diff --git a/.github/workflows/security-guardian.yml b/.github/workflows/security-guardian.yml new file mode 100644 index 0000000000000..ea031f255d037 --- /dev/null +++ b/.github/workflows/security-guardian.yml @@ -0,0 +1,118 @@ +name: Security Guardian +on: + pull_request: {} + + # Triggered from a separate job when a review is added + workflow_run: + workflows: [PR Linter Trigger] + types: + - completed + + # Trigger when a status is updated (CodeBuild leads to statuses) + status: {} + + # Trigger when a check suite is completed (GitHub actions and CodeCov create checks) + check_suite: + types: [completed] + +jobs: + download-if-workflow-run: + runs-on: ubuntu-latest + outputs: + pr_number: ${{ steps.pr_output.outputs.pr_number }} + pr_sha: ${{ steps.pr_output.outputs.pr_sha }} + # if conditions on all individual steps because subsequent jobs depend on this job + # and we cannot skip it entirely + steps: + - name: 'Download workflow_run artifact' + if: github.event_name == 'workflow_run' + uses: dawidd6/action-download-artifact@v9 + with: + run_id: ${{ github.event.workflow_run.id }} + name: pr_info + path: pr/ + search_artifacts: true + + - name: 'Determine PR info' + # PR info comes from the artifact if downloaded, or GitHub context if not. + if: github.event_name == 'workflow_run' + id: 'pr_output' + run: | + if [[ ! -f pr/pr_number ]]; then + echo "${{ github.event.pull_request.number }}" > pr/pr_number + fi + if [[ ! -f pr/pr_sha ]]; then + echo "${{ github.event.pull_request.head.sha }}" > pr/pr_sha + fi + cat pr/* + echo "pr_number=$(cat pr/pr_number)" >> "$GITHUB_OUTPUT" + echo "pr_sha=$(cat pr/pr_sha)" >> "$GITHUB_OUTPUT" + + run-security-guardian: + # Necessary to have sufficient permissions to write to the PR + permissions: + contents: read + pull-requests: write + statuses: read + issues: read + checks: read + runs-on: ubuntu-latest + needs: download-if-workflow-run + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Get list of changed .template.json files + id: filter_files + run: | + echo "Getting changed CloudFormation templates..." + mkdir -p changed_templates + + git fetch origin main --depth=1 + + base_sha="${{ github.event.pull_request.base.sha }}" + head_sha="${{ github.event.pull_request.head.sha }}" + if [[ -z "$base_sha" ]]; then base_sha=$(git merge-base origin/main HEAD); fi + if [[ -z "$head_sha" ]]; then head_sha=HEAD; fi + + git diff --name-status "$base_sha" "$head_sha" \ + | grep -E '^(A|M)\s+.*\.template\.json$' \ + | awk '{print $2}' > changed_files.txt || true + + while IFS= read -r file; do + if [ -f "$file" ]; then + safe_name=$(echo "$file" | sed 's|/|_|g') + cp "$file" "changed_templates/$safe_name" + else + echo "::warning::Changed file not found in workspace: $file" + fi + done < changed_files.txt + + if [ -s changed_files.txt ]; then + echo "files_changed=true" >> $GITHUB_OUTPUT + else + echo "files_changed=false" >> $GITHUB_OUTPUT + fi + + - name: Install cfn-guard + if: steps.filter_files.outputs.files_changed == 'true' + run: | + mkdir -p $HOME/.local/bin + curl -L -o cfn-guard.tar.gz https://github.com/aws-cloudformation/cloudformation-guard/releases/latest/download/cfn-guard-v3-x86_64-ubuntu-latest.tar.gz + tar -xzf cfn-guard.tar.gz + mv cfn-guard-v3-*/cfn-guard $HOME/.local/bin/cfn-guard + chmod +x $HOME/.local/bin/cfn-guard + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Install & Build security-guardian + if: steps.filter_files.outputs.files_changed == 'true' + run: yarn install --frozen-lockfile && cd tools/@aws-cdk/security-guardian && yarn build + + - name: Run cfn-guard if templates changed + if: steps.filter_files.outputs.files_changed == 'true' + uses: ./tools/@aws-cdk/security-guardian + with: + data_directory: './changed_templates' + rule_set_path: './tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard' + show_summary: 'fail' + output_format: 'single-line-summary' diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.12157b27d30ab71eb24ae65825f672ba5cc2c09dbb1703cd7adfcff3aeaca136.zip b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.12157b27d30ab71eb24ae65825f672ba5cc2c09dbb1703cd7adfcff3aeaca136.zip index 63deb5e01673b..2556546dd5f0d 100644 Binary files a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.12157b27d30ab71eb24ae65825f672ba5cc2c09dbb1703cd7adfcff3aeaca136.zip and b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.12157b27d30ab71eb24ae65825f672ba5cc2c09dbb1703cd7adfcff3aeaca136.zip differ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.93d96d34e0d3cd20eb082652b91012b131bdc34fcf2bc16eb4170e04772fddb1.zip b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.93d96d34e0d3cd20eb082652b91012b131bdc34fcf2bc16eb4170e04772fddb1.zip index 22515aed82d4a..270a85f97b1e6 100644 Binary files a/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.93d96d34e0d3cd20eb082652b91012b131bdc34fcf2bc16eb4170e04772fddb1.zip and b/packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.eks-cluster-tags.js.snapshot/asset.93d96d34e0d3cd20eb082652b91012b131bdc34fcf2bc16eb4170e04772fddb1.zip differ diff --git a/tools/@aws-cdk/security-guardian/.gitignore b/tools/@aws-cdk/security-guardian/.gitignore new file mode 100644 index 0000000000000..f052acebb3934 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/.gitignore @@ -0,0 +1,5 @@ +*.js +*.js.map +*.d.ts +dist +node_modules diff --git a/tools/@aws-cdk/security-guardian/README.md b/tools/@aws-cdk/security-guardian/README.md new file mode 100644 index 0000000000000..3b4a8b0af142a --- /dev/null +++ b/tools/@aws-cdk/security-guardian/README.md @@ -0,0 +1,93 @@ +# Security Guardian + +A GitHub Action tool designed to validate changed AWS CloudFormation templates against custom [cfn-guard](https://github.com/aws-cloudformation/cloudformation-guard) rules. Supports both local paths and remote URLs for rule sets. + +--- + +## ๐Ÿš€ Features + +- Validates only changed `*.template.json` files in PRs +- Supports `cfn-guard v3` +- Accepts rules from a local file or remote URL +- Outputs validation results in summary format + +--- + +## ๐Ÿ“ฆ Inputs + +| Name | Description | Required | Default | +|------------------|-------------------------------------------------------------------|----------|---------| +| `data_directory` | Directory containing templates to validate | โœ… Yes | | +| `rule_file_path` | Local path to the rules file | โœ… Yes | | +| `show_summary` | Whether to show summary output (`fail`, `warn`, `none`) | โŒ No | `fail` | +| `output_format` | Output format (`single-line-summary`, `json`, etc.) | โŒ No | `single-line-summary` | + +> `data_directory` and `rule_file_path` must be set. + +--- + +## ๐Ÿ› ๏ธ Usage + +```yaml +- name: Run CFN Guard + uses: ./tools/@aws-cdk/security-guardian + with: + data_directory: './changed_templates' + rule_set_path: './tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard' + show_summary: 'fail' + output_format: 'single-line-summary' +``` + +--- + +## ๐Ÿงช Local Development + +### 1. Build +```bash +npm install +npm run build +``` + +### 2. Run Locally +```bash +node dist/index.js \ + --data_directory=./changed_templates \ + --rule_file_path=./rules.guard \ + --output_format=single-line-summary \ + --show_summary=fail +``` + +--- + +## ๐Ÿ“ License + +```text +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +``` + +--- + +## ๐Ÿ‘ Contributing + +PRs are welcome! Please follow conventional commit messages and test your changes before opening a pull request. + +--- + +## ๐Ÿ“ฃ Acknowledgments + +Built on top of [cfn-guard](https://github.com/aws-cloudformation/cloudformation-guard) and [GitHub Actions Toolkit](https://github.com/actions/toolkit). + +--- + +Happy Guarding! ๐Ÿ›ก๏ธ + diff --git a/tools/@aws-cdk/security-guardian/action.yml b/tools/@aws-cdk/security-guardian/action.yml new file mode 100644 index 0000000000000..76128b9ae20a5 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/action.yml @@ -0,0 +1,26 @@ +name: 'Security Guardian' +description: 'Security Guardian for custom or granular guard rules' + +inputs: + data_directory: + description: "Path to CloudFormation templates" + required: true + rule_set_path: + description: "Path to a single .guard file locally" + required: true + show_summary: + description: "cfn-guard summary output. Options are all, pass, fail, skip or none" + required: false + default: "fail" + output_format: + description: "cfn-guard output format. Options: json, yaml, single-line-summary" + required: false + default: "single-line-summary" + +runs: + using: node20 + main: dist/index.js + +branding: + icon: shield + color: red diff --git a/tools/@aws-cdk/security-guardian/package-lock.json b/tools/@aws-cdk/security-guardian/package-lock.json new file mode 100644 index 0000000000000..a37a578ff2db0 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/package-lock.json @@ -0,0 +1,116 @@ +{ + "name": "security-guardian", + "version": "1.0.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "security-guardian", + "version": "1.0.0", + "dependencies": { + "@actions/core": "^1.10.0", + "@actions/exec": "^1.1.1" + }, + "devDependencies": { + "@types/node": "^22.14.0", + "typescript": "^5.2.2" + } + }, + "node_modules/@actions/core": { + "version": "1.11.1", + "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz", + "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==", + "license": "MIT", + "dependencies": { + "@actions/exec": "^1.1.1", + "@actions/http-client": "^2.0.1" + } + }, + "node_modules/@actions/exec": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz", + "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==", + "license": "MIT", + "dependencies": { + "@actions/io": "^1.0.1" + } + }, + "node_modules/@actions/http-client": { + "version": "2.2.3", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz", + "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==", + "license": "MIT", + "dependencies": { + "tunnel": "^0.0.6", + "undici": "^5.25.4" + } + }, + "node_modules/@actions/io": { + "version": "1.1.3", + "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz", + "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==", + "license": "MIT" + }, + "node_modules/@fastify/busboy": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz", + "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==", + "license": "MIT", + "engines": { + "node": ">=14" + } + }, + "node_modules/@types/node": { + "version": "22.14.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-22.14.0.tgz", + "integrity": "sha512-Kmpl+z84ILoG+3T/zQFyAJsU6EPTmOCj8/2+83fSN6djd6I4o7uOuGIH6vq3PrjY5BGitSbFuMN18j3iknubbA==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~6.21.0" + } + }, + "node_modules/tunnel": { + "version": "0.0.6", + "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz", + "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==", + "license": "MIT", + "engines": { + "node": ">=0.6.11 <=0.7.0 || >=0.7.3" + } + }, + "node_modules/typescript": { + "version": "5.8.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz", + "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici": { + "version": "5.29.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz", + "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==", + "license": "MIT", + "dependencies": { + "@fastify/busboy": "^2.0.0" + }, + "engines": { + "node": ">=14.0" + } + }, + "node_modules/undici-types": { + "version": "6.21.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "dev": true, + "license": "MIT" + } + } +} diff --git a/tools/@aws-cdk/security-guardian/package.json b/tools/@aws-cdk/security-guardian/package.json new file mode 100644 index 0000000000000..350e84e92c96d --- /dev/null +++ b/tools/@aws-cdk/security-guardian/package.json @@ -0,0 +1,17 @@ +{ + "name": "security-guardian", + "version": "1.0.0", + "main": "dist/index.js", + "scripts": { + "build": "tsc", + "prepare": "npm run build" + }, + "dependencies": { + "@actions/core": "^1.10.0", + "@actions/exec": "^1.1.1" + }, + "devDependencies": { + "@types/node": "^22.14.0", + "typescript": "^5.2.2" + } +} diff --git a/tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard b/tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard new file mode 100644 index 0000000000000..c44676956c146 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard @@ -0,0 +1,39 @@ +# Trust Scope Security Rules +# This rule file checks for overly broad trust scopes in IAM resources + +# Rule to check for overly permissive IAM role trust policies +rule iam_role_trust_policy_not_overly_permissive { + AWS::IAM::Role { + Properties exists + Properties is_struct + + Properties.AssumeRolePolicyDocument exists + Properties.AssumeRolePolicyDocument is_struct + + Properties.AssumeRolePolicyDocument { + Statement exists + Statement is_list + + # For each statement in the policy + Statement[*] { + # Check if Principal is overly permissive + when Principal exists { + # Check if Principal is a string (direct "*" case) + when Principal is_string { + Principal != "*" + } + + # Check if AWS principal exists + when Principal.AWS exists { + # Check if AWS is a string + when Principal.AWS is_string { + Principal.AWS != "*" + Principal.AWS != /(?i):root/ + } + } + } + } + } + } +} + diff --git a/tools/@aws-cdk/security-guardian/src/index.ts b/tools/@aws-cdk/security-guardian/src/index.ts new file mode 100644 index 0000000000000..820abd3f7eeb3 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/src/index.ts @@ -0,0 +1,31 @@ +import * as core from '@actions/core'; +import * as exec from '@actions/exec'; + +async function run(): Promise { + try { + const dataDir = core.getInput('data_directory'); + const ruleSetPath = core.getInput('rule_set_path'); + const showSummary = core.getInput('show_summary') || 'fail'; + const outputFormat = core.getInput('output_format') || 'single-line-summary'; + + if (!ruleSetPath) { + throw new Error(" 'rule_set_path' input must be provided."); + } + + let rulePathToUse = ruleSetPath; + + core.info(`Running cfn-guard with rule set: ${rulePathToUse}`); + + await exec.exec('cfn-guard', [ + 'validate', + '--data', dataDir, + '--rules', rulePathToUse, + '--show-summary', showSummary, + '--output-format', outputFormat + ]); + } catch (error) { + core.setFailed((error as Error).message); + } +} + +run(); diff --git a/tools/@aws-cdk/security-guardian/test/templates/CMCMK-Stack.template.json b/tools/@aws-cdk/security-guardian/test/templates/CMCMK-Stack.template.json new file mode 100644 index 0000000000000..e19192fbee730 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/test/templates/CMCMK-Stack.template.json @@ -0,0 +1,739 @@ +{ + "Resources": { + "LambdaExecutionRoleD5C26073": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "LambdaExecutionRoleDefaultPolicy6D69732F": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "kms:Decrypt", + "kms:Encrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "myImportedKey10DE2890", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "LambdaExecutionRoleDefaultPolicy6D69732F", + "Roles": [ + { + "Ref": "LambdaExecutionRoleD5C26073" + } + ] + } + }, + "myImportedKey10DE2890": { + "Type": "AWS::KMS::Key", + "Properties": { + "EnableKeyRotation": true, + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "LambdaExecutionRoleD5C26073", + "Arn" + ] + }, + "Service": "lambda.amazonaws.com" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "myFunction156294E5D": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "cab53c59addd4362c71a39b96e04505d5f53fa854b2ff7cbc6cd5925f5afca9d.zip", + "SourceKMSKeyArn": { + "Fn::GetAtt": [ + "myImportedKey10DE2890", + "Arn" + ] + } + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "LambdaExecutionRoleD5C26073", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "LambdaExecutionRoleDefaultPolicy6D69732F", + "LambdaExecutionRoleD5C26073" + ] + }, + "S3486F821D": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "s3sourcekmskeyarnbucket", + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + }, + { + "Key": "aws-cdk:cr-owned:c0b774e4", + "Value": "true" + } + ] + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "S3Policy2E4AA1D6": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "S3486F821D" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*", + "s3:PutBucketPolicy" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "S3486F821D", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "S3486F821D", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "S3AutoDeleteObjectsCustomResource5A4102C9": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "S3486F821D" + } + }, + "DependsOn": [ + "S3Policy2E4AA1D6" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "44e9c4d7a5d3fd2d677e1a7e416b2b56f6b0104bd5eff9cac5557b4c65a9dc61.zip" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": { + "Fn::FindInMap": [ + "LatestNodeRuntimeMap", + { + "Ref": "AWS::Region" + }, + "value" + ] + }, + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "S3486F821D" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, + "DeployLambdaCodeAwsCliLayer8743C498": { + "Type": "AWS::Lambda::LayerVersion", + "Properties": { + "Content": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "f24ba5e516d9d80b64bc7b0f406eedd12c36b20e7461f3e7719b7ffbdad72410.zip" + }, + "Description": "/opt/awscli/aws" + } + }, + "DeployLambdaCodeCustomResource0564AA4B": { + "Type": "Custom::CDKBucketDeployment", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536", + "Arn" + ] + }, + "SourceBucketNames": [ + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ], + "SourceObjectKeys": [ + "285f23e3fdafa13515eca3640773e339319628e600ff07e6a6f228748a1ac3e8.zip" + ], + "DestinationBucketName": { + "Ref": "S3486F821D" + }, + "Prune": true, + "OutputObjectKeys": true + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "ManagedPolicyArns": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + ] + ] + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "/*" + ] + ] + }, + { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":s3:::", + { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + } + ] + ] + } + ] + }, + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "S3486F821D", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "S3486F821D", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "Roles": [ + { + "Ref": "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + } + ] + } + }, + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C81C01536": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "c6358465bf49dfae556bb430bf9c81fa578c221b82c308e3707901b1dd654762.zip" + }, + "Environment": { + "Variables": { + "AWS_CA_BUNDLE": "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" + } + }, + "Handler": "index.handler", + "Layers": [ + { + "Ref": "DeployLambdaCodeAwsCliLayer8743C498" + } + ], + "Role": { + "Fn::GetAtt": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265", + "Arn" + ] + }, + "Runtime": "python3.11", + "Timeout": 900 + }, + "DependsOn": [ + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRoleDefaultPolicy88902FDF", + "CustomCDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756CServiceRole89A01265" + ] + }, + "myFunction2CB7FFFBF": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Ref": "S3486F821D" + }, + "S3Key": "python-lambda-handler.zip", + "SourceKMSKeyArn": { + "Fn::GetAtt": [ + "myImportedKey10DE2890", + "Arn" + ] + } + }, + "Environment": { + "Variables": { + "SOURCE_KMS_KEY_ARN": { + "Fn::GetAtt": [ + "myImportedKey10DE2890", + "Arn" + ] + } + } + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "LambdaExecutionRoleD5C26073", + "Arn" + ] + }, + "Runtime": "nodejs18.x" + }, + "DependsOn": [ + "DeployLambdaCodeAwsCliLayer8743C498", + "DeployLambdaCodeCustomResource0564AA4B", + "LambdaExecutionRoleDefaultPolicy6D69732F", + "LambdaExecutionRoleD5C26073" + ] + }, + "myFunction343849752": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "S3Bucket": { + "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}" + }, + "S3Key": "bfb85829d4e929cc311029ef8f4408970030d737cc6d4c1911f7abd2991fa051.zip", + "SourceKMSKeyArn": { + "Fn::GetAtt": [ + "myImportedKey10DE2890", + "Arn" + ] + } + }, + "Environment": { + "Variables": { + "SOURCE_KMS_KEY_ARN": { + "Fn::GetAtt": [ + "myImportedKey10DE2890", + "Arn" + ] + } + } + }, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "LambdaExecutionRoleD5C26073", + "Arn" + ] + }, + "Runtime": "python3.11" + }, + "DependsOn": [ + "LambdaExecutionRoleDefaultPolicy6D69732F", + "LambdaExecutionRoleD5C26073" + ] + } + }, + "Mappings": { + "LatestNodeRuntimeMap": { + "af-south-1": { + "value": "nodejs20.x" + }, + "ap-east-1": { + "value": "nodejs20.x" + }, + "ap-northeast-1": { + "value": "nodejs20.x" + }, + "ap-northeast-2": { + "value": "nodejs20.x" + }, + "ap-northeast-3": { + "value": "nodejs20.x" + }, + "ap-south-1": { + "value": "nodejs20.x" + }, + "ap-south-2": { + "value": "nodejs20.x" + }, + "ap-southeast-1": { + "value": "nodejs20.x" + }, + "ap-southeast-2": { + "value": "nodejs20.x" + }, + "ap-southeast-3": { + "value": "nodejs20.x" + }, + "ap-southeast-4": { + "value": "nodejs20.x" + }, + "ap-southeast-5": { + "value": "nodejs20.x" + }, + "ap-southeast-7": { + "value": "nodejs20.x" + }, + "ca-central-1": { + "value": "nodejs20.x" + }, + "ca-west-1": { + "value": "nodejs20.x" + }, + "cn-north-1": { + "value": "nodejs20.x" + }, + "cn-northwest-1": { + "value": "nodejs20.x" + }, + "eu-central-1": { + "value": "nodejs20.x" + }, + "eu-central-2": { + "value": "nodejs20.x" + }, + "eu-isoe-west-1": { + "value": "nodejs18.x" + }, + "eu-north-1": { + "value": "nodejs20.x" + }, + "eu-south-1": { + "value": "nodejs20.x" + }, + "eu-south-2": { + "value": "nodejs20.x" + }, + "eu-west-1": { + "value": "nodejs20.x" + }, + "eu-west-2": { + "value": "nodejs20.x" + }, + "eu-west-3": { + "value": "nodejs20.x" + }, + "il-central-1": { + "value": "nodejs20.x" + }, + "me-central-1": { + "value": "nodejs20.x" + }, + "me-south-1": { + "value": "nodejs20.x" + }, + "mx-central-1": { + "value": "nodejs20.x" + }, + "sa-east-1": { + "value": "nodejs20.x" + }, + "us-east-1": { + "value": "nodejs20.x" + }, + "us-east-2": { + "value": "nodejs20.x" + }, + "us-gov-east-1": { + "value": "nodejs20.x" + }, + "us-gov-west-1": { + "value": "nodejs20.x" + }, + "us-iso-east-1": { + "value": "nodejs18.x" + }, + "us-iso-west-1": { + "value": "nodejs18.x" + }, + "us-isob-east-1": { + "value": "nodejs18.x" + }, + "us-west-1": { + "value": "nodejs20.x" + }, + "us-west-2": { + "value": "nodejs20.x" + } + } + }, + "Parameters": { + "BootstrapVersion": { + "Type": "AWS::SSM::Parameter::Value", + "Default": "/cdk-bootstrap/hnb659fds/version", + "Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]" + } + }, + "Rules": { + "CheckBootstrapVersion": { + "Assertions": [ + { + "Assert": { + "Fn::Not": [ + { + "Fn::Contains": [ + [ + "1", + "2", + "3", + "4", + "5" + ], + { + "Ref": "BootstrapVersion" + } + ] + } + ] + }, + "AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI." + } + ] + } + } +} \ No newline at end of file diff --git a/tools/@aws-cdk/security-guardian/test/templates/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json b/tools/@aws-cdk/security-guardian/test/templates/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json new file mode 100644 index 0000000000000..f70bde51614e7 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/test/templates/StagingStack-default-resourcesmax-ACCOUNT-REGION.template.json @@ -0,0 +1,728 @@ +{ + "Description": "This stack includes resources needed to deploy the AWS CDK app default-resourcesmax into this environment", + "Resources": { + "CdkFileRoleE26CEABA": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "RoleName": { + "Fn::Join": [ + "", + [ + "cdk-default-resourcesmax-file-role-", + { + "Ref": "AWS::Region" + } + ] + ] + } + } + }, + "CdkFileRoleDefaultPolicy621C7E5B": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "CdkFileRoleDefaultPolicy621C7E5B", + "Roles": [ + { + "Ref": "CdkFileRoleE26CEABA" + } + ] + } + }, + "BucketKey7092080A": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + }, + { + "Action": [ + "kms:CancelKeyDeletion", + "kms:Create*", + "kms:Delete*", + "kms:Describe*", + "kms:Disable*", + "kms:Enable*", + "kms:Get*", + "kms:List*", + "kms:Put*", + "kms:Revoke*", + "kms:ScheduleKeyDeletion", + "kms:TagResource", + "kms:UntagResource", + "kms:Update*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "BucketKeyAlias69A0886F": { + "Type": "AWS::KMS::Alias", + "Properties": { + "AliasName": "alias/cdk-default-resourcesmax-staging", + "TargetKeyId": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + } + } + }, + "CdkStagingBucket1636058C": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "KMSMasterKeyID": { + "Fn::GetAtt": [ + "BucketKey7092080A", + "Arn" + ] + }, + "SSEAlgorithm": "aws:kms" + } + } + ] + }, + "BucketName": { + "Fn::Join": [ + "", + [ + "cdk-default-resourcesmax-staging-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + }, + "LifecycleConfiguration": { + "Rules": [ + { + "NoncurrentVersionExpiration": { + "NoncurrentDays": 365 + }, + "Status": "Enabled" + }, + { + "ExpirationInDays": 30, + "Prefix": "deploy-time/", + "Status": "Enabled" + } + ] + }, + "Tags": [ + { + "Key": "aws-cdk:auto-delete-objects", + "Value": "true" + } + ], + "VersioningConfiguration": { + "Status": "Enabled" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CdkStagingBucketPolicy42BD1F92": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "CdkStagingBucket1636058C" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:List*", + "s3:PutBucketPolicy" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*" + ], + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":role/cdk-hnb659fds-deploy-role-", + { + "Ref": "AWS::AccountId" + }, + "-", + { + "Ref": "AWS::Region" + } + ] + ] + } + }, + "Resource": [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "CdkStagingBucket1636058C", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "CdkStagingBucketAutoDeleteObjectsCustomResource800E998D": { + "Type": "Custom::S3AutoDeleteObjects", + "Properties": { + "ServiceToken": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F", + "Arn" + ] + }, + "BucketName": { + "Ref": "CdkStagingBucket1636058C" + } + }, + "DependsOn": [ + "CdkStagingBucketPolicy42BD1F92" + ], + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Version": "2012-10-17", + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "lambda.amazonaws.com" + } + } + ] + }, + "ManagedPolicyArns": [ + { + "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" + } + ] + } + }, + "CustomS3AutoDeleteObjectsCustomResourceProviderHandler9D90184F": { + "Type": "AWS::Lambda::Function", + "Properties": { + "Code": { + "ZipFile": "\"use strict\";var f=Object.create;var i=Object.defineProperty;var I=Object.getOwnPropertyDescriptor;var C=Object.getOwnPropertyNames;var w=Object.getPrototypeOf,P=Object.prototype.hasOwnProperty;var A=(t,e)=>{for(var o in e)i(t,o,{get:e[o],enumerable:!0})},d=(t,e,o,r)=>{if(e&&typeof e==\"object\"||typeof e==\"function\")for(let s of C(e))!P.call(t,s)&&s!==o&&i(t,s,{get:()=>e[s],enumerable:!(r=I(e,s))||r.enumerable});return t};var l=(t,e,o)=>(o=t!=null?f(w(t)):{},d(e||!t||!t.__esModule?i(o,\"default\",{value:t,enumerable:!0}):o,t)),B=t=>d(i({},\"__esModule\",{value:!0}),t);var q={};A(q,{autoDeleteHandler:()=>S,handler:()=>H});module.exports=B(q);var h=require(\"@aws-sdk/client-s3\");var y=l(require(\"https\")),m=l(require(\"url\")),a={sendHttpRequest:D,log:T,includeStackTraces:!0,userHandlerIndex:\"./index\"},p=\"AWSCDK::CustomResourceProviderFramework::CREATE_FAILED\",L=\"AWSCDK::CustomResourceProviderFramework::MISSING_PHYSICAL_ID\";function R(t){return async(e,o)=>{let r={...e,ResponseURL:\"...\"};if(a.log(JSON.stringify(r,void 0,2)),e.RequestType===\"Delete\"&&e.PhysicalResourceId===p){a.log(\"ignoring DELETE event caused by a failed CREATE event\"),await u(\"SUCCESS\",e);return}try{let s=await t(r,o),n=k(e,s);await u(\"SUCCESS\",n)}catch(s){let n={...e,Reason:a.includeStackTraces?s.stack:s.message};n.PhysicalResourceId||(e.RequestType===\"Create\"?(a.log(\"CREATE failed, responding with a marker physical resource id so that the subsequent DELETE will be ignored\"),n.PhysicalResourceId=p):a.log(`ERROR: Malformed event. \"PhysicalResourceId\" is required: ${JSON.stringify(e)}`)),await u(\"FAILED\",n)}}}function k(t,e={}){let o=e.PhysicalResourceId??t.PhysicalResourceId??t.RequestId;if(t.RequestType===\"Delete\"&&o!==t.PhysicalResourceId)throw new Error(`DELETE: cannot change the physical resource ID from \"${t.PhysicalResourceId}\" to \"${e.PhysicalResourceId}\" during deletion`);return{...t,...e,PhysicalResourceId:o}}async function u(t,e){let o={Status:t,Reason:e.Reason??t,StackId:e.StackId,RequestId:e.RequestId,PhysicalResourceId:e.PhysicalResourceId||L,LogicalResourceId:e.LogicalResourceId,NoEcho:e.NoEcho,Data:e.Data},r=m.parse(e.ResponseURL),s=`${r.protocol}//${r.hostname}/${r.pathname}?***`;a.log(\"submit response to cloudformation\",s,o);let n=JSON.stringify(o),E={hostname:r.hostname,path:r.path,method:\"PUT\",headers:{\"content-type\":\"\",\"content-length\":Buffer.byteLength(n,\"utf8\")}};await O({attempts:5,sleep:1e3},a.sendHttpRequest)(E,n)}async function D(t,e){return new Promise((o,r)=>{try{let s=y.request(t,n=>{n.resume(),!n.statusCode||n.statusCode>=400?r(new Error(`Unsuccessful HTTP response: ${n.statusCode}`)):o()});s.on(\"error\",r),s.write(e),s.end()}catch(s){r(s)}})}function T(t,...e){console.log(t,...e)}function O(t,e){return async(...o)=>{let r=t.attempts,s=t.sleep;for(;;)try{return await e(...o)}catch(n){if(r--<=0)throw n;await b(Math.floor(Math.random()*s)),s*=2}}}async function b(t){return new Promise(e=>setTimeout(e,t))}var g=\"aws-cdk:auto-delete-objects\",x=JSON.stringify({Version:\"2012-10-17\",Statement:[]}),c=new h.S3({}),H=R(S);async function S(t){switch(t.RequestType){case\"Create\":return;case\"Update\":return{PhysicalResourceId:(await F(t)).PhysicalResourceId};case\"Delete\":return N(t.ResourceProperties?.BucketName)}}async function F(t){let e=t,o=e.OldResourceProperties?.BucketName;return{PhysicalResourceId:e.ResourceProperties?.BucketName??o}}async function _(t){try{let e=(await c.getBucketPolicy({Bucket:t}))?.Policy??x,o=JSON.parse(e);o.Statement.push({Principal:\"*\",Effect:\"Deny\",Action:[\"s3:PutObject\"],Resource:[`arn:aws:s3:::${t}/*`]}),await c.putBucketPolicy({Bucket:t,Policy:JSON.stringify(o)})}catch(e){if(e.name===\"NoSuchBucket\")throw e;console.log(`Could not set new object deny policy on bucket '${t}' prior to deletion.`)}}async function U(t){let e;do{e=await c.listObjectVersions({Bucket:t});let o=[...e.Versions??[],...e.DeleteMarkers??[]];if(o.length===0)return;let r=o.map(s=>({Key:s.Key,VersionId:s.VersionId}));await c.deleteObjects({Bucket:t,Delete:{Objects:r}})}while(e?.IsTruncated)}async function N(t){if(!t)throw new Error(\"No BucketName was provided.\");try{if(!await W(t)){console.log(`Bucket does not have '${g}' tag, skipping cleaning.`);return}await _(t),await U(t)}catch(e){if(e.name===\"NoSuchBucket\"){console.log(`Bucket '${t}' does not exist.`);return}throw e}}async function W(t){return(await c.getBucketTagging({Bucket:t})).TagSet?.some(o=>o.Key===g&&o.Value===\"true\")}0&&(module.exports={autoDeleteHandler,handler});\n" + }, + "Timeout": 900, + "MemorySize": 128, + "Handler": "index.handler", + "Role": { + "Fn::GetAtt": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092", + "Arn" + ] + }, + "Runtime": { + "Fn::FindInMap": [ + "LatestNodeRuntimeMap", + { + "Ref": "AWS::Region" + }, + "value" + ] + }, + "Description": { + "Fn::Join": [ + "", + [ + "Lambda function for auto-deleting objects in ", + { + "Ref": "CdkStagingBucket1636058C" + }, + " S3 bucket." + ] + ] + } + }, + "DependsOn": [ + "CustomS3AutoDeleteObjectsCustomResourceProviderRole3B1BD092" + ] + }, + "CdkImageRoleF1394AC3": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": { + "Fn::Join": [ + "", + [ + "arn:", + { + "Ref": "AWS::Partition" + }, + ":iam::", + { + "Ref": "AWS::AccountId" + }, + ":root" + ] + ] + } + } + } + ], + "Version": "2012-10-17" + }, + "RoleName": { + "Fn::Join": [ + "", + [ + "cdk-default-resourcesmax-image-role-", + { + "Ref": "AWS::Region" + } + ] + ] + } + } + }, + "CdkImageRoleDefaultPolicy4A1572DE": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:DescribeImages", + "ecr:DescribeRepositories", + "ecr:GetDownloadUrlForLayer", + "ecr:InitiateLayerUpload", + "ecr:PutImage", + "ecr:UploadLayerPart" + ], + "Effect": "Allow", + "Resource": [ + { + "Fn::GetAtt": [ + "defaultresourcesmaxecrasset13112F7F9", + "Arn" + ] + }, + { + "Fn::GetAtt": [ + "defaultresourcesmaxecrasset2904B88A7", + "Arn" + ] + } + ] + }, + { + "Action": "ecr:GetAuthorizationToken", + "Effect": "Allow", + "Resource": "*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "CdkImageRoleDefaultPolicy4A1572DE", + "Roles": [ + { + "Ref": "CdkImageRoleF1394AC3" + } + ] + } + }, + "defaultresourcesmaxecrasset13112F7F9": { + "Type": "AWS::ECR::Repository", + "Properties": { + "EmptyOnDelete": true, + "ImageTagMutability": "IMMUTABLE", + "LifecyclePolicy": { + "LifecyclePolicyText": "{\"rules\":[{\"rulePriority\":1,\"description\":\"Garbage collect old image versions\",\"selection\":{\"tagStatus\":\"any\",\"countType\":\"imageCountMoreThan\",\"countNumber\":3},\"action\":{\"type\":\"expire\"}}]}" + }, + "RepositoryName": "default-resourcesmax/ecr-asset/1" + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "defaultresourcesmaxecrasset2904B88A7": { + "Type": "AWS::ECR::Repository", + "Properties": { + "EmptyOnDelete": true, + "ImageTagMutability": "IMMUTABLE", + "LifecyclePolicy": { + "LifecyclePolicyText": "{\"rules\":[{\"rulePriority\":1,\"description\":\"Garbage collect old image versions\",\"selection\":{\"tagStatus\":\"any\",\"countType\":\"imageCountMoreThan\",\"countNumber\":3},\"action\":{\"type\":\"expire\"}}]}" + }, + "RepositoryName": "default-resourcesmax/ecr-asset-2" + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + } + }, + "Mappings": { + "LatestNodeRuntimeMap": { + "af-south-1": { + "value": "nodejs20.x" + }, + "ap-east-1": { + "value": "nodejs20.x" + }, + "ap-northeast-1": { + "value": "nodejs20.x" + }, + "ap-northeast-2": { + "value": "nodejs20.x" + }, + "ap-northeast-3": { + "value": "nodejs20.x" + }, + "ap-south-1": { + "value": "nodejs20.x" + }, + "ap-south-2": { + "value": "nodejs20.x" + }, + "ap-southeast-1": { + "value": "nodejs20.x" + }, + "ap-southeast-2": { + "value": "nodejs20.x" + }, + "ap-southeast-3": { + "value": "nodejs20.x" + }, + "ap-southeast-4": { + "value": "nodejs20.x" + }, + "ap-southeast-5": { + "value": "nodejs20.x" + }, + "ap-southeast-7": { + "value": "nodejs20.x" + }, + "ca-central-1": { + "value": "nodejs20.x" + }, + "ca-west-1": { + "value": "nodejs20.x" + }, + "cn-north-1": { + "value": "nodejs20.x" + }, + "cn-northwest-1": { + "value": "nodejs20.x" + }, + "eu-central-1": { + "value": "nodejs20.x" + }, + "eu-central-2": { + "value": "nodejs20.x" + }, + "eu-isoe-west-1": { + "value": "nodejs18.x" + }, + "eu-north-1": { + "value": "nodejs20.x" + }, + "eu-south-1": { + "value": "nodejs20.x" + }, + "eu-south-2": { + "value": "nodejs20.x" + }, + "eu-west-1": { + "value": "nodejs20.x" + }, + "eu-west-2": { + "value": "nodejs20.x" + }, + "eu-west-3": { + "value": "nodejs20.x" + }, + "il-central-1": { + "value": "nodejs20.x" + }, + "me-central-1": { + "value": "nodejs20.x" + }, + "me-south-1": { + "value": "nodejs20.x" + }, + "mx-central-1": { + "value": "nodejs20.x" + }, + "sa-east-1": { + "value": "nodejs20.x" + }, + "us-east-1": { + "value": "nodejs20.x" + }, + "us-east-2": { + "value": "nodejs20.x" + }, + "us-gov-east-1": { + "value": "nodejs20.x" + }, + "us-gov-west-1": { + "value": "nodejs20.x" + }, + "us-iso-east-1": { + "value": "nodejs18.x" + }, + "us-iso-west-1": { + "value": "nodejs18.x" + }, + "us-isob-east-1": { + "value": "nodejs18.x" + }, + "us-west-1": { + "value": "nodejs20.x" + }, + "us-west-2": { + "value": "nodejs20.x" + } + } + } +} \ No newline at end of file diff --git a/tools/@aws-cdk/security-guardian/test/templates/codepipelinenestedstackPipelineCrossRegionStack37C990C7.nested.template.json b/tools/@aws-cdk/security-guardian/test/templates/codepipelinenestedstackPipelineCrossRegionStack37C990C7.nested.template.json new file mode 100644 index 0000000000000..d56414cc3cf09 --- /dev/null +++ b/tools/@aws-cdk/security-guardian/test/templates/codepipelinenestedstackPipelineCrossRegionStack37C990C7.nested.template.json @@ -0,0 +1,384 @@ +{ + "Resources": { + "Role1ABCC5F0": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "Service": "codepipeline.amazonaws.com" + } + } + ], + "Version": "2012-10-17" + }, + "RoleName": "MyPipelineRoleName" + } + }, + "RoleDefaultPolicy5FFB7DAB": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "s3:Abort*", + "s3:DeleteObject*", + "s3:GetBucket*", + "s3:GetObject*", + "s3:List*", + "s3:PutObject", + "s3:PutObjectLegalHold", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:PutObjectVersionTagging" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::cross-region-support-us-weplicationbucket8a287d3945436008ebfd", + "arn:aws:s3:::cross-region-support-us-weplicationbucket8a287d3945436008ebfd/*", + { + "Fn::GetAtt": [ + "PipelineArtifactsBucket22248F97", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucket22248F97", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + }, + { + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:Encrypt", + "kms:GenerateDataKey*", + "kms:ReEncrypt*" + ], + "Effect": "Allow", + "Resource": [ + "*", + { + "Fn::GetAtt": [ + "PipelineArtifactsBucketEncryptionKey01D58D69", + "Arn" + ] + } + ] + }, + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "PipelineTestCodePipelineActionRoleDD85885D", + "Arn" + ] + } + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "RoleDefaultPolicy5FFB7DAB", + "Roles": [ + { + "Ref": "Role1ABCC5F0" + } + ] + } + }, + "PipelineArtifactsBucketEncryptionKey01D58D69": { + "Type": "AWS::KMS::Key", + "Properties": { + "KeyPolicy": { + "Statement": [ + { + "Action": "kms:*", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:root" + }, + "Resource": "*" + } + ], + "Version": "2012-10-17" + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "PipelineArtifactsBucketEncryptionKeyAlias5C510EEE": { + "Type": "AWS::KMS::Alias", + "Properties": { + "AliasName": "alias/codepipeline-code-pipeline-nested-stack-pipelinecrossregionstack-pipeline-6b0d06de", + "TargetKeyId": { + "Fn::GetAtt": [ + "PipelineArtifactsBucketEncryptionKey01D58D69", + "Arn" + ] + } + }, + "UpdateReplacePolicy": "Delete", + "DeletionPolicy": "Delete" + }, + "PipelineArtifactsBucket22248F97": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "KMSMasterKeyID": { + "Fn::GetAtt": [ + "PipelineArtifactsBucketEncryptionKey01D58D69", + "Arn" + ] + }, + "SSEAlgorithm": "aws:kms" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "BlockPublicAcls": true, + "BlockPublicPolicy": true, + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + } + }, + "UpdateReplacePolicy": "Retain", + "DeletionPolicy": "Retain" + }, + "PipelineArtifactsBucketPolicyD4F9712A": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": { + "Ref": "PipelineArtifactsBucket22248F97" + }, + "PolicyDocument": { + "Statement": [ + { + "Action": "s3:*", + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + }, + "Effect": "Deny", + "Principal": { + "AWS": "*" + }, + "Resource": [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucket22248F97", + "Arn" + ] + }, + { + "Fn::Join": [ + "", + [ + { + "Fn::GetAtt": [ + "PipelineArtifactsBucket22248F97", + "Arn" + ] + }, + "/*" + ] + ] + } + ] + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineC660917D": { + "Type": "AWS::CodePipeline::Pipeline", + "Properties": { + "ArtifactStores": [ + { + "ArtifactStore": { + "EncryptionKey": { + "Id": "arn:aws:kms:us-west-2:123456789012:alias/ort-us-wtencryptionalias8f9701ce6a32f909886f", + "Type": "KMS" + }, + "Location": "cross-region-support-us-weplicationbucket8a287d3945436008ebfd", + "Type": "S3" + }, + "Region": "us-west-2" + }, + { + "ArtifactStore": { + "EncryptionKey": { + "Id": { + "Fn::GetAtt": [ + "PipelineArtifactsBucketEncryptionKey01D58D69", + "Arn" + ] + }, + "Type": "KMS" + }, + "Location": { + "Ref": "PipelineArtifactsBucket22248F97" + }, + "Type": "S3" + }, + "Region": "us-east-1" + } + ], + "RoleArn": { + "Fn::GetAtt": [ + "Role1ABCC5F0", + "Arn" + ] + }, + "Stages": [ + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Source", + "Owner": "ThirdParty", + "Provider": "GitHub", + "Version": "1" + }, + "Configuration": { + "Owner": "aws", + "Repo": "aws-cdk", + "Branch": "master", + "OAuthToken": "test", + "PollForSourceChanges": false + }, + "Name": "Github", + "OutputArtifacts": [ + { + "Name": "Pipeline" + } + ], + "RunOrder": 1 + } + ], + "Name": "Source" + }, + { + "Actions": [ + { + "ActionTypeId": { + "Category": "Invoke", + "Owner": "AWS", + "Provider": "StepFunctions", + "Version": "1" + }, + "Configuration": { + "StateMachineArn": "arn:aws:states:us-west-2:123456789012:stateMachine/MyStateMachine", + "Input": "{}", + "InputType": "Literal" + }, + "Name": "Test", + "Region": "us-west-2", + "RoleArn": { + "Fn::GetAtt": [ + "PipelineTestCodePipelineActionRoleDD85885D", + "Arn" + ] + }, + "RunOrder": 1 + } + ], + "Name": "Test" + } + ] + }, + "DependsOn": [ + "RoleDefaultPolicy5FFB7DAB", + "Role1ABCC5F0" + ] + }, + "PipelineSourceGithubWebhookResource9724AEC2": { + "Type": "AWS::CodePipeline::Webhook", + "Properties": { + "Authentication": "GITHUB_HMAC", + "AuthenticationConfiguration": { + "SecretToken": "test" + }, + "Filters": [ + { + "JsonPath": "$.ref", + "MatchEquals": "refs/heads/{Branch}" + } + ], + "RegisterWithThirdParty": true, + "TargetAction": "Github", + "TargetPipeline": { + "Ref": "PipelineC660917D" + }, + "TargetPipelineVersion": 1 + } + }, + "PipelineTestCodePipelineActionRoleDD85885D": { + "Type": "AWS::IAM::Role", + "Properties": { + "AssumeRolePolicyDocument": { + "Statement": [ + { + "Action": "sts:AssumeRole", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:root" + } + } + ], + "Version": "2012-10-17" + } + } + }, + "PipelineTestCodePipelineActionRoleDefaultPolicy7ECDF2A5": { + "Type": "AWS::IAM::Policy", + "Properties": { + "PolicyDocument": { + "Statement": [ + { + "Action": [ + "states:DescribeStateMachine", + "states:StartExecution" + ], + "Effect": "Allow", + "Resource": "arn:aws:states:us-west-2:123456789012:stateMachine/MyStateMachine" + }, + { + "Action": "states:DescribeExecution", + "Effect": "Allow", + "Resource": "arn:aws:states:us-west-2:123456789012:execution:MyStateMachine:*" + } + ], + "Version": "2012-10-17" + }, + "PolicyName": "PipelineTestCodePipelineActionRoleDefaultPolicy7ECDF2A5", + "Roles": [ + { + "Ref": "PipelineTestCodePipelineActionRoleDD85885D" + } + ] + } + } + } +} \ No newline at end of file diff --git a/tools/@aws-cdk/security-guardian/tsconfig.json b/tools/@aws-cdk/security-guardian/tsconfig.json new file mode 100644 index 0000000000000..6fb1bbdbe133f --- /dev/null +++ b/tools/@aws-cdk/security-guardian/tsconfig.json @@ -0,0 +1,14 @@ +{ + "compilerOptions": { + "target": "ES2020", + "module": "commonjs", + "lib": ["ES2020"], + "outDir": "dist", + "esModuleInterop": true, + "forceConsistentCasingInFileNames": true, + "strict": true, + "skipLibCheck": true, + "types": ["node"] + }, + "include": ["src"] +}