diff --git a/src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_compliant.py b/src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_compliant.py
new file mode 100644
index 0000000..0b4ac4f
--- /dev/null
+++ b/src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_compliant.py
@@ -0,0 +1,17 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=exposure-of-sensitive-information-cdk@v1.0 defects=0}
+import aws_cdk as cdk
+from aws_cdk.aws_ec2 import CfnSecurityGroupIngress
+
+
+class SelectivePorts(cdk.Stack):
+
+    def exposure_of_sensitive_information_compliant(self):
+        # Compliant: 0.0.0.0/0 range is not used
+        CfnSecurityGroupIngress(cdk.Stack, 'rIngress',
+                                ip_protocol='tcp',
+                                cidr_ip='1.2.3.4/32')
+
+# {/fact}
diff --git a/src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_noncompliant.py b/src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_noncompliant.py
new file mode 100644
index 0000000..65ea07c
--- /dev/null
+++ b/src/python/detectors/exposure_of_sensitive_information_cdk/exposure_of_sensitive_information_cdk_noncompliant.py
@@ -0,0 +1,17 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=exposure-of-sensitive-information-cdk@v1.0 defects=1}
+import aws_cdk as cdk
+from aws_cdk.aws_ec2 import CfnSecurityGroupIngress
+
+
+class SelectivePorts(cdk.Stack):
+
+    def exposure_of_sensitive_information_noncompliant(self):
+        # Noncompliant: 0.0.0.0/0 range is used
+        CfnSecurityGroupIngress(cdk.Stack, 'rIngress',
+                                ip_protocol='tcp',
+                                cidr_ip='0.0.0.0/0')
+
+# {/fact}
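Review bot: `CfnSecurityGroupIngress(cdk.Stack, 'rIngress', ...)` passes the `cdk.Stack` class as the construct scope rather than the stack instance, so the ingress rule is never parented to the stack being built; it should read `CfnSecurityGroupIngress(self, 'rIngress',`, matching how the s3 samples in this commit call `s3.Bucket(self, ...)`. The same line appears in the noncompliant file of this hunk pair and needs the same change. Separately, the rule declares neither a port range nor a target security group, so as written it is unlikely to produce a deployable resource; if these files are meant as copyable patterns, confirm the L1 construct's required properties and add them.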
diff --git a/src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_compliant.py b/src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_compliant.py
new file mode 100644
index 0000000..f151239
--- /dev/null
+++ b/src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_compliant.py
@@ -0,0 +1,15 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=s3-partial-encrypt-cdk@v1.0 defects=0}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3PartialEncrypt(cdk.Stack):
+
+    def s3_partial_encrypt_compliant(self):
+        # Compliant: S3_MANAGED encryption specified
+        bucket = s3.Bucket(self, 's3-bucket',
+                           encryption=s3.BucketEncryption.S3_MANAGED)
+# {/fact}
diff --git a/src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_noncompliant.py b/src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_noncompliant.py
new file mode 100644
index 0000000..d990a88
--- /dev/null
+++ b/src/python/detectors/s3_partial_encrypt_cdk/s3_partial_encrypt_cdk_noncompliant.py
@@ -0,0 +1,14 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# {fact rule=s3-partial-encrypt-cdk@v1.0 defects=1}
+import aws_cdk as cdk
+from aws_cdk import aws_s3 as s3
+
+
+class S3PartialEncrypt(cdk.Stack):
+
+    def s3_partial_encrypt_noncompliant(self):
+        # Noncompliant: No encryption specified
+        bucket = s3.Bucket(self, 's3-bucket-bad')
+# {/fact}
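Review bot: `bucket = s3.Bucket(self, 's3-bucket', ...)` binds a local that is never read, in this file and again in the noncompliant file of the same hunk pair; the stack already owns the construct through `self`, so the assignment can be reduced to `s3.Bucket(self, 's3-bucket', encryption=s3.BucketEncryption.S3_MANAGED)`. The closing `# {/fact}` marker also sits directly under the last code line here, whereas the ingress samples in this commit leave a blank line before it; one layout for all four files would keep the fact blocks easier to diff.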
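Review bot: The comment `# Noncompliant: No encryption specified` overstates the finding as an at-rest claim: omitting `encryption` means no BucketEncryption configuration is declared in the synthesized template, but it does not by itself mean objects are stored unencrypted, since S3 has applied SSE-S3 to new buckets by default since early 2023 (confirm against current AWS documentation). Suggest `# Noncompliant: no encryption configuration declared on the bucket` so the sample describes the IaC defect the detector can see rather than the runtime state of the data.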