aws-solutions / media-services-application-mapper

Media Services Application Mapper is a browser-based tool that allows operators to visualize the structure and logical connections among AWS Media Services and supporting services in the cloud. The tool can be used as a top-down resource monitoring tool when integrated with CloudWatch.
Apache License 2.0

Fix cfn-nag violations #204

Closed JimTharioAmazon closed 3 years ago

JimTharioAmazon commented 3 years ago

./msam-events-release.template

WARN W58
Resources: ["Collector", "AlarmUpdater"]
Line Numbers: [-1, -1]
Lambda functions require permission to write CloudWatch Logs

Failures count: 0 Warnings count: 2

./aws-media-services-application-mapper-release.template

Failures count: 0 Warnings count: 0

./msam-core-release.template

WARN W58
Resources: ["IncomingCloudwatchAlarm", "UpdateNodes", "UpdateConnections", "UpdateFromTags", "SsmRunCommand", "ProcessSsmRunCommand", "UpdateSsmNodes", "APIHandler"]
Line Numbers: [-1, -1, -1, -1, -1, -1, -1, -1]
Lambda functions require permission to write CloudWatch Logs

Failures count: 0 Warnings count: 8

./msam-dynamodb-release.template

WARN W78
Resources: ["Channels", "Events", "Layout", "Settings", "Content", "Alarms", "CloudWatchEvents"]
Line Numbers: [51, 75, 152, 186, 200, 242, 298]
DynamoDB table should have backup enabled, should be set using PointInTimeRecoveryEnabled

WARN W74
Resources: ["Channels", "Events", "Layout", "Settings", "Content", "Alarms", "CloudWatchEvents"]
Line Numbers: [51, 75, 152, 186, 200, 242, 298]
DynamoDB table should have encryption enabled using a CMK stored in KMS

WARN W58
Resources: ["DefaultSettingsResource"]
Line Numbers: [6]
Lambda functions require permission to write CloudWatch Logs

Failures count: 0 Warnings count: 15

./msam-browser-app-release.template

WARN W10
Resources: ["MSAMAppBucketCloudFrontDistribution"]
Line Numbers: [23]
CloudFront Distribution should enable access logging

WARN W70
Resources: ["MSAMAppBucketCloudFrontDistribution"]
Line Numbers: [23]
Cloudfront should use minimum protocol version TLS 1.2

WARN W58
Resources: ["MSAMWebContentResource", "MSAMWebInvalidationResource"]
Line Numbers: [164, 214]
Lambda functions require permission to write CloudWatch Logs

WARN W35
Resources: ["MSAMBrowserAppBucket"]
Line Numbers: [146]
S3 Bucket should have access logging configured

WARN W41
Resources: ["MSAMBrowserAppBucket"]
Line Numbers: [146]
S3 Bucket should have encryption option set

Failures count: 0 Warnings count: 6

./msam-iam-roles-release.template

FAIL F5
Resources: ["InstallationManagedPolicy"]
Line Numbers: [278]
IAM managed policy should not allow * action

WARN W13
Resources: ["InstallationManagedPolicy"]
Line Numbers: [278]
IAM managed policy should not allow * resource

FAIL F39
Resources: ["InstallationPolicy"]
Line Numbers: [243]
IAM policy should not allow * resource with PassRole action

FAIL F4
Resources: ["InstallationPolicy"]
Line Numbers: [243]
IAM policy should not allow * action

WARN W12
Resources: ["InstallationPolicy"]
Line Numbers: [243]
IAM policy should not allow * resource

WARN W11
Resources: ["EventsRole", "DynamoDBRole", "CoreRole", "WebRole"]
Line Numbers: [6, 47, 82, 205]
IAM role should not allow * resource on its permissions policy

WARN W76
Resources: ["CoreRole"]
Line Numbers: [82]
SPCM for IAM policy document is higher than 25

Failures count: 3 Warnings count: 7

JimTharioAmazon commented 3 years ago

Several '*' resource issues required suppressing in the IAM template. That template is general and applied first by compartmentalized groups before actual resource ARNs are known from the following templates.
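How a wildcard-resource finding is suppressed with a recorded reason, and how the W58 logging finding is cleared, shown as an added illustration rather than the project's own template: the role, policy and log-group names below are hypothetical, and the `cfn_nag` resource metadata is the mechanism cfn-nag reads for suppressions.

```yaml
# Added illustration (not the project's template). A hypothetical IAM role for an
# installation step whose target resource ARNs are created by later stacks, so the
# wildcard-resource warning (W11) is suppressed with the reason kept next to it,
# and an explicit CloudWatch Logs statement satisfies W58 for a Lambda role.
Resources:
  InstallationRole:                       # hypothetical name
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "Installation runs before the ARNs of resources in later templates exist; actions are enumerated and the statement is re-reviewed once ARNs are known"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: InstallationPermissions   # hypothetical name
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Explicit log permissions, scoped to Lambda log groups in this
              # account and region, so W58 ("Lambda functions require
              # permission to write CloudWatch Logs") is satisfied.
              - Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/*"
              # The wildcard resource that triggers W11: the table ARNs this
              # statement needs are only known after the DynamoDB stack deploys.
              - Effect: Allow
                Action:
                  - dynamodb:GetItem
                  - dynamodb:PutItem
                Resource: "*"
```

Each suppression carries its own `reason`, so a later review of the scan output can tell a justified wildcard from one that was simply silenced.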