class CloudfrontMinimumProtocolVersionRule


# File lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb, line 19
def audit_impl(cfn_model)
  # Report every CloudFront distribution whose viewer TLS configuration does
  # not pin the minimum protocol version to TLS 1.2 (the decision itself lives
  # in tls_version?). A distribution with no ViewerCertificate block at all is
  # reported as well: the rule treats the absence of an explicit configuration
  # as non-compliant.
  #
  # @param cfn_model [CfnModel] parsed CloudFormation template
  # @return [Array<String>] logical IDs of the violating distributions
  distributions = cfn_model.resources_by_type('AWS::CloudFront::Distribution')

  distributions.each_with_object([]) do |distribution, violators|
    viewer_certificate = distribution.distributionConfig['ViewerCertificate']
    next unless viewer_certificate.nil? || tls_version?(viewer_certificate)

    violators << distribution.logical_resource_id
  end
end
# File lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb, line 15
def rule_id
  # Identifier printed in cfn-nag findings and used in suppression lists;
  # the 'W' prefix matches the WARNING rule_type of this rule.
  identifier = 'W70'
  identifier
end
# File lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb, line 7
def rule_text
  # Human-readable message shown next to the rule ID when a distribution is
  # reported by audit_impl.
  message = 'Cloudfront should use minimum protocol version TLS 1.2'
  message
end
# File lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb, line 11
def rule_type
  # Reported at warning severity rather than as a failing finding.
  severity = Violation::WARNING
  severity
end


# File lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb, line 34
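def cert_has_bad_tls_version?(min_protocol_version)
  # True when the MinimumProtocolVersion value does not guarantee TLS 1.2 or
  # better.
  #
  # A missing value is a violation. A non-string value (an intrinsic such as
  # Ref or Fn::If) cannot be evaluated statically and is deliberately NOT
  # reported, so a parameterised template is not flagged on every scan; that
  # gap is a conscious false-negative trade-off, not an oversight.
  #
  # CloudFront protocol names take the form "TLSv<major>.<minor>[_<year>]"
  # (e.g. "TLSv1.2_2021"); entries without a minor component ("TLSv1",
  # "TLSv1_2016", "SSLv3") all predate TLS 1.2. Comparing the parsed version
  # against 1.2 instead of prefix-matching "TLSv1.2" keeps any future
  # TLS 1.3-only setting compliant rather than reporting it as weak.
  #
  # @param min_protocol_version [String, Hash, nil] raw template value
  # @return [Boolean] true if the setting is below TLS 1.2 (or absent)
  return true if min_protocol_version.nil?
  return false unless min_protocol_version.is_a?(String)

  match = min_protocol_version.match(/\ATLSv(?<major>\d+)\.(?<minor>\d+)/)
  return true if match.nil?

  major = match[:major].to_i
  minor = match[:minor].to_i
  major < 1 || (major == 1 && minor < 2)
end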
# File lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb, line 39
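def override_tls_config?(viewer_certificate)
  # True when the distribution opts into the CloudFront default certificate
  # via CloudFrontDefaultCertificate, which this rule treats as a violation
  # regardless of MinimumProtocolVersion (see tls_version?).
  #
  # CloudFormation accepts booleans spelled as strings, and in Ruby the string
  # "false" is truthy; it is explicitly excluded here so such templates are
  # not reported as using the default certificate. Any other non-nil value
  # (true, "true", or an intrinsic that cannot be resolved statically) is
  # treated as an opt-in, keeping the conservative behaviour for intrinsics.
  #
  # @param viewer_certificate [Hash] the ViewerCertificate block
  # @return [Boolean]
  default_cert = viewer_certificate['CloudFrontDefaultCertificate']
  return false if default_cert.nil? || default_cert == false
  return false if default_cert.is_a?(String) && default_cert.casecmp('false').zero?

  true
end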
# File lib/cfn-nag/custom_rules/CloudfrontMinimumProtocolVersionRule.rb, line 30
def tls_version?(viewer_certificate)
  # Despite its name this is a "has a problem" predicate: it returns a truthy
  # value when the ViewerCertificate block violates the rule, i.e. when its
  # MinimumProtocolVersion is missing or below TLS 1.2, or when the
  # distribution relies on the CloudFront default certificate.
  #
  # @param viewer_certificate [Hash] the ViewerCertificate block (non-nil)
  # @return [Boolean, Object] truthy when the block is non-compliant
  minimum_version = viewer_certificate['MinimumProtocolVersion']
  return true if cert_has_bad_tls_version?(minimum_version)

  override_tls_config?(viewer_certificate)
end