class EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule
Public Instance Methods
audit_impl(cfn_model)
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 19
#
# Collects the logical resource ids of every AWS::EMR::SecurityConfiguration
# resource in the model that bad_security_config? reports as violating.
#
# @param cfn_model [Object] model that responds to resources_by_type
# @return [Array] logical resource ids of the offending resources
def audit_impl(cfn_model)
  emr_security_configs = cfn_model.resources_by_type('AWS::EMR::SecurityConfiguration')

  emr_security_configs.each_with_object([]) do |resource, offending_ids|
    offending_ids << resource.logical_resource_id if bad_security_config?(resource)
  end
end
rule_id()
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 15
#
# Identifier reported for findings raised by this rule.
#
# @return [String] the rule id, 'W61'
def rule_id
  'W61'
end
rule_text()
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 7
#
# Human-readable description shown alongside a finding from this rule.
#
# @return [String] the message text
def rule_text
  'EMR SecurityConfiguration should enable and properly configure ' \
    'encryption at rest and in transit.'
end
rule_type()
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 11
#
# Severity class of this rule: findings are reported as warnings.
#
# @return [Object] the Violation::WARNING constant
def rule_type
  Violation::WARNING
end
Private Instance Methods
bad_at_rest_encryption?(config)
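# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 41
#
# Reports whether the at-rest part of an EncryptionConfiguration is missing
# or misconfigured.
#
# The configuration is accepted when AtRestEncryptionConfiguration contains
# either a LocalDiskEncryptionConfiguration with an EncryptionKeyProviderType
# key or an S3EncryptionConfiguration with an EncryptionMode key.
#
# A nested value that is present but is not a Hash (for example a null or a
# scalar) is treated as misconfigured instead of raising NoMethodError, so a
# malformed template produces a finding rather than aborting the scan.
#
# NOTE(review): only the presence of the keys is checked, not their values,
# and a configuration covering just one of the two stores passes. Confirm
# that this matches the intended policy.
#
# @param config [Hash] the EncryptionConfiguration section
# @return [Boolean] true when at-rest encryption is missing or misconfigured
def bad_at_rest_encryption?(config)
  at_rest = config['AtRestEncryptionConfiguration']
  # Missing (or malformed) AtRestEncryptionConfiguration
  return true unless at_rest.is_a?(Hash)

  local_disk = at_rest['LocalDiskEncryptionConfiguration']
  s3_storage = at_rest['S3EncryptionConfiguration']

  local_disk_configured = local_disk.is_a?(Hash) && local_disk.key?('EncryptionKeyProviderType')
  s3_configured = s3_storage.is_a?(Hash) && s3_storage.key?('EncryptionMode')

  # AtRest encryptions misconfigured when neither store is configured
  !(local_disk_configured || s3_configured)
end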
bad_in_transit_encryption?(config)
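# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 55
#
# Reports whether the in-transit part of an EncryptionConfiguration is
# missing or misconfigured.
#
# The configuration is accepted when InTransitEncryptionConfiguration holds a
# TLSCertificateConfiguration that has a CertificateProviderType key.
#
# A nested value that is present but is not a Hash (for example a null or a
# scalar) is treated as misconfigured instead of raising NoMethodError, so a
# malformed template produces a finding rather than aborting the scan.
#
# NOTE(review): only the presence of CertificateProviderType is checked; its
# value is not validated here.
#
# @param config [Hash] the EncryptionConfiguration section
# @return [Boolean] true when in-transit encryption is missing or misconfigured
def bad_in_transit_encryption?(config)
  in_transit = config['InTransitEncryptionConfiguration']
  # Missing (or malformed) InTransitEncryptionConfiguration
  return true unless in_transit.is_a?(Hash)

  tls_certificates = in_transit['TLSCertificateConfiguration']
  # InTransit encryptions misconfigured
  return true unless tls_certificates.is_a?(Hash)

  !tls_certificates.key?('CertificateProviderType')
end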
bad_security_config?(security_config_object)
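# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 29
#
# Decides whether one AWS::EMR::SecurityConfiguration resource violates the
# rule. A resource is bad when any of the following holds:
#
# * its securityConfiguration or EncryptionConfiguration is absent or is not
#   a Hash (previously a nil securityConfiguration raised NoMethodError),
# * EnableAtRestEncryption or EnableInTransitEncryption is disabled,
# * bad_at_rest_encryption? or bad_in_transit_encryption? reports a problem.
#
# A flag counts as disabled when it is nil, false, or the string 'false' in
# any letter case. Ruby treats every String as truthy, so without the string
# check a template that quotes the boolean ("false") would pass the rule
# with encryption switched off.
#
# @param security_config_object [Object] resource that responds to
#   securityConfiguration
# @return [Boolean] true when the resource violates the rule
def bad_security_config?(security_config_object)
  security_configuration = security_config_object.securityConfiguration
  # Poorly formatted SecurityConfiguration
  return true unless security_configuration.is_a?(Hash)

  encryption_config = security_configuration['EncryptionConfiguration']
  return true unless encryption_config.is_a?(Hash)

  # Either encryption type disabled
  flag_enabled = ->(flag) { flag && !flag.to_s.casecmp?('false') }
  return true unless flag_enabled.call(encryption_config['EnableAtRestEncryption']) &&
                     flag_enabled.call(encryption_config['EnableInTransitEncryption'])

  bad_at_rest_encryption?(encryption_config) || bad_in_transit_encryption?(encryption_config)
end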