/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/
import { parse } from 'path';
import { CfnResource, Stack } from 'aws-cdk-lib';
import {
CfnSecret,
CfnRotationSchedule,
CfnSecretTargetAttachment,
} from 'aws-cdk-lib/aws-secretsmanager';
import { NagRuleCompliance, NagRules } from '../../nag-rules';
/**
 * Secrets have automatic rotation scheduled.
 *
 * A secret is compliant when at least one `CfnRotationSchedule` in the same
 * stack targets it (directly, or through a `CfnSecretTargetAttachment` that
 * points at it), names a rotation function, and carries rotation rules with
 * `automaticallyAfterDays` set.
 * @param node the CfnResource to check
 * @returns NOT_APPLICABLE for anything that is not a CfnSecret, otherwise
 *          COMPLIANT / NON_COMPLIANT as described above.
 */
export default Object.defineProperty(
  (node: CfnResource): NagRuleCompliance => {
    if (!(node instanceof CfnSecret)) {
      return NagRuleCompliance.NOT_APPLICABLE;
    }
    const secretLogicalId = NagRules.resolveResourceFromInstrinsic(
      node,
      node.ref
    );
    // Walk the whole stack once and keep only the two resource kinds that can
    // tie a rotation schedule to this secret.
    const attachments: CfnSecretTargetAttachment[] = [];
    const schedules: CfnRotationSchedule[] = [];
    for (const construct of Stack.of(node).node.findAll()) {
      if (construct instanceof CfnSecretTargetAttachment) {
        attachments.push(construct);
      } else if (construct instanceof CfnRotationSchedule) {
        schedules.push(construct);
      }
    }
    // No schedule anywhere in the stack means this secret cannot be rotated.
    if (schedules.length === 0) {
      return NagRuleCompliance.NON_COMPLIANT;
    }
    // A schedule may reference the secret indirectly via a target attachment,
    // so collect the logical IDs of the attachments that point at this secret.
    const attachmentLogicalIds = attachments
      .map((attachment) =>
        getMatchingSecretTargetAttachment(attachment, secretLogicalId)
      )
      .filter((logicalId) => Boolean(logicalId));
    const hasRotationSchedule = schedules.some((schedule) =>
      isMatchingRotationSchedule(
        schedule,
        secretLogicalId,
        attachmentLogicalIds
      )
    );
    return hasRotationSchedule
      ? NagRuleCompliance.COMPLIANT
      : NagRuleCompliance.NON_COMPLIANT;
  },
  'name',
  { value: parse(__filename).name }
);
/**
 * Helper function to check whether a given Secret Target Attachment is associated with the given secret.
 * @param node The CfnSecretTargetAttachment to check.
 * @param secretLogicalId The Cfn Logical ID of the secret.
 * @returns The Logical ID of the attachment if it is associated with the secret, otherwise an empty string.
 */
function getMatchingSecretTargetAttachment(
  node: CfnSecretTargetAttachment,
  secretLogicalId: string
): string {
  // The attachment's secretId may be an intrinsic (Ref/GetAtt); resolve it to
  // a logical ID before comparing.
  const attachedSecretId = NagRules.resolveResourceFromInstrinsic(
    node,
    node.secretId
  );
  return attachedSecretId === secretLogicalId
    ? NagRules.resolveResourceFromInstrinsic(node, node.ref)
    : '';
}
/**
 * Helper function to check whether a given Rotation Schedule is associated with the given secret
 * and actually defines a usable rotation.
 * @param node The CfnRotationSchedule to check.
 * @param secretLogicalId The Cfn Logical ID of the secret.
 * @param secretTargetAttachmentLogicalIds The Cfn Logical IDs of any Secret Target Attachments associated with the given secret.
 * @returns Whether the CfnRotationSchedule is associated with the given secret, names a
 *          rotation function, and has rotation rules with `automaticallyAfterDays` set.
 */
function isMatchingRotationSchedule(
  node: CfnRotationSchedule,
  secretLogicalId: string,
  secretTargetAttachmentLogicalIds: string[]
): boolean {
  const stack = Stack.of(node);
  const scheduledSecretId = NagRules.resolveResourceFromInstrinsic(
    node,
    node.secretId
  );
  // The schedule may name the secret itself or one of its target attachments.
  const referencesSecret =
    scheduledSecretId === secretLogicalId ||
    secretTargetAttachmentLogicalIds.includes(scheduledSecretId);
  if (!referencesSecret) {
    return false;
  }
  // A schedule with neither a hosted rotation Lambda nor a rotation Lambda ARN
  // has nothing to run, so it does not count as rotation.
  const hasRotationFunction =
    stack.resolve(node.hostedRotationLambda) !== undefined ||
    stack.resolve(node.rotationLambdaArn) !== undefined;
  if (!hasRotationFunction) {
    return false;
  }
  const rotationRules = stack.resolve(node.rotationRules);
  if (rotationRules === undefined) {
    return false;
  }
  // NOTE(review): only `automaticallyAfterDays` is recognised as a schedule;
  // rotation rules expressed some other way (e.g. a schedule expression, if the
  // construct supports one) would be reported as no schedule — confirm intended.
  return stack.resolve(rotationRules.automaticallyAfterDays) !== undefined;
}