class SPCMRule

Constants

DEFAULT_THRESHOLD

Attributes

spcm_threshold[RW]

Public Instance Methods

# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 24
# Collect the logical resource ids of IAM policies and roles whose SPCM
# (policy-complexity metric) reaches the configured threshold.
#
# Metric computation is delegated to SPCM#metric_impl; if it raises, the
# failure is reported on stdout and the rule degrades to "no findings" for
# this template rather than aborting the whole audit.
#
# @param cfn_model the parsed template model handed to every rule
# @return [Array<String>] logical ids of policies, then roles, that violate
def audit_impl(cfn_model)
  policy_documents = begin
    SPCM.new.metric_impl(cfn_model)
  rescue StandardError => catch_all_exception
    puts "Experimental SPCM rule is failing. Please report #{catch_all_exception} with the violating template"
    # Empty buckets keep the helpers below from hitting a missing key.
    { 'AWS::IAM::Policy' => {}, 'AWS::IAM::Role' => {} }
  end

  # NOTE(review): String#to_i returns 0 for a non-numeric override, which
  # would then flag every policy and role; a stricter parse may be wanted.
  threshold = spcm_threshold.nil? ? DEFAULT_THRESHOLD : spcm_threshold.to_i

  violating_policy_resources(policy_documents, threshold) +
    violating_role_resources(policy_documents, threshold)
end
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 20
# cfn_nag identifier for this rule; the W prefix matches its warning severity.
#
# @return [String]
def rule_id
  'W76'
end
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 12
# Human-readable description shown with each finding, including the
# threshold in effect (the configured override, else DEFAULT_THRESHOLD).
#
# @return [String]
def rule_text
  effective_threshold = spcm_threshold || DEFAULT_THRESHOLD
  "SPCM for IAM policy document is higher than #{effective_threshold}"
end
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 16
# Severity of findings raised by this rule: a warning, not a failure.
#
# @return [Violation::WARNING]
def rule_type
  Violation::WARNING
end

Private Instance Methods

# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 61
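# Logical ids of AWS::IAM::Policy resources whose metric meets the threshold.
#
# A missing 'AWS::IAM::Policy' bucket yields no findings instead of a
# NoMethodError on nil, which would escape audit_impl's rescue.
#
# NOTE(review): the comparison is inclusive (>=) while rule_text says
# "higher than"; one of the two should be aligned.
#
# @param policy_documents [Hash] 'AWS::IAM::Policy' => { logical_id => metric }
# @param threshold [Integer] minimum metric that counts as a violation
# @return [Array<String>] violating logical ids in template order
def violating_policy_resources(policy_documents, threshold)
  policies = policy_documents['AWS::IAM::Policy'] || {}
  policies.select { |_, metric| metric >= threshold }.keys
end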
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 45
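# Logical ids of AWS::IAM::Role resources with at least one inline policy
# whose metric meets the threshold.
#
# unfortunately the line numbers will break if we don't return
# the logical resource id - so there isn't a good way to communicate
# the specific policy within the role that is offending
#
# Because the finding is per role, a role is reported once even when several
# of its policies exceed the threshold (the previous loop appended the same
# id once per offending policy). A missing 'AWS::IAM::Role' bucket yields no
# findings instead of a NoMethodError on nil.
#
# @param policy_documents [Hash] 'AWS::IAM::Role' => { logical_id => { policy_name => metric } }
# @param threshold [Integer] minimum metric that counts as a violation
# @return [Array<String>] violating role logical ids in template order, no duplicates
def violating_role_resources(policy_documents, threshold)
  roles = policy_documents['AWS::IAM::Role'] || {}
  roles.select { |_, policies| policies.any? { |_, metric| metric >= threshold } }.keys
end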