diff --git a/RULES.md b/RULES.md
index 5915505a8e..e8deb8a7c4 100644
--- a/RULES.md
+++ b/RULES.md
@@ -51,7 +51,6 @@ The [AWS Solutions Library](https://aws.amazon.com/solutions/) offers a collecti
 | AwsSolutions-AS2 | The Auto Scaling Group does not have properly configured health checks. | The health check feature enables the service to detect whether its registered EC2 instances are healthy or not. |
 | AwsSolutions-AS3 | The Auto Scaling Group does not have notifications configured for all scaling events. | Notifications on EC2 instance launch, launch error, termination, and termination errors allow operators to gain better insights into systems attributes such as activity and health. |
 | AwsSolutions-ASC3 | The GraphQL API does not have request level logging enabled. | It is important to use CloudWatch Logs to log metrics such as who has accessed the GraphQL API, how the caller accessed the API, and invalid requests. |
-| AwsSolutions-ATH1 | The Athena workgroup does not encrypt query results. | Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption. |
 | AwsSolutions-CB4 | The CodeBuild project does not use an AWS KMS key for encryption. | Using an AWS KMS key helps follow the standard security advice of granting least privilege to objects generated by the project. |
 | AwsSolutions-C91 | The Cloud9 instance does not use a no-ingress EC2 instance with AWS Systems Manager. | SSM adds an additional layer of protection as it allows operators to control access through IAM permissions and does not require opening inbound ports. |
 | AwsSolutions-CFR3 | The CloudFront distribution does not have access logging enabled. | Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network. |
@@ -695,9 +694,9 @@ Unimplemented rules from the AWS PCI DSS 3.2.1 Conformance Pack.
 A collection of community rules that are not currently included in any of the pre-built NagPacks, but are still available for inclusion in [custom NagPacks](https://github.com/cdklabs/cdk-nag/blob/main/docs/NagPack.md).
-| Rule ID | Cause | Explanation |
-| ------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| LambdaFunctionUrlAuth | The Lambda Function URL allows for public, unauthenticated access. | AWS Lambda Function URLs allow you to invoke your function via a HTTPS end-point, setting the authentication to NONE allows anyone on the internet to invoke your function. |
+| Rule ID | Cause | Explanation |
+| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| LambdaFunctionUrlAuth | The Lambda Function URL allows for public, unauthenticated access. | AWS Lambda Function URLs allow you to invoke your function via a HTTPS end-point, setting the authentication to NONE allows anyone on the internet to invoke your function. |
 | LambdaEventSourceSQSVisibilityTimeout | The SQS queue visibility timeout of Lambda Event Source Mapping is less than 6 times timeout of Lambda function. | Setting the visibility timeout to [at least 6 times the Lambda function timeout](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-lambda-function-trigger.html) helps prevent configurations resulting in duplicate processing of queue items when the Lambda function execution is retried. |
 ## Footnotes
diff --git a/src/packs/aws-solutions.ts b/src/packs/aws-solutions.ts
index a798c53e20..ad38a63f7f 100644
--- a/src/packs/aws-solutions.ts
+++ b/src/packs/aws-solutions.ts
@@ -14,7 +14,6 @@ import {
   APIGWRequestValidation,
 } from '../rules/apigw';
 import { AppSyncGraphQLRequestLogging } from '../rules/appsync';
-import { AthenaWorkgroupEncryptedQueryResults } from '../rules/athena';
 import {
   AutoScalingGroupCooldownPeriod,
   AutoScalingGroupHealthCheck,
@@ -1007,15 +1006,6 @@ export class AwsSolutionsChecks extends NagPack {
    * @param ignores list of ignores for the resource
    */
   private checkAnalytics(node: CfnResource): void {
-    this.applyRule({
-      ruleSuffixOverride: 'ATH1',
-      info: 'The Athena workgroup does not encrypt query results.',
-      explanation:
-        'Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption.',
-      level: NagMessageLevel.ERROR,
-      rule: AthenaWorkgroupEncryptedQueryResults,
-      node: node,
-    });
     this.applyRule({
       ruleSuffixOverride: 'EMR2',
       info: 'The EMR cluster does not have S3 logging enabled.',
diff --git a/src/rules/athena/AthenaWorkgroupEncryptedQueryResults.ts b/src/rules/athena/AthenaWorkgroupEncryptedQueryResults.ts
deleted file mode 100644
index 54ed10e953..0000000000
--- a/src/rules/athena/AthenaWorkgroupEncryptedQueryResults.ts
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
-Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0
-*/
-import { parse } from 'path';
-import { CfnResource, Stack } from 'aws-cdk-lib';
-import { CfnWorkGroup } from 'aws-cdk-lib/aws-athena';
-import { NagRuleCompliance, NagRules } from '../../nag-rules';
-
-/**
- * Athena workgroups encrypt query results
- * @param node the CfnResource to check
- */
-export default Object.defineProperty(
-  (node: CfnResource): NagRuleCompliance => {
-    if (node instanceof CfnWorkGroup) {
-      const workGroupConfiguration = Stack.of(node).resolve(
-        node.workGroupConfiguration
-      );
-      const enforceWorkGroupConfiguration = NagRules.resolveIfPrimitive(
-        node,
-        workGroupConfiguration?.enforceWorkGroupConfiguration
-      );
-      if (!enforceWorkGroupConfiguration) {
-        return NagRuleCompliance.NON_COMPLIANT;
-      }
-      const resultConfiguration = Stack.of(node).resolve(
-        workGroupConfiguration.resultConfiguration
-      );
-      if (resultConfiguration === undefined) {
-        return NagRuleCompliance.NON_COMPLIANT;
-      }
-      const encryptionConfiguration = Stack.of(node).resolve(
-        resultConfiguration.encryptionConfiguration
-      );
-      if (encryptionConfiguration === undefined) {
-        return NagRuleCompliance.NON_COMPLIANT;
-      }
-      return NagRuleCompliance.COMPLIANT;
-    } else {
-      return NagRuleCompliance.NOT_APPLICABLE;
-    }
-  },
-  'name',
-  { value: parse(__filename).name }
-);
diff --git a/src/rules/athena/index.ts b/src/rules/athena/index.ts
deleted file mode 100644
index 5a129734a9..0000000000
--- a/src/rules/athena/index.ts
+++ /dev/null
@@ -1,5 +0,0 @@
-/*
-Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0
-*/
-export { default as AthenaWorkgroupEncryptedQueryResults } from './AthenaWorkgroupEncryptedQueryResults';
diff --git a/src/rules/index.ts b/src/rules/index.ts
index 2c1e901831..b73bafb08e 100644
--- a/src/rules/index.ts
+++ b/src/rules/index.ts
@@ -4,7 +4,6 @@ SPDX-License-Identifier: Apache-2.0
 */
 export * as apigw from './apigw';
 export * as appsync from './appsync';
-export * as athena from './athena';
 export * as autoscaling from './autoscaling';
 export * as cloud9 from './cloud9';
 export * as cloudfront from './cloudfront';
diff --git a/test/Packs.test.ts b/test/Packs.test.ts
index a09f7a5fbc..cce02d87d3 100644
--- a/test/Packs.test.ts
+++ b/test/Packs.test.ts
@@ -71,7 +71,6 @@ describe('Check NagPack Details', () => {
       'AwsSolutions-AS2',
       'AwsSolutions-AS3',
       'AwsSolutions-ASC3',
-      'AwsSolutions-ATH1',
       'AwsSolutions-CB4',
       'AwsSolutions-C91',
       'AwsSolutions-CFR3',
diff --git a/test/rules/Athena.test.ts b/test/rules/Athena.test.ts
deleted file mode 100644
index 8c2ce8cb8f..0000000000
--- a/test/rules/Athena.test.ts
+++ /dev/null
@@ -1,78 +0,0 @@
-/*
-Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
-SPDX-License-Identifier: Apache-2.0
-*/
-import { CfnWorkGroup } from 'aws-cdk-lib/aws-athena';
-import { Aspects, Stack } from 'aws-cdk-lib/core';
-import { TestPack, TestType, validateStack } from './utils';
-import { AthenaWorkgroupEncryptedQueryResults } from '../../src/rules/athena';
-
-const testPack = new TestPack([AthenaWorkgroupEncryptedQueryResults]);
-let stack: Stack;
-
-beforeEach(() => {
-  stack = new Stack();
-  Aspects.of(stack).add(testPack);
-});
-
-describe('Amazon Athena', () => {
-  describe('AthenaWorkgroupEncryptedQueryResults: Athena workgroups encrypt query results', () => {
-    const ruleId = 'AthenaWorkgroupEncryptedQueryResults';
-    test('Noncompliance 1', () => {
-      new CfnWorkGroup(stack, 'rWorkgroup', {
-        name: 'foo',
-      });
-      validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
-    });
-    test('Noncompliance 2', () => {
-      new CfnWorkGroup(stack, 'rWorkgroup', {
-        name: 'foo',
-        workGroupConfiguration: {
-          enforceWorkGroupConfiguration: false,
-          resultConfiguration: {
-            encryptionConfiguration: {
-              encryptionOption: 'SSE_S3',
-            },
-          },
-        },
-      });
-      validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
-    });
-    test('Noncompliance 3', () => {
-      new CfnWorkGroup(stack, 'rWorkgroup', {
-        name: 'foo',
-        workGroupConfiguration: {
-          enforceWorkGroupConfiguration: true,
-          requesterPaysEnabled: true,
-        },
-      });
-      validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
-    });
-    test('Noncompliance 4', () => {
-      new CfnWorkGroup(stack, 'rWorkgroup', {
-        name: 'foo',
-        workGroupConfiguration: {
-          enforceWorkGroupConfiguration: true,
-          resultConfiguration: {
-            outputLocation: 'bar',
-          },
-        },
-      });
-      validateStack(stack, ruleId, TestType.NON_COMPLIANCE);
-    });
-    test('Compliance', () => {
-      new CfnWorkGroup(stack, 'rWorkgroup', {
-        name: 'foo',
-        workGroupConfiguration: {
-          enforceWorkGroupConfiguration: true,
-          resultConfiguration: {
-            encryptionConfiguration: {
-              encryptionOption: 'SSE_S3',
-            },
-          },
-        },
-      });
-      validateStack(stack, ruleId, TestType.COMPLIANCE);
-    });
-  });
-});