diff --git a/src/typescript/detector/high/improper_access_control_cdk/improper_access_control_cdk.ts b/src/typescript/detector/high/improper_access_control_cdk/improper_access_control_cdk.ts
new file mode 100644
index 0000000..c5389d2
--- /dev/null
+++ b/src/typescript/detector/high/improper_access_control_cdk/improper_access_control_cdk.ts
@@ -0,0 +1,44 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=improper-access-control-cdk@v1.0 defects=1}
+import * as cdk from '@aws-cdk/core'
+import { Repository } from 'aws-cdk-lib/aws-ecr'
+import { PolicyStatement, Effect, AccountPrincipal, AccountRootPrincipal, } from 'aws-cdk-lib/aws-iam'
+import { Stack } from 'aws-cdk-lib/core'
+
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ const repo = new Repository(Stack, 'rRepo')
+
+ // Noncompliant: '*' principals in an ECR Repository is used.
+ repo.addToResourcePolicy(
+ new PolicyStatement({
+ effect: Effect.ALLOW,
+ actions: ['*'],
+ principals: [new AccountPrincipal('*'), new AccountRootPrincipal()],
+ })
+ )
+}
+// {/fact}
+
+// {fact rule=improper-access-control-cdk@v1.0 defects=0}
+import * as cdk from '@aws-cdk/core'
+import { Stack } from 'aws-cdk-lib/core'
+
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Compliant: '*' principals in an ECR Repository is not used.
+ new Repository(Stack, 'rRepo')
+ }
+}
+// {/fact}
diff --git a/src/typescript/detector/high/insufficient_logging_cdk/insufficient_logging_cdk.ts b/src/typescript/detector/high/insufficient_logging_cdk/insufficient_logging_cdk.ts
new file mode 100644
index 0000000..c955c98
--- /dev/null
+++ b/src/typescript/detector/high/insufficient_logging_cdk/insufficient_logging_cdk.ts
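Review bot: The `defects=1` sample does not parse and the `defects=0` sample does not type-check: after `+ )` only a single `}` follows, so either the constructor or the class is left unclosed, and the compliant stack calls `new Repository(Stack, 'rRepo')` while its import list only brings in `cdk` and `Stack`; add `+ }` before the final `}` and `+import { Repository } from 'aws-cdk-lib/aws-ecr'` to the second block, or a detector that type-checks its fixtures will reject them. On the finding itself the statement is worse than the comment conveys: `AccountPrincipal('*')` together with `actions: ['*']` allows any AWS principal to pull, push and delete images, and the extra `AccountRootPrincipal()` does not narrow that since principals in one statement are alternatives, so I would write `// Noncompliant: AccountPrincipal('*') with actions ['*'] lets any AWS principal pull, push or delete images`. The compliant sample proves compliance only by attaching no resource policy at all; a fixture with a scoped `PolicyStatement` (a concrete account principal plus only the `ecr:` actions it needs) would document the actual fix rather than its absence. Both samples also pass the `Stack` class rather than `this` as the construct scope and mix `@aws-cdk/core` with `aws-cdk-lib`, which the detector presumably tolerates but a real stack would not synthesize.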
@@ -0,0 +1,49 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+// {fact rule=insufficient-logging-cdk@v1.0 defects=1}
+import * as cdk from '@aws-cdk/core'
+import { StateMachine, Wait, WaitTime, LogLevel, } from 'aws-cdk-lib/aws-stepfunctions'
+import { Duration, Stack } from 'aws-cdk-lib/core'
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Noncompliant: `ALL` events logs is not used
+ new StateMachine(Stack, 'rStateMachine', {
+ definition: new Wait(Stack, 'rWait30', {
+ time: WaitTime.duration(Duration.seconds(30))
+ })
+ })
+ }
+}
+// {/fact}
+
+// {fact rule=insufficient-logging-cdk@v1.0 defects=0}
+import * as cdk from '@aws-cdk/core'
+import { LogGroup } from 'aws-cdk-lib/aws-logs'
+import { StateMachine, Wait, WaitTime, LogLevel, } from 'aws-cdk-lib/aws-stepfunctions'
+import { Duration, Stack } from 'aws-cdk-lib/core'
+
+
+export class CdkStarterStack extends cdk.Stack {
+ constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
+ super(scope, id, props)
+
+ // Compliant: `ALL` events logs is used
+ new StateMachine(Stack, 'rStateMachine',{
+ definition: new Wait(Stack, 'rWait30', {
+ time: WaitTime.duration(Duration.seconds(30))
+ }),
+ logs: {
+ level: LogLevel.ALL,
+ destination: new LogGroup(Stack, 'rSfnLog')
+ }
+ });
+ }
+}
+// {/fact}
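Review bot: The noncompliant sample omits `logs` entirely, so the fixture never exercises the partial-logging case (`level: LogLevel.ERROR` or `FATAL`, which drops successful state transitions) that a rule named insufficient-logging should presumably flag as well; a second `defects=1` state machine with `logs: { level: LogLevel.ERROR, destination: new LogGroup(Stack, 'rSfnLog') }` would pin that down. The comments should also say what is at stake rather than restating the enum, e.g. `// Noncompliant: no logging configured, so state transitions are not recorded in CloudWatch Logs` and `// Compliant: LogLevel.ALL records every state transition; execution payloads stay out of the log unless includeExecutionData is set`, since as far as I recall `includeExecutionData` defaults to false and enabling it can leak state input and output into the log group. The `LogGroup` in the compliant sample relies on the library's default retention and removal policy, which is fine for a fixture but worth a one-line note that audit logs normally get an explicit `retention`. Both samples pass the `Stack` class rather than `this` as the construct scope and mix `@aws-cdk/core` with `aws-cdk-lib`, which the detector presumably tolerates but a real stack would not synthesize.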