feat: More granular suppressions

Description

When suppressing a rule, I would like to be able to suppress the rule only for a certain section of the resource.

Use Case

One example would be AwsSolutions-IAM5, which is triggered whenever there is a * anywhere in the policy. There are certain CDK methods, like <dynamodbTable>.grantReadWriteData(myRole), that add wildcard actions like kms:ReEncrypt*. This will trigger the nag rule, and if I suppress it, I will be unable to detect any other problems on this role that may arise in future.

Proposed Solution

It should be possible to add metadata to rule suppressions that the rules can evaluate based on their specific needs. For example:

import { NagSuppressions } from 'cdk-nag';

// Proposed: a rule-specific metadata object that the rule can evaluate,
// so only the listed wildcard action is suppressed rather than the whole rule
NagSuppressions.addResourceSuppressions(myResource, [{
  id: 'AwsSolutions-IAM5',
  reason: 'Dynamo Table Access',
  metadata: {
    allowedActions: ['kms:ReEncrypt*']
  }
}]);

I realise that the metadata field will have a different structure for different rules; maybe this can be made type safe by the rule specifying an interface or some kind of validation.

Maybe we can even have a NagSuppressionBuilder that provides a fluent API for this?

Other information

No response

Acknowledge

  • I may be able to implement this feature request
  • This feature might incur a breaking change

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 9

Top GitHub Comments

1 reaction
tkglaser commented, Feb 17, 2022

You make some excellent points and I like your suggestion of making the appliesTo a simple string array. It still covers all the use cases and is a whole lot easier. So, abandoning the ARN-like rule ids but keeping the string-array filters gives:

// API
NagSuppressions.addResourceSuppressions(myRole, [{
  id: 'AwsSolutions-IAM5',
  appliesTo: ['Action::kms:ReEncrypt*', `Resource::${myBucket.arnForObjects('*')}`],
  reason: 'My Suppressions',
}])

// CFN
"Metadata": {
  "cdk_nag": {
    "rules_to_suppress": [
      {
        "id": "AwsSolutions-IAM5",
        "applies_to": ["Action::kms:ReEncrypt*", "Resource::arn:aws:s3:::mybucket/*"],
        "reason": "My Suppressions"
      }
    ]
  }
}

This is probably as tight as we can pack this while still being human-readable. The change to the rules engine should be easy too.
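How a rules engine could honour the applies_to filter sketched above, as an added TypeScript example that is neither cdk-nag's code nor tkglaser's: the IAM5 check reports every wildcard action or resource in the same "Action::..." / "Resource::..." form, and a suppression hides only the findings it lists. The function names, the policy statement and the metadata objects are constructed for illustration.

```typescript
// Added example, not cdk-nag's own code: a minimal model of evaluating the
// proposed "applies_to" filter for AwsSolutions-IAM5. All names below are
// assumptions made for illustration, not cdk-nag APIs.

interface SuppressionRule { id: string; applies_to?: string[]; reason: string }
interface CdkNagMetadata { cdk_nag: { rules_to_suppress: SuppressionRule[] } }
interface Statement { Action: string[]; Resource: string[] }

// IAM5 check: every action or resource containing a '*' is a finding, reported
// in the same "Action::..." / "Resource::..." form that applies_to uses.
function iam5Findings(stmt: Statement): string[] {
  const findings: string[] = [];
  for (const a of stmt.Action) if (a.includes("*")) findings.push(`Action::${a}`);
  for (const r of stmt.Resource) if (r.includes("*")) findings.push(`Resource::${r}`);
  return findings;
}

// A suppression without applies_to behaves like today and hides every finding
// for the rule; with applies_to, only the listed findings are hidden and any
// other wildcard on the same role still surfaces in the report.
function unsuppressedFindings(ruleId: string, findings: string[], meta: CdkNagMetadata): string[] {
  const rules = meta.cdk_nag.rules_to_suppress.filter((r) => r.id === ruleId);
  return findings.filter((f) =>
    !rules.some((r) => r.applies_to === undefined || r.applies_to.includes(f)));
}

// Constructed statement resembling what grantReadWriteData plus an S3 grant
// produce, with one extra wildcard action (s3:*) that should not be hidden.
const statement: Statement = {
  Action: ["dynamodb:GetItem", "kms:ReEncrypt*", "s3:*"],
  Resource: ["arn:aws:dynamodb:us-east-1:123456789012:table/MyTable", "arn:aws:s3:::mybucket/*"],
};

// Granular suppression exactly as in the CFN metadata above.
const granular: CdkNagMetadata = { cdk_nag: { rules_to_suppress: [{
  id: "AwsSolutions-IAM5",
  applies_to: ["Action::kms:ReEncrypt*", "Resource::arn:aws:s3:::mybucket/*"],
  reason: "My Suppressions",
}] } };

// Blanket suppression (no applies_to), i.e. today's behaviour.
const blanket: CdkNagMetadata = { cdk_nag: { rules_to_suppress: [{
  id: "AwsSolutions-IAM5", reason: "My Suppressions" }] } };

console.log(unsuppressedFindings("AwsSolutions-IAM5", iam5Findings(statement), granular)); // ["Action::s3:*"]
console.log(unsuppressedFindings("AwsSolutions-IAM5", iam5Findings(statement), blanket));  // []
```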

1 reaction
dontirun commented, Feb 16, 2022

I like that! I think a similar approach could be applied to rules with ports, like EC2RestrictedCommonPorts, or log types in AuroraMySQLLogging.
