diff --git a/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts new file mode 100644 index 00000000000..0e657cf3590 --- /dev/null +++ b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail.ts @@ -0,0 +1,6 @@ +import { aws_iam as iam } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: iam.PolicyProps = { + statements: [{}], + users: [{}] +}; diff --git a/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts new file mode 100644 index 00000000000..647d7c4c6f4 --- /dev/null +++ b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/fail2.ts @@ -0,0 +1,26 @@ +import { aws_iam as iam } from 'aws-cdk-lib'; + +const a = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], + users: ['sdsd'] +}); + +const b = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}); +console.log('dsd') +b.attachToUser({}) + +const c = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}); +c.attachToUser({}) \ No newline at end of file diff --git a/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts new file mode 100644 index 00000000000..6697828bc2e --- /dev/null +++ b/cdk_integration_tests/src/typescript/IAMPolicyAttachedToGroupOrRoles/pass.ts @@ -0,0 +1,15 @@ +import { aws_iam as iam } from 'aws-cdk-lib'; + +const a = new iam.Policy(this, 'userpool-policy', { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}); + +const cfnSecurityConfigurationProps1: iam.PolicyProps = { + statements: [new iam.PolicyStatement({ + actions: ['cognito-idp:DescribeUserPool'], + resources: ['Arn'], + })], +}; diff --git a/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts new file mode 100644 index 00000000000..20232b10244 --- /dev/null +++ b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail.ts @@ -0,0 +1,10 @@ +import { aws_kinesis as kinesis } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = { + streamEncryption: { encryptionType: "None", keyId: "dfdf"}, + name: 'name', +}; + +const cfnSecurityConfigurationProps2: kinesis.CfnStreamProps = { + name: 'name', +}; diff --git a/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts new file mode 100644 index 00000000000..5afeac9376a --- /dev/null +++ b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/fail2.ts @@ -0,0 +1,10 @@ +import { aws_kinesis as kinesis } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', { + streamEncryption: { encryptionType: "None", keyId: "dfdf"}, + name: 'name', +}); + +const cfnSecurityConfiguration2 = new kinesis.CfnStream(this, 'MyCfnSecurityConfiguration', { + name: 'name', +}); diff --git a/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts new file mode 100644 index 00000000000..815a69069e1 --- /dev/null +++ b/cdk_integration_tests/src/typescript/KinesisStreamEncryptionType/pass.ts @@ -0,0 +1,6 @@ +import { aws_kinesis as kinesis } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: kinesis.CfnStreamProps = { + streamEncryption: { encryptionType: "KMS", keyId: "dfdf"}, + name: 'name', +}; diff --git a/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts new file mode 100644 index 00000000000..f6c67f57e14 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail.ts @@ -0,0 +1,16 @@ +import { aws_lambda as lambda } from 'aws-cdk-lib'; +import { aws_sam as sam } from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", +}; + +const cfnSecurityConfigurationProps1: lambda.CfnFunctionProps = { + name: 'name', + role: "", +}; + +const cfnSecurityConfigurationProps2: sam.CfnFunctionProps = { + name: 'name', +}; diff --git a/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts new file mode 100644 index 00000000000..78e459dc77d --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/fail2.ts @@ -0,0 +1,17 @@ +import { aws_lambda as lambda } from 'aws-cdk-lib'; +import { aws_sam as sam } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', +}); diff --git a/cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts new file mode 100644 index 00000000000..ac1785db264 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaDLQConfigured/pass.ts @@ -0,0 +1,21 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + deadLetterQueue: {}, + deadLetterQueueEnabled: true, +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + deadLetterConfig: {}, +}); + +const cfnSecurityConfiguration2 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + deadLetterQueue: {}, +}); \ No newline at end of file diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts new file mode 100644 index 00000000000..16236a09dab --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail.ts @@ -0,0 +1,29 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", + environment: { + "bla": "bla", + } +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", + environment: { + variables: { + "bla": "bla", + } + } +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}; diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts new file mode 100644 index 00000000000..1e3b04d006f --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/fail2.ts @@ -0,0 +1,30 @@ +import { aws_lambda as lambda } from 'aws-cdk-lib'; +import { aws_sam as sam } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + "bla": "bla", + } +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + "bla": "bla", + } + } +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}); diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts new file mode 100644 index 00000000000..53fd9d05779 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentCredentials/pass.ts @@ -0,0 +1,63 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + "bla": "bla", + }, + environmentEncryption: {} +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + "bla": "bla", + } + }, + kmsKeyArn: "arn" +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + bla: "bla", + } + }, + kmsKeyArn: "arn" +}); + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", + environment: { + "bla": "bla", + }, + environmentEncryption: {} +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", + environment: { + variables: { + "bla": "bla", + } + }, + kmsKeyArn: "arn" +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', + environment: { + variables: { + bla: "bla", + } + }, + kmsKeyArn: "arn" +}; diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts new file mode 100644 index 00000000000..16236a09dab --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail.ts @@ -0,0 +1,29 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", + environment: { + "bla": "bla", + } +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", + environment: { + variables: { + "bla": "bla", + } + } +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}; diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts new file mode 100644 index 00000000000..7b177449acd --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/fail2.ts @@ -0,0 +1,30 @@ +import { aws_lambda as lambda } from 'aws-cdk-lib'; +import { aws_sam as sam } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + "bla": "bla", + }, +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + "bla": "bla", + } + } +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}); diff --git a/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts new file mode 100644 index 00000000000..5b8dc049840 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaEnvironmentEncryptionSettings/pass.ts @@ -0,0 +1,31 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', +}); + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', +}; diff --git a/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts new file mode 100644 index 00000000000..16236a09dab --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail.ts @@ -0,0 +1,29 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", + environment: { + "bla": "bla", + } +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", + environment: { + variables: { + "bla": "bla", + } + } +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}; diff --git a/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts new file mode 100644 index 00000000000..1e3b04d006f --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/fail2.ts @@ -0,0 +1,30 @@ +import { aws_lambda as lambda } from 'aws-cdk-lib'; +import { aws_sam as sam } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + "bla": "bla", + } +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + "bla": "bla", + } + } +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}); diff --git a/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts new file mode 100644 index 00000000000..8f3a13bb29c --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaFunctionLevelConcurrentExecutionLimit/pass.ts @@ -0,0 +1,69 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + "bla": "bla", + }, + environmentEncryption: {}, + "reservedConcurrentExecutions": 1, +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + "bla": "bla", + } + }, + kmsKeyArn: "arn", + reservedConcurrentExecutions: 1, +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + bla: "bla", + } + }, + kmsKeyArn: "arn", + reservedConcurrentExecutions: 1, +}); + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", + environment: { + "bla": "bla", + }, + environmentEncryption: {}, + reservedConcurrentExecutions: 1, +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", + environment: { + variables: { + "bla": "bla", + } + }, + kmsKeyArn: "arn", + reservedConcurrentExecutions: 1, +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', + environment: { + variables: { + bla: "bla", + } + }, + kmsKeyArn: "arn", + reservedConcurrentExecutions: 1, +}; diff --git a/cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts b/cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts new file mode 100644 index 00000000000..16236a09dab --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaInVPC/fail.ts @@ -0,0 +1,29 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", + environment: { + "bla": "bla", + } +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", + environment: { + variables: { + "bla": "bla", + } + } +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}; diff --git a/cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts b/cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts new file mode 100644 index 00000000000..63deab6d904 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaInVPC/fail2.ts @@ -0,0 +1,27 @@ +import { aws_lambda as lambda } from 'aws-cdk-lib'; +import { aws_sam as sam } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + "bla": "bla", + } + } +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + bla: "bla", + } + } +}); diff --git a/cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts b/cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts new file mode 100644 index 00000000000..4fc24e72e40 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LambdaInVPC/pass.ts @@ -0,0 +1,69 @@ +import {aws_lambda as lambda} from 'aws-cdk-lib'; +import {aws_sam as sam} from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new lambda.Function(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + "bla": "bla", + }, + environmentEncryption: {}, + "vpc": {}, +}); + +const cfnSecurityConfiguration2 = new lambda.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + "bla": "bla", + } + }, + kmsKeyArn: "arn", + vpcConfig: {}, +}); + +const cfnSecurityConfiguration3 = new sam.CfnFunction(this, 'MyCfnSecurityConfiguration', { + role: "", + name: 'name', + environment: { + variables: { + bla: "bla", + } + }, + kmsKeyArn: "arn", + vpcConfig: {}, +}); + +const cfnSecurityConfigurationProps1: lambda.FunctionProps = { + name: 'name', + role: "", + environment: { + "bla": "bla", + }, + environmentEncryption: {}, + reservedConcurrentExecutions: 1, +}; + +const cfnSecurityConfigurationProps2: lambda.CfnFunctionProps = { + name: 'name', + role: "", + environment: { + variables: { + "bla": "bla", + } + }, + kmsKeyArn: "arn", + reservedConcurrentExecutions: 1, +}; + +const cfnSecurityConfigurationProps3: sam.CfnFunctionProps = { + name: 'name', + environment: { + variables: { + bla: "bla", + } + }, + kmsKeyArn: "arn", + reservedConcurrentExecutions: 1, +}; diff --git a/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts new file mode 100644 index 00000000000..1d3aa5f5bf0 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail.ts @@ -0,0 +1,44 @@ +import {aws_autoscaling as autoscaling} from 'aws-cdk-lib'; + +const cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = { + imageId: 'imageId', + instanceType: 'instanceType', + + // the properties below are optional + associatePublicIpAddress: false, + blockDeviceMappings: [{ + deviceName: 'deviceName', + + // the properties below are optional + ebs: { + deleteOnTermination: false, + encrypted: false, + iops: 123, + snapshotId: 'snapshotId', + throughput: 123, + volumeSize: 123, + volumeType: 'volumeType', + }, + noDevice: false, + virtualName: 'virtualName', + }], + classicLinkVpcId: 'classicLinkVpcId', + classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'], + ebsOptimized: false, + iamInstanceProfile: 'iamInstanceProfile', + instanceId: 'instanceId', + instanceMonitoring: false, + kernelId: 'kernelId', + keyName: 'keyName', + launchConfigurationName: 'launchConfigurationName', + metadataOptions: { + httpEndpoint: 'httpEndpoint', + httpPutResponseHopLimit: 123, + httpTokens: 'httpTokens', + }, + placementTenancy: 'placementTenancy', + ramDiskId: 'ramDiskId', + securityGroups: ['securityGroups'], + spotPrice: 'spotPrice', + userData: 'userData', +}; diff --git a/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts new file mode 100644 index 00000000000..1e181aa899f --- /dev/null +++ b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/fail2.ts @@ -0,0 +1,30 @@ +import {aws_autoscaling as autoscaling} from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', { + imageId: 'imageId', + instanceType: 'instanceType', + blockDeviceMappings: [{ + deviceName: 'deviceName', + + // the properties below are optional + ebs: { + deleteOnTermination: false, + encrypted: false, + iops: 123, + snapshotId: 'snapshotId', + throughput: 123, + volumeSize: 123, + volumeType: 'volumeType', + }, + noDevice: false, + virtualName: 'virtualName', + }], +}); + +const cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', { + blockDeviceMappings: [{ + ebs: { + encrypted: false, + }, + }], +}); diff --git a/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts new file mode 100644 index 00000000000..112dd95dce5 --- /dev/null +++ b/cdk_integration_tests/src/typescript/LaunchConfigurationEBSEncryption/pass.ts @@ -0,0 +1,155 @@ +import { aws_autoscaling as autoscaling } from 'aws-cdk-lib'; + +const cfnSecurityConfiguration1 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', { + imageId: 'imageId', + instanceType: 'instanceType', + blockDeviceMappings: [{ + deviceName: 'deviceName', + + // the properties below are optional + ebs: { + deleteOnTermination: false, + encrypted: true, + iops: 123, + snapshotId: 'snapshotId', + throughput: 123, + volumeSize: 123, + volumeType: 'volumeType', + }, + noDevice: false, + virtualName: 'virtualName', + }], +}); + +const cfnSecurityConfiguration2 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', { + imageId: 'imageId', + instanceType: 'instanceType', + blockDeviceMappings: [{ + deviceName: 'deviceName', + + // the properties below are optional + ebs: { + deleteOnTermination: false, + iops: 123, + snapshotId: 'snapshotId', + throughput: 123, + volumeSize: 123, + volumeType: 'volumeType', + }, + noDevice: false, + virtualName: 'virtualName', + }], +}); + +const cfnSecurityConfiguration3 = new autoscaling.CfnLaunchConfiguration(this, 'MyCfnSecurityConfiguration', { + imageId: 'imageId', + instanceType: 'instanceType', + blockDeviceMappings: [{ + deviceName: 'deviceName', + noDevice: false, + virtualName: 'virtualName', + }], +}); + +const cfnSecurityConfigurationProps1: autoscaling.CfnLaunchConfigurationProps = { + imageId: 'imageId', + instanceType: 'instanceType', + + // the properties below are optional + associatePublicIpAddress: false, + blockDeviceMappings: [{ + deviceName: 'deviceName', + + // the properties below are optional + ebs: { + deleteOnTermination: false, + encrypted: true, + iops: 123, + snapshotId: 'snapshotId', + throughput: 123, + volumeSize: 123, + volumeType: 'volumeType', + }, + noDevice: false, + virtualName: 'virtualName', + }], + classicLinkVpcId: 'classicLinkVpcId', + classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'], + ebsOptimized: false, + iamInstanceProfile: 'iamInstanceProfile', + instanceId: 'instanceId', + instanceMonitoring: false, + kernelId: 'kernelId', + keyName: 'keyName', + launchConfigurationName: 'launchConfigurationName', + metadataOptions: { + httpEndpoint: 'httpEndpoint', + httpPutResponseHopLimit: 123, + httpTokens: 'httpTokens', + }, + placementTenancy: 'placementTenancy', + ramDiskId: 'ramDiskId', + securityGroups: ['securityGroups'], + spotPrice: 'spotPrice', + userData: 'userData', +}; + +const cfnSecurityConfigurationProps2: autoscaling.CfnLaunchConfigurationProps = { + imageId: 'imageId', + instanceType: 'instanceType', + + // the properties below are optional + associatePublicIpAddress: false, + blockDeviceMappings: [{ + deviceName: 'deviceName', + noDevice: false, + virtualName: 'virtualName', + }], + classicLinkVpcId: 'classicLinkVpcId', + classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'], + ebsOptimized: false, + iamInstanceProfile: 'iamInstanceProfile', + instanceId: 'instanceId', + instanceMonitoring: false, + kernelId: 'kernelId', + keyName: 'keyName', + launchConfigurationName: 'launchConfigurationName', + metadataOptions: { + httpEndpoint: 'httpEndpoint', + httpPutResponseHopLimit: 123, + httpTokens: 'httpTokens', + }, + placementTenancy: 'placementTenancy', + ramDiskId: 'ramDiskId', + securityGroups: ['securityGroups'], + spotPrice: 'spotPrice', + userData: 'userData', +}; + +const cfnSecurityConfigurationProps3: autoscaling.CfnLaunchConfigurationProps = { + imageId: 'imageId', + instanceType: 'instanceType', + + // the properties below are optional + associatePublicIpAddress: false, + classicLinkVpcId: 'classicLinkVpcId', + classicLinkVpcSecurityGroups: ['classicLinkVpcSecurityGroups'], + ebsOptimized: false, + iamInstanceProfile: 'iamInstanceProfile', + instanceId: 'instanceId', + instanceMonitoring: false, + kernelId: 'kernelId', + keyName: 'keyName', + launchConfigurationName: 'launchConfigurationName', + metadataOptions: { + httpEndpoint: 'httpEndpoint', + httpPutResponseHopLimit: 123, + httpTokens: 'httpTokens', + }, + placementTenancy: 'placementTenancy', + ramDiskId: 'ramDiskId', + securityGroups: ['securityGroups'], + spotPrice: 'spotPrice', + userData: 'userData', +}; + diff --git a/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts new file mode 100644 index 00000000000..b84b3a028dd --- /dev/null +++ b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail.ts @@ -0,0 +1,44 @@ +import { aws_neptune as neptune } from 'aws-cdk-lib'; + +const cfnDBCluster1: neptune.CfnDBClusterProps = { + associatedRoles: [{ + roleArn: 'roleArn', + + // the properties below are optional + featureName: 'featureName', + }], + availabilityZones: ['availabilityZones'], + backupRetentionPeriod: 123, + copyTagsToSnapshot: false, + dbClusterIdentifier: 'dbClusterIdentifier', + dbClusterParameterGroupName: 'dbClusterParameterGroupName', + dbInstanceParameterGroupName: 'dbInstanceParameterGroupName', + dbPort: 123, + dbSubnetGroupName: 'dbSubnetGroupName', + deletionProtection: false, + enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'], + engineVersion: 'engineVersion', + iamAuthEnabled: false, + kmsKeyId: 'kmsKeyId', + preferredBackupWindow: 'preferredBackupWindow', + preferredMaintenanceWindow: 'preferredMaintenanceWindow', + restoreToTime: 'restoreToTime', + restoreType: 'restoreType', + serverlessScalingConfiguration: { + maxCapacity: 123, + minCapacity: 123, + }, + snapshotIdentifier: 'snapshotIdentifier', + sourceDbClusterIdentifier: 'sourceDbClusterIdentifier', + storageEncrypted: false, + tags: [{ + key: 'key', + value: 'value', + }], + useLatestRestorableTime: false, + vpcSecurityGroupIds: ['vpcSecurityGroupIds'], +}); + +const cfnDBCluster2: neptune.CfnDBClusterProps = { + storageEncrypted: false, +}; diff --git a/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts new file mode 100644 index 00000000000..861932fa4bc --- /dev/null +++ b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/fail2.ts @@ -0,0 +1,44 @@ +import { aws_neptune as neptune } from 'aws-cdk-lib'; + +const cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ { + associatedRoles: [{ + roleArn: 'roleArn', + + // the properties below are optional + featureName: 'featureName', + }], + availabilityZones: ['availabilityZones'], + backupRetentionPeriod: 123, + copyTagsToSnapshot: false, + dbClusterIdentifier: 'dbClusterIdentifier', + dbClusterParameterGroupName: 'dbClusterParameterGroupName', + dbInstanceParameterGroupName: 'dbInstanceParameterGroupName', + dbPort: 123, + dbSubnetGroupName: 'dbSubnetGroupName', + deletionProtection: false, + enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'], + engineVersion: 'engineVersion', + iamAuthEnabled: false, + kmsKeyId: 'kmsKeyId', + preferredBackupWindow: 'preferredBackupWindow', + preferredMaintenanceWindow: 'preferredMaintenanceWindow', + restoreToTime: 'restoreToTime', + restoreType: 'restoreType', + serverlessScalingConfiguration: { + maxCapacity: 123, + minCapacity: 123, + }, + snapshotIdentifier: 'snapshotIdentifier', + sourceDbClusterIdentifier: 'sourceDbClusterIdentifier', + storageEncrypted: false, + tags: [{ + key: 'key', + value: 'value', + }], + useLatestRestorableTime: false, + vpcSecurityGroupIds: ['vpcSecurityGroupIds'], +}); + +const cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ { + storageEncrypted: false, +}); \ No newline at end of file diff --git a/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts new file mode 100644 index 00000000000..c7bfa3cac36 --- /dev/null +++ b/cdk_integration_tests/src/typescript/NeptuneClusterStorageEncrypted/pass.ts @@ -0,0 +1,87 @@ +import {aws_neptune as neptune} from 'aws-cdk-lib'; + +const cfnDBCluster1 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ { + associatedRoles: [{ + roleArn: 'roleArn', + + // the properties below are optional + featureName: 'featureName', + }], + availabilityZones: ['availabilityZones'], + backupRetentionPeriod: 123, + copyTagsToSnapshot: false, + dbClusterIdentifier: 'dbClusterIdentifier', + dbClusterParameterGroupName: 'dbClusterParameterGroupName', + dbInstanceParameterGroupName: 'dbInstanceParameterGroupName', + dbPort: 123, + dbSubnetGroupName: 'dbSubnetGroupName', + deletionProtection: false, + enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'], + engineVersion: 'engineVersion', + iamAuthEnabled: false, + kmsKeyId: 'kmsKeyId', + preferredBackupWindow: 'preferredBackupWindow', + preferredMaintenanceWindow: 'preferredMaintenanceWindow', + restoreToTime: 'restoreToTime', + restoreType: 'restoreType', + serverlessScalingConfiguration: { + maxCapacity: 123, + minCapacity: 123, + }, + snapshotIdentifier: 'snapshotIdentifier', + sourceDbClusterIdentifier: 'sourceDbClusterIdentifier', + storageEncrypted: true, + tags: [{ + key: 'key', + value: 'value', + }], + useLatestRestorableTime: false, + vpcSecurityGroupIds: ['vpcSecurityGroupIds'], +}); + +const cfnDBCluster2 = new neptune.CfnDBCluster(this, 'MyCfnDBCluster', /* all optional props */ { + storageEncrypted: true, +}); + +const cfnDBCluster4: neptune.CfnDBClusterProps = { + associatedRoles: [{ + roleArn: 'roleArn', + + // the properties below are optional + featureName: 'featureName', + }], + availabilityZones: ['availabilityZones'], + backupRetentionPeriod: 123, + copyTagsToSnapshot: false, + dbClusterIdentifier: 'dbClusterIdentifier', + dbClusterParameterGroupName: 'dbClusterParameterGroupName', + dbInstanceParameterGroupName: 'dbInstanceParameterGroupName', + dbPort: 123, + dbSubnetGroupName: 'dbSubnetGroupName', + deletionProtection: false, + enableCloudwatchLogsExports: ['enableCloudwatchLogsExports'], + engineVersion: 'engineVersion', + iamAuthEnabled: false, + kmsKeyId: 'kmsKeyId', + preferredBackupWindow: 'preferredBackupWindow', + preferredMaintenanceWindow: 'preferredMaintenanceWindow', + restoreToTime: 'restoreToTime', + restoreType: 'restoreType', + serverlessScalingConfiguration: { + maxCapacity: 123, + minCapacity: 123, + }, + snapshotIdentifier: 'snapshotIdentifier', + sourceDbClusterIdentifier: 'sourceDbClusterIdentifier', + storageEncrypted: true, + tags: [{ + key: 'key', + value: 'value', + }], + useLatestRestorableTime: false, + vpcSecurityGroupIds: ['vpcSecurityGroupIds'], +}); + +const cfnDBCluster5: neptune.CfnDBClusterProps = { + storageEncrypted: true, +}; diff --git a/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts new file mode 100644 index 00000000000..ea8cb01972b --- /dev/null +++ b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/fail2.ts @@ -0,0 +1,27 @@ +import {aws_rds as rds} from 'aws-cdk-lib'; + +const instance2 = new rds.DatabaseInstance(this, "PostgresInstance2", { + engine: rds.DatabaseInstanceEngine.POSTGRES, + credentials: { + username: 'username', + password: 'password' + }, + monitoringInterval: 0, +}); + +const instance1 = new rds.DatabaseInstance(this, "PostgresInstance2", { + engine: rds.DatabaseInstanceEngine.POSTGRES, + credentials: { + username: 'username', + password: 'password' + }, + monitoringInterval: -1, +}); + +const instance3 = new rds.DatabaseInstance(this, "PostgresInstance2", { + engine: rds.DatabaseInstanceEngine.POSTGRES, + credentials: { + username: 'username', + password: 'password' + }, +}); diff --git a/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts new file mode 100644 index 00000000000..5a5e8c0f1e5 --- /dev/null +++ b/cdk_integration_tests/src/typescript/RDSEnhancedMonitorEnabled/pass.ts @@ -0,0 +1,20 @@ +import {aws_rds as rds} from 'aws-cdk-lib'; + +const instance2 = new rds.DatabaseInstance(this, "PostgresInstance2", { + engine: rds.DatabaseInstanceEngine.POSTGRES, + credentials: { + username: 'username', + password: 'password' + }, + monitoringInterval: 1, +}); + +const instance1 = new rds.DatabaseInstance(this, "PostgresInstance2", { + engine: rds.DatabaseInstanceEngine.POSTGRES, + credentials: { + username: 'username', + password: 'password' + }, + monitoringInterval: 322424, +}); + diff --git a/cdk_integration_tests/test_checks_typescript.py b/cdk_integration_tests/test_checks_typescript.py index b40612e4ffc..5390a1d849a 100644 --- a/cdk_integration_tests/test_checks_typescript.py +++ b/cdk_integration_tests/test_checks_typescript.py @@ -305,3 +305,78 @@ def CKV_AWS_28_DynamodbRecovery(): @pytest.mark.skip(reason="Not supported yet") def CKV_AWS_3_EBSEncryption(): run_check(check_results=failed_checks, check_id="CKV_AWS_3", policy_name="EBSEncryption", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_5_ElasticsearchEncryption(): + run_check(check_results=failed_checks, check_id="CKV_AWS_5", policy_name="ElasticsearchEncryption", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_6_ElasticsearchNodeToNodeEncryption(): + run_check(check_results=failed_checks, check_id="CKV_AWS_6", policy_name="ElasticsearchNodeToNodeEncryption", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_94_GlueDataCatalogEncryption(): + run_check(check_results=failed_checks, check_id="CKV_AWS_94", policy_name="GlueDataCatalogEncryption", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_99_GlueSecurityConfiguration(): + run_check(check_results=failed_checks, check_id="CKV_AWS_99", policy_name="GlueSecurityConfiguration", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_195_GlueSecurityConfigurationEnabled(): + run_check(check_results=failed_checks, check_id="CKV_AWS_195", policy_name="GlueSecurityConfigurationEnabled", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_40_IAMPolicyAttachedToGroupOrRoles(): + run_check(check_results=failed_checks, check_id="CKV_AWS_40", policy_name="IAMPolicyAttachedToGroupOrRoles", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_43_KinesisStreamEncryptionType(): + run_check(check_results=failed_checks, check_id="CKV_AWS_43", policy_name="KinesisStreamEncryptionType", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_116_LambdaDLQConfigured(): + run_check(check_results=failed_checks, check_id="CKV_AWS_116", policy_name="LambdaDLQConfigured", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_45_LambdaEnvironmentCredentials(): + run_check(check_results=failed_checks, check_id="CKV_AWS_45", policy_name="LambdaEnvironmentCredentials", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_173_LambdaEnvironmentEncryptionSettings(): + run_check(check_results=failed_checks, check_id="CKV_AWS_173", policy_name="LambdaEnvironmentEncryptionSettings", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_115_LambdaFunctionLevelConcurrentExecutionLimit(): + run_check(check_results=failed_checks, check_id="CKV_AWS_115", policy_name="LambdaFunctionLevelConcurrentExecutionLimit", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_117_LambdaInVPC(): + run_check(check_results=failed_checks, check_id="CKV_AWS_117", policy_name="LambdaInVPC", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_8_LaunchConfigurationEBSEncryption(): + run_check(check_results=failed_checks, check_id="CKV_AWS_8", policy_name="LaunchConfigurationEBSEncryption", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_44_NeptuneClusterStorageEncrypted(): + run_check(check_results=failed_checks, check_id="CKV_AWS_44", policy_name="NeptuneClusterStorageEncrypted", language="typescript") + + +@pytest.mark.skip(reason="Not supported yet") +def CKV_AWS_118_RDSEnhancedMonitorEnabled(): + run_check(check_results=failed_checks, check_id="CKV_AWS_118", policy_name="RDSEnhancedMonitorEnabled", language="typescript") diff --git a/checkov/cdk/checks/typescript/IAMPolicyAttachedToGroupOrRoles.yaml b/checkov/cdk/checks/typescript/IAMPolicyAttachedToGroupOrRoles.yaml new file mode 100644 index 00000000000..419fa1a26a4 --- /dev/null +++ b/checkov/cdk/checks/typescript/IAMPolicyAttachedToGroupOrRoles.yaml @@ -0,0 +1,28 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_40 + name: Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) + category: IAM + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: | + new $PACKAGE.aws_iam.Policy(, , { , users: , }) + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $P = new $PACKAGE.aws_iam.Policy() + + $P.attachToUser() + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { , users :, }" + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_iam.PolicyProps diff --git a/checkov/cdk/checks/typescript/KinesisStreamEncryptionType.yaml b/checkov/cdk/checks/typescript/KinesisStreamEncryptionType.yaml new file mode 100644 index 00000000000..27b742890a8 --- /dev/null +++ b/checkov/cdk/checks/typescript/KinesisStreamEncryptionType.yaml @@ -0,0 +1,24 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_43 + name: Ensure Kinesis Stream is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_kinesis.CfnStream(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_kinesis.CfnStream(, , { , streamEncryption: { , encryptionType: "KMS", }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: "$X = { }" + conditions: + - not_pattern: | + $X = { , streamEncryption: { , encryptionType: "KMS", }, } + - metavariable: $X + type: aws-cdk-lib.aws_kinesis.CfnStreamProps diff --git a/checkov/cdk/checks/typescript/LambdaDLQConfigured.yaml b/checkov/cdk/checks/typescript/LambdaDLQConfigured.yaml new file mode 100644 index 00000000000..2ee96da3fde --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaDLQConfigured.yaml @@ -0,0 +1,48 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_116 + name: Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ) + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_lambda.Function(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , deadLetterQueue: , , deadLetterQueueEnabled: true ,}) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_lambda.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , deadLetterConfig: , }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_sam.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , deadLetterQueue: , }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: $X = { } + conditions: + - not_pattern: | + $X = { , deadLetterQueue: , , deadLetterQueueEnabled: true ,} + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - pattern: $X = { } + conditions: + - not_pattern: | + $X = { , deadLetterConfig: , } + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - pattern: $X = { } + conditions: + - not_pattern: | + $X = { , deadLetterQueue: , } + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/LambdaEnvironmentCredentials.yaml b/checkov/cdk/checks/typescript/LambdaEnvironmentCredentials.yaml new file mode 100644 index 00000000000..a359e1691f9 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaEnvironmentCredentials.yaml @@ -0,0 +1,38 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_45 + name: Ensure no hard-coded secrets exist in lambda environment + category: SECRETS + framework: cdk +scope: + languages: + - typescript +definition: + or: + - patterns: + or: + - pattern: | + new $PACKAGE.aws_lambda.Function( ,, { , environment: { $ARG1:'$ARG2' }, }) + - pattern: | + new $PACKAGE.aws_lambda.CfnFunction( ,, { , environment: { , variables: { $ARG1:'$ARG2'}, }, }) + - pattern: | + new $PACKAGE.aws_sam.CfnFunction( ,, { , environment: { , variables: { $ARG1:'$ARG2'}, }, }) + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { , environment: { $ARG1:'$ARG2' }, } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - pattern: | + $X = { , environment: { , variables: { $ARG1:'$ARG2'}, }, } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - pattern: | + $X = { , environment: { , variables: { $ARG1:'$ARG2'}, }, } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps diff --git a/checkov/cdk/checks/typescript/LambdaEnvironmentEncryptionSettings.yaml b/checkov/cdk/checks/typescript/LambdaEnvironmentEncryptionSettings.yaml new file mode 100644 index 00000000000..eb2a4279cc2 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaEnvironmentEncryptionSettings.yaml @@ -0,0 +1,66 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_173 + name: Check encryption settings for Lambda environmental variable + category: Encryption + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: | + new $PACKAGE.aws_lambda.Function(, , { , environment: { , $ARG1:'$ARG2', }, } ) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , environment: { , $ARG1:'$ARG2', }, , environmentEncryption: $KMS, }) + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , environmentEncryption: $KMS, , environment: { , $ARG1:'$ARG2', }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , environment: { , variables: { , $ARG1:'$ARG2', }, }, }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , environment: { , variables: { $ARG1:'$ARG2' }, }, , kmsKeyArn: $KMS, }) + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , environment: { , variables: { $ARG1:'$ARG2'}, }, }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , environment: { , variables: { $ARG1:'$ARG2'}, , kmsKeyArn: $KMS, }, }) + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { , environment: { $ARG1:'$ARG2' }, } + conditions: + - not_pattern: | + $X = { , environment: { , $ARG1:'$ARG2', }, , environmentEncryption: $KMS, } + - not_pattern: | + $X = { , environmentEncryption: $KMS, , environment: { , $ARG1:'$ARG2', }, } + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - pattern: | + $X = { , environment: { , variables: { , $ARG1:'$ARG2', }, }, } + conditions: + - not_pattern: | + $X = { , environment: { , variables: { , $ARG1:'$ARG2', }, }, , kmsKeyArn: $KMS, } + - not_pattern: | + $X = { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }, } + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - pattern: | + $X = { , environment: { , variables: { , $ARG1:'$ARG2', }, }, } + conditions: + - not_pattern: | + $X = { , environment: { , variables: { , $ARG1:'$ARG2', }, , kmsKeyArn: $KMS, }, } + - not_pattern: | + $X = { , kmsKeyArn: $KMS, , environment: { , variables: { , $ARG1:'$ARG2', }, }, } + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps \ No newline at end of file diff --git a/checkov/cdk/checks/typescript/LambdaFunctionLevelConcurrentExecutionLimit.yaml b/checkov/cdk/checks/typescript/LambdaFunctionLevelConcurrentExecutionLimit.yaml new file mode 100644 index 00000000000..cfe66be7480 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaFunctionLevelConcurrentExecutionLimit.yaml @@ -0,0 +1,51 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_115 + name: Ensure that AWS Lambda function is configured for function-level concurrent execution limit + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_lambda.Function(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , reservedConcurrentExecutions: $NUM, }, ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_lambda.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , "reservedConcurrentExecutions": $NUM, }, ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_sam.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , reservedConcurrentExecutions: $NUM, }, ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - not_pattern: | + $X = { , reservedConcurrentExecutions: $NUM, } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - not_pattern: | + $X = { , reservedConcurrentExecutions: $NUM, } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps + - not_pattern: | + $X = { , reservedConcurrentExecutions: $NUM, } diff --git a/checkov/cdk/checks/typescript/LambdaInVPC.yaml b/checkov/cdk/checks/typescript/LambdaInVPC.yaml new file mode 100644 index 00000000000..41d830ff169 --- /dev/null +++ b/checkov/cdk/checks/typescript/LambdaInVPC.yaml @@ -0,0 +1,51 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_117 + name: Ensure that AWS Lambda function is configured inside a VPC + category: GENERAL_SECURITY + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_lambda.Function(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.Function(, , { , vpc: , } ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_lambda.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_lambda.CfnFunction(, , { , vpcConfig: , } ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: new $PACKAGE.aws_sam.CfnFunction(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_sam.CfnFunction(, , { , vpcConfig: , } ) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.FunctionProps + - not_pattern: | + $X = { , vpc: , } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_lambda.CfnFunctionProps + - not_pattern: | + $X = { , vpcConfig: , } + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_sam.CfnFunctionProps + - not_pattern: | + $X = { , vpcConfig: , } diff --git a/checkov/cdk/checks/typescript/LaunchConfigurationEBSEncryption.yaml b/checkov/cdk/checks/typescript/LaunchConfigurationEBSEncryption.yaml new file mode 100644 index 00000000000..8d3ba9295ef --- /dev/null +++ b/checkov/cdk/checks/typescript/LaunchConfigurationEBSEncryption.yaml @@ -0,0 +1,22 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_8 + name: Ensure all data stored in the Launch configuration EBS is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: | + new $PACKAGE.aws_autoscaling.CfnLaunchConfiguration(, , { , blockDeviceMappings: [, { , 'ebs':{ , 'encrypted': false, }, } ,], }) + conditions: + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { , blockDeviceMappings: [, { , 'ebs':{ , 'encrypted': false, }, } ,], } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_autoscaling.CfnLaunchConfigurationProps diff --git a/checkov/cdk/checks/typescript/NeptuneClusterStorageEncrypted.yaml b/checkov/cdk/checks/typescript/NeptuneClusterStorageEncrypted.yaml new file mode 100644 index 00000000000..06d96fcf8a7 --- /dev/null +++ b/checkov/cdk/checks/typescript/NeptuneClusterStorageEncrypted.yaml @@ -0,0 +1,25 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_44 + name: Ensure Neptune storage is securely encrypted + category: ENCRYPTION + framework: cdk +scope: + languages: + - typescript +definition: + or: + - pattern: new $PACKAGE.aws_neptune.CfnDBCluster(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_neptune.CfnDBCluster(, , { , storageEncrypted: true, }) + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib" + - pattern: | + $X = { } + conditions: + - metavariable: $X + type: aws-cdk-lib.aws_neptune.CfnDBClusterProps + - not_pattern: | + $X = { , storageEncrypted: true, } diff --git a/checkov/cdk/checks/typescript/RDSEnhancedMonitorEnabled.yaml b/checkov/cdk/checks/typescript/RDSEnhancedMonitorEnabled.yaml new file mode 100644 index 00000000000..d8328fda9db --- /dev/null +++ b/checkov/cdk/checks/typescript/RDSEnhancedMonitorEnabled.yaml @@ -0,0 +1,19 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_118 + name: Ensure that enhanced monitoring is enabled for Amazon RDS instances + category: LOGGING + framework: cdk +scope: + languages: + - typescript +definition: + pattern: new $PACKAGE.aws_rds.DatabaseInstance(, , { }) + conditions: + - not_pattern: | + new $PACKAGE.aws_rds.DatabaseInstance(, , { , monitoringInterval: $COUNT, }) + - metavariable: $COUNT # bug: should preform with not_pattern and not after BCE-33034 + comparison: $COUNT > 0 + - metavariable: $PACKAGE + comparison: $PACKAGE == "aws-cdk-lib"