Add rule that checks if SSE is enabled for Kinesis Firehose delivery …

…stream (of type DirectPut) (#523)

Closes #521

lib/cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class KinesisFirehoseDeliveryStreamEncryptionRule < BaseRule
+  def rule_text
+    'Kinesis Firehose DeliveryStream of type DirectPut should specify SSE.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W88'
+  end
+
+  def audit_impl(cfn_model)
+    violating_delivery_streams = cfn_model.resources_by_type('AWS::KinesisFirehose::DeliveryStream').select do |delivery_stream|
+      violating_delivery_stream?(delivery_stream)
+    end
+
+    violating_delivery_streams.map(&:logical_resource_id)
+  end
+
+  private
+
+  def violating_delivery_stream?(delivery_stream)
+    if delivery_stream.deliveryStreamType == 'KinesisStreamAsSource'
+      false
+    elsif delivery_stream.deliveryStreamEncryptionConfigurationInput.nil?
+      true
+    else
+      delivery_stream.deliveryStreamEncryptionConfigurationInput['KeyType'].nil?
+    end
+  end
+end

spec/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/KinesisFirehoseDeliveryStreamEncryptionRule'
+
+describe KinesisFirehoseDeliveryStreamEncryptionRule do
+  context 'Kinesis Firehose DeliveryStream with encryption defined.' do
+    it 'returns an empty list' do
+      cfn_model = CfnParser.new.parse read_test_template('yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_defined.yaml')
+
+      actual_logical_resource_ids = KinesisFirehoseDeliveryStreamEncryptionRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context 'Kinesis Firehose DeliveryStream with encryption not defined.' do
+    it 'returns offending logical resource ids' do
+      cfn_model = CfnParser.new.parse read_test_template('yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_not_defined.yaml')
+
+      actual_logical_resource_ids = KinesisFirehoseDeliveryStreamEncryptionRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[DeliveryStream1]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context 'Kinesis Firehose DeliveryStream with encryption defined and referencing parameter.' do
+    it 'returns an empty list' do
+      cfn_model = CfnParser.new.parse read_test_template('yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_defined_with_parameter.yaml')
+
+      actual_logical_resource_ids = KinesisFirehoseDeliveryStreamEncryptionRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context 'Kinesis Firehose DeliveryStream with encryption defined without KeyType.' do
+    it 'returns offending logical resource ids' do
+      cfn_model = CfnParser.new.parse read_test_template('yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_defined_without_key_type.yaml')
+
+      actual_logical_resource_ids = KinesisFirehoseDeliveryStreamEncryptionRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[DeliveryStream1]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+end

spec/test_templates/yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_defined.yaml

@@ -0,0 +1,22 @@
+---
+Resources:
+  DeliveryStream1:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamEncryptionConfigurationInput:
+        KeyType: AWS_OWNED_CMK
+      DeliveryStreamType: DirectPut
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar
+
+  DeliveryStream2:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamEncryptionConfigurationInput:
+        KeyARN: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+        KeyType: CUSTOMER_MANAGED_CMK
+      DeliveryStreamType: DirectPut
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar

spec/test_templates/yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_defined_with_parameter.yaml

@@ -0,0 +1,16 @@
+---
+Parameters:
+  KmsKeyId:
+    Type: String
+    Default: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+Resources:
+  DeliveryStream1:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamEncryptionConfigurationInput:
+        KeyARN: !Ref KmsKeyId
+        KeyType: CUSTOMER_MANAGED_CMK
+      DeliveryStreamType: DirectPut
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar

spec/test_templates/yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_defined_without_key_type.yaml

@@ -0,0 +1,32 @@
+---
+Resources:
+  DeliveryStream1:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamEncryptionConfigurationInput:
+        KeyType:
+      DeliveryStreamType: DirectPut
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar
+
+  DeliveryStream2:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamEncryptionConfigurationInput:
+        KeyType: AWS_OWNED_CMK
+      DeliveryStreamType: DirectPut
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar
+
+  DeliveryStream3:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamEncryptionConfigurationInput:
+        KeyARN: arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
+        KeyType: CUSTOMER_MANAGED_CMK
+      DeliveryStreamType: DirectPut
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar

spec/test_templates/yaml/kinesisfirehose_deliverystream/kinesisfirehose_deliverystream_encryption_not_defined.yaml

@@ -0,0 +1,20 @@
+---
+Resources:
+  DeliveryStream1:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamType: DirectPut
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar
+
+  DeliveryStream2:
+    Type: AWS::KinesisFirehose::DeliveryStream
+    Properties:
+      DeliveryStreamType: KinesisStreamAsSource
+      ExtendedS3DestinationConfiguration:
+        BucketARN: arn:aws:s3:::foobar-bucket
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar
+      KinesisStreamSourceConfiguration:
+        KinesisStreamARN: arn:aws:kinesis:us-east-1:123456789012:stream/test-stream
+        RoleARN: arn:aws:iam::123456789012:role/KinesisFirehose-foobar