Python cdk samples (#99)

* Add 'non-compliant' and 'compliant' samples for [email protected] and [email protected]

* Add compliant and non-compliant examples for api-logging-disabled-cdk

* Add compliant and non-compliant examples for aws-insecure-transmission-cdk, use-of-default-credentials-cdk

* Add compliant and non-compliant examples for s3-partial-encrypt-cdk, exposure-of-sensitive-information-cdk

Author: saurabh-amazon

src/python/detectors/api_logging_disabled_cdk/api_logging_disabled_cdk_compliant.py

@@ -0,0 +1,20 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_apigatewayv2
+
+
+class APILoggingDisabled(cdk.Stack):
+
+    def api_logging_disabled_compliant(self):
+        # Compliant: logging present
+        aws_apigatewayv2.CfnStage(self, 'rStage',
+                                  access_log_settings=aws_apigatewayv2
+                                  .CfnStage.access_log_settingsProperty(
+                                      destination_arn='foo',
+                                      format='$context.requestId'),
+                                  api_id='bar',
+                                  stage_name='baz')
+# {/fact}

src/python/detectors/api_logging_disabled_cdk/api_logging_disabled_cdk_noncompliant.py

@@ -0,0 +1,16 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_apigatewayv2
+
+
+class APILoggingDisabled(cdk.Stack):
+
+    def api_logging_disabled_noncompliant(self):
+        # Noncompliant: logging disabled
+        aws_apigatewayv2.CfnStage(self, 'rHttpApiDefaultStage',
+                                  api_id='foo', stage_name='$default',
+                                  auto_deploy=True)
+# {/fact}

src/python/detectors/aws_insecure_transmission_cdk/aws_insecure_transmission_cdk_compliant.py

@@ -0,0 +1,14 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class BucketEnforceSSL(cdk.Stack):
+
+    def aws_insecure_transmission_cdk_compliant(self):
+        # Compliant: SSL configuration present
+        bucket = s3.Bucket(self, "s3-bucket", enforce_ssl=True)
+# {/fact}

src/python/detectors/aws_insecure_transmission_cdk/aws_insecure_transmission_cdk_noncompliant.py

@@ -0,0 +1,14 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class BucketEnforceSSL(cdk.Stack):
+
+    def aws_insecure_transmission_cdk_noncompliant(self):
+        # Noncompliant: SSL configuration missing
+        bucket = s3.Bucket(self, "s3-bucket-bad")
+# {/fact}

src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_compliant.py

@@ -0,0 +1,15 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_sqs as sqs
+
+
+class Stack(cdk.Stack):
+
+    def missing_encryption_compliant(self):
+        # Compliant: encryption present
+        encrypted_queue = sqs.Queue(self, 'encrypted_queue',
+                                    encryption=sqs.QueueEncryption.KMS_MANAGED)
+# {/fact}

src/python/detectors/aws_missing_encryption_cdk/aws_missing_encryption_cdk_noncompliant.py

@@ -0,0 +1,14 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_sqs as sqs
+
+
+class Stack(cdk.Stack):
+
+    def missing_encryption_noncompliant(self):
+        # Noncompliant: missing encryption
+        unencrypted_queue = sqs.Queue(self, 'unencrypted_queue')
+# {/fact}

src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_compliant.py

@@ -0,0 +1,17 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk.aws_ec2 import CfnSecurityGroupIngress
+
+
+class SelectivePorts(cdk.Stack):
+
+    def exposure_of_sensitive_information_compliant(self):
+        # Compliant: 0.0.0.0/0 range is not used
+        CfnSecurityGroupIngress(cdk.Stack, 'rIngress',
+                                ip_protocol='tcp',
+                                cidr_ip='1.2.3.4/32')
+
+# {/fact}

src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_noncompliant.py

@@ -0,0 +1,17 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk.aws_ec2 import CfnSecurityGroupIngress
+
+
+class SelectivePorts(cdk.Stack):
+
+    def exposure_of_sensitive_information_noncompliant(self):
+        # Noncompliant: 0.0.0.0/0 range is used
+        CfnSecurityGroupIngress(cdk.Stack, 'rIngress',
+                                ip_protocol='tcp',
+                                cidr_ip='0.0.0.0/0')
+
+# {/fact}

src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_compliant.py

@@ -0,0 +1,14 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3Stack(cdk.Stack):
+
+    def missing_authentication_compliant(self):
+        # Compliant: bucket is private
+        public_bucket = s3.Bucket(self, 'bucket')
+# {/fact}

src/python/detectors/missing_authentication_for_critical_function_cdk/missing_authentication_for_critical_function_cdk_noncompliant.py

@@ -0,0 +1,15 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3Stack(cdk.Stack):
+
+    def missing_authentication_noncompliant(self):
+        # Noncompliant: bucket made public
+        public_bucket = s3.Bucket(self, 'bucket')
+        public_bucket.grant_public_access()
+# {/fact}

src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_compliant.py

@@ -0,0 +1,15 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3PartialEncrypt(cdk.Stack):
+
+    def s3_partial_encrypt_compliant(self):
+        # Compliant: S3_MANAGED encryption specified
+        bucket = s3.Bucket(self, 's3-bucket',
+                           encryption=s3.BucketEncryption.S3_MANAGED)
+# {/fact}

src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_noncompliant.py

@@ -0,0 +1,14 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3PartialEncrypt(cdk.Stack):
+
+    def s3_partial_encrypt_noncompliant(self):
+        # Noncompliant: No encryption specified
+        bucket = s3.Bucket(self, 's3-bucket-bad')
+# {/fact}

src/python/detectors/use_of_default_credentials_cdk/use_of_default_credentials_cdk_compliant.py

@@ -0,0 +1,19 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=0}
+from aws_cdk import aws_redshift as redshift
+import aws_cdk as cdk
+
+
+class CdkStarterStack(cdk.Stack):
+
+    def redshift_default_username_compliant(self):
+        # Compliant: Custom username used
+        cfn_cluster = redshift.CfnCluster(self, "MyCfnCluster",
+                                          master_username='masteruser',
+                                          master_user_password='secret',
+                                          cluster_type='single-node',
+                                          db_name='bar',
+                                          node_type='ds2.xlarge')
+# {/fact}

src/python/detectors/use_of_default_credentials_cdk/use_of_default_credentials_cdk_noncompliant.py

@@ -0,0 +1,19 @@
+#  Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#  SPDX-License-Identifier: Apache-2.0
+
+# {fact [email protected] defects=1}
+from aws_cdk import aws_redshift as redshift
+import aws_cdk as cdk
+
+
+class CdkStarterStack(cdk.Stack):
+
+    def redshift_default_username_noncompliant(self):
+        # Noncompliant: Default master username used
+        cfn_cluster = redshift.CfnCluster(self, "MyCfnCluster",
+                                          master_username='awsuser',
+                                          master_user_password='secret',
+                                          cluster_type='single-node',
+                                          db_name='bar',
+                                          node_type='ds2.xlarge')
+# {/fact}