Allow multiple rule sets and update rust lambda runtime #155

Merged
gandhek merged 2 commits into aws-cloudformation:main from shreyasdamle:guard-lambda
Jun 8, 2021

Conversation

@shreyasdamle (Contributor) commented Jun 2, 2021

  • Add support to pass multiple rule sets
  • Update to the latest lambda-runtime

Description of changes:
This PR adds the functionality to pass multiple rule sets as a list. This will allow customers to scan their template using multiple rules at a time.

I will add support to fetch rule sets from an S3 bucket once the AWS SDK for Rust is stable.

Tests
aws lambda invoke --function-name rustTest \
    --payload '{"data": "<input data>", "rules" : "[rule0, rule1]"}' \
    output.json

Lambda output (returns a serde_json::Value object)

[Array([Object({"eval_type": String("Rule"), "context": String("aws_ddb_table_pitr_enabled"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Null, "to": Null, "status": String("PASS"), "children": Array([Object({"eval_type": String("Condition"), "context": String("aws_ddb_table_pitr_enabled"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Null, "to": Null, "status": String("PASS"), "children": Array([Object({"eval_type": String("Clause"), "context": String("Clause(Location[file:lambda, line:15, column:38], Check: %aws_dynamodb_table_resources NOT EMPTY )"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Object({"Map": Array([String("/Resources/LalTable85A8FD0C"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Type"), String("Type")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties"), String("Properties")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/UpdateReplacePolicy"), String("UpdateReplacePolicy")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/DeletionPolicy"), String("DeletionPolicy")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Metadata"), String("Metadata")])})]), "values": Object({"Type": Object({"String": Array([String("/Resources/LalTable85A8FD0C/Type"), String("AWS::DynamoDB::Table")])}), "Properties": Object({"Map": Array([String("/Resources/LalTable85A8FD0C/Properties"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/KeySchema"), String("KeySchema")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/AttributeDefinitions"), String("AttributeDefinitions")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/ProvisionedThroughput"), String("ProvisionedThroughput")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/BillingMode"), String("BillingMode")])}), Object({"String": 
Array([String("/Resources/LalTable85A8FD0C/Properties/PointInTimeRecoverySpecification"), String("PointInTimeRecoverySpecification")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/SSESpecification"), String("SSESpecification")])})]), "values": Object({"KeySchema": Object({"List": Array([String("/Resources/LalTable85A8FD0C/Properties/KeySchema"), Array([Object({"Map": Array([String("/Resources/LalTable85A8FD0C/Properties/KeySchema/0"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/KeySchema/0/AttributeName"), String("AttributeName")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/KeySchema/0/KeyType"), String("KeyType")])})]), "values": Object({"AttributeName": Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/KeySchema/0/AttributeName"), String("id")])}), "KeyType": Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/KeySchema/0/KeyType"), String("HASH")])})})})])})])])}), "AttributeDefinitions": Object({"List": Array([String("/Resources/LalTable85A8FD0C/Properties/AttributeDefinitions"), Array([Object({"Map": Array([String("/Resources/LalTable85A8FD0C/Properties/AttributeDefinitions/0"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/AttributeDefinitions/0/AttributeName"), String("AttributeName")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/AttributeDefinitions/0/AttributeType"), String("AttributeType")])})]), "values": Object({"AttributeName": Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/AttributeDefinitions/0/AttributeName"), String("id")])}), "AttributeType": Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/AttributeDefinitions/0/AttributeType"), String("S")])})})})])})])])}), "ProvisionedThroughput": Object({"Map": 
Array([String("/Resources/LalTable85A8FD0C/Properties/ProvisionedThroughput"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/ProvisionedThroughput/ReadCapacityUnits"), String("ReadCapacityUnits")])}), Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/ProvisionedThroughput/WriteCapacityUnits"), String("WriteCapacityUnits")])})]), "values": Object({"ReadCapacityUnits": Object({"Int": Array([String("/Resources/LalTable85A8FD0C/Properties/ProvisionedThroughput/ReadCapacityUnits"), Number(5)])}), "WriteCapacityUnits": Object({"Int": Array([String("/Resources/LalTable85A8FD0C/Properties/ProvisionedThroughput/WriteCapacityUnits"), Number(5)])})})})])}), "BillingMode": Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/BillingMode"), String("PAY_PER_REQUEST")])}), "PointInTimeRecoverySpecification": Object({"Map": Array([String("/Resources/LalTable85A8FD0C/Properties/PointInTimeRecoverySpecification"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/PointInTimeRecoverySpecification/PointInTimeRecoveryEnabled"), String("PointInTimeRecoveryEnabled")])})]), "values": Object({"PointInTimeRecoveryEnabled": Object({"Bool": Array([String("/Resources/LalTable85A8FD0C/Properties/PointInTimeRecoverySpecification/PointInTimeRecoveryEnabled"), Bool(true)])})})})])}), "SSESpecification": Object({"Map": Array([String("/Resources/LalTable85A8FD0C/Properties/SSESpecification"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/SSESpecification/SSEEnabled"), String("SSEEnabled")])})]), "values": Object({"SSEEnabled": Object({"Bool": Array([String("/Resources/LalTable85A8FD0C/Properties/SSESpecification/SSEEnabled"), Bool(false)])})})})])})})})])}), "UpdateReplacePolicy": Object({"String": Array([String("/Resources/LalTable85A8FD0C/UpdateReplacePolicy"), String("Retain")])}), "DeletionPolicy": 
Object({"String": Array([String("/Resources/LalTable85A8FD0C/DeletionPolicy"), String("Retain")])}), "Metadata": Object({"Map": Array([String("/Resources/LalTable85A8FD0C/Metadata"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Metadata/aws:cdk:path"), String("aws:cdk:path")])})]), "values": Object({"aws:cdk:path": Object({"String": Array([String("/Resources/LalTable85A8FD0C/Metadata/aws:cdk:path"), String("TestcdkStack/LalTable/Resource")])})})})])})})})])}), "to": Null, "status": String("PASS"), "children": Array([])})])}), Object({"eval_type": String("Clause"), "context": String("Clause(Location[file:lambda, line:18, column:5], Check: %aws_dynamodb_table_resources.Properties.PointInTimeRecoverySpecification  EXISTS )"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Object({"Map": Array([String("/Resources/LalTable85A8FD0C/Properties/PointInTimeRecoverySpecification"), Object({"keys": Array([Object({"String": Array([String("/Resources/LalTable85A8FD0C/Properties/PointInTimeRecoverySpecification/PointInTimeRecoveryEnabled"), String("PointInTimeRecoveryEnabled")])})]), "values": Object({"PointInTimeRecoveryEnabled": Object({"Bool": Array([String("/Resources/LalTable85A8FD0C/Properties/PointInTimeRecoverySpecification/PointInTimeRecoveryEnabled"), Bool(true)])})})})])}), "to": Null, "status": String("PASS"), "children": Array([])}), Object({"eval_type": String("Clause"), "context": String("Clause(Location[file:lambda, line:21, column:5], Check: %aws_dynamodb_table_resources.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled  EQUALS Bool(true))"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Null, "to": Null, "status": String("PASS"), "children": Array([])})])})]), Array([Object({"eval_type": String("Rule"), "context": String("aws_s3_sse_customer_managed_cmk"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Null, "to": Null, "status": String("PASS"), "children": Array([Object({"eval_type": 
String("Condition"), "context": String("aws_s3_sse_customer_managed_cmk"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Null, "to": Null, "status": String("PASS"), "children": Array([Object({"eval_type": String("Clause"), "context": String("Clause(Location[file:lambda, line:17, column:43], Check: %s3_buckets NOT EMPTY )"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Type"), String("Type")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties"), String("Properties")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/UpdateReplacePolicy"), String("UpdateReplacePolicy")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/DeletionPolicy"), String("DeletionPolicy")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Metadata"), String("Metadata")])})]), "values": Object({"Type": Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Type"), String("AWS::S3::Bucket")])}), "Properties": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption"), String("BucketEncryption")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration"), String("PublicAccessBlockConfiguration")])})]), "values": Object({"BucketEncryption": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration"), String("ServerSideEncryptionConfiguration")])})]), "values": Object({"ServerSideEncryptionConfiguration": Object({"List": 
Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration"), Array([Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault"), String("ServerSideEncryptionByDefault")])})]), "values": Object({"ServerSideEncryptionByDefault": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID"), String("KMSMasterKeyID")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/SSEAlgorithm"), String("SSEAlgorithm")])})]), "values": Object({"KMSMasterKeyID": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt"), String("Fn::GetAtt")])})]), "values": Object({"Fn::GetAtt": Object({"List": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt"), Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt/0"), 
String("MoteResourceKey3B7182FE")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt/1"), String("Arn")])})])])})})})])}), "SSEAlgorithm": Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/SSEAlgorithm"), String("aws:kms")])})})})])})})})])})])])})})})])}), "PublicAccessBlockConfiguration": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/BlockPublicAcls"), String("BlockPublicAcls")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/BlockPublicPolicy"), String("BlockPublicPolicy")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/IgnorePublicAcls"), String("IgnorePublicAcls")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/RestrictPublicBuckets"), String("RestrictPublicBuckets")])})]), "values": Object({"BlockPublicAcls": Object({"Bool": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/BlockPublicAcls"), Bool(true)])}), "BlockPublicPolicy": Object({"Bool": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/BlockPublicPolicy"), Bool(true)])}), "IgnorePublicAcls": Object({"Bool": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/IgnorePublicAcls"), Bool(true)])}), "RestrictPublicBuckets": Object({"Bool": Array([String("/Resources/MoteResource0D55A4DE/Properties/PublicAccessBlockConfiguration/RestrictPublicBuckets"), 
Bool(true)])})})})])})})})])}), "UpdateReplacePolicy": Object({"String": Array([String("/Resources/MoteResource0D55A4DE/UpdateReplacePolicy"), String("Retain")])}), "DeletionPolicy": Object({"String": Array([String("/Resources/MoteResource0D55A4DE/DeletionPolicy"), String("Retain")])}), "Metadata": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Metadata"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Metadata/aws:cdk:path"), String("aws:cdk:path")])})]), "values": Object({"aws:cdk:path": Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Metadata/aws:cdk:path"), String("TestcdkStack/MoteResource/Resource")])})})})])})})})])}), "to": Null, "status": String("PASS"), "children": Array([])})])}), Object({"eval_type": String("Clause"), "context": String("Clause(Location[file:lambda, line:20, column:5], Check: %encryption  EXISTS )"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration"), String("ServerSideEncryptionConfiguration")])})]), "values": Object({"ServerSideEncryptionConfiguration": Object({"List": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration"), Array([Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault"), String("ServerSideEncryptionByDefault")])})]), "values": Object({"ServerSideEncryptionByDefault": Object({"Map": 
Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID"), String("KMSMasterKeyID")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/SSEAlgorithm"), String("SSEAlgorithm")])})]), "values": Object({"KMSMasterKeyID": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt"), String("Fn::GetAtt")])})]), "values": Object({"Fn::GetAtt": Object({"List": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt"), Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt/0"), String("MoteResourceKey3B7182FE")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt/1"), String("Arn")])})])])})})})])}), "SSEAlgorithm": Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/SSEAlgorithm"), String("aws:kms")])})})})])})})})])})])])})})})])}), "to": Null, "status": String("PASS"), "children": 
Array([])}), Object({"eval_type": String("Clause"), "context": String("Clause(Location[file:lambda, line:22, column:5], Check: %encryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm  IN %allowed_algos)"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Null, "to": Null, "status": String("PASS"), "children": Array([])}), Object({"eval_type": String("Clause"), "context": String("Clause(Location[file:lambda, line:24, column:5], Check: %encryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.KMSMasterKeyID  EXISTS )"), "msg": String("DEFAULT MESSAGE(PASS)"), "from": Object({"Map": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID"), Object({"keys": Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt"), String("Fn::GetAtt")])})]), "values": Object({"Fn::GetAtt": Object({"List": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt"), Array([Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt/0"), String("MoteResourceKey3B7182FE")])}), Object({"String": Array([String("/Resources/MoteResource0D55A4DE/Properties/BucketEncryption/ServerSideEncryptionConfiguration/0/ServerSideEncryptionByDefault/KMSMasterKeyID/Fn::GetAtt/1"), String("Arn")])})])])})})})])}), "to": Null, "status": String("PASS"), "children": Array([])})])})])]

CloudWatch logs snippet


2021-06-03T10:29:50.594-07:00 | START RequestId: 7ad2d291-2d96-4292-bb44-eed176dc293e Version: $LATEST
2021-06-03T10:29:50.639-07:00 | LOGS Name: cloudwatch_lambda_agent State: Subscribed Types: [platform]
2021-06-03T10:29:50.639-07:00 | EXTENSION Name: cloudwatch_lambda_agent State: Ready Events: [INVOKE,SHUTDOWN]
2021-06-03T10:29:50.688-07:00 | 2021-06-03 17:29:50,686 INFO [cfn_guard_function] Template is: [{"Metadata":{"HighCastleBlueprintID#3c5b7308-d575-48bd-bd28-bce1ff16a0d9":"7.0","HighCastleDeploymentType":"Pipelines"},"Resources":{"Role1ABCC5F0":{"Type":"AWS::IAM::Role","Properties":{"AssumeRolePolicyDocument":{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":"lambda.amazonaws.com"}}],"Version":"2012-10-17"},"Tags":[{"Key":"HighCastleBlueprintID-3c5b7308-d575-48bd-bd28-bce1ff16a0d9","Value":"7.0"},{"Key":"HighCastleDeploymentType","Value":"Pipelines"}]},"Metadata":{"aws:cdk:path":"TestcdkStack/Role/Resource"}},"RoleDefaultPolicy5FFB7DAB":{"Type":"AWS::IAM::Policy","Properties":{"PolicyDocument":{"Statement":[{"Action":["s3:GetObject*","s3:GetBucket*","s3:List*","s3:DeleteObject*","s3:PutObject*","s3:Abort*"],"Effect":"Allow","Resource":[{"Fn::GetAtt":["MoteResource0D55A4DE","Arn"]},{"Fn::Join":["",[{"Fn::GetAtt":["MoteResource0D55A4DE","Arn"]},"/*"]]}]},{"Action":["kms:Decrypt","kms:DescribeKey","kms:Encrypt","kms:ReEncrypt*","kms:GenerateDataKey*"],"Effect":"Allow","Resource":{"Fn::GetAtt":["MoteResourceKey3B7182FE","Arn"]}},{"Action":["dynamodb:BatchGetItem","dynamodb:GetRecords","dynamodb:GetShardIterator","dynamodb:Query","dynamodb:GetItem","dynamodb:Scan"],"Effect":"Allow","Resource":[{"Fn::GetAtt":["LalTable85A8FD0C","Arn"]},{"Ref":"AWS::NoValue"}]}],"Version":"2012-10-17"},"PolicyName":"RoleDefaultPolicy5FFB7DAB","Roles":[{"Ref":"Role1ABCC5F0"}]},"Metadata":{"aws:cdk:path":"TestcdkStack/Role/DefaultPolicy/Resource"}},"MoteUser28C7ADAF":{"Type":"AWS::IAM::User","Metadata":{"aws:cdk:path":"TestcdkStack/MoteUser/Resource"}},"MoteResourceKey3B7182FE":{"Type":"AWS::KMS::Key","Properties":{"KeyPolicy":{"Statement":[{"Action":["kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion","kms:GenerateDataKey
","kms:TagResource","kms:UntagResource"],"Effect":"Allow","Principal":{"AWS":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::",{"Ref":"AWS::AccountId"},":root"]]}},"Resource":"*"},{"Action":["kms:Decrypt","kms:DescribeKey","kms:Encrypt","kms:ReEncrypt*","kms:GenerateDataKey*"],"Effect":"Allow","Principal":{"AWS":{"Fn::GetAtt":["Role1ABCC5F0","Arn"]}},"Resource":"*"}],"Version":"2012-10-17"},"Description":"Created by TestcdkStack/MoteResource"},"UpdateReplacePolicy":"Retain","DeletionPolicy":"Retain","Metadata":{"aws:cdk:path":"TestcdkStack/MoteResource/Key/Resource"}},"MoteResource0D55A4DE":{"Type":"AWS::S3::Bucket","Properties":{"BucketEncryption":{"ServerSideEncryptionConfiguration":[{"ServerSideEncryptionByDefault":{"KMSMasterKeyID":{"Fn::GetAtt":["MoteResourceKey3B7182FE","Arn"]},"SSEAlgorithm":"aws:kms"}}]},"PublicAccessBlockConfiguration":{"BlockPublicAcls":true,"BlockPublicPolicy":true,"IgnorePublicAcls":true,"RestrictPublicBuckets":true}},"UpdateReplacePolicy":"Retain","DeletionPolicy":"Retain","Metadata":{"aws:cdk:path":"TestcdkStack/MoteResource/Resource"}},"MytableKeyD6CF3084":{"Type":"AWS::KMS::Key","Properties":{"KeyPolicy":{"Statement":[{"Action":["kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion","kms:GenerateDataKey","kms:TagResource","kms:UntagResource"],"Effect":"Allow","Principal":{"AWS":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::",{"Ref":"AWS::AccountId"},":root"]]}},"Resource":"*"}],"Version":"2012-10-17"},"Description":"Customer-managed key auto-created for encrypting DynamoDB table at 
TestcdkStack/Mytable","EnableKeyRotation":false,"Tags":[{"Key":"HighCastleBlueprintID-3c5b7308-d575-48bd-bd28-bce1ff16a0d9","Value":"7.0"},{"Key":"HighCastleDeploymentType","Value":"Pipelines"}]},"UpdateReplacePolicy":"Retain","DeletionPolicy":"Retain","Metadata":{"aws:cdk:path":"TestcdkStack/Mytable/Key/Resource"}},"LalTable85A8FD0C":{"Type":"AWS::DynamoDB::Table","Properties":{"KeySchema":[{"AttributeName":"id","KeyType":"HASH"}],"AttributeDefinitions":[{"AttributeName":"id","AttributeType":"S"}],"ProvisionedThroughput":{"ReadCapacityUnits":5,"WriteCapacityUnits":5},"BillingMode":"PAY_PER_REQUEST","PointInTimeRecoverySpecification":{"PointInTimeRecoveryEnabled":true},"SSESpecification":{"SSEEnabled":false}},"UpdateReplacePolicy":"Retain","DeletionPolicy":"Retain","Metadata":{"aws:cdk:path":"TestcdkStack/LalTable/Resource"}},"Mytable3CF392D5":{"Type":"AWS::DynamoDB::Table","Properties":{"KeySchema":[{"AttributeName":"id","KeyType":"HASH"}],"AttributeDefinitions":[{"AttributeName":"id","AttributeType":"S"}],"ProvisionedThroughput":{"ReadCapacityUnits":5,"WriteCapacityUnits":5},"BillingMode":"PAY_PER_REQUEST","PointInTimeRecoverySpecification":{"PointInTimeRecoveryEnabled":true},"Tags":[{"Key":"HighCastleBlueprintID-3c5b7308-d575-48bd-bd28-bce1ff16a0d9","Value":"7.0"},{"Key":"HighCastleDeploymentType","Value":"Pipelines"}]},"UpdateReplacePolicy":"Retain","DeletionPolicy":"Retain","Metadata":{"aws:cdk:path":"TestcdkStack/Mytable/Resource"}},"Queue4A7E3555":{"Type":"AWS::SQS::Queue","Properties":{"KmsMasterKeyId":"alias/aws/sqs","Tags":[{"Key":"HighCastleBlueprintID-3c5b7308-d575-48bd-bd28-bce1ff16a0d9","Value":"7.0"},{"Key":"HighCastleDeploymentType","Value":"Pipelines"}]},"Metadata":{"aws:cdk:path":"TestcdkStack/Queue/Resource"}},"QueuePolicy25439813":{"Type":"AWS::SQS::QueuePolicy","Properties":{"PolicyDocument":{"Statement":[{"Action":"sqs:*","Condition":{"Bool":{"aws:SecureTransport":"false"}},"Effect":"Deny","Principal":"*","Sid":"Enforce - 
HTTPS"}],"Version":"2012-10-17"},"Queues":[{"Ref":"Queue4A7E3555"}]},"Metadata":{"aws:cdk:path":"TestcdkStack/Queue/Policy/Resource"}},"Key961B73FD":{"Type":"AWS::KMS::Key","Properties":{"KeyPolicy":{"Statement":[{"Action":["kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion","kms:GenerateDataKey","kms:TagResource","kms:UntagResource"],"Effect":"Allow","Principal":{"AWS":{"Fn::Join":["",["arn:",{"Ref":"AWS::Partition"},":iam::",{"Ref":"AWS::AccountId"},":root"]]}},"Resource":"*"}],"Version":"2012-10-17"},"EnableKeyRotation":true,"Tags":[{"Key":"HighCastleBlueprintID-3c5b7308-d575-48bd-bd28-bce1ff16a0d9","Value":"7.0"},{"Key":"HighCastleDeploymentType","Value":"Pipelines"}]},"UpdateReplacePolicy":"Retain","DeletionPolicy":"Retain","Metadata":{"aws:cdk:path":"TestcdkStack/Key/Resource"}},"TopicBFC7AF6E":{"Type":"AWS::SNS::Topic","Properties":{"KmsMasterKeyId":{"Ref":"Key961B73FD"},"Tags":[{"Key":"HighCastleBlueprintID-3c5b7308-d575-48bd-bd28-bce1ff16a0d9","Value":"7.0"},{"Key":"HighCastleDeploymentType","Value":"Pipelines"}]},"Metadata":{"aws:cdk:path":"TestcdkStack/Topic/Resource"}},"SubEEDFF70A":{"Type":"AWS::SNS::Subscription","Properties":{"Protocol":"lambda","TopicArn":{"Ref":"TopicBFC7AF6E"},"Endpoint":"endpoint"},"Metadata":{"aws:cdk:path":"TestcdkStack/Sub/Resource"}}}}]
2021-06-03T10:29:50.688-07:00 | 2021-06-03 17:29:50,688 INFO [cfn_guard_function] Rule Set is: [["# Rule Intent: ALL DynamoDB Tables must have Point-In-Time-Recovery enabled\n\n# Expectations:\n# a) SKIP: when there are no DynamoDB Tables present\n# b) PASS: when all DynamoDB Tables have PITR enabled\n# c) FAIL: when all DynamoDB Tables have PITR disabled\n\n#\n# Select all DynamoDB Table resources from incoming template (payload)\n#\n\nlet aws_dynamodb_table_resources = Resources.*[ Type == \'AWS::DynamoDB::Table\' ]\n\n\nrule aws_ddb_table_pitr_enabled when %aws_dynamodb_table_resources !empty {\n\n # must exists\n %aws_dynamodb_table_resources.Properties.PointInTimeRecoverySpecification exists\n \n # Ensure ALL DynamoDB Tables have Point-In-Time-Recovery enabled\n %aws_dynamodb_table_resources.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == true <<PITR must be enabled: https://skb.highcastle.a2z.com/guides/3#Resiliency>>\n}", "# Rule Intent: ALL S3 Buckets must have SSE with Customer managed CMK\n\n# Expectations:\n# a) SKIP: when there are no S3 Buckets present\n# b) PASS: when all S3 Buckets are encrypted with Customer managed CMK\n# c) FAIL: when all S3 Buckets are not are encrypted with Customer managed CMK\n\n\n#\n# Select all S3 Buckets resources from incoming template (payload)\n#\nlet s3_buckets = Resources.*[ Type == \'AWS::S3::Bucket\' ]\n\n# Define allowed algorithm\nlet allowed_algos = [\"aws:kms\"]\n\nrule aws_s3_sse_customer_managed_cmk when %s3_buckets !empty {\n let encryption = %s3_buckets.Properties.BucketEncryption\n # Check if encryption property is set\n %encryption exists\n # Check if using KMS encryption\n %encryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in %allowed_algos\n # Ensure ALL S3 Buckets are encrypted with Customer managed CMK\n %encryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.KMSMasterKeyID exists 
<<Bucket must be encrypted with Customer managed CMK: https://skb.highcastle.a2z.com/guides/9#encryption-at-rest>>\n\n}"]]
2021-06-03T10:29:51.007-07:00 | END RequestId: 7ad2d291-2d96-4292-bb44-eed176dc293e
2021-06-03T10:29:51.007-07:00 | REPORT RequestId: 7ad2d291-2d96-4292-bb44-eed176dc293e Duration: 359.13 ms Billed Duration: 516 ms Memory Size: 128 MB Max Memory Used: 45 MB Init Duration: 155.88 ms XRAY T


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
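Added example for the invocation contract this PR introduces; it is not code from the PR or from the cloudformation-guard project. The Python helper below builds the payload in the shape the description gives ("data" carrying the template text, "rules" carrying a JSON list with one string per rule set) and reduces the returned evaluation tree to a pass/fail gate a pipeline step can act on. The node field names (eval_type, context, msg, status, children) are taken from the Lambda output shown above; the sample result and its failing S3 rule are constructed for this example, the rule-set text and template passed in `__main__` are placeholders, and an empty result is deliberately treated as a failure so that a mis-shaped payload cannot pass the gate silently.

```python
"""
Added example for the guard-lambda invocation contract described in PR #155.
Not code from the cloudformation-guard repository.

Assumed result shape (from the Lambda output shown in the PR): a list with
one entry per rule set, each a list of nodes carrying "eval_type"
(Rule / Condition / Clause), "context", "msg", "status" and "children".
"""
from typing import Any
import json


def build_payload(template: str, rules: list[str]) -> bytes:
    """Return the JSON body for `aws lambda invoke --payload`.

    Rule sets travel as a JSON array with one string per rule file; a single
    string that merely looks like a list ("[rule0, rule1]") is rejected.
    """
    if not isinstance(template, str) or not template.strip():
        raise ValueError("data must be a non-empty template string")
    if not isinstance(rules, list) or not rules:
        raise ValueError("rules must be a non-empty list of rule-set strings")
    if not all(isinstance(r, str) and r.strip() for r in rules):
        raise ValueError("every rule set must be a non-empty string")
    return json.dumps({"data": template, "rules": rules}).encode("utf-8")


def _collect_failures(node: dict[str, Any], rule: str, out: list[dict[str, str]]) -> None:
    """Depth-first walk over a node's children, recording failing clauses."""
    if node.get("eval_type") == "Clause" and node.get("status") == "FAIL":
        out.append({"rule": rule, "check": node.get("context", ""), "msg": node.get("msg", "")})
    for child in node.get("children") or []:
        _collect_failures(child, rule, out)


def summarize(result: list[list[dict[str, Any]]]) -> dict[str, Any]:
    """Collapse the nested tree into {rule: status}, the failing clauses, and a verdict."""
    statuses: dict[str, str] = {}
    failures: list[dict[str, str]] = []
    for rule_set in result:
        for node in rule_set:
            if node.get("eval_type") != "Rule":
                continue
            name = node["context"]
            statuses[name] = node["status"]
            _collect_failures(node, name, failures)
    # An empty result (no Rule nodes at all) is a failure: a mis-shaped payload
    # or a rule set that evaluated to nothing must not pass the gate silently.
    passed = bool(statuses) and all(s != "FAIL" for s in statuses.values())
    return {"rules": statuses, "failures": failures, "passed": passed}


def gate(result: list[list[dict[str, Any]]]) -> int:
    """Exit status for a pipeline step: 0 only when at least one rule ran and none failed."""
    summary = summarize(result)
    for f in summary["failures"]:
        print(f"FAIL {f['rule']}: {f['check']} :: {f['msg']}")
    return 0 if summary["passed"] else 1


# Constructed sample in the shape of the PR's test output (not real Lambda
# output); the S3 rule is made to fail so the failing path is exercised.
SAMPLE_RESULT = [
    [{"eval_type": "Rule", "context": "aws_ddb_table_pitr_enabled",
      "msg": "DEFAULT MESSAGE(PASS)", "from": None, "to": None, "status": "PASS",
      "children": [
          {"eval_type": "Condition", "context": "aws_ddb_table_pitr_enabled",
           "msg": "DEFAULT MESSAGE(PASS)", "from": None, "to": None, "status": "PASS",
           "children": [
               {"eval_type": "Clause",
                "context": "Clause(Location[file:lambda, line:15, column:38], Check: %aws_dynamodb_table_resources NOT EMPTY )",
                "msg": "DEFAULT MESSAGE(PASS)", "from": None, "to": None, "status": "PASS", "children": []}]},
          {"eval_type": "Clause",
           "context": "Clause(Location[file:lambda, line:21, column:5], Check: %aws_dynamodb_table_resources.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled  EQUALS Bool(true))",
           "msg": "DEFAULT MESSAGE(PASS)", "from": None, "to": None, "status": "PASS", "children": []}]}],
    [{"eval_type": "Rule", "context": "aws_s3_sse_customer_managed_cmk",
      "msg": "DEFAULT MESSAGE(FAIL)", "from": None, "to": None, "status": "FAIL",
      "children": [
          {"eval_type": "Clause",
           "context": "Clause(Location[file:lambda, line:24, column:5], Check: %encryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.KMSMasterKeyID  EXISTS )",
           "msg": "Bucket must be encrypted with Customer managed CMK", "from": None, "to": None,
           "status": "FAIL", "children": []}]}],
]


if __name__ == "__main__":
    # Placeholder template and rule-set text; real callers read both from files.
    print(build_payload('{"Resources": {}}', ["# rule-set text read from a .guard file"]).decode())
    raise SystemExit(gate(SAMPLE_RESULT))
```

The gate keys on the Rule-level status rather than on the message text, so it keeps working whether a clause carries the default message or a custom `<<...>>` one; the failing clauses are only collected for the report.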

Comment thread guard-lambda/src/main.rs

SimpleLogger::new().with_level(LevelFilter::Info).init().unwrap();
let func = handler_fn(call_cfn_guard);
lambda_runtime::run(func).await?;
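Review bot: `SimpleLogger::new().with_level(LevelFilter::Info).init().unwrap();` panics if a global logger has already been installed, so a second initialisation takes the function down instead of being ignored; the enclosing function already propagates errors (`lambda_runtime::run(func).await?`), so `.init()?` (the log crate's SetLoggerError implements std::error::Error and should convert into the runtime's boxed Error) or `let _ = ...init();` would be safer. Separately, the CloudWatch snippet in the description shows the full template and rule set logged at INFO; templates carry IAM policy documents and account-specific values, so consider logging them at DEBUG, or only their sizes, in production.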
Contributor:

What is the advantage of using async-await here?

Contributor Author:

lambda-runtime v0.3.0 expects a Future trait to be implemented for the handler. I have basically followed the example in the aws-lambda-rust-runtime repo.

@shreyasdamle shreyasdamle requested a review from omkhegde June 3, 2021 01:21
@gandhek (Contributor) left a comment:

Shreyas, would you be able to paste the output from a test run in your PR description?

@shreyasdamle (Contributor Author):

Shreyas, would you be able to paste the output from a test run in your PR description?

I have added the lambda output and Cloudwatch logs. Please let me know if you need more information.

@shreyasdamle shreyasdamle requested review from gandhek and omkhegde June 3, 2021 17:44
Comment thread guard-lambda/src/main.rs
Err(e) => (e.to_string()),
};

pub(crate) async fn call_cfn_guard(e: CustomEvent, _c: Context) -> Result<CustomOutput, Error> {
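Review bot: at `Err(e) => (e.to_string()),` a failure inside guard (an unparsable rule set, malformed template data) is folded into the same string that carries a successful evaluation, so the invoker gets a successful invocation whose body is an error message and cannot tell the two apart without string matching. Since `call_cfn_guard` already returns `Result<CustomOutput, Error>`, propagate the error (`Err(e.into())`) or put it in a distinct field of CustomOutput so the Lambda invocation itself reports the failure. The parentheses around `e.to_string()` are also unnecessary.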
Contributor:

With #154 we have support for output reporters that can provide less detail but sufficient for 80% of the use cases. Would you want to expose these options via lambda invocation as well? Take a look at the example on that PR, esp. with --show-summary none --output-format yaml

Contributor Author:

Yes, I can make those changes. Thanks!

Contributor:

Let us do that as a separate PR

Contributor Author:

Sounds good.

@gandhek gandhek merged commit cc398a5 into aws-cloudformation:main Jun 8, 2021
@shreyasdamle shreyasdamle deleted the guard-lambda branch June 8, 2021 20:52
priyap286 added a commit to priyap286/cloudformation-guard that referenced this pull request Jul 9, 2021
priyap286 added a commit that referenced this pull request Jul 9, 2021
* Update guard-lambda/README.md for reflecting the changes in #155