Description
What is the problem?
If you don't have a Redshift destination configured for a Kinesis Firehose, cfn-guard reports a KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER violation, but to suppress the error you need to use what appears to be the name of a subRule(?). Whatever is going on inside the tool, you need to use KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD to suppress the warning if no Redshift destination configuration exists.
BTW - the same incorrect behavior happens for Splunk destinations.
Reproduction Steps
Triggers the KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER warning despite suppression:
"testkinesisfirehoses3KinesisFirehose92F73280": {
  "Type": "AWS::KinesisFirehose::DeliveryStream",
  "Properties": {
    "DeliveryStreamEncryptionConfigurationInput": {
      "KeyType": "AWS_OWNED_CMK"
    },
    "DeliveryStreamName": "KinesisFirehosefhss3customLogginkettestkinesisfirehoses3C47A3354",
    "ExtendedS3DestinationConfiguration": {
      "BucketARN": {
        "Fn::GetAtt": [
          "testkinesisfirehoses3S3BucketA8942735",
          "Arn"
        ]
      },
      "BufferingHints": {
        "IntervalInSeconds": 300,
        "SizeInMBs": 5
      },
      "CloudWatchLoggingOptions": {
        "Enabled": true,
        "LogGroupName": {
          "Ref": "testkinesisfirehoses3firehoseloggroup3D11FB0D"
        },
        "LogStreamName": {
          "Ref": "testkinesisfirehoses3firehoseloggroupfirehoselogstream3C52AF00"
        }
      },
      "CompressionFormat": "GZIP",
      "EncryptionConfiguration": {
        "KMSEncryptionConfig": {
          "AWSKMSKeyARN": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":kms:",
                {
                  "Ref": "AWS::Region"
                },
                ":",
                {
                  "Ref": "AWS::AccountId"
                },
                ":alias/aws/s3"
              ]
            ]
          }
        }
      },
      "RoleARN": {
        "Fn::GetAtt": [
          "testkinesisfirehoses3KinesisFirehoseRoleB23C3E93",
          "Arn"
        ]
      }
    }
  },
  "Metadata": {
    "guard": {
      "SuppressedRules": [
        "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER",
        "KINESIS_FIREHOSE_SPLUNK_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER"
      ]
    }
  }
}
Doing this actually suppresses the KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER warning:
"testkinesisfirehoses3KinesisFirehose92F73280": {
  "Type": "AWS::KinesisFirehose::DeliveryStream",
  "Properties": {
    "DeliveryStreamEncryptionConfigurationInput": {
      "KeyType": "AWS_OWNED_CMK"
    },
    "DeliveryStreamName": "KinesisFirehosefhss3customLogginkettestkinesisfirehoses3C47A3354",
    "ExtendedS3DestinationConfiguration": {
      "BucketARN": {
        "Fn::GetAtt": [
          "testkinesisfirehoses3S3BucketA8942735",
          "Arn"
        ]
      },
      "BufferingHints": {
        "IntervalInSeconds": 300,
        "SizeInMBs": 5
      },
      "CloudWatchLoggingOptions": {
        "Enabled": true,
        "LogGroupName": {
          "Ref": "testkinesisfirehoses3firehoseloggroup3D11FB0D"
        },
        "LogStreamName": {
          "Ref": "testkinesisfirehoses3firehoseloggroupfirehoselogstream3C52AF00"
        }
      },
      "CompressionFormat": "GZIP",
      "EncryptionConfiguration": {
        "KMSEncryptionConfig": {
          "AWSKMSKeyARN": {
            "Fn::Join": [
              "",
              [
                "arn:",
                {
                  "Ref": "AWS::Partition"
                },
                ":kms:",
                {
                  "Ref": "AWS::Region"
                },
                ":",
                {
                  "Ref": "AWS::AccountId"
                },
                ":alias/aws/s3"
              ]
            ]
          }
        }
      },
      "RoleARN": {
        "Fn::GetAtt": [
          "testkinesisfirehoses3KinesisFirehoseRoleB23C3E93",
          "Arn"
        ]
      }
    }
  },
  "Metadata": {
    "guard": {
      "SuppressedRules": [
        "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_USES_SECURE_PARAMETER",
        "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD"
      ]
    }
  }
}
What did you expect to happen?
The reported error name should be the error that needs to be suppressed - you shouldn't have to go to the GitHub repo to debug the actual name.
What actually happened?
A different error name has to be suppressed.
CloudFormation Guard Version
3.1.1
OS
MacOS
OS Version
No response
Other information
No response
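The following is an added example and is not part of this issue or of cfn-guard's own rule set. It is a small Python re-implementation of the check that the KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD name describes, with the lookup in Metadata.guard.SuppressedRules done on the same name that is reported, so a user never has to hunt for a different string. The rule logic (the Password must be a `{{resolve:secretsmanager:...}}` or `{{resolve:ssm-secure:...}}` dynamic reference, or a Ref to a NoEcho parameter) is an assumption modelled on the rule name, not Guard's actual rule, and the templates, logical IDs and ARNs are constructed for the example. It shows the behaviour the report expects: a stream with only an S3 destination is skipped rather than flagged, and every finding carries exactly the string that goes into SuppressedRules.

```python
import re
from typing import Any, Dict, List, NamedTuple

# One name for both reporting and suppression (assumption: this is how a user
# would expect the reported name and the suppressible name to relate).
RULE = "KINESIS_FIREHOSE_REDSHIFT_DESTINATION_CONFIGURATION_NO_PLAINTEXT_PASSWORD"

# CloudFormation dynamic references that are resolved at deploy time, so the
# secret never appears in the template body.
DYNAMIC_SECRET_REF = re.compile(r"^\{\{resolve:(secretsmanager|ssm-secure):.+\}\}$")


class Finding(NamedTuple):
    logical_id: str
    rule: str
    status: str   # PASS, FAIL, SKIP or SUPPRESSED
    message: str


def password_is_secure(password: Any, parameters: Dict[str, Any]) -> bool:
    """Treat a dynamic secret reference or a Ref to a NoEcho parameter as secure."""
    if isinstance(password, str):
        return DYNAMIC_SECRET_REF.match(password) is not None
    if isinstance(password, dict) and "Ref" in password:
        return bool(parameters.get(password["Ref"], {}).get("NoEcho", False))
    return False


def evaluate(template: Dict[str, Any]) -> List[Finding]:
    """Evaluate RULE against every AWS::KinesisFirehose::DeliveryStream in a template."""
    findings: List[Finding] = []
    parameters = template.get("Parameters", {})
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::KinesisFirehose::DeliveryStream":
            continue
        suppressed = resource.get("Metadata", {}).get("guard", {}).get("SuppressedRules", [])
        if RULE in suppressed:
            findings.append(Finding(logical_id, RULE, "SUPPRESSED",
                                    "suppressed via Metadata.guard.SuppressedRules"))
            continue
        redshift = resource.get("Properties", {}).get("RedshiftDestinationConfiguration")
        if redshift is None:
            # No Redshift destination: there is no password to inspect, so the
            # rule must not fire (the situation the issue describes).
            findings.append(Finding(logical_id, RULE, "SKIP",
                                    "no RedshiftDestinationConfiguration; nothing to check"))
            continue
        if password_is_secure(redshift.get("Password"), parameters):
            findings.append(Finding(logical_id, RULE, "PASS",
                                    "Password is a dynamic reference or NoEcho parameter"))
        else:
            findings.append(Finding(logical_id, RULE, "FAIL",
                                    "Password is a plaintext literal; use a dynamic "
                                    "reference or suppress with " + RULE))
    return findings


def status_by_id(template: Dict[str, Any]) -> Dict[str, str]:
    return {f.logical_id: f.status for f in evaluate(template)}


# Constructed sample templates (not from the issue).
def redshift_stream(password: Any, suppress: bool = False) -> Dict[str, Any]:
    resource: Dict[str, Any] = {
        "Type": "AWS::KinesisFirehose::DeliveryStream",
        "Properties": {
            "RedshiftDestinationConfiguration": {
                "ClusterJDBCURL": "jdbc:redshift://example.us-east-1.redshift.amazonaws.com:5439/db",
                "Username": "firehose",
                "Password": password,
                "RoleARN": "arn:aws:iam::123456789012:role/firehose-role",
            }
        },
    }
    if suppress:
        resource["Metadata"] = {"guard": {"SuppressedRules": [RULE]}}
    return resource


S3_ONLY_TEMPLATE = {
    "Resources": {
        "S3Stream": {
            "Type": "AWS::KinesisFirehose::DeliveryStream",
            "Properties": {
                "ExtendedS3DestinationConfiguration": {
                    "BucketARN": "arn:aws:s3:::example-bucket",
                    "RoleARN": "arn:aws:iam::123456789012:role/firehose-role",
                }
            },
        }
    }
}

REDSHIFT_TEMPLATE = {
    "Parameters": {"DbPassword": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "PlaintextStream": redshift_stream("hunter2"),
        "SecretsManagerStream": redshift_stream(
            "{{resolve:secretsmanager:firehose/redshift:SecretString:password}}"),
        "NoEchoStream": redshift_stream({"Ref": "DbPassword"}),
        "SuppressedStream": redshift_stream("hunter2", suppress=True),
    },
}

if __name__ == "__main__":
    for template in (S3_ONLY_TEMPLATE, REDSHIFT_TEMPLATE):
        for f in evaluate(template):
            print(f"{f.status:10} {f.logical_id:22} {f.rule}: {f.message}")
```

Running the block prints one line per delivery stream; the S3-only stream comes out as SKIP, and the FAIL line names the rule string that the suppression list accepts, which is the property the issue asks for.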