diff --git a/cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py b/cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py new file mode 100644 index 00000000000..dd7fef0dd05 --- /dev/null +++ b/cdk_integration_tests/src/python/ALBDropHttpHeaders/fail__1__.py @@ -0,0 +1,24 @@ +from aws_cdk import core +from aws_cdk import aws_elasticloadbalancingv2 as elbv2 + +class MyALBStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define ALB with Load Balancer Attributes + alb = elbv2.CfnLoadBalancer( + self, 'MyALB', + name='my-alb', + type='application', + load_balancer_attributes=[ + { + 'key': 'routing.http.drop_invalid_header_fields.enabled', + 'value': 'false' + } + ] + # Other properties for your ALB + ) + +app = core.App() +MyALBStack(app, "MyALBStack") +app.synth() diff --git a/cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py b/cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py new file mode 100644 index 00000000000..afebc233c1e --- /dev/null +++ b/cdk_integration_tests/src/python/ALBDropHttpHeaders/pass.py @@ -0,0 +1,24 @@ +from aws_cdk import core +from aws_cdk import aws_elasticloadbalancingv2 as elbv2 + +class MyALBStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define ALB with Load Balancer Attributes + alb = elbv2.CfnLoadBalancer( + self, 'MyALB', + name='my-alb', + type='application', + load_balancer_attributes=[ + { + 'key': 'routing.http.drop_invalid_header_fields.enabled', + 'value': 'true' + } + ] + # Other properties for your ALB + ) + +app = core.App() +MyALBStack(app, "MyALBStack") +app.synth() diff --git a/cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py b/cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py new file mode 100644 index 00000000000..68b2de39403 --- /dev/null +++ b/cdk_integration_tests/src/python/ALBListenerHTTPS/fail__1__.py @@ -0,0 +1,25 @@ +from aws_cdk import core +from aws_cdk import aws_elasticloadbalancingv2 as elbv2 + +class MyListenerStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define HTTPS Redirect Listener + listener = elbv2.CfnListener( + self, 'MyHTTPSRedirectListener', + load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN + protocol='HTTP', + port=80, + default_actions=[{ + 'type': 'abc', + 'redirectConfig': { + 'protocol': 'HTTP', + } + }] + # Other properties for your Redirect Listener + ) + +app = core.App() +MyListenerStack(app, "MyListenerStack") +app.synth() diff --git a/cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py b/cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py new file mode 100644 index 00000000000..dd768e396d6 --- /dev/null +++ b/cdk_integration_tests/src/python/ALBListenerHTTPS/pass.py @@ -0,0 +1,43 @@ +from aws_cdk import core +from aws_cdk import aws_elasticloadbalancingv2 as elbv2 + +class MyListenerStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define HTTPS Listener + listener = elbv2.CfnListener( + self, 'MyHTTPSListener', + load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN + protocol='HTTPS', + # Other properties for your Listener + ) + +app = core.App() +MyListenerStack(app, "MyListenerStack") +app.synth() + + +class MyListenerStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define HTTPS Redirect Listener + listener = elbv2.CfnListener( + self, 'MyHTTPSRedirectListener', + load_balancer_arn='your-load-balancer-arn', # Replace with your ALB ARN + protocol='HTTP', + port=80, + default_actions=[{ + 'type': 'redirect', + 'redirectConfig': { + 'protocol': 'HTTPS', + } + }] + # Other properties for your Redirect Listener + ) + +app = core.App() +MyListenerStack(app, "MyListenerStack") +app.synth() + diff --git a/cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py b/cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py new file mode 100644 index 00000000000..b33068f363d --- /dev/null +++ b/cdk_integration_tests/src/python/AuroraEncryption/fail__1__.py @@ -0,0 +1,19 @@ +from aws_cdk import core +from aws_cdk import aws_rds as rds + +class MyDBClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define RDS Aurora Serverless DB cluster + my_db_cluster = rds.CfnDBCluster( + self, 'MyDBCluster', + engine='aurora', # Change this to your desired engine type + engine_mode='serverless', + storage_encrypted=False, + # Other properties for your DB cluster + ) + +app = core.App() +MyDBClusterStack(app, "MyDBClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/AuroraEncryption/pass.py b/cdk_integration_tests/src/python/AuroraEncryption/pass.py new file mode 100644 index 00000000000..561f7c8540b --- /dev/null +++ b/cdk_integration_tests/src/python/AuroraEncryption/pass.py @@ -0,0 +1,19 @@ +from aws_cdk import core +from aws_cdk import aws_rds as rds + +class MyDBClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define RDS Aurora Serverless DB cluster + my_db_cluster = rds.CfnDBCluster( + self, 'MyDBCluster', + engine='aurora', # Change this to your desired engine type + engine_mode='serverless', + storage_encrypted=True, + # Other properties for your DB cluster + ) + +app = core.App() +MyDBClusterStack(app, "MyDBClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py b/cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py new file mode 100644 index 00000000000..523b018c2a5 --- /dev/null +++ b/cdk_integration_tests/src/python/ECSClusterContainerInsights/fail__1__.py @@ -0,0 +1,21 @@ +from aws_cdk import core +from aws_cdk import aws_ecs as ecs + +class MyECSClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define ECS Cluster with Cluster Settings + cluster = ecs.CfnCluster( + self, 'MyECSCluster', + cluster_name='my-ecs-cluster', + cluster_settings=[{ + 'name': 'containerInsights', + 'value': 'disabled' + }] + # Other properties for your ECS Cluster + ) + +app = core.App() +MyECSClusterStack(app, "MyECSClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py b/cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py new file mode 100644 index 00000000000..2db1b96e979 --- /dev/null +++ b/cdk_integration_tests/src/python/ECSClusterContainerInsights/pass.py @@ -0,0 +1,21 @@ +from aws_cdk import core +from aws_cdk import aws_ecs as ecs + +class MyECSClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define ECS Cluster with Cluster Settings + cluster = ecs.CfnCluster( + self, 'MyECSCluster', + cluster_name='my-ecs-cluster', + cluster_settings=[{ + 'name': 'containerInsights', + 'value': 'enabled' + }] + # Other properties for your ECS Cluster + ) + +app = core.App() +MyECSClusterStack(app, "MyECSClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py b/cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py new file mode 100644 index 00000000000..402dbffee89 --- /dev/null +++ b/cdk_integration_tests/src/python/EKSSecretsEncryption/fail__1__.py @@ -0,0 +1,20 @@ +from aws_cdk import core +from aws_cdk import aws_eks as eks + +class MyEKSClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EKS Cluster with Encryption Configuration + cluster = eks.CfnCluster( + self, 'MyEKSCluster', + name='my-eks-cluster', + encryption_config=[{ + 'resources': ['abc'] + }] + # Other properties for your EKS Cluster + ) + +app = core.App() +MyEKSClusterStack(app, "MyEKSClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py b/cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py new file mode 100644 index 00000000000..c4bb8c03336 --- /dev/null +++ b/cdk_integration_tests/src/python/EKSSecretsEncryption/pass.py @@ -0,0 +1,20 @@ +from aws_cdk import core +from aws_cdk import aws_eks as eks + +class MyEKSClusterStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EKS Cluster with Encryption Configuration + cluster = eks.CfnCluster( + self, 'MyEKSCluster', + name='my-eks-cluster', + encryption_config=[{ + 'resources': ['secrets'] + }] + # Other properties for your EKS Cluster + ) + +app = core.App() +MyEKSClusterStack(app, "MyEKSClusterStack") +app.synth() diff --git a/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py b/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py new file mode 100644 index 00000000000..287342a3a51 --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/fail__2__.py @@ -0,0 +1,43 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_sam as sam + +class MyLambdaFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define Lambda Function + my_lambda = _lambda.Function( + self, 'MyLambdaFunction', + runtime=_lambda.Runtime.PYTHON_3_8, + handler='index.handler', + code=_lambda.Code.from_asset('lambda'), # Replace 'lambda' with your function code directory + environment={ + 'MY_VARIABLE': 'pass' + } + ) + +app = core.App() +MyLambdaFunctionStack(app, "MyLambdaFunctionStack") +app.synth() + + +class MyServerlessFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define Serverless Lambda Function + my_lambda = sam.CfnFunction( + self, 'MyServerlessFunction', + code_uri='lambda/', # Replace 'lambda/' with your function code directory + handler='index.handler', + runtime='python3.8', + environment={ + 'MY_VARIABLE': 'pass' + } + # Other properties for your Serverless Lambda Function + ) + +app = core.App() +MyServerlessFunctionStack(app, "MyServerlessFunctionStack") +app.synth() diff --git a/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py b/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py new file mode 100644 index 00000000000..e98771811df --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaEnvironmentCredentials/pass.py @@ -0,0 +1,43 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_sam as sam + +class MyLambdaFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define Lambda Function + my_lambda = _lambda.Function( + self, 'MyLambdaFunction', + runtime=_lambda.Runtime.PYTHON_3_8, + handler='index.handler', + code=_lambda.Code.from_asset('lambda'), # Replace 'lambda' with your function code directory + environment={ + 'MY_VARIABLE': {'a':'b'} + } + ) + +app = core.App() +MyLambdaFunctionStack(app, "MyLambdaFunctionStack") +app.synth() + + +class MyServerlessFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define Serverless Lambda Function + my_lambda = sam.CfnFunction( + self, 'MyServerlessFunction', + code_uri='lambda/', # Replace 'lambda/' with your function code directory + handler='index.handler', + runtime='python3.8', + environment={ + 'MY_VARIABLE': {'a':'b'} + } + # Other properties for your Serverless Lambda Function + ) + +app = core.App() +MyServerlessFunctionStack(app, "MyServerlessFunctionStack") +app.synth() diff --git a/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py b/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py new file mode 100644 index 00000000000..92a0395f7f2 --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/fail__2__.py @@ -0,0 +1,43 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_sam as sam +class MyLambdaFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define Lambda function + my_lambda_function = _lambda.Function( + self, 'MyLambdaFunction', + runtime=_lambda.Runtime.PYTHON_3_8, + handler='index.handler', + code=_lambda.Code.from_asset('path/to/your/function/code'), + environment={ + 'MY_VARIABLE_1': 'Value1', + 'MY_VARIABLE_2': 'Value2' + }, + ) + +app = core.App() +MyLambdaFunctionStack(app, "MyLambdaFunctionStack") +app.synth() + + +class MyServerlessFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define SAM Function + my_sam_function = sam.CfnFunction( + self, 'MySAMFunction', + handler='index.handler', + runtime='python3.8', + code_uri='./path/to/your/function/code', + environment={ + 'MY_VARIABLE_1': 'Value1', + 'MY_VARIABLE_2': 'Value2' + }, + ) + +app = core.App() +MyServerlessFunctionStack(app, "MyServerlessFunctionStack") +app.synth() diff --git a/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py b/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py new file mode 100644 index 00000000000..4c62f94496b --- /dev/null +++ b/cdk_integration_tests/src/python/LambdaEnvironmentEncryptionSettings/pass.py @@ -0,0 +1,45 @@ +from aws_cdk import core +from aws_cdk import aws_lambda as _lambda +from aws_cdk import aws_sam as sam +class MyLambdaFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define Lambda function + my_lambda_function = _lambda.Function( + self, 'MyLambdaFunction', + runtime=_lambda.Runtime.PYTHON_3_8, + handler='index.handler', + code=_lambda.Code.from_asset('path/to/your/function/code'), + environment={ + 'MY_VARIABLE_1': 'Value1', + 'MY_VARIABLE_2': 'Value2' + }, + kms_key=_lambda.Key.from_key_arn(self, 'MyKmsKey', 'arn:aws:kms:region:account-id:key/key-id') + ) + +app = core.App() +MyLambdaFunctionStack(app, "MyLambdaFunctionStack") +app.synth() + + +class MyServerlessFunctionStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define SAM Function + my_sam_function = sam.CfnFunction( + self, 'MySAMFunction', + handler='index.handler', + runtime='python3.8', + code_uri='./path/to/your/function/code', + environment={ + 'MY_VARIABLE_1': 'Value1', + 'MY_VARIABLE_2': 'Value2' + }, + kms_key_arn='arn:aws:kms:region:account-id:key/key-id' + ) + +app = core.App() +MyServerlessFunctionStack(app, "MyServerlessFunctionStack") +app.synth() diff --git a/cdk_integration_tests/src/python/RDSMultiAZEnabled/fail__1__.py b/cdk_integration_tests/src/python/RDSMultiAZEnabled/fail__1__.py new file mode 100644 index 00000000000..a05256d19d1 --- /dev/null +++ b/cdk_integration_tests/src/python/RDSMultiAZEnabled/fail__1__.py @@ -0,0 +1,20 @@ +from aws_cdk import core +from aws_cdk import aws_rds as rds + +class MyDBInstanceStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define RDS DB instance + my_db_instance = rds.CfnDBInstance( + self, 'MyDBInstance', + engine='mysql', # Change this to your desired engine type + db_instance_class='db.t2.micro', + allocated_storage=20, + multi_az=False, + # Other properties for your DB instance + ) + +app = core.App() +MyDBInstanceStack(app, "MyDBInstanceStack") +app.synth() diff --git a/cdk_integration_tests/src/python/RDSMultiAZEnabled/pass.py b/cdk_integration_tests/src/python/RDSMultiAZEnabled/pass.py new file mode 100644 index 00000000000..5197dd532dc --- /dev/null +++ b/cdk_integration_tests/src/python/RDSMultiAZEnabled/pass.py @@ -0,0 +1,20 @@ +from aws_cdk import core +from aws_cdk import aws_rds as rds + +class MyDBInstanceStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define RDS DB instance + my_db_instance = rds.CfnDBInstance( + self, 'MyDBInstance', + engine='mysql', # Change this to your desired engine type + db_instance_class='db.t2.micro', + allocated_storage=20, + multi_az=True, + # Other properties for your DB instance + ) + +app = core.App() +MyDBInstanceStack(app, "MyDBInstanceStack") +app.synth() diff --git a/cdk_integration_tests/src/python/SecurityGroupRuleDescription/fail__4__.py b/cdk_integration_tests/src/python/SecurityGroupRuleDescription/fail__4__.py new file mode 100644 index 00000000000..b71d802106d --- /dev/null +++ b/cdk_integration_tests/src/python/SecurityGroupRuleDescription/fail__4__.py @@ -0,0 +1,91 @@ +from aws_cdk import core +from aws_cdk import aws_ec2 as ec2 + +class MySecurityGroupStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group + security_group = ec2.CfnSecurityGroup( + self, 'MySecurityGroup', + group_description='My security group', + security_group_ingress=[ + { + 'description': 'False', + 'ipProtocol': 'tcp', + 'fromPort': 80, + 'toPort': 80, + 'cidrIp': '0.0.0.0/0' + } + ], + # Other properties for your Security Group + ) + +app = core.App() +MySecurityGroupStack(app, "MySecurityGroupStack") +app.synth() + + + +class MySecurityGroupStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group + security_group = ec2.CfnSecurityGroup( + self, 'MySecurityGroup', + group_description='My security group', + security_group_egress=[ + { + 'description': 'False', + 'ipProtocol': 'tcp', + 'fromPort': 80, + 'toPort': 80, + 'cidrIp': '0.0.0.0/0' + } + ], + # Other properties for your Security Group + ) + +app = core.App() +MySecurityGroupStack(app, "MySecurityGroupStack") +app.synth() + + +class MySecurityGroupIngressStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group Ingress + security_group_ingress = ec2.CfnSecurityGroupIngress( + self, 'MySecurityGroupIngress', + group_id='your-security-group-id', # Replace with your Security Group ID + ip_protocol='tcp', + from_port=80, + to_port=80, + cidr_ip='0.0.0.0/0', + # Other properties for your Security Group Ingress + ) + +app = core.App() +MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack") +app.synth() + +class MySecurityGroupEgressStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group Ingress + security_group_ingress = ec2.CfnSecurityGroupEgress( + self, 'MySecurityGroupIngress', + group_id='your-security-group-id', # Replace with your Security Group ID + ip_protocol='tcp', + from_port=80, + to_port=80, + cidr_ip='0.0.0.0/0', + # Other properties for your Security Group Ingress + ) + +app = core.App() +MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack") +app.synth() diff --git a/cdk_integration_tests/src/python/SecurityGroupRuleDescription/pass.py b/cdk_integration_tests/src/python/SecurityGroupRuleDescription/pass.py new file mode 100644 index 00000000000..343daa159fa --- /dev/null +++ b/cdk_integration_tests/src/python/SecurityGroupRuleDescription/pass.py @@ -0,0 +1,93 @@ +from aws_cdk import core +from aws_cdk import aws_ec2 as ec2 + +class MySecurityGroupStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group + security_group = ec2.CfnSecurityGroup( + self, 'MySecurityGroup', + group_description='My security group', + security_group_ingress=[ + { + 'description': 'True', + 'ipProtocol': 'tcp', + 'fromPort': 80, + 'toPort': 80, + 'cidrIp': '0.0.0.0/0' + } + ], + # Other properties for your Security Group + ) + +app = core.App() +MySecurityGroupStack(app, "MySecurityGroupStack") +app.synth() + + + +class MySecurityGroupStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group + security_group = ec2.CfnSecurityGroup( + self, 'MySecurityGroup', + group_description='My security group', + security_group_egress=[ + { + 'description': 'True', + 'ipProtocol': 'tcp', + 'fromPort': 80, + 'toPort': 80, + 'cidrIp': '0.0.0.0/0' + } + ], + # Other properties for your Security Group + ) + +app = core.App() +MySecurityGroupStack(app, "MySecurityGroupStack") +app.synth() + + +class MySecurityGroupIngressStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group Ingress + security_group_ingress = ec2.CfnSecurityGroupIngress( + self, 'MySecurityGroupIngress', + group_id='your-security-group-id', # Replace with your Security Group ID + ip_protocol='tcp', + from_port=80, + to_port=80, + cidr_ip='0.0.0.0/0', + description='abc' + # Other properties for your Security Group Ingress + ) + +app = core.App() +MySecurityGroupIngressStack(app, "MySecurityGroupIngressStack") +app.synth() + +class MySecurityGroupEgressStack(core.Stack): + def __init__(self, scope: core.Construct, id: str, **kwargs) -> None: + super().__init__(scope, id, **kwargs) + + # Define EC2 Security Group Ingress + security_group_ingress = ec2.CfnSecurityGroupEgress( + self, 'MySecurityGroupIngress', + group_id='your-security-group-id', # Replace with your Security Group ID + ip_protocol='tcp', + from_port=80, + to_port=80, + cidr_ip='0.0.0.0/0', + description='abc' + # Other properties for your Security Group Ingress + ) + +app = core.App() +MySecurityGroupEgressStack(app, "MySecurityGroupEgressStack") +app.synth() diff --git a/cdk_integration_tests/test_checks_python.py b/cdk_integration_tests/test_checks_python.py index ed2d8c0832d..8107dda343a 100644 --- a/cdk_integration_tests/test_checks_python.py +++ b/cdk_integration_tests/test_checks_python.py @@ -323,3 +323,39 @@ def test_CKV_AWS_88_EC2PublicIP(failed_checks): def test_CKV_AWS_8_LaunchConfigurationEBSEncryption(failed_checks): run_check(check_results=failed_checks, check_id="CKV_AWS_8", policy_name="LaunchConfigurationEBSEncryption", language="python") + + +def test_CKV_AWS_45_LambdaEnvironmentCredentials(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_45", policy_name="LambdaEnvironmentCredentials", language="python") + + +def test_CKV_AWS_58_EKSSecretsEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_58", policy_name="EKSSecretsEncryption", language="python") + + +def test_CKV_AWS_65_ECSClusterContainerInsights(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_65", policy_name="ECSClusterContainerInsights", language="python") + + +def test_CKV_AWS_131_ALBDropHttpHeaders(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_131", policy_name="ALBDropHttpHeaders", language="python") + + +def test_CKV_AWS_2_ALBListenerHTTPS(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_2", policy_name="ALBListenerHTTPS", language="python") + + +def test_CKV_AWS_23_SecurityGroupRuleDescription(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_23", policy_name="SecurityGroupRuleDescription", language="python") + + +def test_CKV_AWS_173_LambdaEnvironmentEncryptionSettings(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_173", policy_name="LambdaEnvironmentEncryptionSettings", language="python") + + +def test_CKV_AWS_157_RDSMultiAZEnabled(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_157", policy_name="RDSMultiAZEnabled", language="python") + + +def test_CKV_AWS_96_AuroraEncryption(failed_checks): + run_check(check_results=failed_checks, check_id="CKV_AWS_96", policy_name="AuroraEncryption", language="python") diff --git a/checkov/cdk/checks/python/ALBDropHttpHeaders.yaml b/checkov/cdk/checks/python/ALBDropHttpHeaders.yaml new file mode 100644 index 00000000000..90e03e6c394 --- /dev/null +++ b/checkov/cdk/checks/python/ALBDropHttpHeaders.yaml @@ -0,0 +1,20 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_131 + name: Ensure that ALB drops HTTP headers + category: NETWORKING +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer() + conditions: + - not_pattern: | + aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, type='application' ,, load_balancer_attributes=[, {'key': 'routing.http.drop_invalid_header_fields.enabled','value': 'true'} ,] ,) + - not_pattern: | + aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, type='application' ,, load_balancer_attributes=[, {'value': 'true','key': 'routing.http.drop_invalid_header_fields.enabled'} ,] ,) + - not_pattern: | + aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, load_balancer_attributes=[, {'key': 'routing.http.drop_invalid_header_fields.enabled','value': 'true'} ,] ,, type='application' ,) + - not_pattern: | + aws_cdk.aws_elasticloadbalancingv2.CfnLoadBalancer(, load_balancer_attributes=[, {'value': 'true','key': 'routing.http.drop_invalid_header_fields.enabled'} ,] ,, type='application' ,) \ No newline at end of file diff --git a/checkov/cdk/checks/python/ALBListenerHTTPS.yaml b/checkov/cdk/checks/python/ALBListenerHTTPS.yaml new file mode 100644 index 00000000000..e0a88f6e083 --- /dev/null +++ b/checkov/cdk/checks/python/ALBListenerHTTPS.yaml @@ -0,0 +1,19 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_2 + name: Ensure EFS is securely encrypted + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener() + conditions: + - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='HTTPS', ) + - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TLS', ) + - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TCP', ) + - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='UDP', ) + - not_pattern: aws_cdk.aws_elasticloadbalancingv2.CfnListener(, protocol='TCP_UDP', ) + - not_pattern: | + aws_cdk.aws_elasticloadbalancingv2.CfnListener(, default_actions=[, {'type': 'redirect', 'redirectConfig':{'protocol': 'HTTPS'}} , ] , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/AuroraEncryption.yaml b/checkov/cdk/checks/python/AuroraEncryption.yaml new file mode 100644 index 00000000000..97f4696892c --- /dev/null +++ b/checkov/cdk/checks/python/AuroraEncryption.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_96 + name: Ensure all data stored in Aurora is securely encrypted at rest + category: ENCRYPTION +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_rds.CfnDBCluster() + conditions: + - not_pattern: aws_cdk.aws_rds.CfnDBCluster(, storage_encrypted=True ,) \ No newline at end of file diff --git a/checkov/cdk/checks/python/ECSClusterContainerInsights.yaml b/checkov/cdk/checks/python/ECSClusterContainerInsights.yaml new file mode 100644 index 00000000000..052c42b3831 --- /dev/null +++ b/checkov/cdk/checks/python/ECSClusterContainerInsights.yaml @@ -0,0 +1,16 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_65 + name: Ensure container insights are enabled on ECS cluster + category: LOGGING +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_ecs.CfnCluster() + conditions: + - not_pattern: | + aws_cdk.aws_ecs.CfnCluster(, cluster_settings=[, {'name': 'containerInsights', 'value': 'enabled'} ,], ) + - not_pattern: | + aws_cdk.aws_ecs.CfnCluster(, cluster_settings=[, {'value': 'enabled', 'name': 'containerInsights'} ,], ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/EKSSecretsEncryption.yaml b/checkov/cdk/checks/python/EKSSecretsEncryption.yaml new file mode 100644 index 00000000000..23791e54d97 --- /dev/null +++ b/checkov/cdk/checks/python/EKSSecretsEncryption.yaml @@ -0,0 +1,14 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_58 + name: Ensure EKS Cluster has Secrets Encryption Enabled + category: KUBERNETES +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_eks.CfnCluster() + conditions: + - not_pattern: | + aws_cdk.aws_eks.CfnCluster(, encryption_config=[, {'resources':[, 'secrets' ,]} ,] , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/LambdaEnvironmentCredentials.yaml b/checkov/cdk/checks/python/LambdaEnvironmentCredentials.yaml new file mode 100644 index 00000000000..aeb28496eaa --- /dev/null +++ b/checkov/cdk/checks/python/LambdaEnvironmentCredentials.yaml @@ -0,0 +1,16 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_45 + name: Ensure no hard-coded secrets exist in lambda environment + category: SECRETS +scope: + languages: + - python +definition: + patterns: + or: + - pattern: | + aws_cdk.aws_lambda.Function(, environment={'$ARG1':'$ARG2'} ,) + - pattern: | + aws_cdk.aws_sam.CfnFunction(, environment={'$ARG1':'$ARG2'} ,) \ No newline at end of file diff --git a/checkov/cdk/checks/python/LambdaEnvironmentEncryptionSettings.yaml b/checkov/cdk/checks/python/LambdaEnvironmentEncryptionSettings.yaml new file mode 100644 index 00000000000..4a7a6d09dcc --- /dev/null +++ b/checkov/cdk/checks/python/LambdaEnvironmentEncryptionSettings.yaml @@ -0,0 +1,24 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_173 + name: Check encryption settings for Lambda environmental variable + category: Encryption +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_lambda.Function(, environment={$ARG1:$ARG2} ,) + conditions: + - not_pattern: | + aws_cdk.aws_lambda.Function(, environment={$ARG1:$ARG2} ,, kms_key=aws_cdk.aws_lambda.Key.from_key_arn(), ) + - not_pattern: | + aws_cdk.aws_lambda.Function(, kms_key=aws_cdk.aws_lambda.Key.from_key_arn() ,, environment={$ARG1:$ARG2} , ) + - pattern: aws_cdk.aws_sam.CfnFunction(, environment={$ARG1:$ARG2} ,) + conditions: + - not_pattern: | + aws_cdk.aws_sam.CfnFunction(, environment={$ARG1:$ARG2} ,, kms_key_arn=$ARG, ) + - not_pattern: | + aws_cdk.aws_sam.CfnFunction(, kms_key_arn=$ARG ,, environment={$ARG1:$ARG2} , ) \ No newline at end of file diff --git a/checkov/cdk/checks/python/RDSMultiAZEnabled.yaml b/checkov/cdk/checks/python/RDSMultiAZEnabled.yaml new file mode 100644 index 00000000000..c6de911f7f9 --- /dev/null +++ b/checkov/cdk/checks/python/RDSMultiAZEnabled.yaml @@ -0,0 +1,13 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_157 + name: Ensure that RDS instances have Multi-AZ enabled + category: NETWORKING +scope: + languages: + - python +definition: + pattern: aws_cdk.aws_rds.CfnDBInstance() + conditions: + - not_pattern: aws_cdk.aws_rds.CfnDBInstance(, multi_az=True ,) \ No newline at end of file diff --git a/checkov/cdk/checks/python/SecurityGroupRuleDescription.yaml b/checkov/cdk/checks/python/SecurityGroupRuleDescription.yaml new file mode 100644 index 00000000000..47f7ba678ce --- /dev/null +++ b/checkov/cdk/checks/python/SecurityGroupRuleDescription.yaml @@ -0,0 +1,26 @@ +metadata: + version: 0.2 + approach: define failing + id: CKV_AWS_23 + name: Ensure every security groups rule has a description + category: NETWORKING +scope: + languages: + - python +definition: + patterns: + or: + - pattern: aws_cdk.aws_ec2.CfnSecurityGroup(, security_group_egress=[] ,) + conditions: + - not_pattern: | + aws_cdk.aws_ec2.CfnSecurityGroup(, security_group_egress=[, {, 'description': 'True' ,} ,] ,) + - pattern: aws_cdk.aws_ec2.CfnSecurityGroup(, security_group_ingress=[] ,) + conditions: + - not_pattern: | + aws_cdk.aws_ec2.CfnSecurityGroup(, security_group_ingress=[, {, 'description': 'True' ,} ,] ,) + - pattern: aws_cdk.aws_ec2.CfnSecurityGroupIngress() + conditions: + - not_pattern: aws_cdk.aws_ec2.CfnSecurityGroupIngress(, description=$ARG ,) + - pattern: aws_cdk.aws_ec2.CfnSecurityGroupEgress() + conditions: + - not_pattern: aws_cdk.aws_ec2.CfnSecurityGroupEgress(, description=$ARG ,) \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index 51acaeec505..57c8b9218ed 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.bandit] exclude_dirs = [ - "tests","cdk_integration_tests/src/python","checkov/cdk/checks/python" + "tests" ] [tool.black]