aws-cloudformation / aws-guard-rules-registry

Rules Registry for Compliance Frameworks
Apache License 2.0

(dynamodb): Rule suppression for `DYNAMODB_PITR_ENABLED` not working #251

Open plinioh opened 10 months ago

plinioh commented 10 months ago

What is the problem?

The suppression rule for DYNAMODB_PITR_ENABLED is not working as expected.

Reproduction Steps

template.yaml

Resources:
  Table:
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Type: AWS::DynamoDB::Table
    Metadata:
      guard:
        SuppressedRules:
          - DYNAMODB_PITR_ENABLED
    Properties:
      AttributeDefinitions:
        - { AttributeName: "partition_key", AttributeType: "S" }
      KeySchema:
        - { AttributeName: "partition_key", KeyType: "HASH" }

Rule Set: Currently using wa-Reliability-Pillar.guard from Release v1.0.2

Command:

 cfn-guard validate -r ~/Downloads/output/wa-Reliability-Pillar.guard -d template.yaml

Result:

cfn-guard validate -r ~/Downloads/output/wa-Reliability-Pillar.guard -d template.yaml          
template.yaml Status = FAIL
FAILED rules
wa-Reliability-Pillar.guard/DYNAMODB_PITR_ENABLED                          FAIL
---
Evaluating data template.yaml against rules wa-Reliability-Pillar.guard
Number of non-compliant resources 1
Resource = Table {
  Type      = AWS::DynamoDB::Table
  Rule = DYNAMODB_PITR_ENABLED {
    ALL {
      Check =  %aws_dynamodb_table_resources[*].Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled EQUALS  true {
        Message {
          Guard Rule Set: wa-Reliability-Pillar
          Controls: REL-9
          Violation: All DynamoDB Tables must have Point-In-Time-Recovery enabled.
          Fix: Set the dynamodb table property PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled to true.
        }
        RequiredPropertyError {
          PropertyPath = /Resources/Table/Properties[L:10,C:6]
          MissingProperty = PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled
          Reason = Could not find key PointInTimeRecoverySpecification inside struct at path /Resources/Table/Properties[L:10,C:6]
          Code:
                8.        SuppressedRules:
                9.          - DYNAMODB_PITR_ENABLED
               10.    Properties:
               11.      AttributeDefinitions:
               12.        - { AttributeName: "partition_key", AttributeType: "S" }
               13.      KeySchema:
        }
      }
    }
  }
}

What did you expect to happen?

I expected cfn-guard validate to exit cleanly since the rule for DYNAMODB_PITR_ENABLED is suppressed.

What actually happened?

cfn-guard validate evaluated the template as non-compliant

CloudFormation Guard Version

cfn-guard 3.0.1

OS

MacOS

OS Version

Sonoma 14.1.1

Other information

N/A

cm-kazup0n commented 6 months ago

@plinioh I also encountered the same issue. I believe the problem has been resolved since the conditions have been fixed in the main branch.

Conditions for SuppressedRules are added in main as follows:

let dynamodb_pitr_enabled = Resources.*[ Type == "AWS::DynamoDB::Table" 
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "DYNAMODB_PITR_ENABLED"
]

https://github.com/aws-cloudformation/aws-guard-rules-registry/blob/main/rules/aws/dynamodb/dynamodb_pitr_enabled.guard#L31-L34
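The following is an added illustration, not code from the aws-guard-rules-registry project or from either commenter: a small Python model of the rule's resource selector with and without the suppression condition quoted above, evaluated over the reporter's template embedded as a dict (the second table, `Orders`, is a constructed contrast case).

```python
# Added example (not from the aws-guard-rules-registry project): models the
# DYNAMODB_PITR_ENABLED selector from Release v1.0.2 (no suppression check) and
# from main (Metadata.guard.SuppressedRules honoured), run over the issue's template.

RULE = "DYNAMODB_PITR_ENABLED"

# Constructed: the Resources section of template.yaml from the issue as a dict,
# plus a second, unsuppressed table "Orders" so both branches are exercised.
RESOURCES = {
    "Table": {
        "Type": "AWS::DynamoDB::Table",
        "Metadata": {"guard": {"SuppressedRules": [RULE]}},
        "Properties": {
            "AttributeDefinitions": [{"AttributeName": "partition_key", "AttributeType": "S"}],
            "KeySchema": [{"AttributeName": "partition_key", "KeyType": "HASH"}],
        },
    },
    "Orders": {
        "Type": "AWS::DynamoDB::Table",
        "Properties": {"PointInTimeRecoverySpecification": {"PointInTimeRecoveryEnabled": False}},
    },
}

def select_tables_v1_0_2(resources):
    """v1.0.2 selector: every DynamoDB table is in scope; SuppressedRules is never read."""
    return [n for n, r in resources.items() if r.get("Type") == "AWS::DynamoDB::Table"]

def is_suppressed(resource, rule):
    """Inverse of the condition added in main: SuppressedRules exists AND lists the rule.
    (Guard's `SuppressedRules.* != RULE` over a list means no element equals RULE.)"""
    suppressed = resource.get("Metadata", {}).get("guard", {}).get("SuppressedRules")
    return suppressed is not None and rule in suppressed

def select_tables_main(resources):
    """main selector: DynamoDB tables whose Metadata does not suppress the rule."""
    return [n for n, r in resources.items()
            if r.get("Type") == "AWS::DynamoDB::Table" and not is_suppressed(r, RULE)]

def pitr_enabled(resource):
    """The rule's check: Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled EQUALS true."""
    spec = resource.get("Properties", {}).get("PointInTimeRecoverySpecification")
    return bool(spec) and spec.get("PointInTimeRecoveryEnabled") is True

def evaluate(resources, selector):
    """Names of non-compliant resources under the given selector; empty list means PASS."""
    return [n for n in selector(resources) if not pitr_enabled(resources[n])]

if __name__ == "__main__":
    print("v1.0.2 non-compliant:", evaluate(RESOURCES, select_tables_v1_0_2))  # ['Table', 'Orders']
    print("main    non-compliant:", evaluate(RESOURCES, select_tables_main))    # ['Orders']
```

With the v1.0.2 selector the suppressed `Table` still fails, reproducing the report; with the main selector only the unsuppressed `Orders` table is flagged.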