in src/packs/aws-solutions.ts [728:837]
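/**
 * Applies the AwsSolutions network-delivery rules (VPC, CloudFront and
 * API Gateway) to a single resource.
 *
 * Each table entry describes one rule: the suffix appended to the pack's rule
 * id, the short finding text, the longer rationale, the severity and the rule
 * function. Entries are forwarded to `applyRule` in table order, each paired
 * with `node`.
 *
 * @param node - The CloudFormation resource being checked.
 */
private checkNetworkDelivery(node: CfnResource): void {
  const rules = [
    {
      ruleSuffixOverride: 'VPC3',
      info: 'A Network ACL or Network ACL entry has been implemented.',
      explanation:
        'Network ACLs should be used sparingly for the following reasons: they can be complex to manage, they are stateless, every IP address must be explicitly opened in each (inbound/outbound) direction, and they affect a complete subnet. Use security groups when possible as they are stateful and easier to manage.',
      level: NagMessageLevel.WARN,
      rule: VPCNoNACLs,
    },
    {
      ruleSuffixOverride: 'VPC7',
      info: 'The VPC does not have an associated Flow Log.',
      explanation:
        'VPC Flow Logs capture network flow information for a VPC, subnet, or network interface and stores it in Amazon CloudWatch Logs. Flow log data can help customers troubleshoot network issues; for example, to diagnose why specific traffic is not reaching an instance, which might be a result of overly restrictive security group rules.',
      level: NagMessageLevel.ERROR,
      rule: VPCFlowLogsEnabled,
    },
    {
      ruleSuffixOverride: 'CFR1',
      info: 'The CloudFront distribution may require Geo restrictions.',
      explanation:
        'Geo restriction may need to be enabled for the distribution in order to allow or deny a country in order to allow or restrict users in specific locations from accessing content.',
      level: NagMessageLevel.WARN,
      rule: CloudFrontDistributionGeoRestrictions,
    },
    {
      ruleSuffixOverride: 'CFR2',
      info: 'The CloudFront distribution may require integration with AWS WAF.',
      explanation:
        'The Web Application Firewall can help protect against application-layer attacks that can compromise the security of the system or place unnecessary load on them.',
      level: NagMessageLevel.WARN,
      rule: CloudFrontDistributionWAFIntegration,
    },
    {
      ruleSuffixOverride: 'CFR3',
      // Fixed wording: "distributions does" -> "distribution does".
      info: 'The CloudFront distribution does not have access logging enabled.',
      explanation:
        'Enabling access logs helps operators track all viewer requests for the content delivered through the Content Delivery Network.',
      level: NagMessageLevel.ERROR,
      rule: CloudFrontDistributionAccessLogging,
    },
    {
      ruleSuffixOverride: 'CFR5',
      // Fixed wording: "distributions uses" -> "distribution uses".
      info: 'The CloudFront distribution uses SSLv3 or TLSv1 for communication to the origin.',
      // NOTE(review): TLSv1.1 is itself deprecated (RFC 8996); consider
      // recommending TLSv1.2 as the floor in this explanation.
      explanation:
        'Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Using a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS helps protect viewer connections.',
      level: NagMessageLevel.ERROR,
      rule: CloudFrontDistributionNoOutdatedSSL,
    },
    {
      ruleSuffixOverride: 'CFR6',
      // Fixed wording: the original message was missing "with".
      info: 'The CloudFront distribution does not use an origin access identity with an S3 origin.',
      explanation:
        'Origin access identities help with security by restricting any direct access to objects through S3 URLs.',
      level: NagMessageLevel.ERROR,
      rule: CloudFrontDistributionS3OriginAccessIdentity,
    },
    {
      ruleSuffixOverride: 'APIG1',
      info: 'The API does not have access logging enabled.',
      explanation:
        'Enabling access logs helps operators view who accessed an API and how the caller accessed the API.',
      level: NagMessageLevel.ERROR,
      rule: APIGWAccessLogging,
    },
    {
      ruleSuffixOverride: 'APIG2',
      info: 'The REST API does not have request validation enabled.',
      explanation:
        'The API should have basic request validation enabled. If the API is integrated with custom source (Lambda, ECS, etc..) in the backend, deeper input validation should be considered for implementation.',
      level: NagMessageLevel.ERROR,
      rule: APIGWRequestValidation,
    },
    {
      ruleSuffixOverride: 'APIG3',
      info: 'The REST API stage is not associated with AWS WAFv2 web ACL.',
      explanation:
        'AWS WAFv2 is a web application firewall that helps protect web applications and APIs from attacks by allowing configured rules to allow, block, or monitor (count) web requests based on customizable rules and conditions that are defined.',
      level: NagMessageLevel.WARN,
      rule: APIGWAssociatedWithWAF,
    },
    {
      ruleSuffixOverride: 'APIG4',
      info: 'The API does not implement authorization.',
      explanation:
        'In most cases an API needs to have an authentication and authorization implementation strategy. This includes using such approaches as IAM, Cognito User Pools, Custom authorizer, etc.',
      level: NagMessageLevel.ERROR,
      rule: APIGWAuthorization,
    },
    {
      ruleSuffixOverride: 'APIG6',
      info: 'The REST API Stage does not have CloudWatch logging enabled for all methods.',
      explanation:
        'Enabling CloudWatch logs at the stage level helps operators to track and analyze execution behavior at the API stage level.',
      level: NagMessageLevel.ERROR,
      rule: APIGWExecutionLoggingEnabled,
    },
  ];

  // Same call sequence as the original hand-written list, just table-driven.
  for (const spec of rules) {
    this.applyRule({ ...spec, node });
  }
}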