Added MQ

aquasecurity · Oct 7, 2021 · ce7af87 · ce7af87
1 parent c69d03b
commit ce7af87
Show file tree

Hide file tree

Showing 14 changed files with 320 additions and 49 deletions.
diff --git a/internal/app/cfsec/adapter/aws/adapt.go b/internal/app/cfsec/adapter/aws/adapt.go
@@ -21,6 +21,7 @@ import (
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/elasticsearch"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/elb"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/iam"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/mq"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/msk"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/neptune"
 	"github.com/aquasecurity/cfsec/internal/app/cfsec/adapter/aws/rds"
@@ -58,6 +59,7 @@ func Adapt(cfFile parser.FileContext) aws.AWS {
 		Elasticsearch: elasticsearch.Adapt(cfFile),
 		ELB:           elb.Adapt(cfFile),
 		MSK:           msk.Adapt(cfFile),
+		MQ:            mq.Adapt(cfFile),
 		Neptune:       neptune.Adapt(cfFile),
 		RDS:           rds.Adapt(cfFile),
 		Redshift:      redshift.Adapt(cfFile),

diff --git a/internal/app/cfsec/adapter/aws/mq/mq.go b/internal/app/cfsec/adapter/aws/mq/mq.go
@@ -0,0 +1,46 @@
+package mq
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/parser"
+	"github.com/aquasecurity/defsec/provider/aws/mq"
+	"github.com/aquasecurity/defsec/types"
+)
+
+func Adapt(cfFile parser.FileContext) mq.MQ {
+	return mq.MQ{
+		Brokers: getBrokers(cfFile),
+	}
+}
+
+func getBrokers(ctx parser.FileContext) (brokers []mq.Broker) {
+	for _, brokerResource := range ctx.GetResourceByType("AWS::AmazonMQ::Broker") {
+
+		var broker mq.Broker
+		broker.Metadata = brokerResource.Metadata()
+
+		if publicProp := brokerResource.GetProperty("PubliclyAccessible"); publicProp.IsBool() {
+			broker.PublicAccess = publicProp.AsBoolValue()
+		} else {
+			broker.PublicAccess = types.BoolDefault(false, brokerResource.Metadata())
+		}
+
+		if logsProp := brokerResource.GetProperty("Logs"); logsProp.IsNotNil() {
+			if auditProp := logsProp.GetProperty("Audit"); auditProp.IsBool() {
+				broker.Logging.Audit = auditProp.AsBoolValue()
+			} else {
+				broker.Logging.Audit = types.BoolDefault(false, logsProp.Metadata())
+			}
+			if generalProp := logsProp.GetProperty("General"); generalProp.IsBool() {
+				broker.Logging.General = generalProp.AsBoolValue()
+			} else {
+				broker.Logging.General = types.BoolDefault(false, logsProp.Metadata())
+			}
+		} else {
+			broker.Logging.Audit = types.BoolDefault(false, brokerResource.Metadata())
+			broker.Logging.General = types.BoolDefault(false, brokerResource.Metadata())
+		}
+
+		brokers = append(brokers, broker)
+	}
+	return brokers
+}
diff --git a/internal/app/cfsec/rules/aws/mq/enable_audit_logging_rule.go b/internal/app/cfsec/rules/aws/mq/enable_audit_logging_rule.go
@@ -0,0 +1,41 @@
+package rds
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/mq"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example
+Resources:
+  Broker:
+    Type: AWS::AmazonMQ::Broker
+    Properties:
+      Logs:
+        Audit: false
+
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example
+Resources:
+  Broker:
+    Type: AWS::AmazonMQ::Broker
+    Properties:
+      Logs:
+        Audit: true
+
+`,
+		},
+		Base: mq.CheckEnableAuditLogging,
+	})
+}
diff --git a/internal/app/cfsec/rules/aws/mq/enable_audit_logging_rule_test.go b/internal/app/cfsec/rules/aws/mq/enable_audit_logging_rule_test.go
@@ -0,0 +1,17 @@
+package rds
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_MQ_AuditLogs_FailureExamples(t *testing.T) {
+	expectedCode := "aws-mq-enable-audit-logging"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_MQ_AuditLogs_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-mq-enable-audit-logging"
+	test.RunPassingExamplesTest(t, expectedCode)
+}
diff --git a/internal/app/cfsec/rules/aws/mq/enable_general_logging_rule.go b/internal/app/cfsec/rules/aws/mq/enable_general_logging_rule.go
@@ -0,0 +1,41 @@
+package rds
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/mq"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example
+Resources:
+  Broker:
+    Type: AWS::AmazonMQ::Broker
+    Properties:
+      Logs:
+        General: false
+
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example
+Resources:
+  Broker:
+    Type: AWS::AmazonMQ::Broker
+    Properties:
+      Logs:
+        General: true
+
+`,
+		},
+		Base: mq.CheckEnableGeneralLogging,
+	})
+}
diff --git a/internal/app/cfsec/rules/aws/mq/enable_general_logging_rule_test.go b/internal/app/cfsec/rules/aws/mq/enable_general_logging_rule_test.go
@@ -0,0 +1,17 @@
+package rds
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_MQ_GeneralLogs_FailureExamples(t *testing.T) {
+	expectedCode := "aws-mq-enable-audit-logging"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_MQ_GeneralLogs_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-mq-enable-audit-logging"
+	test.RunPassingExamplesTest(t, expectedCode)
+}
diff --git a/internal/app/cfsec/rules/aws/mq/no_public_access_rule.go b/internal/app/cfsec/rules/aws/mq/no_public_access_rule.go
@@ -0,0 +1,39 @@
+package rds
+
+import (
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/rule"
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/scanner"
+	"github.com/aquasecurity/defsec/rules/aws/mq"
+)
+
+func init() {
+	scanner.RegisterCheckRule(rule.Rule{
+
+		BadExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Bad example
+Resources:
+  Broker:
+    Type: AWS::AmazonMQ::Broker
+    Properties:
+      PubliclyAccessible: true
+
+`,
+		},
+
+		GoodExample: []string{
+			`---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example
+Resources:
+  Broker:
+    Type: AWS::AmazonMQ::Broker
+    Properties:
+      PubliclyAccessible: false
+
+`,
+		},
+		Base: mq.CheckNoPublicAccess,
+	})
+}
diff --git a/internal/app/cfsec/rules/aws/mq/no_public_access_rule_test.go b/internal/app/cfsec/rules/aws/mq/no_public_access_rule_test.go
@@ -0,0 +1,17 @@
+package rds
+
+import (
+	"testing"
+
+	"github.com/aquasecurity/cfsec/internal/app/cfsec/test"
+)
+
+func Test_MQ_Public_FailureExamples(t *testing.T) {
+	expectedCode := "aws-mq-no-public-access"
+	test.RunFailureExamplesTest(t, expectedCode)
+}
+
+func Test_MQ_Public_SuccessExamples(t *testing.T) {
+	expectedCode := "aws-mq-no-public-access"
+	test.RunPassingExamplesTest(t, expectedCode)
+}
diff --git a/internal/app/cfsec/rules/aws/msk/msk.yaml b/internal/app/cfsec/rules/aws/msk/msk.yaml
diff --git a/internal/app/cfsec/rules/aws/neptune/neptune.yaml b/internal/app/cfsec/rules/aws/neptune/neptune.yaml
diff --git a/vendor/github.com/aquasecurity/defsec/rules/aws/mq/enable_audit_logging.go b/vendor/github.com/aquasecurity/defsec/rules/aws/mq/enable_audit_logging.go
diff --git a/vendor/github.com/aquasecurity/defsec/rules/aws/mq/enable_general_logging.go b/vendor/github.com/aquasecurity/defsec/rules/aws/mq/enable_general_logging.go
diff --git a/vendor/github.com/aquasecurity/defsec/rules/aws/mq/no_public_access.go b/vendor/github.com/aquasecurity/defsec/rules/aws/mq/no_public_access.go