This repository has been archived by the owner on Oct 4, 2024. It is now read-only.

Releases: Hack23/sonar-cloudformation-plugin

Release 1.4.0

25 Feb 18:36

What’s Changed

  • Update dependency org.mockito:mockito-core to v3.3.0 (#102) @renovate
  • Update dependency org.mockito:mockito-core to v3.2.11 (#101) @renovate

Support new cfn-nag rules

  • F77 SimpleDB Domain should not be a declared resource
  • F78 AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'
  • W57 AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.
  • W58 Lambda functions require permission to write CloudWatch Logs
  • W59 AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE'.
  • W62 ApiGateway SecurityPolicy should use TLS 1.2

Release 1.3.0

04 Feb 20:51

What’s Changed

  • Update dependency org.mockito:mockito-core to v3.2.10 (#99) @renovate
  • Update dependency org.mockito:mockito-core to v3.2.9 (#98) @renovate

Support new cfn-nag rules

  • W55 Elastic Load Balancer V2 Listener SslPolicy should use TLS 1.2 (#100)
  • W56 Elastic Load Balancer V2 Listener Protocol should use HTTPS for ALBs (#100)

Release 1.2.0

16 Jan 20:41

What’s Changed

  • Update dependency org.mockito:mockito-core to v3.2.8 (#95) @renovate
  • Update dependency org.owasp:dependency-check-maven to v5.3.0 (#94) @renovate

Support new cfn-nag rules

  • F19 EnableKeyRotation should not be false or absent on KMS::Key resource
  • F42 Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F43 Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F44 ElastiCache ReplicationGroup AuthToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F45 Lambda Permission EventSourceToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F46 Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F47 Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F48 Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F49 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F56 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F57 Pinpoint APNSChannel PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F61 OpsWorks App SslConfiguration PrivateKey must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F62 OpsWorks Stack CustomCookbooksSource Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F63 EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F64 EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F65 EMR Cluster KerberosAttributes KdcAdmin Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F66 Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F67 OpsWorks App AppSource Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F68 Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F69 CodePipeline Webhook AuthenticationConfiguration SecretToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F70 DocDB DB Cluster master user password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F71 ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.

Release 1.1.0

08 Jan 21:29

Changes

Support new cfn-nag rules

  • W55 KMS key should not allow * principal
  • F53 AppStream DirectoryConfig ServiceAccountCredentials AccountPassword must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F55 DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F58 Amplify App OauthToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F60 Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F74 Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
  • F75 Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.

Release 1.0.15

07 Jan 00:25

Changes

New rules: AmazonMQ Broker should specify EncryptionOptions; ElasticsearchDomain should specify EncryptionAtRestOptions.

Release 1.0.14

10 Dec 23:20

Changes

New rule: Kinesis Stream should specify StreamEncryption, EncryptionType should be KMS and specify KMS Key Id.

Release 1.0.13

08 Dec 20:57

Changes

New Rules

  • W47 SNS Topic should specify KmsMasterKeyId property
  • W48 SQS Queue should specify KmsMasterKeyId property
  • W52 Elastic Load Balancer V2 should have access logging enabled

Release 1.0.12

29 Nov 23:45

Changes

New rule: ApiGateway V2 should have access logging configured

Release 1.0.11

17 Nov 11:58

Changes

Correct the wrong text of F27; it should be "RDS DBInstance should have StorageEncrypted enabled".

Release 1.0.10

17 Nov 11:59

Changes

New rules

  • F51 If the IAM user LoginProfile property exists, then its Password value should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.
  • F52 Amazon MQ Broker resource Users property should exist and its Password property value should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.
  • F54 OpsWorks Stack RDS DBInstance Password property should not show password in plain text, resolve an unsecure ssm string, or have a default value for parameter.
  • W45 ApiGateway should have access logging configured
  • W50 IAM User Login Profile should exist and have PasswordResetRequired property set to true
  • W51 S3 bucket should likely have a bucket policy