From 030d7c1b6dc346f387667f3497f16771788d428d Mon Sep 17 00:00:00 2001 
From: Steven Smiley <53946040+StevenSmiley@users.noreply.github.com> Date: Mon, 22 Apr 2024 15:21:48 -0700 Subject: [PATCH 01/13] Cleanup examples --- .../aws/cloudtrail/enable_all_regions.cf.go | 2 +- .../aws/cloudtrail/enable_log_validation.cf.go | 2 +- .../cloudtrail/encryption_customer_key.cf.go | 2 +- .../dynamodb/enable_at_rest_encryption.cf.go | 8 ++++---- .../add_description_to_security_group.cf.go | 4 ---- ...dd_description_to_security_group_rule.cf.go | 4 ---- .../cloud/aws/ec2/no_public_ingress_sgr.cf.go | 6 +----- checks/cloud/aws/iam/no_policy_wildcards.cf.go | 4 ---- .../kinesis/enable_in_transit_encryption.cf.go | 1 - checks/cloud/aws/lambda/enable_tracing.cf.go | 2 +- .../cloud/aws/lambda/restrict_source_arn.cf.go | 2 -- checks/cloud/aws/mq/enable_audit_logging.cf.go | 10 ++-------- .../cloud/aws/mq/enable_general_logging.cf.go | 10 ++-------- checks/cloud/aws/mq/no_public_access.cf.go | 10 ++-------- .../aws/msk/enable_at_rest_encryption.cf.go | 8 ++------ .../aws/msk/enable_in_transit_encryption.cf.go | 8 ++------ checks/cloud/aws/msk/enable_logging.cf.go | 9 ++------- .../cloud/aws/neptune/enable_log_export.cf.go | 11 ++--------- .../neptune/enable_storage_encryption.cf.go | 8 ++------ .../aws/neptune/encryption_customer_key.cf.go | 10 ++-------- .../cloud/aws/rds/disable_public_access.cf.go | 10 ++-------- .../aws/rds/enable_performance_insights.cf.go | 9 ++------- .../aws/rds/encrypt_cluster_storage_data.cf.go | 10 ++-------- .../rds/encrypt_instance_storage_data.cf.go | 9 ++------- .../cloud/aws/rds/no_classic_resources.cf.go | 10 +++------- ...ance_insights_encryption_customer_key.cf.go | 10 ++-------- .../aws/rds/specify_backup_retention.cf.go | 10 ++-------- .../add_description_to_security_group.cf.go | 12 ++++-------- .../aws/redshift/encryption_customer_key.cf.go | 10 +++------- .../aws/redshift/no_classic_resources.cf.go | 4 ++-- checks/cloud/aws/redshift/use_vpc.cf.go | 2 +- .../aws/s3/enable_bucket_encryption.cf.go | 6 +++--- 
.../cloud/aws/s3/enable_bucket_logging.cf.go | 8 +++----- checks/cloud/aws/s3/enable_versioning.cf.go | 2 +- .../cloud/aws/s3/encryption_customer_key.cf.go | 18 +++++++++--------- checks/cloud/aws/s3/ignore_public_acls.cf.go | 4 ++-- .../aws/s3/no_public_access_with_acl.cf.go | 4 ++-- checks/cloud/aws/s3/no_public_buckets.cf.go | 4 ++-- .../aws/s3/specify_public_access_block.cf.go | 4 ++-- .../aws/sam/api_use_secure_tls_policy.cf.go | 8 ++------ .../aws/sam/enable_api_access_logging.cf.go | 8 ++------ .../aws/sam/enable_api_cache_encryption.cf.go | 12 +++--------- checks/cloud/aws/sam/enable_api_tracing.cf.go | 12 +++--------- .../aws/sam/enable_function_tracing.cf.go | 4 ---- .../sam/enable_http_api_access_logging.cf.go | 8 ++------ .../aws/sam/enable_state_machine_tracing.cf.go | 6 ------ .../aws/sam/enable_table_encryption.cf.go | 6 ------ .../aws/sam/no_function_policy_wildcards.cf.go | 4 ---- .../no_state_machine_policy_wildcards.cf.go | 4 ---- .../aws/sns/enable_topic_encryption.cf.go | 10 ++-------- .../aws/sns/topic_encryption_with_cmk.cf.go | 10 ++-------- .../aws/sqs/enable_queue_encryption.cf.go | 9 ++------- .../sqs/no_wildcards_in_policy_documents.cf.go | 8 ++------ .../aws/sqs/queue_encryption_with_cmk.cf.go | 10 ++-------- .../aws/ssm/secret_use_customer_key.cf.go | 6 +----- 55 files changed, 99 insertions(+), 293 deletions(-) diff --git a/checks/cloud/aws/cloudtrail/enable_all_regions.cf.go b/checks/cloud/aws/cloudtrail/enable_all_regions.cf.go index d520d8b8..8f093cbc 100644 --- a/checks/cloud/aws/cloudtrail/enable_all_regions.cf.go +++ b/checks/cloud/aws/cloudtrail/enable_all_regions.cf.go @@ -3,7 +3,7 @@ package cloudtrail var cloudFormationEnableAllRegionsGoodExamples = []string{ `--- Resources: - BadExample: + GoodExample: Type: AWS::CloudTrail::Trail Properties: IsLogging: true diff --git a/checks/cloud/aws/cloudtrail/enable_log_validation.cf.go b/checks/cloud/aws/cloudtrail/enable_log_validation.cf.go index 5b66e32e..080fba33 100644 
--- a/checks/cloud/aws/cloudtrail/enable_log_validation.cf.go +++ b/checks/cloud/aws/cloudtrail/enable_log_validation.cf.go @@ -3,7 +3,7 @@ package cloudtrail var cloudFormationEnableLogValidationGoodExamples = []string{ `--- Resources: - BadExample: + GoodExample: Type: AWS::CloudTrail::Trail Properties: IsLogging: true diff --git a/checks/cloud/aws/cloudtrail/encryption_customer_key.cf.go b/checks/cloud/aws/cloudtrail/encryption_customer_key.cf.go index a52c9c68..9bb1247f 100644 --- a/checks/cloud/aws/cloudtrail/encryption_customer_key.cf.go +++ b/checks/cloud/aws/cloudtrail/encryption_customer_key.cf.go @@ -3,7 +3,7 @@ package cloudtrail var cloudFormationEncryptionCustomerManagedKeyGoodExamples = []string{ `--- Resources: - BadExample: + GoodExample: Type: AWS::CloudTrail::Trail Properties: IsLogging: true diff --git a/checks/cloud/aws/dynamodb/enable_at_rest_encryption.cf.go b/checks/cloud/aws/dynamodb/enable_at_rest_encryption.cf.go index 411f3337..0bbdf666 100644 --- a/checks/cloud/aws/dynamodb/enable_at_rest_encryption.cf.go +++ b/checks/cloud/aws/dynamodb/enable_at_rest_encryption.cf.go @@ -3,14 +3,14 @@ package dynamodb var cloudFormationEnableAtRestEncryptionGoodExamples = []string{ `--- Resources: - daxCluster: + GoodExample: Type: AWS::DAX::Cluster Properties: ClusterName: "MyDAXCluster" NodeType: "dax.r3.large" ReplicationFactor: 1 IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess" - Description: "DAX cluster created with CloudFormation" + Description: "DAX cluster with encryption at rest" SSESpecification: SSEEnabled: true `, 
@@ -19,14 +19,14 @@ Resources: var cloudFormationEnableAtRestEncryptionBadExamples = []string{ `--- Resources: - daxCluster: + BadExample: Type: AWS::DAX::Cluster Properties: ClusterName: "MyDAXCluster" NodeType: "dax.r3.large" ReplicationFactor: 1 IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess" - Description: "DAX cluster created with CloudFormation" + Description: "DAX cluster without encryption at rest" SubnetGroupName: !Ref subnetGroupClu `, } diff --git a/checks/cloud/aws/ec2/add_description_to_security_group.cf.go b/checks/cloud/aws/ec2/add_description_to_security_group.cf.go index fa28e64e..d85f2899 100644 --- a/checks/cloud/aws/ec2/add_description_to_security_group.cf.go +++ b/checks/cloud/aws/ec2/add_description_to_security_group.cf.go @@ -2,8 +2,6 @@ package ec2 var cloudFormationAddDescriptionToSecurityGroupGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of group description Resources: GoodSecurityGroup: Type: AWS::EC2::SecurityGroup @@ -17,8 +15,6 @@ Resources: var cloudFormationAddDescriptionToSecurityGroupBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of group description Resources: BadSecurityGroup: Type: AWS::EC2::SecurityGroup diff --git a/checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go b/checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go index 4b9adbe7..0a01c832 100644 --- a/checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go +++ b/checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go @@ -2,8 +2,6 @@ package ec2 var cloudFormationAddDescriptionToSecurityGroupRuleGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of SGR description Resources: GoodSecurityGroup: Type: AWS::EC2::SecurityGroup 
@@ -18,8 +16,6 @@ Resources: var cloudFormationAddDescriptionToSecurityGroupRuleBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of SGR description Resources: BadSecurityGroup: Type: AWS::EC2::SecurityGroup diff --git a/checks/cloud/aws/ec2/no_public_ingress_sgr.cf.go b/checks/cloud/aws/ec2/no_public_ingress_sgr.cf.go index f27fe989..03118337 100644 --- a/checks/cloud/aws/ec2/no_public_ingress_sgr.cf.go +++ b/checks/cloud/aws/ec2/no_public_ingress_sgr.cf.go @@ -2,10 +2,8 @@ package ec2 var cloudFormationNoPublicIngressSgrGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of ingress rule Resources: - BadSecurityGroup: + GoodSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Limits security group egress traffic @@ -17,8 +15,6 @@ Resources: var cloudFormationNoPublicIngressSgrBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of ingress rule Resources: BadSecurityGroup: Type: AWS::EC2::SecurityGroup diff --git a/checks/cloud/aws/iam/no_policy_wildcards.cf.go b/checks/cloud/aws/iam/no_policy_wildcards.cf.go index 690b08b0..dc509d23 100644 --- a/checks/cloud/aws/iam/no_policy_wildcards.cf.go +++ b/checks/cloud/aws/iam/no_policy_wildcards.cf.go @@ -2,8 +2,6 @@ package iam var cloudFormationNoPolicyWildcardsGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of policy Resources: GoodPolicy: Type: 'AWS::IAM::Policy' @@ -21,8 +19,6 @@ Resources: var cloudFormationNoPolicyWildcardsBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of policy Resources: BadPolicy: Type: 'AWS::IAM::Policy' diff --git a/checks/cloud/aws/kinesis/enable_in_transit_encryption.cf.go b/checks/cloud/aws/kinesis/enable_in_transit_encryption.cf.go index 71aec208..e2024cc7 100644 --- a/checks/cloud/aws/kinesis/enable_in_transit_encryption.cf.go 
+++ b/checks/cloud/aws/kinesis/enable_in_transit_encryption.cf.go @@ -32,7 +32,6 @@ Resources: - Key: Environment Value: Production - `, } diff --git a/checks/cloud/aws/lambda/enable_tracing.cf.go b/checks/cloud/aws/lambda/enable_tracing.cf.go index 57e009a7..16bb82c3 100644 --- a/checks/cloud/aws/lambda/enable_tracing.cf.go +++ b/checks/cloud/aws/lambda/enable_tracing.cf.go @@ -3,7 +3,7 @@ package lambda var cloudFormationEnableTracingGoodExamples = []string{ `--- Resources: - Function: + GoodExample: Type: AWS::Lambda::Function Properties: Handler: index.handler diff --git a/checks/cloud/aws/lambda/restrict_source_arn.cf.go b/checks/cloud/aws/lambda/restrict_source_arn.cf.go index d72be4fb..74fab788 100644 --- a/checks/cloud/aws/lambda/restrict_source_arn.cf.go +++ b/checks/cloud/aws/lambda/restrict_source_arn.cf.go @@ -28,7 +28,6 @@ Resources: Action: lambda:InvokeFunction Principal: s3.amazonaws.com SourceArn: "lambda.amazonaws.com" - `, } @@ -59,7 +58,6 @@ Resources: FunctionName: !Ref BadExample Action: lambda:InvokeFunction Principal: s3.amazonaws.com - `, } diff --git a/checks/cloud/aws/mq/enable_audit_logging.cf.go b/checks/cloud/aws/mq/enable_audit_logging.cf.go index f2e0e688..36623ca4 100644 --- a/checks/cloud/aws/mq/enable_audit_logging.cf.go +++ b/checks/cloud/aws/mq/enable_audit_logging.cf.go @@ -2,29 +2,23 @@ package mq var cloudFormationEnableAuditLoggingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Broker: + GoodBroker: Type: AWS::AmazonMQ::Broker Properties: Logs: Audit: true - `, } var cloudFormationEnableAuditLoggingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Broker: + BadBroker: Type: AWS::AmazonMQ::Broker Properties: Logs: Audit: false - `, } diff --git a/checks/cloud/aws/mq/enable_general_logging.cf.go b/checks/cloud/aws/mq/enable_general_logging.cf.go index 2743db2c..77d854da 100644 
--- a/checks/cloud/aws/mq/enable_general_logging.cf.go +++ b/checks/cloud/aws/mq/enable_general_logging.cf.go @@ -2,29 +2,23 @@ package mq var cloudFormationEnableGeneralLoggingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Broker: + GoodBroker: Type: AWS::AmazonMQ::Broker Properties: Logs: General: true - `, } var cloudFormationEnableGeneralLoggingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Broker: + BadBroker: Type: AWS::AmazonMQ::Broker Properties: Logs: General: false - `, } diff --git a/checks/cloud/aws/mq/no_public_access.cf.go b/checks/cloud/aws/mq/no_public_access.cf.go index 32e167ac..ee687027 100644 --- a/checks/cloud/aws/mq/no_public_access.cf.go +++ b/checks/cloud/aws/mq/no_public_access.cf.go @@ -2,27 +2,21 @@ package mq var cloudFormationNoPublicAccessGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Broker: + GoodBroker: Type: AWS::AmazonMQ::Broker Properties: PubliclyAccessible: false - `, } var cloudFormationNoPublicAccessBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Broker: + BadBroker: Type: AWS::AmazonMQ::Broker Properties: PubliclyAccessible: true - `, } diff --git a/checks/cloud/aws/msk/enable_at_rest_encryption.cf.go b/checks/cloud/aws/msk/enable_at_rest_encryption.cf.go index 084839e2..ac2cf4c5 100644 --- a/checks/cloud/aws/msk/enable_at_rest_encryption.cf.go +++ b/checks/cloud/aws/msk/enable_at_rest_encryption.cf.go @@ -2,10 +2,8 @@ package msk var cloudFormationEnableAtRestEncryptionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::MSK::Cluster Properties: EncryptionInfo: 
@@ -16,10 +14,8 @@ Resources: var cloudFormationEnableAtRestEncryptionBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Cluster: + BadCluster: Type: AWS::MSK::Cluster Properties: `, diff --git a/checks/cloud/aws/msk/enable_in_transit_encryption.cf.go b/checks/cloud/aws/msk/enable_in_transit_encryption.cf.go index 2880b766..c29d5823 100644 --- a/checks/cloud/aws/msk/enable_in_transit_encryption.cf.go +++ b/checks/cloud/aws/msk/enable_in_transit_encryption.cf.go @@ -2,10 +2,8 @@ package msk var cloudFormationEnableInTransitEncryptionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::MSK::Cluster Properties: EncryptionInfo: @@ -16,10 +14,8 @@ Resources: var cloudFormationEnableInTransitEncryptionBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Cluster: + BadCluster: Type: AWS::MSK::Cluster Properties: EncryptionInfo: diff --git a/checks/cloud/aws/msk/enable_logging.cf.go b/checks/cloud/aws/msk/enable_logging.cf.go index bbce3510..639956d2 100644 --- a/checks/cloud/aws/msk/enable_logging.cf.go +++ b/checks/cloud/aws/msk/enable_logging.cf.go @@ -2,10 +2,8 @@ package msk var cloudFormationEnableLoggingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::MSK::Cluster Properties: LoggingInfo: @@ -19,17 +17,14 @@ Resources: var cloudFormationEnableLoggingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Cluster: + BadCluster: Type: AWS::MSK::Cluster Properties: LoggingInfo: BrokerLogs: CloudWatchLogs: Enabled: false - `, } diff --git a/checks/cloud/aws/neptune/enable_log_export.cf.go b/checks/cloud/aws/neptune/enable_log_export.cf.go index b2b0bb5a..f41a8dd2 100644 --- a/checks/cloud/aws/neptune/enable_log_export.cf.go 
+++ b/checks/cloud/aws/neptune/enable_log_export.cf.go @@ -2,30 +2,23 @@ package neptune var cloudFormationEnableLogExportGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::Neptune::DBCluster Properties: EnableCloudwatchLogsExports: - audit - - `, } var cloudFormationEnableLogExportBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Cluster: + BadCluster: Type: AWS::Neptune::DBCluster Properties: EnableCloudwatchLogsExports: - debug - `, } diff --git a/checks/cloud/aws/neptune/enable_storage_encryption.cf.go b/checks/cloud/aws/neptune/enable_storage_encryption.cf.go index c5835718..de513e5d 100644 --- a/checks/cloud/aws/neptune/enable_storage_encryption.cf.go +++ b/checks/cloud/aws/neptune/enable_storage_encryption.cf.go @@ -2,15 +2,12 @@ package neptune var cloudFormationEnableStorageEncryptionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::Neptune::DBCluster Properties: StorageEncrypted: true KmsKeyId: "something" - `, } @@ -19,11 +16,10 @@ var cloudFormationEnableStorageEncryptionBadExamples = []string{ AWSTemplateFormatVersion: 2010-09-09 Description: Bad example Resources: - Cluster: + BadCluster: Type: AWS::Neptune::DBCluster Properties: StorageEncrypted: false - `, } diff --git a/checks/cloud/aws/neptune/encryption_customer_key.cf.go b/checks/cloud/aws/neptune/encryption_customer_key.cf.go index cb9dbfa2..d415e1ab 100644 --- a/checks/cloud/aws/neptune/encryption_customer_key.cf.go +++ b/checks/cloud/aws/neptune/encryption_customer_key.cf.go 
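Review bot: The neptune/enable_storage_encryption bad example in the second hunk (`@@ -19,11 +16,10 @@`) still carries the `AWSTemplateFormatVersion: 2010-09-09` and `Description: Bad example` header lines that the good example in the same file just dropped, so the two fixtures in one file no longer share a shape. Removing those two lines here as well would keep the file consistent with every other fixture touched by this commit. Nothing the check reads depends on them, so this is a style point only.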
@@ -2,28 +2,22 @@ package neptune var cloudFormationCheckEncryptionCustomerKeyGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::Neptune::DBCluster Properties: StorageEncrypted: true KmsKeyId: "something" - `, } var cloudFormationCheckEncryptionCustomerKeyBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Cluster: + BadCluster: Type: AWS::Neptune::DBCluster Properties: StorageEncrypted: false - `, } diff --git a/checks/cloud/aws/rds/disable_public_access.cf.go b/checks/cloud/aws/rds/disable_public_access.cf.go index 8c4be392..b3a2ed29 100644 --- a/checks/cloud/aws/rds/disable_public_access.cf.go +++ b/checks/cloud/aws/rds/disable_public_access.cf.go @@ -2,27 +2,21 @@ package rds var cloudFormationNoPublicDbAccessGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Queue: + GoodQueue: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: false - `, } var cloudFormationNoPublicDbAccessBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Queue: + BadQueue: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: true - `, } diff --git a/checks/cloud/aws/rds/enable_performance_insights.cf.go b/checks/cloud/aws/rds/enable_performance_insights.cf.go index d51f6bd8..2ae0a1fb 100644 --- a/checks/cloud/aws/rds/enable_performance_insights.cf.go +++ b/checks/cloud/aws/rds/enable_performance_insights.cf.go @@ -2,10 +2,8 @@ package rds var cloudFormationEnablePerformanceInsightsGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Queue: + GoodExample: Type: AWS::RDS::DBInstance Properties: EnablePerformanceInsights: true 
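Review bot: The rds/disable_public_access hunks rename the `AWS::RDS::DBInstance` resources to `GoodQueue`/`BadQueue`, which keeps the misleading "queue" name for a database instance and diverges from the `GoodExample`/`BadExample` convention this same commit applies to the neighbouring RDS fixtures. Suggest `GoodExample:` and `BadExample:` here too. Cosmetic only; the `PubliclyAccessible` values the check evaluates are unchanged.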
@@ -16,14 +14,11 @@ Resources: var cloudFormationEnablePerformanceInsightsBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Queue: + BadExample: Type: AWS::RDS::DBInstance Properties: EnablePerformanceInsights: false - `, } diff --git a/checks/cloud/aws/rds/encrypt_cluster_storage_data.cf.go b/checks/cloud/aws/rds/encrypt_cluster_storage_data.cf.go index c30b13d5..78eba360 100644 --- a/checks/cloud/aws/rds/encrypt_cluster_storage_data.cf.go +++ b/checks/cloud/aws/rds/encrypt_cluster_storage_data.cf.go @@ -2,28 +2,22 @@ package rds var cloudFormationEncryptClusterStorageDataGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of rds sgr Resources: - Cluster: + GoodExample: Type: AWS::RDS::DBCluster Properties: StorageEncrypted: true KmsKeyId: "something" - `, } var cloudFormationEncryptClusterStorageDataBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of rds sgr Resources: - Cluster: + BadExample: Type: AWS::RDS::DBCluster Properties: StorageEncrypted: false - `, } diff --git a/checks/cloud/aws/rds/encrypt_instance_storage_data.cf.go b/checks/cloud/aws/rds/encrypt_instance_storage_data.cf.go index 233d8641..b8535971 100644 --- a/checks/cloud/aws/rds/encrypt_instance_storage_data.cf.go +++ b/checks/cloud/aws/rds/encrypt_instance_storage_data.cf.go @@ -2,10 +2,8 @@ package rds var cloudFormationEncryptInstanceStorageDataGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of rds sgr Resources: - Instance: + GoodExample: Type: AWS::RDS::DBInstance Properties: StorageEncrypted: true @@ -16,14 +14,11 @@ Resources: var cloudFormationEncryptInstanceStorageDataBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of rds sgr Resources: - Instance: + BadExample: Type: AWS::RDS::DBInstance Properties: StorageEncrypted: false - `, } 
diff --git a/checks/cloud/aws/rds/no_classic_resources.cf.go b/checks/cloud/aws/rds/no_classic_resources.cf.go index 7b93bbdd..ca2d9f47 100644 --- a/checks/cloud/aws/rds/no_classic_resources.cf.go +++ b/checks/cloud/aws/rds/no_classic_resources.cf.go @@ -2,23 +2,19 @@ package rds var cloudFormationNoClassicResourcesGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of rds sgr Resources: - +# TODO `, } var cloudFormationNoClassicResourcesBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of rds sgr Resources: - Queue: + BadExample: Type: AWS::RDS::DBSecurityGroup Properties: Description: "" - + # TODO `, } diff --git a/checks/cloud/aws/rds/performance_insights_encryption_customer_key.cf.go b/checks/cloud/aws/rds/performance_insights_encryption_customer_key.cf.go index 89ba60a7..82cfccb0 100644 --- a/checks/cloud/aws/rds/performance_insights_encryption_customer_key.cf.go +++ b/checks/cloud/aws/rds/performance_insights_encryption_customer_key.cf.go @@ -2,28 +2,22 @@ package rds var cloudFormationPerformanceInsightsEncryptionCustomerKeyGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Queue: + GoodExample: Type: AWS::RDS::DBInstance Properties: EnablePerformanceInsights: true PerformanceInsightsKMSKeyId: "something" - `, } var cloudFormationPerformanceInsightsEncryptionCustomerKeyBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Queue: + BadExample: Type: AWS::RDS::DBInstance Properties: EnablePerformanceInsights: true - `, } diff --git a/checks/cloud/aws/rds/specify_backup_retention.cf.go b/checks/cloud/aws/rds/specify_backup_retention.cf.go index 300d0ebb..55a1d9bc 100644 --- a/checks/cloud/aws/rds/specify_backup_retention.cf.go +++ b/checks/cloud/aws/rds/specify_backup_retention.cf.go 
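Review bot: In rds/no_classic_resources the good example now consists of `Resources:` followed by `# TODO`, i.e. a template that declares no resources at all, so it passes the check trivially and shows a reader nothing about what a compliant alternative looks like; the bad example likewise ends in a `# TODO` inside the raw string. If the rule's intent is to steer users away from EC2-Classic `AWS::RDS::DBSecurityGroup` (inferred from the name only), the good fixture should declare the VPC-era equivalent, e.g. a `GoodExample:` of `Type: AWS::EC2::SecurityGroup` with a `GroupDescription`, and both `# TODO` markers should be resolved before merge. An empty good example also cannot catch a regression where the check starts flagging unrelated resource types.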
@@ -2,26 +2,20 @@ package rds var cloudFormationSpecifyBackupRetentionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Queue: + GoodExample: Type: AWS::RDS::DBInstance Properties: BackupRetentionPeriod: 30 - `, } var cloudFormationSpecifyBackupRetentionBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example Resources: - Queue: + BadExample: Type: AWS::RDS::DBInstance Properties: - `, } diff --git a/checks/cloud/aws/redshift/add_description_to_security_group.cf.go b/checks/cloud/aws/redshift/add_description_to_security_group.cf.go index 5f65e8f1..34339c11 100644 --- a/checks/cloud/aws/redshift/add_description_to_security_group.cf.go +++ b/checks/cloud/aws/redshift/add_description_to_security_group.cf.go @@ -2,27 +2,23 @@ package redshift var cloudFormationAddDescriptionToSecurityGroupGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of redshift sgr Resources: - Queue: + GoodExample: Type: AWS::Redshift::ClusterSecurityGroup Properties: Description: "Disallow bad stuff" - + # TODO `, } var cloudFormationAddDescriptionToSecurityGroupBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of redshift sgr Resources: - Queue: + BadExample: Type: AWS::Redshift::ClusterSecurityGroup Properties: Description: "" - + # TODO `, } diff --git a/checks/cloud/aws/redshift/encryption_customer_key.cf.go b/checks/cloud/aws/redshift/encryption_customer_key.cf.go index c8a5581f..8ebd547c 100644 --- a/checks/cloud/aws/redshift/encryption_customer_key.cf.go +++ b/checks/cloud/aws/redshift/encryption_customer_key.cf.go @@ -2,10 +2,8 @@ package redshift var cloudFormationEncryptionCustomerKeyGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of redshift cluster Resources: - Queue: + GoodExample: Type: AWS::Redshift::Cluster Properties: Encrypted: true 
@@ -16,13 +14,11 @@ Resources: var cloudFormationEncryptionCustomerKeyBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of redshift cluster Resources: - Queue: + BadExample: Type: AWS::Redshift::Cluster Properties: - Encrypted: true + Encrypted: false `, } diff --git a/checks/cloud/aws/redshift/no_classic_resources.cf.go b/checks/cloud/aws/redshift/no_classic_resources.cf.go index 0464a607..f92b353e 100644 --- a/checks/cloud/aws/redshift/no_classic_resources.cf.go +++ b/checks/cloud/aws/redshift/no_classic_resources.cf.go @@ -5,7 +5,7 @@ var cloudFormationNoClassicResourcesGoodExamples = []string{ AWSTemplateFormatVersion: 2010-09-09 Description: Good example of redshift sgr Resources: - +# TODO `, } @@ -18,7 +18,7 @@ Resources: Type: AWS::Redshift::ClusterSecurityGroup Properties: Description: "" - + # TODO `, } diff --git a/checks/cloud/aws/redshift/use_vpc.cf.go b/checks/cloud/aws/redshift/use_vpc.cf.go index 37e37a1e..bd9dd880 100644 --- a/checks/cloud/aws/redshift/use_vpc.cf.go +++ b/checks/cloud/aws/redshift/use_vpc.cf.go @@ -22,7 +22,7 @@ Resources: Type: AWS::Redshift::Cluster Properties: ClusterSubnetGroupName: "" - + # TODO `, } diff --git a/checks/cloud/aws/s3/enable_bucket_encryption.cf.go b/checks/cloud/aws/s3/enable_bucket_encryption.cf.go index 64becbd7..bb3ffac4 100644 --- a/checks/cloud/aws/s3/enable_bucket_encryption.cf.go +++ b/checks/cloud/aws/s3/enable_bucket_encryption.cf.go @@ -4,13 +4,13 @@ var cloudFormationEnableBucketEncryptionGoodExamples = []string{ ` Resources: GoodExample: + Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - BucketKeyEnabled: true ServerSideEncryptionByDefault: SSEAlgorithm: AES256 - Type: AWS::S3::Bucket `, } 
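Review bot: Flipping the redshift/encryption_customer_key bad example from `Encrypted: true` to `Encrypted: false` changes what the fixture exercises: the original (encrypted, but no `KmsKeyId`) was the case specific to a customer-managed-key rule, whereas `Encrypted: false` is the generic "encryption disabled" case that a separate at-rest-encryption check would also cover. If this check only reports a missing customer key, the new bad example may no longer produce a finding; if it reports both conditions, the CMK-specific path is now untested. Suggest keeping `Encrypted: true` without a `KmsKeyId` as one bad example and, if a disabled case is wanted, adding `Encrypted: false` as a second entry in `cloudFormationEncryptionCustomerKeyBadExamples`.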
@@ -18,14 +18,14 @@ var cloudFormationEnableBucketEncryptionBadExamples = []string{ `--- Resources: BadExample: + Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - BucketKeyEnabled: false ServerSideEncryptionByDefault: KMSMasterKeyID: asdf - SSEAlgorithm: asdf - Type: AWS::S3::Bucket + SSEAlgorithm: asdf # TODO `, } diff --git a/checks/cloud/aws/s3/enable_bucket_logging.cf.go b/checks/cloud/aws/s3/enable_bucket_logging.cf.go index 33984656..68169dad 100644 --- a/checks/cloud/aws/s3/enable_bucket_logging.cf.go +++ b/checks/cloud/aws/s3/enable_bucket_logging.cf.go @@ -4,18 +4,16 @@ var cloudFormationEnableBucketLoggingGoodExamples = []string{ `--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: LoggingConfiguration: DestinationBucketName: logging-bucket LogFilePrefix: accesslogs/ - Type: AWS::S3::Bucket `, `--- Resources: - MyS3Bucket: + GoodExample: Type: AWS::S3::Bucket - DeletionPolicy: Retain - UpdateReplacePolicy: Retain Properties: BucketName: !Sub my-s3-bucket-${BucketSuffix} LoggingConfiguration: @@ -33,7 +31,7 @@ Resources: var cloudFormationEnableBucketLoggingBadExamples = []string{ `--- Resources: - DisabledEncryptionBucket: + BadExample: Properties: Type: AWS::S3::Bucket `, diff --git a/checks/cloud/aws/s3/enable_versioning.cf.go b/checks/cloud/aws/s3/enable_versioning.cf.go index ababbce7..4781542d 100644 --- a/checks/cloud/aws/s3/enable_versioning.cf.go +++ b/checks/cloud/aws/s3/enable_versioning.cf.go @@ -4,10 +4,10 @@ var cloudFormationEnableVersioningGoodExamples = []string{ `--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled - Type: AWS::S3::Bucket `, } diff --git a/checks/cloud/aws/s3/encryption_customer_key.cf.go b/checks/cloud/aws/s3/encryption_customer_key.cf.go index c4fe72b5..0adfbacb 100644 --- a/checks/cloud/aws/s3/encryption_customer_key.cf.go +++ b/checks/cloud/aws/s3/encryption_customer_key.cf.go 
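Review bot: The s3/enable_bucket_encryption bad example still declares a full `BucketEncryption` block (`KMSMasterKeyID: asdf`, `SSEAlgorithm: asdf # TODO`), so it only fails the rule if the scanner rejects an unrecognised algorithm string, which the `# TODO` seems to acknowledge is unsettled. For an "encryption enabled" check the unambiguous negative case is a bucket with no `BucketEncryption` at all, i.e. `BadExample:` / `Type: AWS::S3::Bucket` with the `Properties` block removed. That also avoids shipping a fixture with a placeholder comment embedded in the raw string.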
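Review bot: The renamed `BadExample` in s3/enable_bucket_logging (hunk `@@ -33,7 +31,7 @@`) keeps `Properties:` before `Type: AWS::S3::Bucket`, the only S3 fixture in this commit where the key order was not normalised; the collapsed diff does not preserve indentation, so if `Type` sits under the empty `Properties:` mapping the resource has no type and the check never evaluates it. Suggest `BadExample:` / `Type: AWS::S3::Bucket` with the empty `Properties:` dropped, matching the other S3 bad examples in this commit.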
@@ -4,6 +4,7 @@ var cloudFormationCheckEncryptionCustomerKeyGoodExamples = []string{ ` Resources: GoodExample: + Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: @@ -11,21 +12,20 @@ Resources: ServerSideEncryptionByDefault: KMSMasterKeyID: kms-arn SSEAlgorithm: aws:kms - Type: AWS::S3::Bucket `, } var cloudFormationCheckEncryptionCustomerKeyBadExamples = []string{ `--- Resources: - BadExample: - Properties: - BucketEncryption: - ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: AES256 - Type: AWS::S3::Bucket +BadExample: + Type: AWS::S3::Bucket + Properties: + BucketEncryption: + ServerSideEncryptionConfiguration: + - BucketKeyEnabled: false + ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 `, } diff --git a/checks/cloud/aws/s3/ignore_public_acls.cf.go b/checks/cloud/aws/s3/ignore_public_acls.cf.go index c8755ded..f0d5460d 100644 --- a/checks/cloud/aws/s3/ignore_public_acls.cf.go +++ b/checks/cloud/aws/s3/ignore_public_acls.cf.go @@ -4,6 +4,7 @@ var cloudFormationIgnorePublicAclsGoodExamples = []string{ `--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: AccessControl: Private PublicAccessBlockConfiguration: @@ -11,7 +12,6 @@ Resources: BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Type: AWS::S3::Bucket `, } @@ -19,9 +19,9 @@ var cloudFormationIgnorePublicAclsBadExamples = []string{ `--- Resources: BadExample: + Type: AWS::S3::Bucket Properties: AccessControl: AuthenticatedRead - Type: AWS::S3::Bucket `, } diff --git a/checks/cloud/aws/s3/no_public_access_with_acl.cf.go b/checks/cloud/aws/s3/no_public_access_with_acl.cf.go index c4c1db72..57a8332f 100644 --- a/checks/cloud/aws/s3/no_public_access_with_acl.cf.go +++ b/checks/cloud/aws/s3/no_public_access_with_acl.cf.go 
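Review bot: In the s3/encryption_customer_key bad example `BadExample:` is moved to column 0 (`-  BadExample:` becomes `+BadExample:`), which takes the bucket out from under `Resources:`; the template then declares no resources, so a scanner walking `Resources` produces no finding for this supposedly non-compliant fixture. The lines beneath were re-indented relative to `BadExample`, so the fix is to restore the two-space indent: `Resources:` / `  BadExample:` / `    Type: AWS::S3::Bucket`, with the rest of the block shifted accordingly.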
@@ -4,9 +4,9 @@ var cloudFormationNoPublicAccessWithAclGoodExamples = []string{ `--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: AccessControl: Private - Type: AWS::S3::Bucket `, } @@ -14,9 +14,9 @@ var cloudFormationNoPublicAccessWithAclBadExamples = []string{ `--- Resources: BadExample: + Type: AWS::S3::Bucket Properties: AccessControl: AuthenticatedRead - Type: AWS::S3::Bucket `, } diff --git a/checks/cloud/aws/s3/no_public_buckets.cf.go b/checks/cloud/aws/s3/no_public_buckets.cf.go index e58682d5..e1fc36d2 100644 --- a/checks/cloud/aws/s3/no_public_buckets.cf.go +++ b/checks/cloud/aws/s3/no_public_buckets.cf.go @@ -4,23 +4,23 @@ var cloudFormationNoPublicBucketsGoodExamples = []string{ `--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Type: AWS::S3::Bucket `, } var cloudFormationNoPublicBucketsBadExamples = []string{ `--- Resources: + Type: AWS::S3::Bucket BadExample: Properties: AccessControl: AuthenticatedRead - Type: AWS::S3::Bucket `, } diff --git a/checks/cloud/aws/s3/specify_public_access_block.cf.go b/checks/cloud/aws/s3/specify_public_access_block.cf.go index 16b9d876..2658dbcf 100644 --- a/checks/cloud/aws/s3/specify_public_access_block.cf.go +++ b/checks/cloud/aws/s3/specify_public_access_block.cf.go @@ -4,6 +4,7 @@ var cloudFormationSpecifyPublicAccessBlockGoodExamples = []string{ `--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: AccessControl: Private PublicAccessBlockConfiguration: @@ -11,7 +12,6 @@ Resources: BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Type: AWS::S3::Bucket `, } @@ -19,9 +19,9 @@ var cloudFormationSpecifyPublicAccessBlockBadExamples = []string{ `--- Resources: BadExample: + Type: AWS::S3::Bucket Properties: AccessControl: AuthenticatedRead - Type: AWS::S3::Bucket `, } 
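Review bot: In the cloudFormationNoPublicBucketsBadExamples part of the no_public_buckets.cf.go hunk the added `Type: AWS::S3::Bucket` line is printed before `BadExample:`, so it appears to sit directly under `Resources:` rather than inside the BadExample resource (indentation is lost in this rendering, so please confirm against the file). A resource entry without a Type is unlikely to be adapted as an S3 bucket, which would leave this bad example exercising nothing even though the test suite presumably expects it to fail the check. The line should move to directly after `BadExample:`, matching the good example above it: `BadExample:` / `Type: AWS::S3::Bucket` / `Properties:`.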
diff --git a/checks/cloud/aws/sam/api_use_secure_tls_policy.cf.go b/checks/cloud/aws/sam/api_use_secure_tls_policy.cf.go index 7bd750c9..84db31c2 100644 --- a/checks/cloud/aws/sam/api_use_secure_tls_policy.cf.go +++ b/checks/cloud/aws/sam/api_use_secure_tls_policy.cf.go @@ -2,10 +2,8 @@ package sam var cloudFormationApiUseSecureTlsPolicyGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example @@ -18,10 +16,8 @@ Resources: var cloudFormationApiUseSecureTlsPolicyBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: - ApiGatewayApi: + BadExample: Type: AWS::Serverless::Api Properties: Name: Bad SAM API example diff --git a/checks/cloud/aws/sam/enable_api_access_logging.cf.go b/checks/cloud/aws/sam/enable_api_access_logging.cf.go index 708d29ea..d3e112dc 100644 --- a/checks/cloud/aws/sam/enable_api_access_logging.cf.go +++ b/checks/cloud/aws/sam/enable_api_access_logging.cf.go @@ -2,10 +2,8 @@ package sam var cloudFormationEnableApiAccessLoggingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example @@ -21,10 +19,8 @@ Resources: var cloudFormationEnableApiAccessLoggingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: - ApiGatewayApi: + BadExample: Type: AWS::Serverless::Api Properties: Name: Bad SAM API example diff --git a/checks/cloud/aws/sam/enable_api_cache_encryption.cf.go b/checks/cloud/aws/sam/enable_api_cache_encryption.cf.go index adbc3a3a..dc5205f1 100644 --- a/checks/cloud/aws/sam/enable_api_cache_encryption.cf.go +++ b/checks/cloud/aws/sam/enable_api_cache_encryption.cf.go 
@@ -2,10 +2,8 @@ package sam var cloudFormationEnableApiCacheEncryptionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example @@ -20,20 +18,16 @@ Resources: var cloudFormationEnableApiCacheEncryptionBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: - ApiGatewayApi: + BadExample: Type: AWS::Serverless::Api Properties: Name: Bad SAM API example StageName: Prod TracingEnabled: false `, `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: - ApiGatewayApi: + BadExample: Type: AWS::Serverless::Api Properties: Name: Bad SAM API example diff --git a/checks/cloud/aws/sam/enable_api_tracing.cf.go b/checks/cloud/aws/sam/enable_api_tracing.cf.go index f3a114ad..188f5553 100644 --- a/checks/cloud/aws/sam/enable_api_tracing.cf.go +++ b/checks/cloud/aws/sam/enable_api_tracing.cf.go @@ -2,10 +2,8 @@ package sam var cloudFormationEnableApiTracingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example @@ -16,20 +14,16 @@ Resources: var cloudFormationEnableApiTracingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: - ApiGatewayApi: + BadExample: Type: AWS::Serverless::Api Properties: Name: Bad SAM API example StageName: Prod TracingEnabled: false `, `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: - ApiGatewayApi: + BadExample: Type: AWS::Serverless::Api Properties: Name: Bad SAM API example diff --git a/checks/cloud/aws/sam/enable_function_tracing.cf.go b/checks/cloud/aws/sam/enable_function_tracing.cf.go index 01f0409c..1e41cb65 100644 
--- a/checks/cloud/aws/sam/enable_function_tracing.cf.go +++ b/checks/cloud/aws/sam/enable_function_tracing.cf.go @@ -2,8 +2,6 @@ package sam var cloudFormationEnableFunctionTracingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Function Resources: GoodFunction: Type: AWS::Serverless::Function @@ -22,8 +20,6 @@ Resources: var cloudFormationEnableFunctionTracingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM Function Resources: BadFunction: Type: AWS::Serverless::Function diff --git a/checks/cloud/aws/sam/enable_http_api_access_logging.cf.go b/checks/cloud/aws/sam/enable_http_api_access_logging.cf.go index 7ff8f3f6..99440aa4 100644 --- a/checks/cloud/aws/sam/enable_http_api_access_logging.cf.go +++ b/checks/cloud/aws/sam/enable_http_api_access_logging.cf.go @@ -2,10 +2,8 @@ package sam var cloudFormationEnableHttpApiAccessLoggingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::HttpApi Properties: Name: Good SAM API example @@ -19,10 +17,8 @@ Resources: var cloudFormationEnableHttpApiAccessLoggingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: - HttpApi: + BadExample: Type: AWS::Serverless::HttpApi Properties: Name: Good SAM API example diff --git a/checks/cloud/aws/sam/enable_state_machine_tracing.cf.go b/checks/cloud/aws/sam/enable_state_machine_tracing.cf.go index f66ea070..01543d01 100644 --- a/checks/cloud/aws/sam/enable_state_machine_tracing.cf.go +++ b/checks/cloud/aws/sam/enable_state_machine_tracing.cf.go @@ -2,8 +2,6 @@ package sam var cloudFormationEnableStateMachineTracingGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: GoodStateMachine: Type: AWS::Serverless::StateMachine 
@@ -23,8 +21,6 @@ Resources: var cloudFormationEnableStateMachineTracingBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: BadStateMachine: Type: AWS::Serverless::StateMachine @@ -40,8 +36,6 @@ Resources: Tracing: Enabled: false `, `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM API Resources: BadStateMachine: Type: AWS::Serverless::StateMachine diff --git a/checks/cloud/aws/sam/enable_table_encryption.cf.go b/checks/cloud/aws/sam/enable_table_encryption.cf.go index 21a51ea3..8c6a6088 100644 --- a/checks/cloud/aws/sam/enable_table_encryption.cf.go +++ b/checks/cloud/aws/sam/enable_table_encryption.cf.go @@ -2,8 +2,6 @@ package sam var cloudFormationEnableTableEncryptionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Table Resources: GoodFunction: Type: AWS::Serverless::SimpleTable @@ -16,8 +14,6 @@ Resources: var cloudFormationEnableTableEncryptionBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM Table Resources: BadFunction: Type: AWS::Serverless::SimpleTable @@ -26,8 +22,6 @@ Resources: SSESpecification: SSEEnabled: false `, `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM Table Resources: BadFunction: Type: AWS::Serverless::SimpleTable diff --git a/checks/cloud/aws/sam/no_function_policy_wildcards.cf.go b/checks/cloud/aws/sam/no_function_policy_wildcards.cf.go index b7e03618..91d2b079 100644 --- a/checks/cloud/aws/sam/no_function_policy_wildcards.cf.go +++ b/checks/cloud/aws/sam/no_function_policy_wildcards.cf.go @@ -2,8 +2,6 @@ package sam var cloudFormationNoFunctionPolicyWildcardsGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Function Resources: GoodFunction: Type: AWS::Serverless::Function 
@@ -30,8 +28,6 @@ Resources: var cloudFormationNoFunctionPolicyWildcardsBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM Function Resources: BadFunction: Type: AWS::Serverless::Function diff --git a/checks/cloud/aws/sam/no_state_machine_policy_wildcards.cf.go b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.cf.go index 1ebb9a78..98b1e92e 100644 --- a/checks/cloud/aws/sam/no_state_machine_policy_wildcards.cf.go +++ b/checks/cloud/aws/sam/no_state_machine_policy_wildcards.cf.go @@ -2,8 +2,6 @@ package sam var cloudFormationNoStateMachinePolicyWildcardsGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Function Resources: GoodFunction: Type: AWS::Serverless::StateMachine @@ -32,8 +30,6 @@ Resources: var cloudFormationNoStateMachinePolicyWildcardsBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad Example of SAM Function Resources: BadFunction: Type: AWS::Serverless::StateMachine diff --git a/checks/cloud/aws/sns/enable_topic_encryption.cf.go b/checks/cloud/aws/sns/enable_topic_encryption.cf.go index 23ed11e2..f3cba85b 100644 --- a/checks/cloud/aws/sns/enable_topic_encryption.cf.go +++ b/checks/cloud/aws/sns/enable_topic_encryption.cf.go @@ -2,28 +2,22 @@ package sns var cloudFormationEnableTopicEncryptionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of topic Resources: - Queue: + GoodTopic: Type: AWS::SQS::Topic Properties: TopicName: blah KmsMasterKeyId: some-key - `, } var cloudFormationEnableTopicEncryptionBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of topic Resources: - Queue: + BadTopic: Type: AWS::SNS::Topic Properties: TopicName: blah - `, } diff --git a/checks/cloud/aws/sns/topic_encryption_with_cmk.cf.go b/checks/cloud/aws/sns/topic_encryption_with_cmk.cf.go index 7385cc39..e6e3a93d 100644 
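Review bot: The renamed `GoodTopic` in cloudFormationEnableTopicEncryptionGoodExamples keeps `Type: AWS::SQS::Topic`, which is not a CloudFormation resource type (the bad example in the same hunk uses `AWS::SNS::Topic`), so the good example is presumably never adapted as an SNS topic and the check is not exercised on a passing case. Since this commit already rewrites that resource, the Type line should become `Type: AWS::SNS::Topic`. The same `AWS::SQS::Topic` appears in the good example of the topic_encryption_with_cmk.cf.go hunk that follows.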
--- a/checks/cloud/aws/sns/topic_encryption_with_cmk.cf.go +++ b/checks/cloud/aws/sns/topic_encryption_with_cmk.cf.go @@ -2,29 +2,23 @@ package sns var cloudFormationTopicEncryptionUsesCMKGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of topic Resources: - Queue: + GoodTopic: Type: AWS::SQS::Topic Properties: TopicName: blah KmsMasterKeyId: some-key - `, } var cloudFormationTopicEncryptionUsesCMKBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of topic Resources: - Queue: + BadTopic: Type: AWS::SNS::Topic Properties: TopicName: blah KmsMasterKeyId: alias/aws/sns - `, } diff --git a/checks/cloud/aws/sqs/enable_queue_encryption.cf.go b/checks/cloud/aws/sqs/enable_queue_encryption.cf.go index 9a4bf0b4..ce5ca46f 100644 --- a/checks/cloud/aws/sqs/enable_queue_encryption.cf.go +++ b/checks/cloud/aws/sqs/enable_queue_encryption.cf.go @@ -2,24 +2,19 @@ package sqs var cloudFormationEnableQueueEncryptionGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of queue Resources: - Queue: + GoodQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: some-key QueueName: my-queue - `, } var cloudFormationEnableQueueEncryptionBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of queue Resources: - Queue: + BadQueue: Type: AWS::SQS::Queue Properties: QueueName: my-queue diff --git a/checks/cloud/aws/sqs/no_wildcards_in_policy_documents.cf.go b/checks/cloud/aws/sqs/no_wildcards_in_policy_documents.cf.go index f94d4502..a5e16973 100644 --- a/checks/cloud/aws/sqs/no_wildcards_in_policy_documents.cf.go +++ b/checks/cloud/aws/sqs/no_wildcards_in_policy_documents.cf.go 
@@ -2,10 +2,8 @@ package sqs var cloudFormationNoWildcardsInPolicyDocumentsGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of queue policy Resources: - MyQueue: + GoodQueue: Type: AWS::SQS::Queue Properties: Name: something @@ -30,10 +28,8 @@ Resources: var cloudFormationNoWildcardsInPolicyDocumentsBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of queue policy Resources: - MyQueue: + BadQueue: Type: AWS::SQS::Queue Properties: Name: something diff --git a/checks/cloud/aws/sqs/queue_encryption_with_cmk.cf.go b/checks/cloud/aws/sqs/queue_encryption_with_cmk.cf.go index 864652be..1b523892 100644 --- a/checks/cloud/aws/sqs/queue_encryption_with_cmk.cf.go +++ b/checks/cloud/aws/sqs/queue_encryption_with_cmk.cf.go @@ -2,29 +2,23 @@ package sqs var cloudFormationQueueEncryptionUsesCMKGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of queue Resources: - Queue: + GoodQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: some-key QueueName: my-queue - `, } var cloudFormationQueueEncryptionUsesCMKBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of queue Resources: - Queue: + BadQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: alias/aws/sqs QueueName: my-queue - `, } diff --git a/checks/cloud/aws/ssm/secret_use_customer_key.cf.go b/checks/cloud/aws/ssm/secret_use_customer_key.cf.go index e98c1be3..5339a600 100644 --- a/checks/cloud/aws/ssm/secret_use_customer_key.cf.go +++ b/checks/cloud/aws/ssm/secret_use_customer_key.cf.go @@ -2,10 +2,8 @@ package ssm var cloudFormationSecretUseCustomerKeyGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of ingress rule Resources: - Secret: + GoodSecret: Type: AWS::SecretsManager::Secret Properties: Description: "secret" 
@@ -17,8 +15,6 @@ Resources: var cloudFormationSecretUseCustomerKeyBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of secret Resources: BadSecret: Type: AWS::SecretsManager::Secret From b00d22828092e1072b44b643bd18c3f2c70f69a1 Mon Sep 17 00:00:00 2001 From: Steven Smiley <53946040+StevenSmiley@users.noreply.github.com> Date: Mon, 22 Apr 2024 15:34:17 -0700 Subject: [PATCH 02/13] Cleanup --- checks/cloud/aws/rds/no_classic_resources.cf.go | 8 -------- 1 file changed, 8 deletions(-) diff --git a/checks/cloud/aws/rds/no_classic_resources.cf.go b/checks/cloud/aws/rds/no_classic_resources.cf.go index ca2d9f47..b3889611 100644 --- a/checks/cloud/aws/rds/no_classic_resources.cf.go +++ b/checks/cloud/aws/rds/no_classic_resources.cf.go @@ -2,19 +2,11 @@ package rds var cloudFormationNoClassicResourcesGoodExamples = []string{ `--- -Resources: -# TODO `, } var cloudFormationNoClassicResourcesBadExamples = []string{ `--- -Resources: - BadExample: - Type: AWS::RDS::DBSecurityGroup - Properties: - Description: "" - # TODO `, } From 03a69f2b6cf01b843f73cf63dcf077ded0c67672 Mon Sep 17 00:00:00 2001 From: Steven Smiley <53946040+StevenSmiley@users.noreply.github.com> Date: Mon, 22 Apr 2024 15:34:28 -0700 Subject: [PATCH 03/13] Cleanup --- .../add_description_to_security_group.cf.go | 2 -- .../aws/redshift/encryption_customer_key.cf.go | 1 - .../cloud/aws/redshift/no_classic_resources.cf.go | 12 ------------ checks/cloud/aws/redshift/use_vpc.cf.go | 13 ++++--------- checks/cloud/aws/s3/enable_bucket_encryption.cf.go | 4 ++-- 5 files changed, 6 insertions(+), 26 deletions(-) diff --git a/checks/cloud/aws/redshift/add_description_to_security_group.cf.go b/checks/cloud/aws/redshift/add_description_to_security_group.cf.go index 34339c11..0f96c818 100644 --- a/checks/cloud/aws/redshift/add_description_to_security_group.cf.go +++ b/checks/cloud/aws/redshift/add_description_to_security_group.cf.go 
@@ -7,7 +7,6 @@ Resources: Type: AWS::Redshift::ClusterSecurityGroup Properties: Description: "Disallow bad stuff" - # TODO `, } @@ -18,7 +17,6 @@ Resources: Type: AWS::Redshift::ClusterSecurityGroup Properties: Description: "" - # TODO `, } diff --git a/checks/cloud/aws/redshift/encryption_customer_key.cf.go b/checks/cloud/aws/redshift/encryption_customer_key.cf.go index 8ebd547c..8330adc2 100644 --- a/checks/cloud/aws/redshift/encryption_customer_key.cf.go +++ b/checks/cloud/aws/redshift/encryption_customer_key.cf.go @@ -8,7 +8,6 @@ Resources: Properties: Encrypted: true KmsKeyId: "something" - `, } diff --git a/checks/cloud/aws/redshift/no_classic_resources.cf.go b/checks/cloud/aws/redshift/no_classic_resources.cf.go index f92b353e..184abacc 100644 --- a/checks/cloud/aws/redshift/no_classic_resources.cf.go +++ b/checks/cloud/aws/redshift/no_classic_resources.cf.go @@ -2,23 +2,11 @@ package redshift var cloudFormationNoClassicResourcesGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of redshift sgr -Resources: -# TODO `, } var cloudFormationNoClassicResourcesBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of redshift sgr -Resources: - Queue: - Type: AWS::Redshift::ClusterSecurityGroup - Properties: - Description: "" - # TODO `, } diff --git a/checks/cloud/aws/redshift/use_vpc.cf.go b/checks/cloud/aws/redshift/use_vpc.cf.go index bd9dd880..0fc32116 100644 --- a/checks/cloud/aws/redshift/use_vpc.cf.go +++ b/checks/cloud/aws/redshift/use_vpc.cf.go 
@@ -2,27 +2,22 @@ package redshift var cloudFormationUseVpcGoodExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of redshift cluster Resources: - Queue: + GoodCluster: Type: AWS::Redshift::Cluster Properties: ClusterSubnetGroupName: "my-subnet-group" - `, } var cloudFormationUseVpcBadExamples = []string{ `--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Bad example of redshift cluster Resources: - Queue: + BadCluster: Type: AWS::Redshift::Cluster Properties: - ClusterSubnetGroupName: "" - # TODO + DBName: "mydb" + ClusterType: "single-node" `, } diff --git a/checks/cloud/aws/s3/enable_bucket_encryption.cf.go b/checks/cloud/aws/s3/enable_bucket_encryption.cf.go index bb3ffac4..0a48940d 100644 --- a/checks/cloud/aws/s3/enable_bucket_encryption.cf.go +++ b/checks/cloud/aws/s3/enable_bucket_encryption.cf.go @@ -24,8 +24,8 @@ Resources: ServerSideEncryptionConfiguration: - BucketKeyEnabled: false ServerSideEncryptionByDefault: - KMSMasterKeyID: asdf - SSEAlgorithm: asdf # TODO + KMSMasterKeyID: alias/alias-name + SSEAlgorithm: aws:kms `, } From d5ae35335f2595a16f548639bd711558c8eaffb9 Mon Sep 17 00:00:00 2001 From: Steven Smiley <53946040+StevenSmiley@users.noreply.github.com> Date: Mon, 22 Apr 2024 15:37:07 -0700 Subject: [PATCH 04/13] Update encryption_customer_key.cf.go --- .../cloud/aws/s3/encryption_customer_key.cf.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/checks/cloud/aws/s3/encryption_customer_key.cf.go b/checks/cloud/aws/s3/encryption_customer_key.cf.go index 0adfbacb..5399f843 100644 --- a/checks/cloud/aws/s3/encryption_customer_key.cf.go +++ b/checks/cloud/aws/s3/encryption_customer_key.cf.go 
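Review bot: The bad example in cloudFormationUseVpcBadExamples now omits ClusterSubnetGroupName entirely, replacing the earlier `ClusterSubnetGroupName: ""` variant rather than adding to it. If the check treats an empty string the same as a missing subnet group (the old `# TODO` suggests this was never verified), keeping the old entry as a second bad example would retain coverage of that case; if it does not, dropping it is the right call and a short YAML comment on the new example saying so would save the next reader the same question.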
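Review bot: In the cloudFormationEnableBucketEncryptionBadExamples hunk the resolved TODO now declares `SSEAlgorithm: aws:kms` together with a `KMSMasterKeyID`, so the only thing separating this bad example from a correctly encrypted bucket is the surrounding context line `- BucketKeyEnabled: false`. BucketKeyEnabled controls S3 Bucket Keys (how often KMS is called for a bucket), not whether default encryption is enabled, so unless the adapter deliberately reads that flag as the encryption switch, this fixture does not describe an unencrypted bucket. Either replace it with a bucket that has no `BucketEncryption` block at all, or, if the adapter really keys off BucketKeyEnabled, say so in a YAML comment on that line so the next reader does not assume the example is wrong.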
@@ -18,14 +18,14 @@ Resources: var cloudFormationCheckEncryptionCustomerKeyBadExamples = []string{ `--- Resources: -BadExample: - Type: AWS::S3::Bucket - Properties: - BucketEncryption: - ServerSideEncryptionConfiguration: - - BucketKeyEnabled: false - ServerSideEncryptionByDefault: - SSEAlgorithm: AES256 + BadExample: + Type: AWS::S3::Bucket + Properties: + BucketEncryption: + ServerSideEncryptionConfiguration: + - BucketKeyEnabled: false + ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 `, } From 82e5f4287a45c59650e465f3c1a5c52205261a50 Mon Sep 17 00:00:00 2001 From: Steven Smiley <53946040+StevenSmiley@users.noreply.github.com> Date: Tue, 23 Apr 2024 07:07:47 -0700 Subject: [PATCH 05/13] Update disable_public_access.cf.go --- checks/cloud/aws/rds/disable_public_access.cf.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/checks/cloud/aws/rds/disable_public_access.cf.go b/checks/cloud/aws/rds/disable_public_access.cf.go index b3a2ed29..94ee13eb 100644 --- a/checks/cloud/aws/rds/disable_public_access.cf.go +++ b/checks/cloud/aws/rds/disable_public_access.cf.go @@ -3,7 +3,7 @@ package rds var cloudFormationNoPublicDbAccessGoodExamples = []string{ `--- Resources: - GoodQueue: + GoodExample: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: false @@ -13,7 +13,7 @@ Resources: var cloudFormationNoPublicDbAccessBadExamples = []string{ `--- Resources: - BadQueue: + BadExample: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: true From b40147fd35715b8fb7dad34c64953d94bbc88d97 Mon Sep 17 00:00:00 2001 From: Steven Smiley Date: Fri, 3 May 2024 11:22:51 -0700 Subject: [PATCH 06/13] chore: make docs --- avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md | 5 +---- avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md index e183f4cb..57615a7d 100644 
--- a/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md @@ -2,15 +2,12 @@ Remove the public endpoint from the RDS instance. ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Queue: + GoodExample: Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: false - ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md index b9513dea..28799dc7 100644 --- a/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md @@ -4,11 +4,11 @@ Add a logging block to the resource to enable access logging ```yaml--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: LoggingConfiguration: DestinationBucketName: logging-bucket LogFilePrefix: accesslogs/ - Type: AWS::S3::Bucket ``` From 5a025adddfa0badf3ebeca3a9d319f3690dbe565 Mon Sep 17 00:00:00 2001 From: Steven Smiley Date: Mon, 6 May 2024 10:30:31 -0700 Subject: [PATCH 07/13] Revert change to classic resources examples --- checks/cloud/aws/rds/no_classic_resources.cf.go | 12 ++++++++++++ checks/cloud/aws/redshift/no_classic_resources.cf.go | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/checks/cloud/aws/rds/no_classic_resources.cf.go b/checks/cloud/aws/rds/no_classic_resources.cf.go index b3889611..7b93bbdd 100644 --- a/checks/cloud/aws/rds/no_classic_resources.cf.go +++ b/checks/cloud/aws/rds/no_classic_resources.cf.go @@ -2,11 +2,23 @@ package rds var cloudFormationNoClassicResourcesGoodExamples = []string{ `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of rds sgr +Resources: + `, } var cloudFormationNoClassicResourcesBadExamples = []string{ `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad example of rds sgr +Resources: + Queue: + Type: AWS::RDS::DBSecurityGroup + Properties: + Description: "" + `, } 
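Review bot: The restored cloudFormationNoClassicResourcesGoodExamples/BadExamples reintroduce the `AWSTemplateFormatVersion`/`Description` header, the `Queue` logical id and a trailing blank line that the first commit of this series removes from every other fixture, so these two files (rds here, redshift in the next hunk) become the only ones left in the old layout. The commit title says the revert is deliberate, but nothing in the file says why; a one-line comment above each var such as `// kept in the pre-cleanup layout on purpose; see the revert commit` would stop the next cleanup from reapplying the change. The good example is also an empty `Resources:` block, so the check presumably passes on it vacuously rather than on a resource that avoids classic networking.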
diff --git a/checks/cloud/aws/redshift/no_classic_resources.cf.go b/checks/cloud/aws/redshift/no_classic_resources.cf.go index 184abacc..0464a607 100644 --- a/checks/cloud/aws/redshift/no_classic_resources.cf.go +++ b/checks/cloud/aws/redshift/no_classic_resources.cf.go @@ -2,11 +2,23 @@ package redshift var cloudFormationNoClassicResourcesGoodExamples = []string{ `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of redshift sgr +Resources: + `, } var cloudFormationNoClassicResourcesBadExamples = []string{ `--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Bad example of redshift sgr +Resources: + Queue: + Type: AWS::Redshift::ClusterSecurityGroup + Properties: + Description: "" + `, } From 93963d3c2813bb73fed078be027ce77c1a246f48 Mon Sep 17 00:00:00 2001 From: Steven Smiley Date: Tue, 7 May 2024 11:33:11 -0700 Subject: [PATCH 08/13] update test --- cmd/avd_generator/main_test.go | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/cmd/avd_generator/main_test.go b/cmd/avd_generator/main_test.go index 696166fb..a9c41d08 100644 --- a/cmd/avd_generator/main_test.go +++ b/cmd/avd_generator/main_test.go @@ -54,15 +54,13 @@ func Test_AVDPageGeneration(t *testing.T) { b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0077", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example -Resources: - Queue: - Type: AWS::RDS::DBInstance - Properties: - BackupRetentionPeriod: 30 -`) + assert.Contains(t, string(b), `--- + Resources: + GoodExample: + Type: AWS::RDS::DBInstance + Properties: + BackupRetentionPeriod: 30 + `) // check rego policies b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "Terraform.md")) 
@@ -74,12 +72,11 @@ Resources: b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example -Resources: - Queue: - Type: AWS::RDS::DBInstance - Properties: - PubliclyAccessible: false`) + assert.Contains(t, string(b), `--- + Resources: + GoodExample: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: false + `) } From b22601dde492c18393ef5f731a6e14c3f6edae65 Mon Sep 17 00:00:00 2001 From: Steven Smiley Date: Tue, 7 May 2024 12:47:12 -0700 Subject: [PATCH 09/13] convert tabs to spaces --- cmd/avd_generator/main_test.go | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/cmd/avd_generator/main_test.go b/cmd/avd_generator/main_test.go index a9c41d08..06308298 100644 --- a/cmd/avd_generator/main_test.go +++ b/cmd/avd_generator/main_test.go @@ -54,13 +54,13 @@ func Test_AVDPageGeneration(t *testing.T) { b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0077", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `--- - Resources: - GoodExample: - Type: AWS::RDS::DBInstance - Properties: - BackupRetentionPeriod: 30 - `) + assert.Contains(t, string(b), `--- + Resources: + GoodExample: + Type: AWS::RDS::DBInstance + Properties: + BackupRetentionPeriod: 30 + `) // check rego policies b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "Terraform.md")) @@ -72,11 +72,11 @@ func Test_AVDPageGeneration(t *testing.T) { b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `--- - Resources: - GoodExample: - Type: AWS::RDS::DBInstance - Properties: - PubliclyAccessible: false - `) + assert.Contains(t, string(b), `--- + Resources: + GoodExample: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: false + `) } 
From bf939987dc513dfda8c973a3f41d5245b7a3a849 Mon Sep 17 00:00:00 2001 From: Simar Date: Thu, 16 May 2024 00:17:51 -0600 Subject: [PATCH 10/13] bump trivy version --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c76054e0..80ae7aab 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.22 toolchain go1.22.0 require ( - github.com/aquasecurity/trivy v0.51.2-0.20240514170658-7c22ee3df5ee + github.com/aquasecurity/trivy v0.51.2-0.20240516011451-88702cfd5918 github.com/docker/docker v26.0.2+incompatible github.com/liamg/iamgo v0.0.9 github.com/liamg/memoryfs v1.6.0 diff --git a/go.sum b/go.sum index edb54139..51eb9fd1 100644 --- a/go.sum +++ b/go.sum 
@@ -218,8 +218,8 @@ github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 h1:rcEG5HI490FF0a7zuvxOxen52ddygCfNVjP0XOCMl+M= github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492/go.mod h1:9Beu8XsUNNfzml7WBf3QmyPToP1wm1Gj/Vc5UJKqTzU= -github.com/aquasecurity/trivy v0.51.2-0.20240514170658-7c22ee3df5ee h1:Cs0OQO/ldEv1R9wPGhr5DemUJ18lk05Ly71zlaBDM88= -github.com/aquasecurity/trivy v0.51.2-0.20240514170658-7c22ee3df5ee/go.mod h1:7UhbpzvSN7Ack4D4cX9X9XC5qFX4KP5O1xSskdZxGQY= +github.com/aquasecurity/trivy v0.51.2-0.20240516011451-88702cfd5918 h1:ErW4tRpUVRnihE7hrAc9U1bVGMrK7pfkZH068kcj3sM= +github.com/aquasecurity/trivy v0.51.2-0.20240516011451-88702cfd5918/go.mod h1:eTi5J7nzhtHI6GogE3v0BXI0Qeeb8MkjA7vrhGNZTjs= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= From 1cd8b937e3e9bd661bec1fd0ce21bc152d95bd85 Mon Sep 17 00:00:00 2001 From: Simar Date: Thu, 16 May 2024 00:18:21 -0600 Subject: [PATCH 11/13] fix tests --- .../aws/rds/AVD-AWS-0077/CloudFormation.md | 2 -- cmd/avd_generator/main_test.go | 28 +++++++++---------- 2 files changed, 14 insertions(+), 16 deletions(-) diff --git a/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md index 77970d10..6f657422 100644 --- a/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md 
@@ -2,8 +2,6 @@ Explicitly set the retention period to greater than the default ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: Queue: Type: AWS::RDS::DBInstance diff --git a/cmd/avd_generator/main_test.go b/cmd/avd_generator/main_test.go index 06308298..464ab2c7 100644 --- a/cmd/avd_generator/main_test.go +++ b/cmd/avd_generator/main_test.go @@ -54,13 +54,13 @@ func Test_AVDPageGeneration(t *testing.T) { b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0077", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `--- - Resources: - GoodExample: - Type: AWS::RDS::DBInstance - Properties: - BackupRetentionPeriod: 30 - `) + assert.Contains(t, string(b), `--- +Resources: + GoodExample: + Type: AWS::RDS::DBInstance + Properties: + BackupRetentionPeriod: 30 +`) // check rego policies b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "Terraform.md")) @@ -72,11 +72,11 @@ func Test_AVDPageGeneration(t *testing.T) { b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `--- - Resources: - GoodExample: - Type: AWS::RDS::DBInstance - Properties: - PubliclyAccessible: false - `) + assert.Contains(t, string(b), `--- +Resources: + GoodExample: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: false +`) } From 808d021eadfcece9cce8a6609b541c9b9ddec183 Mon Sep 17 00:00:00 2001 From: Simar Date: Thu, 16 May 2024 00:19:24 -0600 Subject: [PATCH 12/13] deprecate AVD-AWS-0081 --- checks/cloud/aws/rds/no_classic_resources.go | 1 + 1 file changed, 1 insertion(+) diff --git a/checks/cloud/aws/rds/no_classic_resources.go b/checks/cloud/aws/rds/no_classic_resources.go index 32ed9310..43169a3b 100755 --- a/checks/cloud/aws/rds/no_classic_resources.go +++ b/checks/cloud/aws/rds/no_classic_resources.go 
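Review bot: The rewritten assertion in the first main_test.go hunk starts at `---`, so it no longer pins how the YAML fence opens, and the docs hunks earlier in this series (avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md and AVD-AWS-0077/CloudFormation.md) show that fence emitted as "```yaml---", with the YAML document marker glued to the info string; a markdown renderer reads that as language "yaml---" and the `---` line disappears from the rendered snippet. If that is unintended, asserting the fence and marker as separate lines here, i.e. starting the expected literal with "```yaml" on its own line followed by `---`, would catch it, and the same applies to the AVD-AWS-0180 assertion in the second hunk below. If it is intended, a comment on the assertion saying so would help. Test_AVDPageGeneration starts outside the hunk.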
@@ -11,6 +11,7 @@ import (
 var CheckNoClassicResources = rules.Register(
 scan.Rule{
 AVDID: "AVD-AWS-0081",
+ Deprecated: true,
 Provider: providers.AWSProvider,
 Service: "rds",
 ShortCode: "no-classic-resources",
From 96fc6994612be78f958e0c4a235d60ab6ee29f5f Mon Sep 17 00:00:00 2001
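Review bot: `Deprecated: true` is added to the AVD-AWS-0081 rule with no comment recording why the check is being retired or whether another check covers the same condition, so a reader of this file, or a user whose finding disappears after upgrading, gets no explanation from the code. Suggest a trailing comment on the added line, `Deprecated: true, // <reason for retiring AVD-AWS-0081; link to tracking issue>`, or a `// Deprecated:` paragraph in the doc comment on CheckNoClassicResources so tooling surfaces it. The scan.Rule literal continues past the end of the hunk, so whether Explanation or the remediation text was updated alongside the flag is not visible here.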
From: Simar Date: Thu, 16 May 2024 00:24:32 -0600 Subject: [PATCH 13/13] update docs --- avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md | 2 +- avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md | 2 +- avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md | 2 +- avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md | 4 ++-- avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md | 2 -- avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md | 4 +--- avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md | 2 -- avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md | 2 -- avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md | 2 +- avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md | 1 - avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md | 5 +---- avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md | 5 +---- avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md | 5 +---- avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md | 4 +--- avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md | 4 +--- avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md | 4 +--- avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md | 6 +----- avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md | 5 +---- avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md | 5 +---- avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md | 3 +-- avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md | 5 +---- avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md | 5 +---- avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md | 4 +--- avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md | 4 +--- avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md | 5 +---- avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md | 5 +---- avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md | 5 +---- avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md | 2 +- avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md | 2 +- avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md | 2 +- avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md | 2 +- avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md | 2 +- avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md | 2 
+- avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md | 2 +- avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md | 4 +--- avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md | 4 +--- avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md | 4 +--- avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md | 4 +--- avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md | 2 -- avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md | 4 +--- avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md | 2 -- avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md | 2 -- avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md | 2 -- avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md | 2 -- avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md | 5 +---- avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md | 5 +---- avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md | 5 +---- avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md | 4 +--- avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md | 5 +---- avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md | 4 +--- 50 files changed, 42 insertions(+), 132 deletions(-) diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md index 6f69815d..43535a5b 100644 --- a/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md +++ b/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md @@ -3,7 +3,7 @@ Enable Cloudtrail in all regions ```yaml--- Resources: - BadExample: + GoodExample: Type: AWS::CloudTrail::Trail Properties: IsLogging: true diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md index d77fd90c..edba85cf 100644 --- a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md +++ b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md @@ -3,7 +3,7 @@ Use Customer managed key ```yaml--- Resources: - BadExample: + GoodExample: Type: AWS::CloudTrail::Trail Properties: IsLogging: true 
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md index bb9a815c..0665c8a5 100644 --- a/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md +++ b/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md @@ -3,7 +3,7 @@ Turn on log validation for Cloudtrail ```yaml--- Resources: - BadExample: + GoodExample: Type: AWS::CloudTrail::Trail Properties: IsLogging: true diff --git a/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md b/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md index 558e673d..a27d440a 100644 --- a/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md +++ b/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md @@ -3,14 +3,14 @@ Enable encryption at rest for DAX Cluster ```yaml--- Resources: - daxCluster: + GoodExample: Type: AWS::DAX::Cluster Properties: ClusterName: "MyDAXCluster" NodeType: "dax.r3.large" ReplicationFactor: 1 IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess" - Description: "DAX cluster created with CloudFormation" + Description: "DAX cluster with encryption at rest" SSESpecification: SSEEnabled: true diff --git a/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md index c9599ebb..e7015cb4 100644 --- a/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md +++ b/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md @@ -2,8 +2,6 @@ Add descriptions for all security groups ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of group description Resources: GoodSecurityGroup: Type: AWS::EC2::SecurityGroup diff --git a/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md index d4d61144..6aa99a86 100644 --- a/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md +++ b/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md 
@@ -2,10 +2,8 @@ Set a more restrictive cidr range ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of ingress rule Resources: - BadSecurityGroup: + GoodSecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: Limits security group egress traffic diff --git a/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md index c358b87b..335dc6b5 100644 --- a/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md +++ b/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md @@ -2,8 +2,6 @@ Add descriptions for all security groups rules ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of SGR description Resources: GoodSecurityGroup: Type: AWS::EC2::SecurityGroup diff --git a/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md b/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md index a8381732..42f175d1 100644 --- a/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md +++ b/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md @@ -2,8 +2,6 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of policy Resources: GoodPolicy: Type: 'AWS::IAM::Policy' diff --git a/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md b/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md index b08a117f..b89dbae5 100644 --- a/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md +++ b/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md @@ -3,7 +3,7 @@ Enable tracing ```yaml--- Resources: - Function: + GoodExample: Type: AWS::Lambda::Function Properties: Handler: index.handler diff --git a/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md b/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md index 92b92587..f455a210 100644 --- a/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md +++ b/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md 
@@ -28,7 +28,6 @@ Resources: Action: lambda:InvokeFunction Principal: s3.amazonaws.com SourceArn: "lambda.amazonaws.com" - ``` diff --git a/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md b/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md index e71d1722..5fb4dec8 100644 --- a/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md +++ b/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md @@ -2,16 +2,13 @@ Enable audit logging ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Broker: + GoodBroker: Type: AWS::AmazonMQ::Broker Properties: Logs: Audit: true - ``` diff --git a/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md b/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md index a2363b8d..161f3674 100644 --- a/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md +++ b/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md @@ -2,16 +2,13 @@ Enable general logging ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Broker: + GoodBroker: Type: AWS::AmazonMQ::Broker Properties: Logs: General: true - ``` diff --git a/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md b/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md index 8aad3321..8495ea5a 100644 --- a/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md +++ b/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md @@ -2,15 +2,12 @@ Disable public access when not required ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Broker: + GoodBroker: Type: AWS::AmazonMQ::Broker Properties: PubliclyAccessible: false - ``` diff --git a/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md b/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md index b9f7fa1b..aee301c6 100644 --- a/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md +++ b/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md 
@@ -2,10 +2,8 @@ Enable in transit encryption ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::MSK::Cluster Properties: EncryptionInfo: diff --git a/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md b/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md index 595b3aff..d3874ba7 100644 --- a/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md +++ b/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md @@ -2,10 +2,8 @@ Enable logging ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::MSK::Cluster Properties: LoggingInfo: diff --git a/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md b/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md index 97580e1d..8465b9f7 100644 --- a/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md +++ b/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md @@ -2,10 +2,8 @@ Enable at rest encryption ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::MSK::Cluster Properties: EncryptionInfo: diff --git a/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md b/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md index 81cd425c..64c8c3b3 100644 --- a/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md +++ b/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md @@ -2,17 +2,13 @@ Enable export logs ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::Neptune::DBCluster Properties: EnableCloudwatchLogsExports: - audit - - ``` diff --git a/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md b/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md index d8fa03ee..6d86d7ca 100644 --- a/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md +++ b/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md 
@@ -2,16 +2,13 @@ Enable encryption of Neptune storage ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::Neptune::DBCluster Properties: StorageEncrypted: true KmsKeyId: "something" - ``` diff --git a/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md b/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md index e6685104..e99e0fb3 100644 --- a/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md +++ b/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md @@ -2,16 +2,13 @@ Enable encryption using customer managed keys ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Cluster: + GoodCluster: Type: AWS::Neptune::DBCluster Properties: StorageEncrypted: true KmsKeyId: "something" - ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md index 6f657422..26dc0f9e 100644 --- a/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md @@ -3,12 +3,11 @@ Explicitly set the retention period to greater than the default ```yaml--- Resources: - Queue: + GoodExample: Type: AWS::RDS::DBInstance Properties: BackupRetentionPeriod: 30 - ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md index 409debda..d4ed2832 100644 --- a/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md @@ -2,16 +2,13 @@ Use Customer Managed Keys to encrypt Performance Insights data ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Queue: + GoodExample: Type: AWS::RDS::DBInstance Properties: EnablePerformanceInsights: true PerformanceInsightsKMSKeyId: "something" - ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md index 935d8e20..99c9dfe1 100644 
--- a/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md @@ -2,16 +2,13 @@ Enable encryption for RDS clusters ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of rds sgr Resources: - Cluster: + GoodExample: Type: AWS::RDS::DBCluster Properties: StorageEncrypted: true KmsKeyId: "something" - ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md index d4c0592a..fe7184a5 100644 --- a/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md @@ -2,10 +2,8 @@ Enable encryption for RDS instances ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of rds sgr Resources: - Instance: + GoodExample: Type: AWS::RDS::DBInstance Properties: StorageEncrypted: true diff --git a/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md index 8701d535..eb45d2c4 100644 --- a/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md @@ -2,10 +2,8 @@ Enable performance insights ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example Resources: - Queue: + GoodExample: Type: AWS::RDS::DBInstance Properties: EnablePerformanceInsights: true diff --git a/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md b/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md index 85e3cd04..34b6170f 100644 --- a/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md +++ b/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md @@ -2,15 +2,12 @@ Add descriptions for all security groups and rules ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of redshift sgr Resources: - Queue: + GoodExample: Type: AWS::Redshift::ClusterSecurityGroup Properties: Description: "Disallow bad stuff" - ``` 
diff --git a/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md b/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md index 285ecfc4..35ea8b57 100644 --- a/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md +++ b/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md @@ -2,16 +2,13 @@ Enable encryption using CMK ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of redshift cluster Resources: - Queue: + GoodExample: Type: AWS::Redshift::Cluster Properties: Encrypted: true KmsKeyId: "something" - ``` diff --git a/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md b/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md index 5ee49293..32dd1569 100644 --- a/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md +++ b/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md @@ -2,15 +2,12 @@ Deploy Redshift cluster into a non default VPC ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of redshift cluster Resources: - Queue: + GoodCluster: Type: AWS::Redshift::Cluster Properties: ClusterSubnetGroupName: "my-subnet-group" - ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md index 56c5f8c6..1d5ae66e 100644 --- a/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md @@ -4,13 +4,13 @@ Configure bucket encryption ```yaml Resources: GoodExample: + Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: - BucketKeyEnabled: true ServerSideEncryptionByDefault: SSEAlgorithm: AES256 - Type: AWS::S3::Bucket ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md index a7766b3f..da47c0fb 100644 --- a/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md 
@@ -4,10 +4,10 @@ Enable versioning to protect against accidental/malicious removal or modificatio ```yaml--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: VersioningConfiguration: Status: Enabled - Type: AWS::S3::Bucket ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md index b4cf72f0..fb0fac74 100644 --- a/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md @@ -4,6 +4,7 @@ Enable ignoring the application of public ACLs in PUT calls ```yaml--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: AccessControl: Private PublicAccessBlockConfiguration: @@ -11,7 +12,6 @@ Resources: BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Type: AWS::S3::Bucket ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md index ba29b338..534552fc 100644 --- a/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md @@ -4,9 +4,9 @@ Don't use canned ACLs or switch to private acl ```yaml--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: AccessControl: Private - Type: AWS::S3::Bucket ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md index 0f77f2e3..b1ae39f4 100644 --- a/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md @@ -4,13 +4,13 @@ Limit the access to public buckets to only the owner or AWS Services (eg; CloudF ```yaml--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Type: AWS::S3::Bucket ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md index 2fcff6ae..4573fda2 100644 
--- a/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md @@ -4,6 +4,7 @@ Define a aws_s3_bucket_public_access_block for the given bucket to control publi ```yaml--- Resources: GoodExample: + Type: AWS::S3::Bucket Properties: AccessControl: Private PublicAccessBlockConfiguration: @@ -11,7 +12,6 @@ Resources: BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Type: AWS::S3::Bucket ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md index ca02c350..e61b1766 100644 --- a/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md @@ -4,6 +4,7 @@ Enable encryption using customer managed keys ```yaml Resources: GoodExample: + Type: AWS::S3::Bucket Properties: BucketEncryption: ServerSideEncryptionConfiguration: @@ -11,7 +12,6 @@ Resources: ServerSideEncryptionByDefault: KMSMasterKeyID: kms-arn SSEAlgorithm: aws:kms - Type: AWS::S3::Bucket ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md index df4a9779..1740b3bf 100644 --- a/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md @@ -2,10 +2,8 @@ Enable cache encryption ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example diff --git a/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md index 70af5c17..9f61c0d9 100644 --- a/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md @@ -2,10 +2,8 @@ Enable tracing ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example 
diff --git a/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md index 4ccf336a..e0bc77dd 100644 --- a/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md @@ -2,10 +2,8 @@ Use the most modern TLS/SSL policies available ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example diff --git a/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md index 95ca9abe..320a9f24 100644 --- a/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md @@ -2,10 +2,8 @@ Enable logging for API Gateway stages ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::Api Properties: Name: Good SAM API example diff --git a/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md index 51d1242a..240a4e18 100644 --- a/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md @@ -2,8 +2,6 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Function Resources: GoodFunction: Type: AWS::Serverless::Function diff --git a/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md index 14fbea69..0809c6c4 100644 --- a/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md 
@@ -2,10 +2,8 @@ Enable logging for API Gateway stages ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: - ApiGatewayApi: + GoodExample: Type: AWS::Serverless::HttpApi Properties: Name: Good SAM API example diff --git a/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md index 9cc1aa66..ec59fff7 100644 --- a/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md @@ -2,8 +2,6 @@ Enable tracing ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM API Resources: GoodStateMachine: Type: AWS::Serverless::StateMachine diff --git a/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md index 07f97cb8..f6af777e 100644 --- a/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md @@ -2,8 +2,6 @@ Specify the exact permissions required, and to which resources they should apply instead of using wildcards. ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Function Resources: GoodFunction: Type: AWS::Serverless::StateMachine diff --git a/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md index a9e173d7..4d4da4d1 100644 --- a/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md @@ -2,8 +2,6 @@ Enable server side encryption ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Table Resources: GoodFunction: Type: AWS::Serverless::SimpleTable diff --git a/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md index 132c68a6..2862625f 100644 --- a/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md 
@@ -2,8 +2,6 @@ Enable tracing ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good Example of SAM Function Resources: GoodFunction: Type: AWS::Serverless::Function diff --git a/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md b/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md index ab23afc7..c761b104 100644 --- a/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md +++ b/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md @@ -2,16 +2,13 @@ Turn on SNS Topic encryption ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of topic Resources: - Queue: + GoodTopic: Type: AWS::SQS::Topic Properties: TopicName: blah KmsMasterKeyId: some-key - ``` diff --git a/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md b/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md index fee03701..c63a05f8 100644 --- a/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md +++ b/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md @@ -2,16 +2,13 @@ Use a CMK for SNS Topic encryption ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of topic Resources: - Queue: + GoodTopic: Type: AWS::SQS::Topic Properties: TopicName: blah KmsMasterKeyId: some-key - ``` diff --git a/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md b/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md index 5408c537..83b8e99b 100644 --- a/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md +++ b/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md @@ -2,16 +2,13 @@ Turn on SQS Queue encryption ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of queue Resources: - Queue: + GoodQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: some-key QueueName: my-queue - ``` diff --git a/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md b/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md index 98791c9e..5155816b 100644 --- a/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md +++ b/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md 
@@ -2,10 +2,8 @@ Keep policy scope to the minimum that is required to be effective ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of queue policy Resources: - MyQueue: + GoodQueue: Type: AWS::SQS::Queue Properties: Name: something diff --git a/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md b/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md index 45c261df..16279589 100644 --- a/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md +++ b/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md @@ -2,16 +2,13 @@ Encrypt SQS Queue with a customer-managed key ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of queue Resources: - Queue: + GoodQueue: Type: AWS::SQS::Queue Properties: KmsMasterKeyId: some-key QueueName: my-queue - ``` diff --git a/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md b/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md index b8b3b11b..f5a80493 100644 --- a/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md +++ b/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md @@ -2,10 +2,8 @@ Use customer managed keys ```yaml--- -AWSTemplateFormatVersion: 2010-09-09 -Description: Good example of ingress rule Resources: - Secret: + GoodSecret: Type: AWS::SecretsManager::Secret Properties: Description: "secret"