
(aws-kinesis): cfnguard reports incorrect rule name #277

Open
biffgaut opened this issue Aug 3, 2024 · 1 comment
Labels
bug Something isn't working

Comments


biffgaut commented Aug 3, 2024

What is the problem?

If you don't have a Redshift destination configured for a Kinesis Firehose, cfn-guard reports a KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER violation, but to suppress the error you need to use what appears to be the name of a subRule(?). Whatever is going on inside the tool, you need to use KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD to suppress the warning if no Redshift destination configuration exists.

BTW - the same incorrect behavior happens for Splunk destinations.

Reproduction Steps

Triggers the KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER warning despite suppression:

  "testkinesisfirehoses3KinesisFirehose92F73280": {
   "Type": "AWS::KinesisFirehose::DeliveryStream",
   "Properties": {
    "DeliveryStreamEncryptionConfigurationInput": {
     "KeyType": "AWS_OWNED_CMK"
    },
    "DeliveryStreamName": "KinesisFirehosefhss3customLogginkettestkinesisfirehoses3C47A3354",
    "ExtendedS3DestinationConfiguration": {
     "BucketARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3S3BucketA8942735",
       "Arn"
      ]
     },
     "BufferingHints": {
      "IntervalInSeconds": 300,
      "SizeInMBs": 5
     },
     "CloudWatchLoggingOptions": {
      "Enabled": true,
      "LogGroupName": {
       "Ref": "testkinesisfirehoses3firehoseloggroup3D11FB0D"
      },
      "LogStreamName": {
       "Ref": "testkinesisfirehoses3firehoseloggroupfirehoselogstream3C52AF00"
      }
     },
     "CompressionFormat": "GZIP",
     "EncryptionConfiguration": {
      "KMSEncryptionConfig": {
       "AWSKMSKeyARN": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":kms:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":alias/aws/s3"
         ]
        ]
       }
      }
     },
     "RoleARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3KinesisFirehoseRoleB23C3E93",
       "Arn"
      ]
     }
    }
   },
   "Metadata": {
    "guard": {
     "SuppressedRules": [
      "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER",
      "KINESIS_FIREHOSE_SPLUNK_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER"
     ]
    }
   }
  }

Doing this actually suppresses the KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER warning:

  "testkinesisfirehoses3KinesisFirehose92F73280": {
   "Type": "AWS::KinesisFirehose::DeliveryStream",
   "Properties": {
    "DeliveryStreamEncryptionConfigurationInput": {
     "KeyType": "AWS_OWNED_CMK"
    },
    "DeliveryStreamName": "KinesisFirehosefhss3customLogginkettestkinesisfirehoses3C47A3354",
    "ExtendedS3DestinationConfiguration": {
     "BucketARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3S3BucketA8942735",
       "Arn"
      ]
     },
     "BufferingHints": {
      "IntervalInSeconds": 300,
      "SizeInMBs": 5
     },
     "CloudWatchLoggingOptions": {
      "Enabled": true,
      "LogGroupName": {
       "Ref": "testkinesisfirehoses3firehoseloggroup3D11FB0D"
      },
      "LogStreamName": {
       "Ref": "testkinesisfirehoses3firehoseloggroupfirehoselogstream3C52AF00"
      }
     },
     "CompressionFormat": "GZIP",
     "EncryptionConfiguration": {
      "KMSEncryptionConfig": {
       "AWSKMSKeyARN": {
        "Fn::Join": [
         "",
         [
          "arn:",
          {
           "Ref": "AWS::Partition"
          },
          ":kms:",
          {
           "Ref": "AWS::Region"
          },
          ":",
          {
           "Ref": "AWS::AccountId"
          },
          ":alias/aws/s3"
         ]
        ]
       }
      }
     },
     "RoleARN": {
      "Fn::GetAtt": [
       "testkinesisfirehoses3KinesisFirehoseRoleB23C3E93",
       "Arn"
      ]
     }
    }
   },
   "Metadata": {
    "guard": {
     "SuppressedRules": [
      "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER",
      "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD"
     ]
    }
   }
  }

What did you expect to happen?

The reported error name should be the error that needs to be suppressed - you shouldn't have to go to the GitHub repo to debug the actual name.

What actually happened?

A different error name has to be suppressed.

CloudFormation Guard Version

3.1.1

OS

MacOS

OS Version

No response

Other information

No response
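As an added check that is not part of this issue or of the cfn-guard project: a small script that cross-references every `Metadata.guard.SuppressedRules` entry in a template against the rule names actually declared in the `.guard` files, so a suppression that names no declared rule (the situation described above, where the reported name and the declared name differ) is flagged before anyone relies on it. The rules text and the template fragment are constructed samples; the rule bodies are placeholders, not the real rules.

```python
import json
import re

# Constructed sample rules file in cfn-guard syntax. The rule NAMES mirror the
# ones the issue discusses; the bodies are placeholders, not the real rules.
SAMPLE_GUARD_RULES = """
let firehose = Resources.*[ Type == 'AWS::KinesisFirehose::DeliveryStream' ]

rule KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD when %firehose !empty {
    %firehose.Properties exists   # placeholder body
}

rule KINESIS_FIREHOSE_SPLUNK_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD when %firehose !empty {
    %firehose.Properties exists   # placeholder body
}
"""

# Constructed template fragment: one suppression uses the name cfn-guard printed
# (which, per the issue, is not the declared rule name); the other is correct.
SAMPLE_TEMPLATE = json.loads("""{
  "Resources": {
    "testkinesisfirehoses3KinesisFirehose92F73280": {
      "Type": "AWS::KinesisFirehose::DeliveryStream",
      "Properties": {"DeliveryStreamName": "constructed-example"},
      "Metadata": {"guard": {"SuppressedRules": [
        "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER",
        "KINESIS_FIREHOSE_SPLUNK_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD"
      ]}}
    }
  }
}""")

# A rule declaration is `rule NAME`, optionally followed by `when ...`, then `{`.
RULE_DECL = re.compile(r"^\s*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE)

def declared_rules(rules_text):
    """Names of every top-level rule declared in a .guard file."""
    return set(RULE_DECL.findall(rules_text))

def suppressions(template):
    """(logical_id, rule_name) for each Metadata.guard.SuppressedRules entry."""
    for logical_id, res in template.get("Resources", {}).items():
        guard = res.get("Metadata", {}).get("guard", {})
        for name in guard.get("SuppressedRules", []):
            yield logical_id, name

def dangling_suppressions(template, rules_text):
    """Suppressions that name no declared rule and therefore silence nothing."""
    known = declared_rules(rules_text)
    return sorted((lid, n) for lid, n in suppressions(template) if n not in known)

if __name__ == "__main__":
    for lid, name in dangling_suppressions(SAMPLE_TEMPLATE, SAMPLE_GUARD_RULES):
        print(f"{lid}: suppression {name} matches no declared rule")
```

Run it with the real `.guard` files and synthesized template in place of the samples; any line it prints is a suppression that cfn-guard will not honour.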

@biffgaut biffgaut added the bug Something isn't working label Aug 3, 2024

biffgaut commented Aug 4, 2024

I believe this line is the cause?
