Lambda inside vpc (#527)

* Add check https://docs.aws.amazon.com/config/latest/developerguide/lambda-inside-vpc.html in #503 (wip) * #503 lambdainsidevpc * Update spec/cfn_nag_integration/cfn_nag_lambda_permission_spec.rb Co-authored-by: Kevin Formsma <kevin.formsma@gmail.com> * Update lib/cfn-nag/custom_rules/LambdaFunctionInsideVPCRule.rb Co-authored-by: Kevin Formsma <kevin.formsma@gmail.com> Co-authored-by: Kevin Formsma <kevin.formsma@gmail.com>
stelligent · Apr 5, 2021 · cd54ba1 · cd54ba1
1 parent 633e5d0
commit cd54ba1
Show file tree

Hide file tree

Showing 6 changed files with 214 additions and 1 deletion.
diff --git a/lib/cfn-nag/custom_rules/LambdaFunctionInsideVPCRule.rb b/lib/cfn-nag/custom_rules/LambdaFunctionInsideVPCRule.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class LambdaFunctionInsideVPCRule < BaseRule
+  def rule_text
+    'Lambda functions should be deployed inside a VPC'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W89'
+  end
+
+  def audit_impl(cfn_model)
+    lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
+    violating_lambda_functions = lambda_functions.select do |lambda_function|
+      lambda_function.vpcConfig.nil?
+    end
+
+    violating_lambda_functions.map(&:logical_resource_id)
+  end
+end
diff --git a/spec/cfn_nag_integration/cfn_nag_lambda_permission_spec.rb b/spec/cfn_nag_integration/cfn_nag_lambda_permission_spec.rb
@@ -33,6 +33,11 @@
                             message: 'IAM role should not allow * resource on its permissions policy',
                             logical_resource_ids: %w[LambdaExecutionRole],
                             line_numbers: [49]),
+              Violation.new(id: 'W89',
+                            type: Violation::WARNING,
+                            message: 'Lambda functions should be deployed inside a VPC',
+                            logical_resource_ids: %w[AppendItemToListFunction],
+                            line_numbers: [4]),                            
               Violation.new(id: 'F13',
                             type: Violation::FAILING_VIOLATION,
                             message: 'Lambda permission principal should not be wildcard',

diff --git a/spec/cfn_nag_integration/cfn_nag_serverless_transform_spec.rb b/spec/cfn_nag_integration/cfn_nag_serverless_transform_spec.rb
@@ -26,7 +26,13 @@
                 message: LambdaFunctionCloudWatchLogsRule.new.rule_text,
                 logical_resource_ids: %w[SomeFunction2],
                 line_numbers: [-1]
-              )
+              ),
+              Violation.new(
+                id: 'W89', type: Violation::WARNING,
+                message: LambdaFunctionInsideVPCRule.new.rule_text,
+                logical_resource_ids: ["SomeFunction", "SomeFunction2"],
+                line_numbers: [-1,-1]
+              )              
             ]
           }
         }

diff --git a/spec/custom_rules/LambdaFunctionInsideVPCRule_spec.rb b/spec/custom_rules/LambdaFunctionInsideVPCRule_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/LambdaFunctionInsideVPCRule'
+
+describe LambdaFunctionInsideVPCRule do
+
+  describe 'AWS::Lambda::Function' do
+    context 'when lambda function is inside VPC' do
+      it 'does not return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/lambda_function/lambda_inside_vpc.json')
+        actual_logical_resource_ids = LambdaFunctionInsideVPCRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq []
+      end
+    end
+  end
+
+  describe 'AWS::Lambda::Function' do
+    context 'when lambda function is not inside VPC' do
+      it 'does return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/lambda_function/lambda_not_inside_vpc.json')
+        actual_logical_resource_ids = LambdaFunctionInsideVPCRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq ["FunctionNotInsideVpc"]
+      end
+    end
+   end
+
+end
diff --git a/spec/test_templates/json/lambda_function/lambda_inside_vpc.json b/spec/test_templates/json/lambda_function/lambda_inside_vpc.json
@@ -0,0 +1,76 @@
+{
+	"Resources": {
+		"FunctionInsideVpc": {
+			"Type": "AWS::Lambda::Function",
+			"Properties": {
+				"Role": {
+					"Ref": "RoleWithLambdaVPCAccessManagedPolicy"
+				},
+				"Handler": "index.handler",
+				"Code": {
+					"ZipFile": {
+						"Fn::Join": [
+							"",
+							[
+								"var response = require('cfn-response');",
+								"exports.handler = function(event, context) {",
+								"var responseData = {Value: event.ResourceProperties.List};",
+								"responseData.Value.push(event.ResourceProperties.AppendedItem);",
+								"response.send(event, context, response.SUCCESS, responseData);}"
+							]
+						]
+					}
+				},
+				"Runtime": "nodejs6.10",
+				"VpcConfig": {
+					"SecurityGroupIds": [
+						"secgroup"
+					],
+					"SubnetIds": [
+						"subnetid"
+					]
+				}
+			}
+		},
+		"RoleWithLambdaVPCAccessManagedPolicy": {
+			"Type": "AWS::IAM::Role",
+			"Properties": {
+				"AssumeRolePolicyDocument": {
+					"Version": "2012-10-17",
+					"Statement": [
+						{
+							"Effect": "Allow",
+							"Principal": {
+								"Service": "lambda.amazonaws.com"
+							},
+							"Action": [
+								"sts:AssumeRole"
+							]
+						}
+					]
+				},
+				"ManagedPolicyArns": [
+					"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+				],
+				"Path": "/",
+				"Policies": [
+					{
+						"PolicyName": "root",
+						"PolicyDocument": {
+							"Version": "2012-10-17",
+							"Statement": [
+								{
+									"Effect": "Allow",
+									"Action": [
+										"specific:ObscureAction"
+									],
+									"Resource": "*"
+								}
+							]
+						}
+					}
+				]
+			}
+		}
+	}
+}
diff --git a/spec/test_templates/json/lambda_function/lambda_not_inside_vpc.json b/spec/test_templates/json/lambda_function/lambda_not_inside_vpc.json
@@ -0,0 +1,68 @@
+{
+	"Resources": {
+		"FunctionNotInsideVpc": {
+			"Type": "AWS::Lambda::Function",
+			"Properties": {
+				"Role": {
+					"Ref": "RoleWithLambdaVPCAccessManagedPolicy"
+				},
+				"Handler": "index.handler",
+				"Code": {
+					"ZipFile": {
+						"Fn::Join": [
+							"",
+							[
+								"var response = require('cfn-response');",
+								"exports.handler = function(event, context) {",
+								"var responseData = {Value: event.ResourceProperties.List};",
+								"responseData.Value.push(event.ResourceProperties.AppendedItem);",
+								"response.send(event, context, response.SUCCESS, responseData);}"
+							]
+						]
+					}
+				},
+				"Runtime": "nodejs6.10"
+			}
+		},
+		"RoleWithLambdaVPCAccessManagedPolicy": {
+			"Type": "AWS::IAM::Role",
+			"Properties": {
+				"AssumeRolePolicyDocument": {
+					"Version": "2012-10-17",
+					"Statement": [
+						{
+							"Effect": "Allow",
+							"Principal": {
+								"Service": "lambda.amazonaws.com"
+							},
+							"Action": [
+								"sts:AssumeRole"
+							]
+						}
+					]
+				},
+				"ManagedPolicyArns": [
+					"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+				],
+				"Path": "/",
+				"Policies": [
+					{
+						"PolicyName": "root",
+						"PolicyDocument": {
+							"Version": "2012-10-17",
+							"Statement": [
+								{
+									"Effect": "Allow",
+									"Action": [
+										"specific:ObscureAction"
+									],
+									"Resource": "*"
+								}
+							]
+						}
+					}
+				]
+			}
+		}
+	}
+}