
Releases: Skyscanner/cfripper

0.18.1

14 Apr 13:35
9fb9075

Fixed

  • CrossAccountCheckingRule's call to add_failure_to_result on UNDEFINED_ was missing the context variable.

0.18.0

07 Apr 16:40
3223ed4

Improvements

  • EC2SecurityGroupIngressOpenToWorldRule, EC2SecurityGroupMissingEgressRule and EC2SecurityGroupOpenToWorldRule include support for filters.
  • EC2SecurityGroupIngressOpenToWorldRule and EC2SecurityGroupOpenToWorldRule support adding errors for port ranges.
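The two items above describe a world-open check that reports port ranges rather than single ports. The following is an added illustration of that idea, written for this page and not cfripper's own rule code: it takes one AWS::EC2::SecurityGroup resource in CloudFormation's JSON shape, treats 0.0.0.0/0 and ::/0 as "open to the world", subtracts an allowed-ports list typed as List[int] (the 80/443 contents are sample values chosen here), and collapses the remaining ports into compact ranges for the message. The resource and the function names are constructed for the example.

```python
import ipaddress
from typing import Any, Dict, List

# Constructed illustration, not cfripper's implementation. Mirrors the idea of
# Config.DEFAULT_ALLOWED_WORLD_OPEN_PORTS being a List[int]; 80 and 443 are
# sample values chosen for this example.
DEFAULT_ALLOWED_WORLD_OPEN_PORTS: List[int] = [80, 443]


def is_open_to_world(cidr: str) -> bool:
    """True when the CIDR is the whole IPv4 or IPv6 space (prefix length 0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def disallowed_world_open_ports(ingress: Dict[str, Any], allowed: List[int]) -> List[int]:
    """Ports in the rule's FromPort..ToPort range that are reachable from
    anywhere and are not on the allowed list. An empty list means no finding."""
    cidr = ingress.get("CidrIp") or ingress.get("CidrIpv6")
    if not cidr or not is_open_to_world(cidr):
        return []
    from_port = int(ingress.get("FromPort", 0))
    to_port = int(ingress.get("ToPort", from_port))
    # In CloudFormation a port of -1 (used with IpProtocol -1) means every port.
    if from_port == -1 or to_port == -1:
        from_port, to_port = 0, 65535
    allowed_set = set(allowed)
    return [p for p in range(from_port, to_port + 1) if p not in allowed_set]


def to_ranges(ports: List[int]) -> List[str]:
    """Collapse a sorted port list into compact 'a-b' / 'a' strings so a finding
    about a wide range stays readable instead of listing thousands of ports."""
    groups: List[List[int]] = []
    for p in ports:
        if groups and p == groups[-1][1] + 1:
            groups[-1][1] = p
        else:
            groups.append([p, p])
    return [f"{a}-{b}" if a != b else str(a) for a, b in groups]


def check_security_group(resource: Dict[str, Any], allowed: List[int]) -> List[str]:
    """Evaluate every SecurityGroupIngress entry of one AWS::EC2::SecurityGroup
    resource and return one message per offending ingress rule."""
    messages: List[str] = []
    for ingress in resource.get("Properties", {}).get("SecurityGroupIngress", []):
        bad = disallowed_world_open_ports(ingress, allowed)
        if bad:
            cidr = ingress.get("CidrIp") or ingress.get("CidrIpv6")
            messages.append(
                f"Port(s) {', '.join(to_ranges(bad))} open to the world via {cidr}"
            )
    return messages


# Constructed sample resource in CloudFormation's JSON shape.
SAMPLE_RESOURCE = {
    "Type": "AWS::EC2::SecurityGroup",
    "Properties": {
        "GroupDescription": "sample",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 90, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "::/0"},
        ],
    },
}

if __name__ == "__main__":
    for msg in check_security_group(SAMPLE_RESOURCE, DEFAULT_ALLOWED_WORLD_OPEN_PORTS):
        print(msg)
```

On the sample resource, the 443 rule is allowed, the 80-90 rule is reported as "81-90" (80 is on the allowed list), the 10.0.0.0/8 rule is ignored because it is not world-open, and the IPv6 rule for port 22 is reported. Reporting ranges instead of individual ports is what keeps a finding on a `-1`/all-ports rule readable.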

Breaking changes

  • Config.DEFAULT_ALLOWED_WORLD_OPEN_PORTS type changes to List[int]
  • Rename SecurityGroupIngressOpenToWorldRule to EC2SecurityGroupIngressOpenToWorldRule
  • Rename SecurityGroupMissingEgressRule to EC2SecurityGroupMissingEgressRule
  • Rename SecurityGroupOpenToWorldRule to EC2SecurityGroupOpenToWorldRule
  • Improved message for users when failing the SecurityGroupOpenToWorldRule and SecurityGroupIngressOpenToWorldRule rules.
  • Improved documentation for the above rules, including styling fixes which have now been tested.

0.17.1

30 Mar 15:48
4bc407b

Improvements

  • Add exists and empty functions to filters
  • Add param_resolver to filters so that only the necessary params are evaluated

Fixed

  • Add protection when a filter is evaluated: catch the exception and continue

0.17.0

27 Mar 15:34
20c7c4b

Improvements

  • CrossAccountCheckingRule, CrossAccountTrustRule, S3CrossAccountTrustRule and KMSKeyCrossAccountTrustRule include support for filters.

Breaking changes

  • CrossAccountCheckingRule now includes the invoke method. Statements of PolicyDocument are now analysed using RESOURCE_TYPE and PROPERTY_WITH_POLICYDOCUMENT class variables.

0.16.0

27 Mar 10:18
da12775

Improvements

  • Add new RuleConfig, which allows overriding a rule's default behaviour by changing its rule mode and risk value.
  • Add new Filter, which allows applying a custom rule configuration to matching cases.
  • New RuleModes supported: RuleMode.DISABLED and RuleMode.WHITELISTED.

Breaking changes

  • Class variables Rule.RULE_MODE and Rule.RISK_VALUE should be replaced by the properties rule_mode and risk_value. These properties take into account any custom config that might be applied.
  • If the rule mode is DISABLED or WHITELISTED, the methods add_failure_to_result and add_warning_to_result have no effect.
  • add_failure_to_result and add_warning_to_result accept a new optional parameter named context. This variable is evaluated by the filters defined in the custom config.

0.15.0

25 Mar 10:16
f1cd569

Improvements

  • Generate DEFAULT_RULES and BASE_CLASSES using code instead of hardcoding them

Fixed

  • Whitelist did not work if it didn't have the Rule prefix

Breaking changes

  • Suffix KMSKeyWildcardPrincipal and SecurityGroupIngressOpenToWorld with Rule
  • Suffix the whitelist constants FullWildcardPrincipal and PartialWildcardPrincipal with Rule

0.14.2

04 Mar 11:43
3b194e2

Improvements

  • Update dependencies

0.14.1

25 Feb 08:51
8528077

Improvements

  • Rule processor now accepts an extras parameter that will be forwarded to the rules
  • Main gets extra information from the event and forwards it to the rule formatter

0.14.0

07 Feb 11:50
e68452d

[0.14.0] - 2020-02-07

Breaking changes

  • Completely changed base Rule abstract class signature and adapted rule classes to match it:
    • Init now only takes a Config
    • invoke method now accepts an optional extra Dict
    • invoke method returns a Result instead of None
    • add_failure has been renamed to add_failure_to_result. It now takes a result instead of a reason (the reason is now inferred)
    • add_warning has been renamed to add_warning_to_result. It now has the same signature as add_failure_to_result

Improvements

  • The invoke method's extras parameter has been added to allow changing the rule behaviour depending on state beyond the cfmodel itself:
    • Stack naming rules
    • Stack tags
    • User restrictions
    • ...

0.13.0

22 Jan 13:00
b816882

Fixed

  • Regular expressions had an unescaped '.' before 'amazonaws.com', so the '.' matched any character and the patterns could match more hosts than intended.
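The fix above is a common allowlist mistake: an unescaped '.' in a regex is a wildcard, so a host that differs from the intended one only at that position still matches. The following is an added example for this page, not the project's own regexes: two constructed patterns (one with the unescaped dot, one with it escaped) run against constructed sample hosts, plus a small lint function that reports the positions of dots in a regex source that act as "any character". The lint is a simple heuristic that ignores escapes and character classes but does not handle every regex corner case.

```python
import re
from typing import List

# Constructed patterns, not the project's own regexes. Both intend to accept only
# hosts under amazonaws.com; the first has the unescaped '.' the fix describes.
HOST_UNESCAPED = re.compile(r"^[a-z0-9.-]+\.amazonaws.com$")
HOST_ESCAPED = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")


def matches(pattern: re.Pattern, host: str) -> bool:
    """True when the whole host string matches the pattern."""
    return pattern.fullmatch(host) is not None


def unescaped_literal_dots(pattern: str) -> List[int]:
    """Positions of '.' in a regex source that act as 'any character': not
    preceded by a backslash and not inside a [...] character class.
    A simple lint for allowlist patterns; it does not cover every regex corner case."""
    positions: List[int] = []
    in_class = False
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character, whatever it is
            continue
        if in_class:
            if c == "]":
                in_class = False
        elif c == "[":
            in_class = True
        elif c == ".":
            positions.append(i)
        i += 1
    return positions


# Constructed sample hosts: one legitimate, one that differs only at the dot.
SAMPLE_HOSTS = ["ec2.amazonaws.com", "ec2.amazonawsxcom"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, "unescaped:", matches(HOST_UNESCAPED, host),
              "escaped:", matches(HOST_ESCAPED, host))
    print("wildcard dots in HOST_UNESCAPED at:", unescaped_literal_dots(HOST_UNESCAPED.pattern))
    print("wildcard dots in HOST_ESCAPED at:", unescaped_literal_dots(HOST_ESCAPED.pattern))
```

Running the lint over a project's pattern constants before a release would have flagged position 23 of the unescaped pattern, the dot between 'amazonaws' and 'com'; the escaped pattern reports no wildcard dots.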

Changed

  • CloudFormationAuthenticationRule now in MONITOR mode and new test added
  • IAMRoleWildcardActionOnPolicyRule combines three previously unused rules: IAMManagedPolicyWildcardActionRule, IAMRoleWildcardActionOnPermissionsPolicyRule, and IAMRoleWildcardActionOnTrustPolicyRule
  • IAMRoleWildcardActionOnPolicyRule now in DEBUG mode
  • S3BucketPolicyWildcardActionRule has now been changed to be an instantiation of the new generic rule GenericWildcardPolicyRule. It is set in DEBUG mode
  • S3BucketPolicyWildcardActionRule has an updated regex filter, aligning it with both the other wildcard-in-actions rules and the existing SQSQueuePolicyWildcardActionRule
  • SQSQueuePolicyWildcardActionRule has now been changed to be an instantiation of the new generic rule GenericWildcardPolicyRule. It is set in DEBUG mode
  • SecurityGroupMissingEgressRule now in DEBUG mode and a new test added
  • SNSTopicPolicyWildcardActionRule has been added. It is an instantiation of the new generic rule GenericWildcardPolicyRule. It is set in DEBUG mode

Breaking changes

  • The following rules are no longer available:
    • IAMRoleWildcardActionOnPermissionsPolicyRule
    • IAMRoleWildcardActionOnTrustPolicyRule
    • IAMManagedPolicyWildcardActionRule
  • The following rules have been moved:
    • S3BucketPolicyWildcardActionRule
    • SQSQueuePolicyWildcardActionRule