aws-cloudformation / aws-guard-rules-registry

Rules Registry for Compliance Frameworks
Apache License 2.0

(aws-kinesis): cfnguard reports incorrect rule name #277

Open biffgaut opened 1 month ago

biffgaut commented 1 month ago

What is the problem?

If you don't have a Redshift destination configured for a Kinesis Firehose, cfn-guard reports a KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER violation, but to suppress the error you need to use what appears to be the name of a subRule(?). Whatever is going on inside the tool, you need to use KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD to suppress the warning if no Redshift destination configuration exists.

BTW - the same incorrect behavior happens for Splunk destinations.

Reproduction Steps

Triggers the KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER warning despite suppression:

  "testkinesisfirehoses3KinesisFirehose92F73280": {
   "Type": "AWS::KinesisFirehose::DeliveryStream",
   "Properties": {
    "DeliveryStreamEncryptionConfigurationInput": {
     "KeyType": "AWS_OWNED_CMK"
    },
    "DeliveryStreamName": "KinesisFirehosefhss3customLogginkettestkinesisfirehoses3C47A3354",
    "ExtendedS3DestinationConfiguration": {
     "BucketARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3S3BucketA8942735",
       "Arn"
      ]
     },
     "BufferingHints": {
      "IntervalInSeconds": 300,
      "SizeInMBs": 5
     },
     "CloudWatchLoggingOptions": {
      "Enabled": true,
      "LogGroupName": {
       "Ref": "testkinesisfirehoses3firehoseloggroup3D11FB0D"
      },
      "LogStreamName": {
       "Ref": "testkinesisfirehoses3firehoseloggroupfirehoselogstream3C52AF00"
      }
     },
     "CompressionFormat": "GZIP",
     "EncryptionConfiguration": {
      "KMSEncryptionConfig": {
       "AWSKMSKeyARN": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":kms:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":alias/aws/s3"
         ]
        ]
       }
      }
     },
     "RoleARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3KinesisFirehoseRoleB23C3E93",
       "Arn"
      ]
     }
    }
   },
   "Metadata": {
    "guard": {
     "SuppressedRules": [
      "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER",
      "KINESIS_FIREHOSE_SPLUNK_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER"
     ]
    }
   }
  }

Doing this actually suppresses the KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER warning:

  "testkinesisfirehoses3KinesisFirehose92F73280": {
   "Type": "AWS::KinesisFirehose::DeliveryStream",
   "Properties": {
    "DeliveryStreamEncryptionConfigurationInput": {
     "KeyType": "AWS_OWNED_CMK"
    },
    "DeliveryStreamName": "KinesisFirehosefhss3customLogginkettestkinesisfirehoses3C47A3354",
    "ExtendedS3DestinationConfiguration": {
     "BucketARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3S3BucketA8942735",
       "Arn"
      ]
     },
     "BufferingHints": {
      "IntervalInSeconds": 300,
      "SizeInMBs": 5
     },
     "CloudWatchLoggingOptions": {
      "Enabled": true,
      "LogGroupName": {
       "Ref": "testkinesisfirehoses3firehoseloggroup3D11FB0D"
      },
      "LogStreamName": {
       "Ref": "testkinesisfirehoses3firehoseloggroupfirehoselogstream3C52AF00"
      }
     },
     "CompressionFormat": "GZIP",
     "EncryptionConfiguration": {
      "KMSEncryptionConfig": {
       "AWSKMSKeyARN": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":kms:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":alias/aws/s3"
         ]
        ]
       }
      }
     },
     "RoleARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3KinesisFirehoseRoleB23C3E93",
       "Arn"
      ]
     }
    }
   },
   "Metadata": {
    "guard": {
     "SuppressedRules": [
      "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER",
      "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD"
     ]
    }
   }
  }

What did you expect to happen?

The reported error name should be the error that needs to be suppressed - you shouldn't have to go to the GitHub repo to debug the actual name.

What actually happened?

A different error name has to be suppressed.

CloudFormation Guard Version

3.1.1

OS

MacOS

OS Version

No response

Other information

No response
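A constructed pre-check, added here and not part of the issue or of the registry's rule code, that mirrors what these two rules are meant to assess: a rule is skipped when its destination block is absent, a present destination passes only if its secret is not a string literal, and suppressions listed for rules that cannot fire on the resource are flagged. The field inspected for the Splunk rule (HECToken) and the accepted dynamic-reference forms are assumptions.

```python
import re

# Constructed pre-check mirroring the intent of the two Guard rules named in this
# issue; it is not cfn-guard and not the registry's own rule code.
DYNAMIC_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):")

# Reported rule name -> (destination property, secret field); the Splunk field is assumed.
RULES = {
    "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER":
        ("RedshiftDestinationConfiguration", "Password"),
    "KINESIS_FIREHOSE_SPLUNK_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER":
        ("SplunkDestinationConfiguration", "HECToken"),
}

def is_secure(value):
    """Secret is acceptable when it is a Secrets Manager / SSM SecureString
    dynamic reference, or an intrinsic (dict) rather than a string literal."""
    if isinstance(value, str):
        return bool(DYNAMIC_REF.match(value))
    return isinstance(value, dict)

def check_stream(resource):
    """Return {rule: 'SKIP' | 'PASS' | 'FAIL'} for one DeliveryStream resource.
    SKIP: the destination is absent, so the rule has nothing to assess."""
    props = resource.get("Properties", {})
    results = {}
    for rule, (dest, field) in RULES.items():
        cfg = props.get(dest)
        if cfg is None:
            results[rule] = "SKIP"
        else:
            results[rule] = "PASS" if is_secure(cfg.get(field)) else "FAIL"
    return results

def unneeded_suppressions(resource):
    """Suppressions listed for rules that cannot fire on this resource; worth
    flagging, because blanket suppressions tend to outlive their reason."""
    listed = resource.get("Metadata", {}).get("guard", {}).get("SuppressedRules", [])
    outcome = check_stream(resource)
    return [r for r in listed if outcome.get(r) == "SKIP"]

# Constructed sample resources, trimmed from the shape shown in the issue.
STREAM = "AWS::KinesisFirehose::DeliveryStream"
S3_ONLY = {"Type": STREAM, "Properties": {"ExtendedS3DestinationConfiguration": {
    "BucketARN": "arn:aws:s3:::example-bucket"}}, "Metadata": {"guard": {"SuppressedRules": [
    "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER"]}}}
REDSHIFT_PLAINTEXT = {"Type": STREAM, "Properties": {"RedshiftDestinationConfiguration": {
    "Username": "fh", "Password": "hunter2"}}}
REDSHIFT_SECRET = {"Type": STREAM, "Properties": {"RedshiftDestinationConfiguration": {
    "Username": "fh", "Password": "{{resolve:secretsmanager:fh/redshift:SecretString:password}}"}}}
```

Run it over the `Resources` map of a synthesized template before cfn-guard to spot suppressions that no longer correspond to an existing destination.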

biffgaut commented 1 month ago

I believe this line is the cause?

https://github.com/aws-cloudformation/aws-guard-rules-registry/blob/7f7340c26ae5d5e8874651dbffeb12e0e9f505b6/rules/aws/aws_kinesis/kinesis_firehose_splunk_destination_configuration_no_plaintext_password.guard#L78