class SPCMRule
Constants
- DEFAULT_THRESHOLD
Attributes
spcm_threshold[RW]
Public Instance Methods
audit_impl(cfn_model)
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 24
# Run the SPCM metric over the template and collect the logical ids of IAM
# policies and roles whose metric reaches the configured threshold.
#
# Any StandardError raised by SPCM#metric_impl is printed to stdout and the
# rule then proceeds with empty policy/role maps, i.e. it degrades to
# *zero findings* rather than failing the scan (fail-open). The threshold
# falls back to DEFAULT_THRESHOLD only when spcm_threshold is nil; otherwise
# it is coerced with #to_i (a non-numeric string therefore yields 0 — verify
# that callers validate the value upstream).
#
# @param cfn_model [CfnModel] parsed CloudFormation template
# @return [Array] logical resource ids of violating policies, followed by
#   violating roles
def audit_impl(cfn_model)
  policy_documents =
    begin
      SPCM.new.metric_impl(cfn_model)
    rescue StandardError => catch_all_exception
      puts "Experimental SPCM rule is failing. Please report #{catch_all_exception} with the violating template"
      { 'AWS::IAM::Policy' => {}, 'AWS::IAM::Role' => {} }
    end

  threshold = if spcm_threshold.nil?
                DEFAULT_THRESHOLD
              else
                spcm_threshold.to_i
              end

  # Policies first, then roles — callers may rely on this order.
  violating_policy_resources(policy_documents, threshold) +
    violating_role_resources(policy_documents, threshold)
end
rule_id()
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 20
# Stable identifier of this rule as reported in cfn_nag findings.
#
# @return [String] the rule id 'W76'
def rule_id
  'W76'
end
rule_text()
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 12
# Human-readable description of the finding, including the threshold in force.
#
# The raw spcm_threshold value is interpolated as given (DEFAULT_THRESHOLD is
# used only when it is nil/false), so a threshold supplied as a string is shown
# verbatim rather than after the #to_i coercion audit_impl applies.
#
# @return [String]
def rule_text
  effective_threshold = spcm_threshold || DEFAULT_THRESHOLD
  "SPCM for IAM policy document is higher than #{effective_threshold}"
end
rule_type()
# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 16
# Severity of this rule: a warning, not a failing violation.
#
# @return [Violation::WARNING]
def rule_type
  Violation::WARNING
end
Private Instance Methods
violating_policy_resources(policy_documents, threshold)
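# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 61
# Logical ids of AWS::IAM::Policy resources whose SPCM metric is at or above
# +threshold+.
#
# @param policy_documents [Hash] SPCM output keyed by resource type; the
#   'AWS::IAM::Policy' entry maps logical resource id => metric
# @param threshold [Integer] inclusive lower bound for a violation
# @return [Array] offending logical resource ids in input order; empty when
#   the 'AWS::IAM::Policy' entry is absent or nil
def violating_policy_resources(policy_documents, threshold)
  # A missing/nil entry is treated as "no policies" instead of raising
  # NoMethodError on nil#each, which would abort the whole rule.
  policies = policy_documents['AWS::IAM::Policy'] || {}
  policies.each_with_object([]) do |(logical_resource_id, metric), ids|
    ids << logical_resource_id if metric >= threshold
  end
end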
violating_role_resources(policy_documents, threshold)
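# File lib/cfn-nag/custom_rules/SPCMRule.rb, line 45
# Logical ids of AWS::IAM::Role resources that carry at least one inline
# policy whose SPCM metric is at or above +threshold+.
#
# @param policy_documents [Hash] SPCM output keyed by resource type; the
#   'AWS::IAM::Role' entry maps logical resource id => { policy name => metric }
# @param threshold [Integer] inclusive lower bound for a violation
# @return [Array] offending role ids in input order, each listed once; empty
#   when the 'AWS::IAM::Role' entry is absent or nil
def violating_role_resources(policy_documents, threshold)
  # unfortunately the line numbers will break if we don't return
  # the logical resource id - so there isn't a good way to communicate
  # the specific policy within the role that is offending
  roles = policy_documents['AWS::IAM::Role'] || {}
  roles.each_with_object([]) do |(logical_resource_id, policies), ids|
    # Report the role once even when several of its policies exceed the
    # threshold; appending per policy produced duplicate ids for the same role.
    ids << logical_resource_id if policies.any? { |_, metric| metric >= threshold }
  end
end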