feat(sast): Python cdk policies batch 2 (bridgecrewio#5725)
* 5 policies added * name change * 16 more policies * 3 more policies * fixes * fixes * fixes * new policies * new policies * blank lines deleted * new policy * fix secrets * add test * blanks * blanks * fixes * typo * fix * fix ids * added tests * fixes * improvements * improvements --------- Co-authored-by: pazbechor <[email protected]>
Showing
48 changed files
with
1,171 additions
and
35 deletions.
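--- a/cdk_integration_tests/src/python/APIGatewayAccessLogging/fail__2__.py
+++ b/cdk_integration_tests/src/python/APIGatewayAccessLogging/fail__2__.py
@@ -0,0 +1,66 @@
+from aws_cdk import aws_apigateway as apigateway
+
+cfn_stage = apigateway.CfnStage(self, "MyCfnStage",
+rest_api_id="restApiId",
+
+# the properties below are optional
+
+cache_cluster_enabled=False,
+cache_cluster_size="cacheClusterSize",
+canary_setting=apigateway.CfnStage.CanarySettingProperty(
+deployment_id="deploymentId",
+percent_traffic=123,
+stage_variable_overrides={
+"stage_variable_overrides_key": "stageVariableOverrides"
+},
+use_stage_cache=False
+),
+client_certificate_id="clientCertificateId",
+deployment_id="deploymentId",
+description="description",
+documentation_version="documentationVersion",
+method_settings=[apigateway.CfnStage.MethodSettingProperty(
+cache_data_encrypted=False,
+cache_ttl_in_seconds=123,
+caching_enabled=False,
+data_trace_enabled=False,
+http_method="httpMethod",
+logging_level="loggingLevel",
+metrics_enabled=False,
+resource_path="resourcePath",
+throttling_burst_limit=123,
+throttling_rate_limit=123
+)],
+stage_name="stageName",
+tags=[CfnTag(
+key="key",
+value="value"
+)],
+tracing_enabled=False,
+variables={
+"variables_key": "variables"
+}
+)
+
+from aws_cdk import core
+from aws_cdk import aws_serverless as serverless
+
+class ServerlessApiWithAccessLogStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create a Serverless API
+serverless.Api(
+self, "MyApi",
+default_stage={
+"stage_name": "prod",
+"access_log_setting": serverless.AccessLogSetting(
+format=serverless.AccessLogFormat.json_with_standard_fields()
+)
+}
+)
+
+app = core.App()
+ServerlessApiWithAccessLogStack(app, "ServerlessApiWithAccessLogStack")
+app.synth()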
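Review bot: `self` is referenced at module level in `cfn_stage = apigateway.CfnStage(self, "MyCfnStage", ...)` and `CfnTag` is used without any import, so this fixture is not a runnable CDK app and only works because the policy matcher never has to resolve those names; the pass.py fixture for the same policy in this commit has the same shape. If the files are meant to stay parse-only fixtures, a header comment such as `# NOTE: SAST fixture only; not a valid CDK app (module-level self, CfnTag not imported)` stops a later contributor from "fixing" them in a way that changes what the matcher sees. If they are meant to be real apps, the CfnStage block belongs inside the stack's `__init__` and the tag needs `core.CfnTag`, given the v1 `aws_cdk.core` import used further down.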
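--- a/cdk_integration_tests/src/python/APIGatewayAccessLogging/pass.py
+++ b/cdk_integration_tests/src/python/APIGatewayAccessLogging/pass.py
@@ -0,0 +1,70 @@
+from aws_cdk import aws_apigateway as apigateway
+
+cfn_stage = apigateway.CfnStage(self, "MyCfnStage",
+rest_api_id="restApiId",
+
+# the properties below are optional
+access_log_setting=apigateway.CfnStage.AccessLogSettingProperty(
+destination_arn="destinationArn",
+format="format"
+),
+cache_cluster_enabled=False,
+cache_cluster_size="cacheClusterSize",
+canary_setting=apigateway.CfnStage.CanarySettingProperty(
+deployment_id="deploymentId",
+percent_traffic=123,
+stage_variable_overrides={
+"stage_variable_overrides_key": "stageVariableOverrides"
+},
+use_stage_cache=False
+),
+client_certificate_id="clientCertificateId",
+deployment_id="deploymentId",
+description="description",
+documentation_version="documentationVersion",
+method_settings=[apigateway.CfnStage.MethodSettingProperty(
+cache_data_encrypted=False,
+cache_ttl_in_seconds=123,
+caching_enabled=False,
+data_trace_enabled=False,
+http_method="httpMethod",
+logging_level="loggingLevel",
+metrics_enabled=False,
+resource_path="resourcePath",
+throttling_burst_limit=123,
+throttling_rate_limit=123
+)],
+stage_name="stageName",
+tags=[CfnTag(
+key="key",
+value="value"
+)],
+tracing_enabled=False,
+variables={
+"variables_key": "variables"
+}
+)
+
+from aws_cdk import core
+from aws_cdk import aws_serverless as serverless
+
+class ServerlessApiWithAccessLogStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create a Serverless API
+serverless.Api(
+self, "MyApi",
+default_stage={
+"stage_name": "prod",
+"access_log_setting": serverless.AccessLogSetting(
+destination_arn="arn:aws:logs:us-east-1:123456789012:log-group/MyLogGroup",
+format=serverless.AccessLogFormat.json_with_standard_fields()
+)
+}
+)
+
+app = core.App()
+ServerlessApiWithAccessLogStack(app, "ServerlessApiWithAccessLogStack")
+app.synth()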
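--- a/cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/fail__1__.py
+++ b/cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/fail__1__.py
@@ -0,0 +1,21 @@
+from aws_cdk import core
+from aws_cdk import aws_amazonmq as amazonmq
+
+class AmazonMQStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create an Amazon MQ broker with PubliclyAccessible set to false
+amazonmq_broker = amazonmq.CfnBroker(
+self,
+"MyAmazonMQBroker",
+broker_name="my-amazon-mq-broker",
+engine_type="ACTIVEMQ",
+host_instance_type="mq.t2.micro",
+publicly_accessible=True, # Set PubliclyAccessible to false
+)
+
+app = core.App()
+AmazonMQStack(app, "AmazonMQStack")
+app.synth()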
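Review bot: The inline comment on `publicly_accessible=True, # Set PubliclyAccessible to false` and the header comment `# Create an Amazon MQ broker with PubliclyAccessible set to false` both contradict the value, which is the one property this fail fixture exists to demonstrate. A reader comparing it with pass.py gets the opposite message from the comments. Suggest `publicly_accessible=True,  # intentionally public: expected to be flagged by AmazonMQBrokerPublicAccess` and `# Create an Amazon MQ broker that is publicly accessible (expected policy failure)`.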
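--- a/cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/pass.py
+++ b/cdk_integration_tests/src/python/AmazonMQBrokerPublicAccess/pass.py
@@ -0,0 +1,21 @@
+from aws_cdk import core
+from aws_cdk import aws_amazonmq as amazonmq
+
+class AmazonMQStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create an Amazon MQ broker with PubliclyAccessible set to false
+amazonmq_broker = amazonmq.CfnBroker(
+self,
+"MyAmazonMQBroker",
+broker_name="my-amazon-mq-broker",
+engine_type="ACTIVEMQ",
+host_instance_type="mq.t2.micro",
+publicly_accessible=False, # Set PubliclyAccessible to false
+)
+
+app = core.App()
+AmazonMQStack(app, "AmazonMQStack")
+app.synth()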
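--- a/cdk_integration_tests/src/python/AppSyncFieldLevelLogs/fail__1__.py
+++ b/cdk_integration_tests/src/python/AppSyncFieldLevelLogs/fail__1__.py
@@ -0,0 +1,24 @@
+from aws_cdk import core
+from aws_cdk import aws_appsync as appsync
+
+class AppSyncStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Define the GraphQL API using CfnGraphQLApi
+graphql_api = appsync.CfnGraphQLApi(
+self,
+"AppSyncGraphQLApi",
+name="MyAppSyncAPI",
+authentication_type="API_KEY", # You can change the authentication type
+log_config=appsync.CfnGraphQLApi.LogConfigProperty(
+cloud_watch_logs_role_arn="cloudWatchLogsRoleArn",
+exclude_verbose_content=False,
+),
+)
+
+
+app = core.App()
+AppSyncStack(app, "AppSyncStack")
+app.synth()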
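--- a/cdk_integration_tests/src/python/AppSyncFieldLevelLogs/pass.py
+++ b/cdk_integration_tests/src/python/AppSyncFieldLevelLogs/pass.py
@@ -0,0 +1,25 @@
+from aws_cdk import core
+from aws_cdk import aws_appsync as appsync
+
+class AppSyncStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Define the GraphQL API using CfnGraphQLApi
+graphql_api = appsync.CfnGraphQLApi(
+self,
+"AppSyncGraphQLApi",
+name="MyAppSyncAPI",
+authentication_type="API_KEY", # You can change the authentication type
+log_config=appsync.CfnGraphQLApi.LogConfigProperty(
+cloud_watch_logs_role_arn="cloudWatchLogsRoleArn",
+exclude_verbose_content=False,
+field_log_level=appsync.FieldLogLevel.ALL
+),
+)
+
+
+app = core.App()
+AppSyncStack(app, "AppSyncStack")
+app.synth()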
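Review bot: `field_log_level=appsync.FieldLogLevel.ALL` passes an L2 enum member to a Cfn (L1) property that, as far as I can tell, is typed as a plain string, while the AppSyncLogging fixtures in this same commit spell the same property as a string literal. Unless the matcher is meant to accept both spellings, the pass fixture is more representative as `field_log_level="ALL"`. If both forms are deliberately supported, a second pass fixture per spelling would document that the policy recognises either, rather than leaving it to one example.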
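--- a/cdk_integration_tests/src/python/AppSyncLogging/fail__1__.py
+++ b/cdk_integration_tests/src/python/AppSyncLogging/fail__1__.py
@@ -0,0 +1,24 @@
+from aws_cdk import core
+from aws_cdk import aws_appsync as appsync
+
+class AppSyncStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Define the GraphQL API using CfnGraphQLApi
+graphql_api = appsync.CfnGraphQLApi(
+self,
+"AppSyncGraphQLApi",
+name="MyAppSyncAPI",
+authentication_type="API_KEY", # You can change the authentication type
+log_config=appsync.CfnGraphQLApi.LogConfigProperty(
+exclude_verbose_content=False,
+field_log_level="fieldLogLevel"
+),
+)
+
+
+app = core.App()
+AppSyncStack(app, "AppSyncStack")
+app.synth()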
@@ -0,0 +1,25 @@ | ||
from aws_cdk import core | ||
from aws_cdk import aws_appsync as appsync | ||
|
||
class AppSyncStack(core.Stack): | ||
|
||
def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: | ||
super().__init__(scope, id, **kwargs) | ||
|
||
# Define the GraphQL API using CfnGraphQLApi | ||
graphql_api = appsync.CfnGraphQLApi( | ||
self, | ||
"AppSyncGraphQLApi", | ||
name="MyAppSyncAPI", | ||
authentication_type="API_KEY", # You can change the authentication type | ||
log_config=appsync.CfnGraphQLApi.LogConfigProperty( | ||
cloud_watch_logs_role_arn="cloudWatchLogsRoleArn", | ||
exclude_verbose_content=False, | ||
field_log_level="fieldLogLevel" | ||
), | ||
) | ||
|
||
|
||
app = core.App() | ||
AppSyncStack(app, "AppSyncStack") | ||
app.synth() |
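--- a/cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/fail__1__.py
+++ b/cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/fail__1__.py
@@ -0,0 +1,28 @@
+from aws_cdk import core
+from aws_cdk import aws_athena as athena
+
+class AthenaStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create an Athena WorkGroup
+workgroup = athena.CfnWorkGroup(
+self,
+"MyAthenaWorkGroup",
+name="my-workgroup",
+description="My Athena WorkGroup",
+state="ENABLED", # You can change the state
+work_group_configuration=athena.CfnWorkGroup.WorkGroupConfigurationProperty(
+additional_configuration="additionalConfiguration",
+bytes_scanned_cutoff_per_query=123,
+customer_content_encryption_configuration=athena.CfnWorkGroup.CustomerContentEncryptionConfigurationProperty(
+kms_key="kmsKey"
+),
+enforce_work_group_configuration=False,
+)
+)
+
+app = core.App()
+AthenaStack(app, "AthenaStack")
+app.synth()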
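--- a/cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/pass.py
+++ b/cdk_integration_tests/src/python/AthenaWorkgroupConfiguration/pass.py
@@ -0,0 +1,28 @@
+from aws_cdk import core
+from aws_cdk import aws_athena as athena
+
+class AthenaStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create an Athena WorkGroup
+workgroup = athena.CfnWorkGroup(
+self,
+"MyAthenaWorkGroup",
+name="my-workgroup",
+description="My Athena WorkGroup",
+state="ENABLED", # You can change the state
+work_group_configuration=athena.CfnWorkGroup.WorkGroupConfigurationProperty(
+additional_configuration="additionalConfiguration",
+bytes_scanned_cutoff_per_query=123,
+customer_content_encryption_configuration=athena.CfnWorkGroup.CustomerContentEncryptionConfigurationProperty(
+kms_key="kmsKey"
+),
+enforce_work_group_configuration=True,
+)
+)
+
+app = core.App()
+AthenaStack(app, "AthenaStack")
+app.synth()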
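--- a/cdk_integration_tests/src/python/CloudTrailLogValidation/fail__1__.py
+++ b/cdk_integration_tests/src/python/CloudTrailLogValidation/fail__1__.py
@@ -0,0 +1,24 @@
+from aws_cdk import core
+from aws_cdk import aws_cloudtrail as cloudtrail
+from aws_cdk import aws_iam as iam
+
+class CloudTrailStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create an AWS CloudTrail trail using CfnTrail
+trail = cloudtrail.CfnTrail(
+self,
+"MyCloudTrail",
+is_logging=True,
+enable_log_file_validation=False,
+management_events=[
+cloudtrail.ReadWriteType.WRITE_ONLY,
+],
+include_global_service_events=True,
+)
+
+app = core.App()
+CloudTrailStack(app, "CloudTrailStack")
+app.synth()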
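Review bot: `management_events=[cloudtrail.ReadWriteType.WRITE_ONLY]` is, as far as I can tell, a keyword of the L2 `cloudtrail.Trail` construct rather than of `CfnTrail`, and a `CfnTrail` normally also needs `s3_bucket_name`, so this fixture is not a valid L1 trail definition even though the matcher presumably only inspects `enable_log_file_validation`. The `from aws_cdk import aws_iam as iam` import is unused. The pass.py fixture for CloudTrailLogValidation in this commit has the same shape. If a minimal fixture is the goal, dropping the `management_events` list and the unused import, and adding `s3_bucket_name="<bucket-name-placeholder>",` (constructed placeholder), keeps the example representative of real CfnTrail usage.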
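--- a/cdk_integration_tests/src/python/CloudTrailLogValidation/pass.py
+++ b/cdk_integration_tests/src/python/CloudTrailLogValidation/pass.py
@@ -0,0 +1,24 @@
+from aws_cdk import core
+from aws_cdk import aws_cloudtrail as cloudtrail
+from aws_cdk import aws_iam as iam
+
+class CloudTrailStack(core.Stack):
+
+def __init__(self, scope: core.Construct, id: str, **kwargs) -> None:
+super().__init__(scope, id, **kwargs)
+
+# Create an AWS CloudTrail trail using CfnTrail
+trail = cloudtrail.CfnTrail(
+self,
+"MyCloudTrail",
+is_logging=True,
+enable_log_file_validation=True, # Enable log file validation
+management_events=[
+cloudtrail.ReadWriteType.WRITE_ONLY,
+],
+include_global_service_events=True,
+)
+
+app = core.App()
+CloudTrailStack(app, "CloudTrailStack")
+app.synth()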