class EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule

Public Instance Methods

# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 19
# Collects the logical IDs of every AWS::EMR::SecurityConfiguration in the
# template whose encryption settings fail bad_security_config?.
#
# @param cfn_model [CfnModel] the parsed template model
# @return [Array<String>] logical resource ids of the violating resources
#   (empty when the template has no EMR security configurations)
def audit_impl(cfn_model)
  emr_security_configs = cfn_model.resources_by_type('AWS::EMR::SecurityConfiguration')

  emr_security_configs.each_with_object([]) do |sec_config, violations|
    violations << sec_config.logical_resource_id if bad_security_config?(sec_config)
  end
end
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 15
# Identifier this rule reports under in cfn_nag output. The 'W' prefix
# matches the WARNING rule_type: a finding here lowers confidence in the
# template but does not fail it outright.
#
# @return [String] the rule id
def rule_id
  'W61'
end
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 7
# Human-readable explanation attached to each W61 finding. Note that
# "properly configure" here means the rule also inspects the at-rest and
# in-transit sub-configurations, not just the Enable* flags.
#
# @return [String] the violation message
def rule_text
  'EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.'
end
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 11
# Severity of this rule. Missing or partial EMR encryption is reported as a
# WARNING rather than a FAILING_VIOLATION, so it affects the template's
# warning count but does not by itself make the cfn_nag run fail.
#
# @return [Violation::WARNING]
def rule_type
  Violation::WARNING
end

Private Instance Methods

# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 41
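# Returns true when the at-rest half of an EMR EncryptionConfiguration is
# missing or incomplete.
#
# A config passes only when AtRestEncryptionConfiguration is present and at
# least ONE of its two sub-configurations is filled in:
#   * LocalDiskEncryptionConfiguration with an EncryptionKeyProviderType, or
#   * S3EncryptionConfiguration with an EncryptionMode.
# Either one alone is accepted (this preserves the rule's original semantics;
# a stricter policy would require both). Only key presence is checked -- the
# provider/mode values themselves are not validated, so an empty string still
# passes. Values that are not plain hashes (nil, a Ref/Fn:: intrinsic, a
# string) are treated as misconfigured instead of raising NoMethodError and
# aborting the whole audit.
#
# @param config [Hash] the EncryptionConfiguration property
# @return [Boolean] true if at-rest encryption is missing or misconfigured
def bad_at_rest_encryption?(config)
  at_rest = config['AtRestEncryptionConfiguration']
  # Missing, null, or not a hash: nothing we can inspect
  return true unless at_rest.is_a?(Hash)

  local_disk = at_rest['LocalDiskEncryptionConfiguration']
  s3 = at_rest['S3EncryptionConfiguration']

  local_disk_configured = local_disk.is_a?(Hash) && local_disk.key?('EncryptionKeyProviderType')
  s3_configured = s3.is_a?(Hash) && s3.key?('EncryptionMode')

  # Violation unless at least one sub-configuration is complete
  !(local_disk_configured || s3_configured)
end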
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 55
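# Returns true when the in-transit half of an EMR EncryptionConfiguration is
# missing or incomplete.
#
# A config passes only when InTransitEncryptionConfiguration holds a
# TLSCertificateConfiguration that names a CertificateProviderType. Only key
# presence is checked; the provider value and the certificate location are
# not validated here. Non-hash values (nil, a Ref/Fn:: intrinsic, a string)
# are treated as misconfigured rather than raising NoMethodError mid-audit.
#
# @param config [Hash] the EncryptionConfiguration property
# @return [Boolean] true if in-transit encryption is missing or misconfigured
def bad_in_transit_encryption?(config)
  in_transit = config['InTransitEncryptionConfiguration']
  # Missing, null, or not a hash: nothing we can inspect
  return true unless in_transit.is_a?(Hash)

  tls = in_transit['TLSCertificateConfiguration']
  # Violation when the TLS block is absent or lacks a provider type
  !(tls.is_a?(Hash) && tls.key?('CertificateProviderType'))
end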
# File lib/cfn-nag/custom_rules/EMRSecurityConfigurationEncryptionsEnabledAndConfiguredRule.rb, line 29
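# Decides whether a single AWS::EMR::SecurityConfiguration resource violates
# the rule.
#
# A resource is a violation when any of the following hold:
#   * its SecurityConfiguration property is absent or not a hash, or has no
#     EncryptionConfiguration hash (a resource we cannot inspect is reported
#     rather than skipped, and rather than aborting the audit with
#     NoMethodError on nil);
#   * EnableAtRestEncryption or EnableInTransitEncryption is not enabled
#     (see enabled_flag? for how CloudFormation booleans are interpreted);
#   * the at-rest or in-transit sub-configuration is incomplete
#     (see bad_at_rest_encryption? and bad_in_transit_encryption?).
#
# @param security_config_object [Object] the parsed resource; only its
#   securityConfiguration property is read
# @return [Boolean] true if the resource should be reported
def bad_security_config?(security_config_object)
  security_config = security_config_object.securityConfiguration
  # Missing or poorly formatted SecurityConfiguration
  return true unless security_config.is_a?(Hash)

  encryption_config = security_config['EncryptionConfiguration']
  return true unless encryption_config.is_a?(Hash)

  # Either encryption type disabled
  return true unless enabled_flag?(encryption_config['EnableAtRestEncryption']) &&
                     enabled_flag?(encryption_config['EnableInTransitEncryption'])

  bad_at_rest_encryption?(encryption_config) || bad_in_transit_encryption?(encryption_config)
end

# Interprets a CloudFormation boolean property.
#
# Template booleans may be parsed as a Ruby boolean or as the strings
# "true"/"false". Because the string "false" is truthy in Ruby, a plain
# truthiness test would accept `EnableAtRestEncryption: "false"` as enabled
# and silently pass a configuration with encryption turned off. Only boolean
# true or a case-insensitive "true" string counts as enabled. Intrinsic
# functions (Ref/Fn::) cannot be resolved at lint time and are treated as not
# enabled, so they surface as a warning instead of passing unchecked.
#
# @param value [Object] the raw property value
# @return [Boolean]
def enabled_flag?(value)
  value == true || (value.is_a?(String) && value.casecmp?('true'))
end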