This repository has been archived by the owner on Dec 30, 2024. It is now read-only.

Fix cfn-nag violations #204

Closed
JimTharioAmazon opened this issue Mar 2, 2021 · 1 comment
JimTharioAmazon (Member):

./msam-events-release.template

| WARN W58
|
| Resources: ["Collector", "AlarmUpdater"]
| Line Numbers: [-1, -1]
|
| Lambda functions require permission to write CloudWatch Logs

Failures count: 0
Warnings count: 2

./aws-media-services-application-mapper-release.template

Failures count: 0
Warnings count: 0

./msam-core-release.template

| WARN W58
|
| Resources: ["IncomingCloudwatchAlarm", "UpdateNodes", "UpdateConnections", "UpdateFromTags", "SsmRunCommand", "ProcessSsmRunCommand", "UpdateSsmNodes", "APIHandler"]
| Line Numbers: [-1, -1, -1, -1, -1, -1, -1, -1]
|
| Lambda functions require permission to write CloudWatch Logs

Failures count: 0
Warnings count: 8

./msam-dynamodb-release.template

| WARN W78
|
| Resources: ["Channels", "Events", "Layout", "Settings", "Content", "Alarms", "CloudWatchEvents"]
| Line Numbers: [51, 75, 152, 186, 200, 242, 298]
|
| DynamoDB table should have backup enabled, should be set using PointInTimeRecoveryEnabled

| WARN W74
|
| Resources: ["Channels", "Events", "Layout", "Settings", "Content", "Alarms", "CloudWatchEvents"]
| Line Numbers: [51, 75, 152, 186, 200, 242, 298]
|
| DynamoDB table should have encryption enabled using a CMK stored in KMS

| WARN W58
|
| Resources: ["DefaultSettingsResource"]
| Line Numbers: [6]
|
| Lambda functions require permission to write CloudWatch Logs

Failures count: 0
Warnings count: 15

./msam-browser-app-release.template

| WARN W10
|
| Resources: ["MSAMAppBucketCloudFrontDistribution"]
| Line Numbers: [23]
|
| CloudFront Distribution should enable access logging

| WARN W70
|
| Resources: ["MSAMAppBucketCloudFrontDistribution"]
| Line Numbers: [23]
|
| Cloudfront should use minimum protocol version TLS 1.2

| WARN W58
|
| Resources: ["MSAMWebContentResource", "MSAMWebInvalidationResource"]
| Line Numbers: [164, 214]
|
| Lambda functions require permission to write CloudWatch Logs

| WARN W35
|
| Resources: ["MSAMBrowserAppBucket"]
| Line Numbers: [146]
|
| S3 Bucket should have access logging configured

| WARN W41
|
| Resources: ["MSAMBrowserAppBucket"]
| Line Numbers: [146]
|
| S3 Bucket should have encryption option set

Failures count: 0
Warnings count: 6

./msam-iam-roles-release.template

| FAIL F5
|
| Resources: ["InstallationManagedPolicy"]
| Line Numbers: [278]
|
| IAM managed policy should not allow * action

| WARN W13
|
| Resources: ["InstallationManagedPolicy"]
| Line Numbers: [278]
|
| IAM managed policy should not allow * resource

| FAIL F39
|
| Resources: ["InstallationPolicy"]
| Line Numbers: [243]
|
| IAM policy should not allow * resource with PassRole action

| FAIL F4
|
| Resources: ["InstallationPolicy"]
| Line Numbers: [243]
|
| IAM policy should not allow * action

| WARN W12
|
| Resources: ["InstallationPolicy"]
| Line Numbers: [243]
|
| IAM policy should not allow * resource

| WARN W11
|
| Resources: ["EventsRole", "DynamoDBRole", "CoreRole", "WebRole"]
| Line Numbers: [6, 47, 82, 205]
|
| IAM role should not allow * resource on its permissions policy

| WARN W76
|
| Resources: ["CoreRole"]
| Line Numbers: [82]
|
| SPCM for IAM policy document is higher than 25

Failures count: 3
Warnings count: 7
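
The resource-level warnings in the report each map to a single property: W78 and W74 on the DynamoDB tables, W41 and W35 on the browser-app bucket, W70 and W10 on the CloudFront distribution. The template below is an added example and is not code from the MSAM project: the logical names mirror the report, while the table key attribute, the `DomainName` and `AcmCertificateArn` parameters and the bucket contents are placeholders. Two points worth noting: W70 cannot be cleared with the default `*.cloudfront.net` certificate, because CloudFront forces the TLSv1 policy whenever `CloudFrontDefaultCertificate` is used, so a TLS 1.2 floor needs a certificate of your own (issued in us-east-1); and the access-log bucket will itself raise W35, which is the one place a `cfn_nag` suppression with a written reason is the right answer rather than a fix.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not MSAM code) clearing W74/W78/W41/W35/W70/W10 from the report.

Parameters:
  DomainName:
    Type: String        # e.g. msam.example.com (placeholder)
  AcmCertificateArn:
    Type: String        # certificate for DomainName, issued in us-east-1 (placeholder)

Resources:
  # W74: a customer-managed KMS key (the default key policy applies when KeyPolicy
  # is omitted); W78: point-in-time recovery on the table.
  TableKey:
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true

  Channels:
    Type: AWS::DynamoDB::Table
    Properties:
      BillingMode: PAY_PER_REQUEST
      AttributeDefinitions: [{ AttributeName: arn, AttributeType: S }]   # key is a placeholder
      KeySchema: [{ AttributeName: arn, KeyType: HASH }]
      PointInTimeRecoverySpecification: { PointInTimeRecoveryEnabled: true }
      SSESpecification:
        SSEEnabled: true
        SSEType: KMS
        KMSMasterKeyId: !Ref TableKey

  # W41: default encryption; W35: access logging. The log target cannot log to
  # itself, so its own W35 is suppressed with a reason instead of being hidden.
  LogBucket:
    Type: AWS::S3::Bucket
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W35
            reason: Access-log destination; logging it to itself would loop.
    Properties:
      AccessControl: LogDeliveryWrite   # S3 and CloudFront log delivery write via ACL
      OwnershipControls: { Rules: [{ ObjectOwnership: BucketOwnerPreferred }] }
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault: { SSEAlgorithm: AES256 }
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true }

  MSAMBrowserAppBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault: { SSEAlgorithm: AES256 }
      LoggingConfiguration: { DestinationBucketName: !Ref LogBucket, LogFilePrefix: s3/ }
      PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true }

  # Origin access identity so the bucket stays private and only CloudFront reads it.
  AppOAI:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig: { Comment: browser app origin }

  AppBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MSAMBrowserAppBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: { CanonicalUser: !GetAtt AppOAI.S3CanonicalUserId }
            Action: "s3:GetObject"
            Resource: !Sub "${MSAMBrowserAppBucket.Arn}/*"

  # W70: the default *.cloudfront.net certificate pins the policy to TLSv1, so a
  # TLS 1.2 floor needs your own certificate; W10: standard access logging.
  MSAMAppBucketCloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [!Ref DomainName]
        DefaultRootObject: index.html
        Origins:
          - Id: app
            DomainName: !GetAtt MSAMBrowserAppBucket.RegionalDomainName
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${AppOAI}"
        DefaultCacheBehavior:
          TargetOriginId: app
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues: { QueryString: false }
        ViewerCertificate:
          AcmCertificateArn: !Ref AcmCertificateArn
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Logging:
          Bucket: !GetAtt LogBucket.DomainName
          Prefix: cloudfront/
```

Run `cfn_nag_scan --input-path <template>` against the file; a suppression only takes effect when it sits under `Metadata.cfn_nag.rules_to_suppress` of the resource it applies to, and `--print-suppression` lists what was waived so a reviewer can see the reasons rather than a clean report.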

JimTharioAmazon added the labels installation, build-and-deploy and CI/CD finding on Mar 2, 2021
JimTharioAmazon added this to the v1.9.0 milestone on Mar 2, 2021
JimTharioAmazon added a commit that referenced this issue Mar 2, 2021
JimTharioAmazon added a commit that referenced this issue Mar 3, 2021
JimTharioAmazon added a commit that referenced this issue Mar 3, 2021
JimTharioAmazon self-assigned this Mar 3, 2021
JimTharioAmazon added a commit that referenced this issue Mar 4, 2021
JimTharioAmazon added a commit that referenced this issue Mar 4, 2021
JimTharioAmazon added a commit that referenced this issue Mar 4, 2021
JimTharioAmazon (Member, Author):

Several '*' resource issues required suppressing in the IAM template. That template is general and applied first by compartmentalized groups before actual resource ARNs are known from the following templates.
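
The remaining findings all live in the IAM template. W58 is a finding about the execution role, not the function: the role must carry `logs:CreateLogGroup`, `logs:CreateLogStream` and `logs:PutLogEvents` itself. The F39 failure is the one that matters most for security, since `iam:PassRole` on `*` lets whoever holds the installation policy hand any role in the account to a service and inherit its permissions. The template below is an added example, not MSAM code, showing how each can be handled: fixing the function name lets the log permission name its own log group instead of `*`; PassRole is limited to listed roles and to the service that may receive them; a name-prefix pattern for tables that later stacks will create is a real restriction, unlike a bare `*`, and addresses the ordering problem described in the comment; and the List actions that accept no resource-level permissions keep `*` behind a suppression whose reason names the statement it covers. The `DeploymentBucket` parameter, the `-collector` function name and the table prefix are assumptions. W76 is not shown; since it scores each policy document separately, splitting `CoreRole`'s inline policy into several smaller `Policies` entries is the usual fix.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not MSAM code) of clearing or suppressing the W58 and IAM wildcard findings.

Parameters:
  DeploymentBucket:
    Type: String        # bucket the installer reads artifacts from (placeholder)

Resources:
  # W58: grant the three log actions on the role itself. Fixing the function name
  # up front lets Resource be that function's own log group rather than "*" (W11).
  EventsRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: "sts:AssumeRole"
      Policies:
        - PolicyName: cloudwatch-logs
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${AWS::StackName}-collector:*"

  Collector:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-collector"   # must match the log-group ARN above
      Role: !GetAtt EventsRole.Arn
      Runtime: python3.12
      Handler: index.handler
      Code:
        ZipFile: |
          def handler(event, context):
              return event

  # F39: PassRole on "*" lets the installer hand any role in the account to a
  # service. Name the roles it may pass and the service that may receive them.
  # F4/F5, W12/W13: named actions and ARNs. A name-prefix pattern covers tables
  # that later stacks create, which is the ordering problem the comment describes.
  InstallationManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W13
            reason: The List actions in DiscoverAccount accept no resource-level permissions, so "*" is the only valid resource for that statement.
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: PassProjectRolesToLambda
            Effect: Allow
            Action: "iam:PassRole"
            Resource: !GetAtt EventsRole.Arn
            Condition:
              StringEquals: { "iam:PassedToService": lambda.amazonaws.com }
          - Sid: ReadInstallerArtifacts
            Effect: Allow
            Action: ["s3:GetObject", "s3:ListBucket"]
            Resource:
              - !Sub "arn:${AWS::Partition}:s3:::${DeploymentBucket}"
              - !Sub "arn:${AWS::Partition}:s3:::${DeploymentBucket}/*"
          - Sid: ProjectTablesOnly
            Effect: Allow
            Action: ["dynamodb:DescribeTable", "dynamodb:UpdateTable"]
            Resource: !Sub "arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${AWS::StackName}-*"
          - Sid: DiscoverAccount
            Effect: Allow
            Action: ["cloudfront:ListDistributions", "dynamodb:ListTables"]
            Resource: "*"
```

The suppression reason is part of the control: it is what a later reviewer reads when `cfn_nag_scan --print-suppression` shows the waived finding, so it should say which statement needs the wildcard and why, not merely that the tool was silenced.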
