Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bug: SNSEncryptedKMS rule unexpectedly removed from NIST 800-53 rev 5 pack #1849

Open
bhegde82 opened this issue Nov 22, 2024 · 1 comment · May be fixed by #1853
Open

bug: SNSEncryptedKMS rule unexpectedly removed from NIST 800-53 rev 5 pack #1849

bhegde82 opened this issue Nov 22, 2024 · 1 comment · May be fixed by #1853
Labels
bug Something isn't working needs-triage This issue or PR still needs to be triaged.

Comments

@bhegde82
Copy link

What is the problem?

In a prior change #1821 , the SNSEncryptedKMS rule was removed from cdk-nag entirely due to updated AWS guidance that retired this control for AWS Foundational Security Best Practices: https://docs.aws.amazon.com/securityhub/latest/userguide/sns-controls.html#sns-1

However, as noted in the above documentation, the rule is still included in the NIST 800-53 Rev.5 standard.

Therefore, the rule should be added back to cdk-nag for the NIST 800-53 rev 5 pack, although it can still be excluded for the AwsSolutions pack.

This also breaks custom nag packs that were importing the premade rule for use, even though the change was introduced in a minor version upgrade.

Reproduction Steps

Sample 1: Using NIST 800-53 rev. 5 rule pack

import { App, Aspects, Stack } from "aws-cdk-lib";
import { Topic } from "aws-cdk-lib/aws-sns";
import { Construct } from "constructs";

import { NIST80053R5Checks } from "cdk-nag";

const app = new App();

Aspects.of(app).add(new NIST80053R5Checks({ verbose: true }));

class InfrastructureStack extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Unencrypted SNS topic
    new Topic(this, "SNSTopic");
  }
}
new InfrastructureStack(app, "CDKNagTest");

Sample 2: Import SNSEncryptedKMS rule into custom nag packs

import { App, Aspects, CfnResource, Stack } from 'aws-cdk-lib';
import { Construct, IConstruct } from 'constructs';
import {
  NagMessageLevel,
  NagPack,
  NagPackProps,
  rules,
} from 'cdk-nag';
import { Topic } from 'aws-cdk-lib/aws-sns';
import { Key } from 'aws-cdk-lib/aws-kms';

export class ExampleChecks extends NagPack {
  constructor (props?: NagPackProps) {
    super(props);
    this.packName = 'Example';
  }
  public visit (node: IConstruct) {
    if (node instanceof CfnResource) {
      this.applyRule({
        info: 'SNS KMS required.',
        explanation: 'Please enabled SNS KMS.',
        level: NagMessageLevel.ERROR,
        rule: rules.sns.SNSEncryptedKMS,
        node: node,
      });
    }
  }
}

const app = new App();

Aspects.of(app).add(new ExampleChecks({ verbose: true }));

class InfrastructureStack extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);
    
    const key = new Key(this, "Key", { enableKeyRotation: true });
    new Topic(this, "SNSTopic", { masterKey: key });
  }
}
new InfrastructureStack(app, "CDKNagTest");

What did you expect to happen?

Sample 1

This code is supposed to trigger an Error finding due to the SNS topic not using KMS encryption.

> tsc && cdk synth

[Error at /CDKNagTest/SNSTopic/Resource] NIST.800.53.R5-SNSEncryptedKMS: The SNS topic does not have KMS encryption enabled - (Control IDs: AU-9(3), CP-9d, SC-8(3), SC-8(4), SC-13a, SC-28(1)). To help protect data at rest, ensure that your Amazon Simple Notification Service (Amazon SNS) topics require encryption using AWS Key Management Service (AWS KMS) Because sensitive data can exist at rest in published messages, enable encryption at rest to help protect that data.

Sample 2

This code is supposed to synthesize properly into CloudFormation without a runtime error.

What actually happened?

Sample 1

cdk synth succeeds instead of raising the Error finding.

> tsc && cdk synth

Resources:
  SNSTopicBCCC5DD8:
    Type: AWS::SNS::Topic
    Metadata:
      aws:cdk:path: CDKNagTest/SNSTopic/Resource
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/yXGzQ5EMBAA4Gdxb0c1Ee7egL1vqq1k/MxsTK2DeHfB6fssFJUBk7ldtA+TnrGHo0vOT8rt8hUSOD78Q6+agZ6c99oovK0+3m+YAiZkOhVxiDBK/i9qsAbKbBREvW6UcInQvl4CUdSScwAAAA==
    Metadata:
      aws:cdk:path: CDKNagTest/CDKMetadata/Default
    Condition: CDKMetadataAvailable
Conditions:
  CDKMetadataAvailable:
    Fn::Or:
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - af-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-northeast-3
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-south-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-2
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-3
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - ap-southeast-4
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - ca-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - cn-northwest-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-central-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-north-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-south-2
      - Fn::Or:
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-1
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-2
          - Fn::Equals:
              - Ref: AWS::Region
              - eu-west-3
          - Fn::Equals:
              - Ref: AWS::Region
              - il-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-central-1
          - Fn::Equals:
              - Ref: AWS::Region
              - me-south-1
          - Fn::Equals:
              - Ref: AWS::Region
              - sa-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-1
          - Fn::Equals:
              - Ref: AWS::Region
              - us-east-2
          - Fn::Equals:
              - Ref: AWS::Region
              - us-west-1
      - Fn::Equals:
          - Ref: AWS::Region
          - us-west-2
Parameters:
  BootstrapVersion:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /cdk-bootstrap/hnb659fds/version
    Description: Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]

Sample 2

Typescript compilation fails since the rule has been deleted

> tsc && cdk synth

lib/test.ts:23:25 - error TS2339: Property 'SNSEncryptedKMS' does not exist on type 'typeof import("/Users/username/CDKTest/node_modules/cdk-nag/lib/rules/sns/index")'.

23         rule: rules.sns.SNSEncryptedKMS,
                           ~~~~~~~~~~~~~~~

Found 1 error in lib/test.ts:23

cdk-nag version

2.34.3

Language

Typescript

Other information

No response

@bhegde82 bhegde82 added bug Something isn't working needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2024
@clueleaf
Copy link
Contributor

@bhegde82
Thank you for reporting. I will add the rule back to NIST 800-53 Rev.5 and NIST 800-53 Rev.4 as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working needs-triage This issue or PR still needs to be triaged.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants