in src/packs/aws-solutions.ts [1093:1175]
/**
 * Applies the security-compliance rules of this pack (IAM, Cognito,
 * KMS and Secrets Manager) to a single resource.
 *
 * The rules are listed in a table and applied in the listed order, so the
 * sequence of `applyRule` calls is the same as the original hand-unrolled
 * version; `node` is attached to every entry at application time.
 *
 * @param node - the CloudFormation resource to evaluate
 */
private checkSecurityCompliance(node: CfnResource): void {
  // One entry per rule; `ruleSuffixOverride` is the suffix the pack reports
  // the finding under, `level` the severity, `rule` the predicate applied.
  const securityRules = [
    {
      ruleSuffixOverride: 'IAM4',
      info: 'The IAM user, role, or group uses AWS managed policies.',
      explanation:
        'An AWS managed policy is a standalone policy that is created and administered by AWS. Currently, many AWS managed policies do not restrict resource scope. Replace AWS managed policies with system specific (customer) managed policies.',
      level: NagMessageLevel.ERROR,
      rule: IAMNoManagedPolicies,
    },
    {
      ruleSuffixOverride: 'IAM5',
      info: 'The IAM entity contains wildcard permissions and does not have a cdk_nag rule suppression with evidence for those permission.',
      explanation:
        'Metadata explaining the evidence (e.g. via supporting links) for wildcard permissions allows for transparency to operators.',
      level: NagMessageLevel.ERROR,
      rule: IAMNoWildcardPermissions,
    },
    {
      ruleSuffixOverride: 'COG1',
      info: 'The Cognito user pool does not have a password policy that minimally specify a password length of at least 8 characters, as well as requiring uppercase, numeric, and special characters.',
      explanation:
        'Strong password policies increase system security by encouraging users to create reliable and secure passwords.',
      level: NagMessageLevel.ERROR,
      rule: CognitoUserPoolStrongPasswordPolicy,
    },
    {
      // The only WARN-level rule in this group; every other entry is ERROR.
      ruleSuffixOverride: 'COG2',
      info: 'The Cognito user pool does not require MFA.',
      explanation:
        'Multi-factor authentication (MFA) increases security for the application by adding another authentication method, and not relying solely on user name and password.',
      level: NagMessageLevel.WARN,
      rule: CognitoUserPoolMFA,
    },
    {
      ruleSuffixOverride: 'COG3',
      info: 'The Cognito user pool does not have AdvancedSecurityMode set to ENFORCED.',
      explanation:
        'Advanced security features enable the system to detect and act upon malicious sign-in attempts.',
      level: NagMessageLevel.ERROR,
      rule: CognitoUserPoolAdvancedSecurityModeEnforced,
    },
    {
      ruleSuffixOverride: 'COG4',
      info: 'The API GW method does not use a Cognito user pool authorizer.',
      explanation:
        'API Gateway validates the tokens from a successful user pool authentication, and uses them to grant your users access to resources including Lambda functions, or your own API.',
      level: NagMessageLevel.ERROR,
      rule: CognitoUserPoolAPIGWAuthorizer,
    },
    {
      ruleSuffixOverride: 'COG7',
      info: 'The Cognito identity pool allows for unauthenticated logins and does not have a cdk_nag rule suppression with a reason.',
      explanation:
        'In many cases applications do not warrant unauthenticated guest access applications. Metadata explaining the use case allows for transparency to operators.',
      level: NagMessageLevel.ERROR,
      rule: CognitoUserPoolNoUnauthenticatedLogins,
    },
    {
      ruleSuffixOverride: 'KMS5',
      info: 'The KMS Symmetric key does not have automatic key rotation enabled.',
      explanation:
        'KMS key rotation allow a system to set an yearly rotation schedule for a KMS key so when a AWS KMS key is required to encrypt new data, the KMS service can automatically use the latest version of the HSA backing key to perform the encryption.',
      level: NagMessageLevel.ERROR,
      rule: KMSBackingKeyRotationEnabled,
    },
    {
      ruleSuffixOverride: 'SMG4',
      info: 'The secret does not have automatic rotation scheduled.',
      explanation:
        'AWS Secrets Manager can be configured to automatically rotate the secret for a secured service or database.',
      level: NagMessageLevel.ERROR,
      rule: SecretsManagerRotationEnabled,
    },
  ];

  // Apply in table order so findings are reported in the same sequence
  // as before; the spread keeps each entry's fields unchanged.
  for (const spec of securityRules) {
    this.applyRule({ ...spec, node });
  }
}