stelligent/cfn_nag

Faulty json output on cfn_nag_scan

isuftin opened this issue · 2 comments

Running cfn-nag 0.8.10, scanning a nested CloudFormation template, outputting json and am seeing:

Experimental SPCM rule is failing. Please report undefined method `gsub' for {"Ref"=>"RDSKMSKeyAlias"}:Hash

      value = value.gsub("${#{special_character}}", '')
                   ^^^^^ with the violating template

[ ... rest of json output ... ]

While the CloudFormation template(s) may be erroneous, we would not expect plaintext errors to make their way into JSON output as this output gets scanned later for test reporting in GitLab.

The problem was found in the template and corrected, which fixed the error in the output. Original template:

Wrong:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: My IAM role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: My Description
      PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/my-policy-boundary
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AliasBasedKMSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - kms:List*
                  - kms:Describe*
                  - kms:Decrypt
                  - kms:Encrypt
                Resource: !Sub arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*
                Condition:
                  ForAnyValue:StringEquals:
                    kms:ResourceAliases:
                      - !Ref RDSKMSKeyAlias

Right:

---
AWSTemplateFormatVersion: "2010-09-09"
Description: My IAM role
Resources:
  Role:
    Type: AWS::IAM::Role
    Properties:
      Description: My Description
      PermissionsBoundary: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/my-policy-boundary
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AmazonSSMManagedInstanceCore
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: AliasBasedKMSAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - kms:List*
                  - kms:Describe*
                  - kms:Decrypt
                  - kms:Encrypt
                Resource: !Sub arn:${AWS::Partition}:kms:*:${AWS::AccountId}:key/*
                Condition:
                  ForAnyValue:StringEquals:
                    kms:ResourceAliases: !Ref RDSKMSKeyAlias

Specifically, cfn-nag was puking on this having a list instead of a string:

Condition:
  ForAnyValue:StringEquals:
    kms:ResourceAliases: ...
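The failure mode above (a rule that calls String#gsub on a value that turns out to be a {"Ref"=>...} Hash nested inside an Array) and the reporter's second complaint (the plaintext error landing in the JSON stream) can both be reproduced and handled in a few lines of Ruby. The block below is an added example, not cfn_nag's own code: strip_naive is a hypothetical reconstruction of the failing shape, the SPECIAL_CHARACTERS list is assumed, and the two Condition hashes are constructed from the "Wrong" and "Right" templates on the assumption that the YAML loader turns !Ref into {"Ref" => ...} (which is the Hash shown in the error message).

```ruby
require 'json'

# Constructed sample input: the Condition block from the "Wrong" template, in
# the Ruby shape a CloudFormation-aware YAML loader yields (assumption: the
# !Ref short form becomes {"Ref" => ...}, matching the Hash in the error).
WRONG_CONDITION = {
  'ForAnyValue:StringEquals' => {
    'kms:ResourceAliases' => [{ 'Ref' => 'RDSKMSKeyAlias' }]
  }
}.freeze

# Same block from the "Right" template: the !Ref sits directly under the key.
RIGHT_CONDITION = {
  'ForAnyValue:StringEquals' => {
    'kms:ResourceAliases' => { 'Ref' => 'RDSKMSKeyAlias' }
  }
}.freeze

# Pseudo-parameter names whose ${...} references get stripped (assumed list).
SPECIAL_CHARACTERS = %w[AWS::Partition AWS::AccountId AWS::Region].freeze

def strip_from_string(str, special_characters)
  special_characters.reduce(str) { |acc, sc| acc.gsub("${#{sc}}", '') }
end

# Hypothetical reconstruction of the failing shape (not cfn_nag's code): Hash
# values are walked, but every Array element is assumed to be a String, so an
# Array holding a {"Ref"=>...} Hash reaches String#gsub and raises NoMethodError.
def strip_naive(value, special_characters = SPECIAL_CHARACTERS)
  case value
  when Hash  then value.transform_values { |v| strip_naive(v, special_characters) }
  when Array then value.map { |v| strip_from_string(v, special_characters) }
  else strip_from_string(value, special_characters)
  end
end

# Structure-aware version: recurse through Hash and Array at any depth and
# leave non-String scalars (Integer, true/false, nil) untouched.
def strip_special_characters(value, special_characters = SPECIAL_CHARACTERS)
  case value
  when String then strip_from_string(value, special_characters)
  when Array  then value.map { |v| strip_special_characters(v, special_characters) }
  when Hash   then value.transform_values { |v| strip_special_characters(v, special_characters) }
  else value
  end
end

# Run the rule and keep any exception inside the report, so the JSON a CI
# consumer parses stays valid even when the rule blows up on odd input.
def scan_to_json(condition, stripper)
  report = { 'violations' => [], 'failures' => [] }
  begin
    report['cleaned'] = stripper.call(condition)
  rescue StandardError => e
    report['failures'] << { 'rule' => 'SPCM', 'error' => "#{e.class}: #{e.message}" }
  end
  JSON.generate(report)
end

if $PROGRAM_NAME == __FILE__
  puts scan_to_json(WRONG_CONDITION, method(:strip_naive))
  puts scan_to_json(WRONG_CONDITION, method(:strip_special_characters))
end
```

With strip_naive, the "Right" template passes and the "Wrong" one fails exactly as reported; with strip_special_characters both pass. In either case scan_to_json emits parseable JSON, with the rule failure recorded as data rather than printed ahead of the document, which is what a GitLab test-report consumer needs.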

Bumping, as this caught me out today, expecting valid JSON on stdout with -o.

I've raised a PR with the simplest fix I could see :)