Open AkasakiTomohiro opened 6 months ago
What is the problem?
False positive 'RDS_STORAGE_ENCRYPTED' when 'AWS::RDS::DBClusterParameterGroup' is defined in template.

```json
{
  "Resources": {
    "ParameterGroup": {
      "Type": "AWS::RDS::DBClusterParameterGroup",
      "Properties": {
        "DBClusterParameterGroupName": "parameter-group",
        "Description": "description",
        "Family": "aurora-mysql8.0",
        "Parameters": {}
      },
      "Metadata": {
        "aws:cdk:path": "SampleStack/ParameterGroup"
      }
    }
  }
}
```

Reproduction Steps
```
cfn-guard validate -r ./aws-guard-rules-registry/rules -d ./cdk.out/SampleStack.template.json -S none -o sarif --structured
```
Execution results are partially processed.

```json
{
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/errata01/os/schemas/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "cfn-guard",
          "semanticVersion": "3.1.0",
          "fullName": "cfn-guard 3.1.0",
          "organization": "Amazon Web Services",
          "downloadUri": "https://github.com/aws-cloudformation/cloudformation-guard",
          "informationUri": "https://github.com/aws-cloudformation/cloudformation-guard",
          "shortDescription": {
            "text": "AWS CloudFormation Guard is an open-source general-purpose policy-as-code evaluation tool. It provides developers with a simple-to-use, yet powerful and expressive domain-specific language (DSL) to define policies and enables developers to validate JSON- or YAML- formatted structured data with those policies."
          }
        }
      },
      "artifacts": [
        {
          "location": {
            "uri": "cdk.out/SampleStack.template.json"
          }
        }
      ],
      "results": [
        {
          "ruleId": "RDS_STORAGE_ENCRYPTED",
          "level": "error",
          "message": {
            "text": "Check was not compliant as property [/Resources/ParameterGroup[L:2,C:20]] was not empty. \n Violation: All RDS instances must have encrypted storage.\n Fix: Set the StorageEncrypted parameter to true.\n "
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "cdk.out/SampleStack.template.json"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 1
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
```

What did you expect to happen?
It is recognized that it is not detected by 'AWS::RDS::DBClusterParameterGroup'.

What actually happened?
False positive 'RDS_STORAGE_ENCRYPTED' when 'AWS::RDS::DBClusterParameterGroup' is defined in template.

CloudFormation Guard Version
3.1.0

OS
Ubuntu

OS Version
20.04

Other information
'RDS_STORAGE_ENCRYPTED' is detected by mistake because 'AWS::RDS::DBCluster' is included in 'AWS::RDS::DBClusterParameterGroup'.
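To illustrate the failure mode this issue describes, here is an added Python example; it is not code from the issue, from cfn-guard, or from the aws-guard-rules-registry. It assumes the rule selects resources by running an unanchored regular expression against each resource's Type, which is the only way 'AWS::RDS::DBCluster' could select an 'AWS::RDS::DBClusterParameterGroup' as the report states. Only the 'ParameterGroup' resource comes from the issue; the 'Cluster', 'EncryptedCluster' and 'Instance' resources, and the two patterns, are constructed for the example. It goes slightly beyond the issue by also covering 'AWS::RDS::DBInstance', since the violation text speaks of "all RDS instances".

```python
import re

# Template under test: the DBClusterParameterGroup from the issue plus three
# constructed RDS resources, so that both selection strategies can be compared.
TEMPLATE = {
    "Resources": {
        # From the issue: a parameter group has no StorageEncrypted property at all.
        "ParameterGroup": {
            "Type": "AWS::RDS::DBClusterParameterGroup",
            "Properties": {
                "DBClusterParameterGroupName": "parameter-group",
                "Description": "description",
                "Family": "aurora-mysql8.0",
                "Parameters": {},
            },
        },
        # Constructed: a real cluster that is genuinely non-compliant.
        "Cluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {"Engine": "aurora-mysql"},
        },
        # Constructed: a compliant cluster.
        "EncryptedCluster": {
            "Type": "AWS::RDS::DBCluster",
            "Properties": {"Engine": "aurora-mysql", "StorageEncrypted": True},
        },
        # Constructed: a standalone instance without encryption.
        "Instance": {
            "Type": "AWS::RDS::DBInstance",
            "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t3.micro"},
        },
    }
}

# Assumed shape of the over-broad selector: an unanchored pattern, so a
# substring match on the Type string is enough to select the resource.
LOOSE_PATTERN = r"AWS::RDS::DB(Cluster|Instance)"

# Hardened selector: anchored at both ends, so only the exact resource types
# that actually carry a StorageEncrypted property are selected.
STRICT_PATTERN = r"^AWS::RDS::DB(Cluster|Instance)$"


def select_resources(template, type_pattern):
    """Return the logical ids whose Type matches the pattern.

    re.search is used deliberately: like an unanchored regex in a policy
    language, it matches anywhere in the string unless the pattern anchors
    itself with ^ and $.
    """
    rx = re.compile(type_pattern)
    return [
        logical_id
        for logical_id, resource in template["Resources"].items()
        if rx.search(resource.get("Type", ""))
    ]


def storage_encrypted_violations(template, type_pattern):
    """Emulate the RDS_STORAGE_ENCRYPTED check over the selected resources.

    A selected resource violates the check unless StorageEncrypted is
    literally true. With the loose pattern, the parameter group is selected
    and reported even though the property cannot apply to it.
    """
    violations = []
    for logical_id in select_resources(template, type_pattern):
        props = template["Resources"][logical_id].get("Properties", {})
        if props.get("StorageEncrypted") is not True:
            violations.append(logical_id)
    return violations


if __name__ == "__main__":
    print("loose :", storage_encrypted_violations(TEMPLATE, LOOSE_PATTERN))
    print("strict:", storage_encrypted_violations(TEMPLATE, STRICT_PATTERN))
```

With the loose pattern the parameter group is flagged alongside the genuinely unencrypted cluster and instance; with the anchored pattern only the two real violations remain. The practical risk of the loose form is not just noise: a finding at level "error" that every CDK stack with a parameter group trips tends to get suppressed wholesale, and a suppression for RDS_STORAGE_ENCRYPTED then also hides the real unencrypted clusters the rule exists to catch. Anchoring the type match (or comparing Type for equality) keeps the check precise without weakening it.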