
Commit 0329fba

Python cdk samples (#99)
* Add 'non-compliant' and 'compliant' samples for [email protected] and [email protected] * Add compliant and non-compliant examples for api-logging-disabled-cdk * Add compliant and non-compliant examples for aws-insecure-transmission-cdk, use-of-default-credentials-cdk * Add compliant and non-compliant examples for s3-partial-encrypt-cdk, exposure-of-sensitive-information-cdk
1 parent c55c2ba commit 0329fba

14 files changed

+223
-0
lines changed
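--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,20 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_apigatewayv2
+
+
+class APILoggingDisabled(cdk.Stack):
+
+def api_logging_disabled_compliant(self):
+# Compliant: logging present
+aws_apigatewayv2.CfnStage(self, 'rStage',
+access_log_settings=aws_apigatewayv2
+.CfnStage.access_log_settingsProperty(
+destination_arn='foo',
+format='$context.requestId'),
+api_id='bar',
+stage_name='baz')
+# {/fact}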
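Review bot: `aws_apigatewayv2.CfnStage.access_log_settingsProperty` on the continuation line after `access_log_settings=` is not a valid attribute — CDK's nested CloudFormation property classes are PascalCase, so this compliant sample raises AttributeError the moment the method runs; the line should read `.CfnStage.AccessLogSettingsProperty(`. The `'foo'`/`'bar'`/`'baz'` placeholders are fine for a sample, but a file meant to show the compliant shape should at least construct cleanly. The rendered page does not preserve indentation, so I cannot confirm that the method body is nested inside the class as intended.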
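--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,16 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_apigatewayv2
+
+
+class APILoggingDisabled(cdk.Stack):
+
+def api_logging_disabled_noncompliant(self):
+# Noncompliant: logging disabled
+aws_apigatewayv2.CfnStage(self, 'rHttpApiDefaultStage',
+api_id='foo', stage_name='$default',
+auto_deploy=True)
+# {/fact}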
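--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class BucketEnforceSSL(cdk.Stack):
+
+def aws_insecure_transmission_cdk_compliant(self):
+# Compliant: SSL configuration present
+bucket = s3.Bucket(self, "s3-bucket", enforce_ssl=True)
+# {/fact}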
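Review bot: `bucket` on the `s3.Bucket(...)` line is assigned and never read; in a sample that exists only to show the constructor call, drop the binding: `s3.Bucket(self, "s3-bucket", enforce_ssl=True)`. The same unused local appears in the noncompliant counterpart (`bucket`), in both SQS samples (`encrypted_queue`, `unencrypted_queue`), in both S3 partial-encryption samples (`bucket`) and in both Redshift samples (`cfn_cluster`); only the `public_bucket` samples need the name, since the noncompliant one calls a method on it. The comment `# Compliant: SSL configuration present` could say what the flag actually does: `enforce_ssl=True` makes CDK attach a bucket-policy statement that denies requests made without `aws:SecureTransport`, which is the configuration the rule is looking for.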
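--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class BucketEnforceSSL(cdk.Stack):
+
+def aws_insecure_transmission_cdk_noncompliant(self):
+# Noncompliant: SSL configuration missing
+bucket = s3.Bucket(self, "s3-bucket-bad")
+# {/fact}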
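--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,15 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_sqs as sqs
+
+
+class Stack(cdk.Stack):
+
+def missing_encryption_compliant(self):
+# Compliant: encryption present
+encrypted_queue = sqs.Queue(self, 'encrypted_queue',
+encryption=sqs.QueueEncryption.KMS_MANAGED)
+# {/fact}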
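--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_sqs as sqs
+
+
+class Stack(cdk.Stack):
+
+def missing_encryption_noncompliant(self):
+# Noncompliant: missing encryption
+unencrypted_queue = sqs.Queue(self, 'unencrypted_queue')
+# {/fact}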
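Review bot: `# Noncompliant: missing encryption` above `sqs.Queue(self, 'unencrypted_queue')` describes the source text rather than the deployed queue: in recent aws-cdk-lib releases the `encryption` property defaults to `QueueEncryption.SQS_MANAGED`, so a queue built this way is still encrypted at rest with SSE-SQS — worth confirming against the CDK version these samples are pinned to. If the rule is meant to flag the absence of an explicit `encryption=` argument, the comment should say so, e.g. `# Noncompliant: encryption not specified explicitly`. The same caveat applies to the S3 partial-encryption noncompliant sample `s3.Bucket(self, 's3-bucket-bad')`, where newer aws-cdk-lib versions default to S3-managed encryption as well.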
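--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,17 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk.aws_ec2 import CfnSecurityGroupIngress
+
+
+class SelectivePorts(cdk.Stack):
+
+def exposure_of_sensitive_information_compliant(self):
+# Compliant: 0.0.0.0/0 range is not used
+CfnSecurityGroupIngress(cdk.Stack, 'rIngress',
+ip_protocol='tcp',
+cidr_ip='1.2.3.4/32')
+
+# {/fact}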
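Review bot: `CfnSecurityGroupIngress(cdk.Stack, 'rIngress', ...)` passes the `cdk.Stack` class as the construct scope instead of the stack instance; constructs take the parent construct, so the line should be `CfnSecurityGroupIngress(self, 'rIngress',` — the noncompliant counterpart has the same scope argument. The resource also names neither `group_id` nor `group_name` (CloudFormation requires one of them), and a `'tcp'` rule without `from_port`/`to_port` is unlikely to deploy, so a compliant sample that is meant to be deployable should carry something like `group_id=<security group id placeholder>, from_port=443, to_port=443`. The `cidr_ip='1.2.3.4/32'` single-host range is the point of the sample and is fine.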
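--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,17 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk.aws_ec2 import CfnSecurityGroupIngress
+
+
+class SelectivePorts(cdk.Stack):
+
+def exposure_of_sensitive_information_noncompliant(self):
+# Noncompliant: 0.0.0.0/0 range is used
+CfnSecurityGroupIngress(cdk.Stack, 'rIngress',
+ip_protocol='tcp',
+cidr_ip='0.0.0.0/0')
+
+# {/fact}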
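--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3Stack(cdk.Stack):
+
+def missing_authentication_compliant(self):
+# Compliant: bucket is private
+public_bucket = s3.Bucket(self, 'bucket')
+# {/fact}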
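Review bot: `public_bucket` on the compliant line `public_bucket = s3.Bucket(self, 'bucket')` is a misleading name for a bucket the comment describes as private; it was evidently carried over from the noncompliant sample, and here it should be `bucket` or `private_bucket`. The comment `# Compliant: bucket is private` rests on CDK and S3 defaults rather than on anything the code states; if the sample is meant to show the compliant shape explicitly, `block_public_access=s3.BlockPublicAccess.BLOCK_ALL` would make the intent visible in source instead of inherited from the library version in use.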
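--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,15 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3Stack(cdk.Stack):
+
+def missing_authentication_noncompliant(self):
+# Noncompliant: bucket made public
+public_bucket = s3.Bucket(self, 'bucket')
+public_bucket.grant_public_access()
+# {/fact}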
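--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,15 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3PartialEncrypt(cdk.Stack):
+
+def s3_partial_encrypt_compliant(self):
+# Compliant: S3_MANAGED encryption specified
+bucket = s3.Bucket(self, 's3-bucket',
+encryption=s3.BucketEncryption.S3_MANAGED)
+# {/fact}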
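--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3PartialEncrypt(cdk.Stack):
+
+def s3_partial_encrypt_noncompliant(self):
+# Noncompliant: No encryption specified
+bucket = s3.Bucket(self, 's3-bucket-bad')
+# {/fact}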
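--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,19 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+from aws_cdk import aws_redshift as redshift
+import aws_cdk as cdk
+
+
+class CdkStarterStack(cdk.Stack):
+
+def redshift_default_username_compliant(self):
+# Compliant: Custom username used
+cfn_cluster = redshift.CfnCluster(self, "MyCfnCluster",
+master_username='masteruser',
+master_user_password='secret',
+cluster_type='single-node',
+db_name='bar',
+node_type='ds2.xlarge')
+# {/fact}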
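Review bot: `master_user_password='secret'` in the compliant sample is a credential literal in source; even with a placeholder value, a file that shows the compliant shape for a credentials rule should take the password from a secret rather than a string — for example a Secrets Manager dynamic reference resolved at deploy time — so that the compliant file does not itself trip a hardcoded-credentials check. The non-default `master_username='masteruser'` is the point of the sample and is fine. The noncompliant counterpart carries the same literal, which is acceptable there because that file is expected to contain a defect.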
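--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,19 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+from aws_cdk import aws_redshift as redshift
+import aws_cdk as cdk
+
+
+class CdkStarterStack(cdk.Stack):
+
+def redshift_default_username_noncompliant(self):
+# Noncompliant: Default master username used
+cfn_cluster = redshift.CfnCluster(self, "MyCfnCluster",
+master_username='awsuser',
+master_user_password='secret',
+cluster_type='single-node',
+db_name='bar',
+node_type='ds2.xlarge')
+# {/fact}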
