
include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
For https://aws.amazon.com/s3/[Amazon S3] buckets, when server access logging is not configured:
[source,yaml]
----
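AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket' # Sensitive
    Properties:
      BucketName: "mynoncompliantbucket"
      # No LoggingConfiguration: server access logging is off, so requests
      # made to this bucket are not recorded anywhere.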
----
For https://aws.amazon.com/api-gateway/[Amazon API Gateway] stages:
[source,yaml]
----
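AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod: # Sensitive
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      # X-Ray tracing is off and there is no AccessLogSetting, so calls to
      # this stage leave no access-log trail.
      TracingEnabled: false # Sensitive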
----
For https://aws.amazon.com/neptune/[Amazon Neptune] clusters:
[source,yaml]
----
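AWSTemplateFormatVersion: 2010-09-09
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      # Empty list: no log type (e.g. "audit") is exported to CloudWatch Logs.
      # Omitting the property entirely has the same effect.
      EnableCloudwatchLogsExports: [] # Sensitive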
----
For https://aws.amazon.com/msk/[Amazon MSK] broker logs:
[source,yaml]
----
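AWSTemplateFormatVersion: 2010-09-09
Resources:
  SensitiveCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      # MSK cluster names allow only letters, digits and hyphens.
      ClusterName: sensitive-cluster
      LoggingInfo:
        BrokerLogs: # Sensitive
          # Both delivery targets are declared but disabled, so no broker
          # logs leave the cluster.
          CloudWatchLogs:
            Enabled: false
            LogGroup: CWLG
          Firehose:
            DeliveryStream: DS
            Enabled: false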
----
For https://aws.amazon.com/documentdb/[Amazon DocumentDB] clusters:
[source,yaml]
----
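AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBOmittingLogs: # Sensitive
    Type: "AWS::DocDB::DBCluster"
    Properties:
      # Cluster identifiers allow only letters, digits and hyphens (no spaces).
      DBClusterIdentifier: "db-without-logs"
      # No EnableCloudwatchLogsExports: the audit log is not exported.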
----
For https://aws.amazon.com/amazon-mq/[Amazon MQ]:
[source,yaml]
----
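AWSTemplateFormatVersion: 2010-09-09
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs: # Sensitive
        # Neither audit nor general broker logs are published.
        Audit: false
        General: false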
----
For https://aws.amazon.com/redshift/[Amazon Redshift]:
[source,yaml]
----
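AWSTemplateFormatVersion: 2010-09-09
Resources:
  ClusterOmittingLogging: # Sensitive
    Type: "AWS::Redshift::Cluster"
    Properties:
      # DBName must be lowercase alphanumeric, so a name with spaces is rejected.
      DBName: "warehouse"
      # No LoggingProperties: audit logging is not enabled, nothing is
      # delivered to S3.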
----
For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch Service] (or legacy Amazon Elasticsearch Service) domains that do not publish `AUDIT_LOGS`:
[source,yaml]
----
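AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions: # Sensitive
        # Application and slow logs are published, but AUDIT_LOGS is absent,
        # so access to the domain itself is not audited.
        ES_APPLICATION_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-application-logs'
          Enabled: true
        INDEX_SLOW_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-index-slow-logs'
          Enabled: true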
----
For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:
[source,yaml]
----
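AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFrontDistribution: # Sensitive
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"
        # No Logging block: viewer requests are not written to any S3 bucket.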
----
For https://aws.amazon.com/elasticloadbalancing/[Amazon Elastic Load Balancing]:
[source,yaml]
----
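AWSTemplateFormatVersion: 2010-09-09
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        # Access logging explicitly disabled; requests through the load
        # balancer are not recorded.
        Enabled: false # Sensitive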
----
For https://aws.amazon.com/elasticloadbalancing/[Amazon Elastic Load Balancing v2] (`AWS::ElasticLoadBalancingV2::LoadBalancer`):
[source,yaml]
----
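AWSTemplateFormatVersion: 2010-09-09
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      # This is the non-compliant example; the name should say so.
      Name: NoncompliantLoadBalancer
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          # Attribute values are strings in the ELBv2 schema; quoting keeps the
          # YAML parser from producing a boolean that fails property validation.
          Value: "false" # Sensitive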
----
== Compliant Solution
For https://aws.amazon.com/s3/[Amazon S3] buckets, with server access logging delivered to a dedicated log bucket:
[source,yaml]
----
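AWSTemplateFormatVersion: 2010-09-09
Resources:
  S3BucketLogs:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantloggingbucket"
      # Lets the S3 log delivery group write access logs into this bucket.
      # NOTE(review): buckets with ACLs disabled (ObjectOwnership
      # BucketOwnerEnforced, the default for new buckets) reject this ACL;
      # grant logging.s3.amazonaws.com s3:PutObject via a bucket policy instead.
      AccessControl: LogDeliveryWrite
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: "mycompliantbucket"
      LoggingConfiguration:
        # Server access logs for this bucket are delivered to S3BucketLogs.
        DestinationBucketName: !Ref S3BucketLogs
        LogFilePrefix: testing-logs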
----
For https://aws.amazon.com/api-gateway/[Amazon API Gateway] stages:
[source,yaml]
----
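AWSTemplateFormatVersion: 2010-09-09
Resources:
  Prod:
    Type: AWS::ApiGateway::Stage
    Properties:
      StageName: Prod
      Description: Prod Stage
      TracingEnabled: true
      AccessLogSetting:
        # Must be a CloudWatch Logs log-group ARN (12-digit account id);
        # a Kinesis Data Firehose stream ARN is also accepted.
        DestinationArn: "arn:aws:logs:eu-west-1:123456789012:log-group:apigw-prod-access"
        # Access-log line format built from $context variables.
        Format: "$context.requestId $context.identity.sourceIp $context.requestTime $context.httpMethod $context.resourcePath $context.status"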
----
For https://aws.amazon.com/neptune/[Amazon Neptune] clusters:
[source,yaml]
----
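AWSTemplateFormatVersion: 2010-09-09
Resources:
  Cluster:
    Type: AWS::Neptune::DBCluster
    Properties:
      # Export the audit log to CloudWatch Logs.
      EnableCloudwatchLogsExports: ["audit"]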
----
For https://aws.amazon.com/msk/[Amazon MSK] broker logs:
[source,yaml]
----
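AWSTemplateFormatVersion: 2010-09-09
Resources:
  CompliantCluster:
    Type: 'AWS::MSK::Cluster'
    Properties:
      # MSK cluster names allow only letters, digits and hyphens.
      ClusterName: compliant-cluster
      LoggingInfo:
        BrokerLogs:
          # At least one delivery target must be enabled; here broker logs go
          # to both a Firehose stream and an S3 bucket.
          Firehose:
            DeliveryStream: DS
            Enabled: true
          S3:
            # S3 bucket names are lowercase and cannot contain spaces.
            Bucket: broker-logs
            Enabled: true
            Prefix: "logs/msk-brokers-"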
----
For https://aws.amazon.com/documentdb/[Amazon DocumentDB] clusters:
[source,yaml]
----
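AWSTemplateFormatVersion: "2010-09-09"
Resources:
  DocDBWithLogs:
    Type: "AWS::DocDB::DBCluster"
    Properties:
      # Cluster identifiers allow only letters, digits and hyphens (no spaces).
      DBClusterIdentifier: "db-with-logs"
      # Export the audit log to CloudWatch Logs.
      EnableCloudwatchLogsExports:
        - audit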
----
For https://aws.amazon.com/amazon-mq/[Amazon MQ] brokers, enable at least one of `Audit` or `General` logging:
[source,yaml]
----
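AWSTemplateFormatVersion: 2010-09-09
Resources:
  Broker:
    Type: AWS::AmazonMQ::Broker
    Properties:
      Logs:
        # Publish both audit and general broker logs to CloudWatch Logs.
        Audit: true
        General: true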
----
For https://aws.amazon.com/redshift/[Amazon Redshift]:
[source,yaml]
----
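AWSTemplateFormatVersion: 2010-09-09
Resources:
  CompliantCluster:
    Type: "AWS::Redshift::Cluster"
    Properties:
      # DBName must be lowercase alphanumeric.
      DBName: "warehouse"
      LoggingProperties:
        # Audit logs are delivered to this bucket under the given prefix.
        # NOTE(review): the bucket policy must let Redshift write objects, or
        # stack creation fails — confirm against the Redshift logging docs.
        BucketName: "infra-logs"
        S3KeyPrefix: "log/redshift-"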
----
For https://aws.amazon.com/opensearch-service/[Amazon OpenSearch Service] (or legacy Amazon Elasticsearch Service) domains, publish `AUDIT_LOGS`:
[source,yaml]
----
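AWSTemplateFormatVersion: '2010-09-09'
Resources:
  OpenSearchServiceDomain:
    Type: 'AWS::OpenSearchService::Domain'
    Properties:
      LogPublishingOptions:
        # Audit logs record who accessed the domain and what they did.
        # NOTE(review): AUDIT_LOGS requires fine-grained access control
        # (AdvancedSecurityOptions) to be enabled on the domain — confirm.
        AUDIT_LOGS:
          CloudWatchLogsLogGroupArn: 'arn:aws:logs:us-east-1:1234:log-group:es-audit-logs'
          Enabled: true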
----
For https://aws.amazon.com/cloudfront/[Amazon CloudFront] distributions:
[source,yaml]
----
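AWSTemplateFormatVersion: 2010-09-09
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultRootObject: "index.html"
        Logging:
          # CloudFront expects the bucket's domain name here, not its bare name.
          # NOTE(review): standard logging also needs ACLs enabled on the
          # target bucket — confirm its ObjectOwnership setting.
          Bucket: "mycompliantbucket.s3.amazonaws.com"
          Prefix: "log/cloudfront-"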
----
For https://aws.amazon.com/elasticloadbalancing/[Amazon Elastic Load Balancing]:
[source,yaml]
----
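AWSTemplateFormatVersion: 2010-09-09
Resources:
  LoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      AccessLoggingPolicy:
        # Deliver access logs to S3 under the given prefix.
        # NOTE(review): the bucket policy must allow the regional ELB
        # account to put objects — confirm against the ELB access-log docs.
        Enabled: true
        S3BucketName: mycompliantbucket
        S3BucketPrefix: "log/loadbalancer-"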
----
For https://aws.amazon.com/elasticloadbalancing/[Amazon Elastic Load Balancing v2] (`AWS::ElasticLoadBalancingV2::LoadBalancer`):
[source,yaml]
----
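AWSTemplateFormatVersion: 2010-09-09
Resources:
  ApplicationLoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Name: CompliantLoadBalancer
      # Attribute values are strings in the ELBv2 schema; quote them so YAML
      # does not turn "true" into a boolean that fails property validation.
      LoadBalancerAttributes:
        - Key: "access_logs.s3.enabled"
          Value: "true"
        - Key: "access_logs.s3.bucket"
          Value: "mycompliantbucket"
        - Key: "access_logs.s3.prefix"
          Value: "log/elbv2-"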
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
endif::env-github,rspecator-view[]