
eslint-plugin-awscdk's Introduction

eslint-plugin-awscdk's People

Contributors

corymhall, dependabot[bot], gjohnson

eslint-plugin-awscdk's Issues

setup testing

Set up an action to run npm test. You know, so I know when I break things :-)

KMS.2 IAM principals should not have IAM inline policies that allow decryption actions on all KMS keys

Category: Foundational

Rules:

The current rule checks all PolicyStatements, but we need to either find a way to check whether the PolicyStatement is part of a policy attached to an IAM principal or handle this some other way (change it to a warning, etc.).

Determine defaults

We need to determine:

  1. What are the default configs that we will provide
  2. What are the default warning levels for the rules

In the docs there are 4 levels of severity: low, medium, high, critical.

Support for aws-cdk v2

The plugin is not working because aws-cdk v2 overhauled the bundling of the packages.

CloudFront.2 CloudFront distributions should have origin access identity enabled

This one will be more difficult. The Distribution construct will set up an OAI based on whether the bucket is set up as website hosting or not.

incorrect

const bucket = new s3.Bucket(this, 'WebsiteBucket', {
  websiteIndexDocument: 'index.html', // enables static website hosting
});

// S3Origin takes the bucket directly; it is not a construct with (scope, id)
const s3Origin = new cloudfront_origins.S3Origin(bucket);

new cloudfront.Distribution(this, 'Distribution', {
  defaultBehavior: {
    origin: s3Origin,
    // ...
  },
});

correct

const bucket = new s3.Bucket(this, 'WebsiteBucket');

// S3Origin takes the bucket directly; it is not a construct with (scope, id)
const s3Origin = new cloudfront_origins.S3Origin(bucket);

new cloudfront.Distribution(this, 'Distribution', {
  defaultBehavior: {
    origin: s3Origin,
    // ...
  },
});

Amazon S3 permissions granted to other AWS accounts in bucket policies should be restricted

Need to find a way to search for accountIDs in strings. For example:

new iam.PolicyStatement({
  principals: [
    // account ID embedded in a literal ARN string
    new iam.ArnPrincipal('arn:aws:iam::1111111111:role/mycrossaccountrole'),
    // or account ID passed to formatArn
    new iam.ArnPrincipal(stack.formatArn({
      account: '111111111',
      // ...
    })),
  ],
})

One option is to force people to use the formatArn method and just make sure they don't provide the account parameter, which will default it to the current account.
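One way to approach the two cases in this issue, as an added sketch that is not the plugin's own code: an ESLint rule object that flags a literal ARN with a numeric account field passed to `ArnPrincipal`, and any `formatArn()` call that sets `account`. The rule name, messages, `runRule` driver and `SAMPLE` node are hypothetical and constructed for illustration.

```javascript
// Added sketch, not eslint-plugin-awscdk's code; rule name and messages are hypothetical.
// Assumption: any all-digit ARN account field is hard-coded (real account IDs are 12 digits).
const ARN_ACCOUNT = /^arn:[^:]*:[^:]*:[^:]*:(\d+):/;

// Text of a string literal or expression-free template literal; null if dynamic.
function staticString(node) {
  if (!node) return null;
  if (node.type === 'Literal' && typeof node.value === 'string') return node.value;
  const plain = node.type === 'TemplateLiteral' && node.expressions.length === 0;
  return plain ? node.quasis[0].value.cooked : null;
}

const noHardcodedAccount = {
  meta: { type: 'problem', schema: [], messages: {
    arn: 'ArnPrincipal hard-codes account {{account}}.',
    formatArn: 'formatArn() sets "account"; omit it to default to the current account.',
  } },
  create(context) {
    return {
      // new iam.ArnPrincipal('arn:aws:iam::<digits>:role/...') or new ArnPrincipal(...)
      NewExpression(node) {
        const c = node.callee;
        const name = c.type === 'MemberExpression' ? c.property.name : c.name;
        if (name !== 'ArnPrincipal') return;
        const m = ARN_ACCOUNT.exec(staticString(node.arguments[0]) || '');
        if (m) context.report({ node, messageId: 'arn', data: { account: m[1] } });
      },
      // <expr>.formatArn({ account: ..., ... }): any explicit account key is flagged
      CallExpression(node) {
        const c = node.callee;
        if (c.type !== 'MemberExpression' || c.property.name !== 'formatArn') return;
        const arg = node.arguments[0] || {};
        const hit = (arg.properties || []).find((p) => p.type === 'Property' && !p.computed
          && (p.key.name === 'account' || p.key.value === 'account'));
        if (hit) context.report({ node: hit, messageId: 'formatArn' });
      },
    };
  },
};

// Stub driver: feeds hand-built ESTree nodes to the visitors (ESLint normally does this).
function runRule(nodes) {
  const out = [];
  const visitors = noHardcodedAccount.create({ report: (r) => out.push(r) });
  nodes.forEach((n) => visitors[n.type] && visitors[n.type](n));
  return out.map((r) => (r.data ? `${r.messageId}:${r.data.account}` : r.messageId));
}
// Constructed sample: node for new ArnPrincipal('arn:aws:iam::111111111111:role/x')
const SAMPLE = { type: 'NewExpression', callee: { type: 'Identifier', name: 'ArnPrincipal' },
  arguments: [{ type: 'Literal', value: 'arn:aws:iam::111111111111:role/x' }] };
```

ARNs assembled from variables or template expressions return `null` from `staticString` and are not reported, which is the gap the `formatArn` convention is meant to close.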
