -1007,15 +1005,6 @@ export class AwsSolutionsChecks extends NagPack {
* @param ignores list of ignores for the resource
*/
private checkAnalytics(node: CfnResource): void {
this.applyRule({
ruleSuffixOverride: 'ATH1',
info: 'The Athena workgroup does not encrypt query results.',
explanation:
'Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption.',
level: NagMessageLevel.ERROR,
rule: AthenaWorkgroupEncryptedQueryResults,
node: node,
});
this.applyRule({
ruleSuffixOverride: 'EMR2',
info: 'The EMR cluster does not have S3 logging enabled.',
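Review bot: the removed ATH1 rule ran at NagMessageLevel.ERROR, so stacks that previously failed synthesis on an unencrypted Athena workgroup will pass silently after upgrading; that is a user-visible change in the pack's output and should be flagged as such, for example with a `feat!:` prefix or a BREAKING CHANGE footer, rather than a plain `feat:` commit.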
Expand Down Expand Up @@ -1464,15 +1453,6 @@ export class AwsSolutionsChecks extends NagPack {
* @param ignores list of ignores for the resource
*/
private checkDeveloperTools(node: CfnResource): void {
this.applyRule({
ruleSuffixOverride: 'CB3',
info: 'The CodeBuild project has privileged mode enabled.',
explanation:
'Privileged grants elevated rights to the system, which introduces additional risk. Privileged mode should only be set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails.',
level: NagMessageLevel.WARN,
rule: CodeBuildProjectPrivilegedModeDisabled,
node: node,
});
this.applyRule({
ruleSuffixOverride: 'CB4',
info: 'The CodeBuild project does not use an AWS KMS key for encryption.',
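Review bot: with CB3 gone, checkDeveloperTools keeps the CB4 suffix (and CB5 remains in the pack), leaving a hole in the numbering; recommend recording that CB3 is retired and must not be reused for a different rule, since an old suppression for AwsSolutions-CB3 would otherwise silently mask whatever new check took that suffix.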
46 changes: 0 additions & 46 deletions src/rules/athena/AthenaWorkgroupEncryptedQueryResults.ts

This file was deleted.

5 changes: 0 additions & 5 deletions src/rules/athena/index.ts

This file was deleted.

32 changes: 0 additions & 32 deletions src/rules/codebuild/CodeBuildProjectPrivilegedModeDisabled.ts

This file was deleted.

1 change: 0 additions & 1 deletion src/rules/codebuild/index.ts
Expand Up @@ -5,5 +5,4 @@ SPDX-License-Identifier: Apache-2.0
export { default as CodeBuildProjectEnvVarAwsCred } from './CodeBuildProjectEnvVarAwsCred';
export { default as CodeBuildProjectKMSEncryptedArtifacts } from './CodeBuildProjectKMSEncryptedArtifacts';
export { default as CodeBuildProjectManagedImages } from './CodeBuildProjectManagedImages';
export { default as CodeBuildProjectPrivilegedModeDisabled } from './CodeBuildProjectPrivilegedModeDisabled';
export { default as CodeBuildProjectSourceRepoUrl } from './CodeBuildProjectSourceRepoUrl';
1 change: 0 additions & 1 deletion src/rules/index.ts
Expand Up @@ -4,7 +4,6 @@ SPDX-License-Identifier: Apache-2.0
*/
export * as apigw from './apigw';
export * as appsync from './appsync';
export * as athena from './athena';
export * as autoscaling from './autoscaling';
export * as cloud9 from './cloud9';
export * as cloudfront from './cloudfront';
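Review bot: `export * as athena` in src/rules/index.ts and the CodeBuildProjectPrivilegedModeDisabled export in src/rules/codebuild/index.ts are public entry points (RULES.md notes that rules are available for inclusion in custom NagPacks), so custom packs importing either will stop compiling; call this out as a breaking API change and not only as a rule removal.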
2 changes: 0 additions & 2 deletions test/Packs.test.ts
Expand Up @@ -39,7 +39,6 @@ describe('Check NagPack Details', () => {
test('Pack contains expected warning and error rules', () => {
const expectedWarnings = [
'AwsSolutions-APIG3',
'AwsSolutions-CB3',
'AwsSolutions-CB5',
'AwsSolutions-CFR1',
'AwsSolutions-CFR2',
Expand Down Expand Up @@ -71,7 +70,6 @@ describe('Check NagPack Details', () => {
'AwsSolutions-AS2',
'AwsSolutions-AS3',
'AwsSolutions-ASC3',
'AwsSolutions-ATH1',
'AwsSolutions-CB4',
'AwsSolutions-C91',
'AwsSolutions-CFR3',
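Review bot: the only test change is deleting 'AwsSolutions-CB3' and 'AwsSolutions-ATH1' from the expected lists; confirm that 'Pack contains expected warning and error rules' compares the pack's rule IDs for exact membership rather than checking that each expected ID is present, otherwise the test would still pass if a removed rule were somehow still applied.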