From 927280ef5c15d02cbf6419dd007777ca49410838 Mon Sep 17 00:00:00 2001
From: Adrian Dimech <51220968+agdimech@users.noreply.github.com>
Date: Mon, 18 Nov 2024 11:16:32 +1100
Subject: [PATCH] fix(pdk-nag): remove deprecated rules (#884)
---
packages/pdk-nag/src/packs/README.md | 4 +---
.../pdk-nag/src/packs/aws-prototyping-rules.ts | 14 --------------
packages/pdk-nag/test/prototyping-nag-pack.test.ts | 2 --
3 files changed, 1 insertion(+), 19 deletions(-)
diff --git a/packages/pdk-nag/src/packs/README.md b/packages/pdk-nag/src/packs/README.md
index 94b078563..453f49f1c 100644
--- a/packages/pdk-nag/src/packs/README.md
+++ b/packages/pdk-nag/src/packs/README.md
@@ -111,20 +111,18 @@ Total: `35`
### Warnings
-Total: `73`
+Total: `71`
| Rule ID | Cause | Explanation |
| ------------------ | ------------------ | ------------------ |
| APIGWAssociatedWithWAF | The REST API stage is not associated with AWS WAFv2 web ACL. | AWS WAFv2 is a web application firewall that helps protect web applications and APIs from attacks by allowing configured rules to allow, block, or monitor (count) web requests based on customizable rules and conditions that are defined. |
| APIGWAuthorization | The API does not implement authorization. | In most cases an API needs to have an authentication and authorization implementation strategy. This includes using such approaches as IAM, Cognito User Pools, Custom authorizer, etc.
Example threat: An actor with a network path to an API gateway stage end-point can interact with the API method in question without authorization, which may lead to reconnaissance and intrusion activities being performed against the exposed attack surface possibly impacting the confidentiality, integrity and availability of the data and resource assets associated with the prototype |
| APIGWRequestValidation | The REST API does not have request validation enabled. | The API should have basic request validation enabled. If the API is integrated with a custom source (Lambda, ECS, etc..) in the backend, deeper input validation should be considered for implementation. |
-| AthenaWorkgroupEncryptedQueryResults | The Athena workgroup does not encrypt query results. | Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption. |
| CloudFrontDistributionHttpsViewerNoOutdatedSSL | The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use that use the default CloudFront viewer certificate or use 'vip' for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion |
| CloudFrontDistributionNoOutdatedSSL | The CloudFront distributions uses SSLv3 or TLSv1 for communication to the origin. | Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Using a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS helps protect viewer connections. |
| CloudFrontDistributionWAFIntegration | The CloudFront distribution may require integration with AWS WAF. | The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them. |
| CodeBuildProjectKMSEncryptedArtifacts | The CodeBuild project does not use an AWS KMS key for encryption. | Using an AWS KMS key helps follow the standard security advice of granting least privilege to objects generated by the project. |
| CodeBuildProjectManagedImages | The CodeBuild project does not use images provided by the CodeBuild service or have a cdk-nag suppression rule explaining the need for a custom image. | Explaining differences/edits to Docker images helps operators better understand system dependencies. |
-| CodeBuildProjectPrivilegedModeDisabled | The CodeBuild project has privileged mode enabled. | Privileged grants elevated rights to the system, which introduces additional risk. Privileged mode should only be set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails. |
| CognitoUserPoolAdvancedSecurityModeEnforced | The Cognito user pool does not have AdvancedSecurityMode set to ENFORCED. | Advanced security features enable the system to detect and act upon malicious sign-in attempts. |
| CognitoUserPoolAPIGWAuthorizer | The API Gateway method does not use a Cognito user pool authorizer. | API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API. |
| CognitoUserPoolMFA | The Cognito user pool is not configured to require MFA. | Multi-factor authentication (MFA) increases security for the application by adding another authentication method, and not relying solely on user name and password. |
diff --git a/packages/pdk-nag/src/packs/aws-prototyping-rules.ts b/packages/pdk-nag/src/packs/aws-prototyping-rules.ts
index ddde5f951..95639e82f 100644
--- a/packages/pdk-nag/src/packs/aws-prototyping-rules.ts
+++ b/packages/pdk-nag/src/packs/aws-prototyping-rules.ts
@@ -34,13 +34,6 @@ export let RuleMetadata = [
level: NagMessageLevel.WARN,
rule: rules.apigw.APIGWRequestValidation,
},
- {
- info: "The Athena workgroup does not encrypt query results.",
- explanation:
- "Encrypting query results stored in S3 helps secure data to meet compliance requirements for data-at-rest encryption.",
- level: NagMessageLevel.WARN,
- rule: rules.athena.AthenaWorkgroupEncryptedQueryResults,
- },
{
info: "The Auto Scaling launch configuration does not have public IP addresses disabled.",
explanation:
@@ -111,13 +104,6 @@ export let RuleMetadata = [
level: NagMessageLevel.WARN,
rule: rules.codebuild.CodeBuildProjectManagedImages,
},
- {
- info: "The CodeBuild project has privileged mode enabled.",
- explanation:
- "Privileged grants elevated rights to the system, which introduces additional risk. Privileged mode should only be set to true only if the build project is used to build Docker images. Otherwise, a build that attempts to interact with the Docker daemon fails.",
- level: NagMessageLevel.WARN,
- rule: rules.codebuild.CodeBuildProjectPrivilegedModeDisabled,
- },
{
info: "The Cognito user pool does not have AdvancedSecurityMode set to ENFORCED.",
explanation:
diff --git a/packages/pdk-nag/test/prototyping-nag-pack.test.ts b/packages/pdk-nag/test/prototyping-nag-pack.test.ts
index 413860298..92f1026ef 100644
--- a/packages/pdk-nag/test/prototyping-nag-pack.test.ts
+++ b/packages/pdk-nag/test/prototyping-nag-pack.test.ts
@@ -48,13 +48,11 @@ const expectedWarnings = [
"AwsPrototyping-APIGWAssociatedWithWAF",
"AwsPrototyping-APIGWAuthorization",
"AwsPrototyping-APIGWRequestValidation",
- "AwsPrototyping-AthenaWorkgroupEncryptedQueryResults",
"AwsPrototyping-CloudFrontDistributionHttpsViewerNoOutdatedSSL",
"AwsPrototyping-CloudFrontDistributionNoOutdatedSSL",
"AwsPrototyping-CloudFrontDistributionWAFIntegration",
"AwsPrototyping-CodeBuildProjectKMSEncryptedArtifacts",
"AwsPrototyping-CodeBuildProjectManagedImages",
- "AwsPrototyping-CodeBuildProjectPrivilegedModeDisabled",
"AwsPrototyping-CognitoUserPoolAdvancedSecurityModeEnforced",
"AwsPrototyping-CognitoUserPoolAPIGWAuthorizer",
"AwsPrototyping-CognitoUserPoolMFA",