Commit
remove AthenaWorkgroupEncryptedQueryResults
clueleaf committed Nov 10, 2024
1 parent 789a9c2 commit cec1cab
Showing 7 changed files with 3 additions and 145 deletions.
7 changes: 3 additions & 4 deletions RULES.md
@@ -51,7 +51,6 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti
| AwsSolutions-AS2 | The Auto Scaling Group does not have properly configured health checks. | The health check feature enables the service to detect whether its registered EC2 instances are healthy or not. |
| AwsSolutions-AS3 | The Auto Scaling Group does not have notifications configured for all scaling events. | Notifications on EC2 instance launch, launch error, termination, and termination errors allow operators to gain better insights into systems attributes such as activity and health. |
| AwsSolutions-ASC3 | The GraphQL API does not have request level logging enabled. | It is important to use CloudWatch Logs to log metrics such as who has accessed the GraphQL API, how the caller accessed the API, and invalid requests. |
| AwsSolutions-ATH1 | The Athena workgroup does not encrypt query results. | Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption. |
| AwsSolutions-CB4 | The CodeBuild project does not use an AWS KMS key for encryption. | Using an AWS KMS key helps follow the standard security advice of granting least privilege to objects generated by the project. |
| AwsSolutions-C91 | The Cloud9 instance does not use a no-ingress EC2 instance with AWS Systems Manager. | SSM adds an additional layer of protection as it allows operators to control access through IAM permissions and does not require opening inbound ports. |
| AwsSolutions-CFR3 | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. |
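Review bot: the AwsSolutions-ATH1 row is dropped from the rule table with no deprecation marker or footnote, so anyone who carries `AwsSolutions-ATH1` in a suppression will find no trace of it in the docs. Consider adding a line to the Footnotes section (or the changelog) stating that ATH1 was removed in this commit and what, if anything, now covers Athena query-result encryption.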
@@ -695,9 +694,9 @@ Unimplemented rules from the AWS PCI DSS 3.2.1 Conformance Pack.

A collection of community rules that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in [custom NagPacks](https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md).

| Rule ID | Cause | Explanation |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| LambdaFunctionUrlAuth | The Lambda Function URL allows for public, unauthenticated access. | AWS Lambda Function URLs allow you to invoke your function via a HTTPS end-point, setting the authentication to NONE allows anyone on the internet to invoke your function. |
| Rule ID | Cause | Explanation |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| LambdaFunctionUrlAuth | The Lambda Function URL allows for public, unauthenticated access. | AWS Lambda Function URLs allow you to invoke your function via a HTTPS end-point, setting the authentication to NONE allows anyone on the internet to invoke your function. |
| LambdaEventSourceSQSVisibilityTimeout | The SQS queue visibility timeout of Lambda Event Source Mapping is less than 6 times timeout of Lambda function. | Setting the visibility timeout to [at least 6 times the Lambda function timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-lambda-function-trigger.html) helps prevent configurations resulting in duplicate processing of queue items when the Lambda function execution is retried. |

## Footnotes
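Review bot: every changed line in this hunk is a whitespace-only column reflow of the community rules table (the header, separator and LambdaFunctionUrlAuth rows are re-padded to the width of the longer LambdaEventSourceSQSVisibilityTimeout row); the content is unchanged. It is unrelated to the Athena removal and would be easier to review as a separate formatting commit, but it is harmless as is.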
10 changes: 0 additions & 10 deletions src/packs/aws-solutions.ts
@@ -14,7 +14,6 @@ import {
APIGWRequestValidation,
} from '../rules/apigw';
import { AppSyncGraphQLRequestLogging } from '../rules/appsync';
import { AthenaWorkgroupEncryptedQueryResults } from '../rules/athena';
import {
AutoScalingGroupCooldownPeriod,
AutoScalingGroupHealthCheck,
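Review bot: dropping `import { AthenaWorkgroupEncryptedQueryResults } from '../rules/athena';` is consistent with deleting `src/rules/athena/` in the same commit, so the pack still compiles. Since `src/rules/index.ts` also stops exporting `athena`, any custom NagPack that referenced the Athena rule through the rules barrel loses it; that deserves a changelog entry.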
@@ -1007,15 +1006,6 @@ export class AwsSolutionsChecks extends NagPack {
* @param ignores list of ignores for the resource
*/
private checkAnalytics(node: CfnResource): void {
this.applyRule({
ruleSuffixOverride: 'ATH1',
info: 'The Athena workgroup does not encrypt query results.',
explanation:
'Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption.',
level: NagMessageLevel.ERROR,
rule: AthenaWorkgroupEncryptedQueryResults,
node: node,
});
this.applyRule({
ruleSuffixOverride: 'EMR2',
info: 'The EMR cluster does not have S3 logging enabled.',
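Review bot: removing the ATH1 `applyRule` call silently lowers the pack's coverage, and the commit message gives no reason for dropping an ERROR-level data-at-rest encryption check. State the rationale in the commit message and changelog, and keep the `ATH1` suffix retired rather than reusing it for a future rule, since existing suppressions keyed on `AwsSolutions-ATH1` would otherwise silently suppress a different check. Minor and pre-existing: the JSDoc above `checkAnalytics` still documents a `@param ignores` although the method only takes `node`.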
46 changes: 0 additions & 46 deletions src/rules/athena/AthenaWorkgroupEncryptedQueryResults.ts

This file was deleted.

5 changes: 0 additions & 5 deletions src/rules/athena/index.ts

This file was deleted.

1 change: 0 additions & 1 deletion src/rules/index.ts
@@ -4,7 +4,6 @@ SPDX-License-Identifier: Apache-2.0
*/
export * as apigw from './apigw';
export * as appsync from './appsync';
export * as athena from './athena';
export * as autoscaling from './autoscaling';
export * as cloud9 from './cloud9';
export * as cloudfront from './cloudfront';
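Review bot: removing `export * as athena from './athena';` is required once the directory is deleted, but if the rules barrel is part of the package's public surface this is a breaking API change for consumers that import the Athena rule from it. Flag it as such in the release notes.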
1 change: 0 additions & 1 deletion test/Packs.test.ts
@@ -71,7 +71,6 @@ describe('Check NagPack Details', () => {
'AwsSolutions-AS2',
'AwsSolutions-AS3',
'AwsSolutions-ASC3',
'AwsSolutions-ATH1',
'AwsSolutions-CB4',
'AwsSolutions-C91',
'AwsSolutions-CFR3',
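Review bot: the expected-ID list drops `'AwsSolutions-ATH1'` and `test/rules/Athena.test.ts` is deleted in the same commit, so no test now guards against the ID being reintroduced with different semantics. If the ID is meant to stay retired, a small assertion that `AwsSolutions-ATH1` is absent from the pack's rule IDs would document that intent.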
78 changes: 0 additions & 78 deletions test/rules/Athena.test.ts

This file was deleted.

0 comments on commit cec1cab