
✨ Add missing AWS runtime and CloudFormation check variants#2734

Open
tas50 wants to merge 6 commits into
mainfrom
add-missing-aws-cfn-variants

Conversation


@tas50 tas50 commented Jun 8, 2026

Member

Summary

Fills in missing variants across mondoo-aws-security.mql.yaml so checks run against the live AWS runtime and CloudFormation templates, not only Terraform assets. Started from the three checks flagged manually, then swept the policy with inspect-policies.py for other genuinely-addable variants.

New variants

| Check | Added |
| --- | --- |
| route53-resolver-query-logging-enabled | aws runtime + cloudformation |
| datasync-task-cloudwatch-logging-encryption | cloudformation |
| ecr-no-public-access | cloudformation |
| eks-cluster-private-controlplane | cloudformation |
| cloudfront-sni-only | cloudformation |
| rds-cluster-parameter-group-ssl | cloudformation |
| eks-nodegroup-encrypted-volumes | cloudformation |

Each new cloudformation variant lines up with an existing `id: cloudformation` remediation entry; route53-resolver and datasync also gained the matching CloudFormation remediation block.

Fixes pulled in along the way

  • Removed a stale comment that claimed the provider doesn't expose Route 53 Resolver query log configs. It does (`aws.route53.resolver.queryLogConfigAssociations`), so the runtime variant is now real.
  • Fixed two CloudFormation remediation property-name bugs found while verifying against the real CFN spec:
    • AWS::EKS::Cluster: `ResourcesVpcConfig` (was `VpcConfig`)
    • AWS::CloudFront::Distribution ViewerCertificate: `SslSupportMethod` (was `SSLSupportMethod`)
  • Reworded "cnquery" → "mql" in all the `# No runtime variant:` comments, and removed a duplicate Kinesis Video comment.

Intentionally not added

These were flagged by the script but are genuinely not addable, and stay documented in-line:

  • kinesis-video-stream-cmk-encryption (aws) — the mql aws.kinesis resource exposes only Data Streams/Firehose, not Kinesis Video.
  • datasync-task-... (aws) — no DataSync resource in the provider.
  • ssm-document-not-public (CFN) — document sharing isn't a CloudFormation property.
  • ec2-snapshot-not-public (CFN) — no CloudFormation snapshot-sharing resource.
  • ec2-launch-template-no-secrets (CFN) — UserData is base64-encoded in CloudFormation, so the secret-detection regexes can't match.
  • cloudfront-trust-store-not-empty (CFN) — no corresponding CloudFormation resource type.

Many other "MISSING aws" rows from the script are false positives: the runtime variant exists under a resource-specific suffix (-distribution, -cluster) the script doesn't recognize.

Test plan

  • cnspec policy lint content/mondoo-aws-security.mql.yaml → valid policy bundle (only pre-existing query-deprecated-symbol warnings remain).

🤖 Generated with Claude Code

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and minor fixes; one check has a potential false-negative logic issue.


github-actions Bot commented Jun 8, 2026

Contributor

Test Results

  1 files  ±0   44 suites  ±0   1m 24s ⏱️ -15s
854 tests ±0  853 ✅ ±0  1 💤 ±0  0 ❌ ±0 
855 runs  ±0  854 ✅ ±0  1 💤 ±0  0 ❌ ±0 

Results for commit 5ac05ff. ± Comparison against base commit 5c0d2f3.



tas50 commented Jun 8, 2026

Member Author

Addressed the review feedback in 2aa6c25:

  • ECR Statement guard (ecr-no-public-access-cloudformation): added properties['RepositoryPolicyText']['Statement'] == empty || ahead of .none(...), so a repository policy with no Statement passes instead of evaluating .none() against a missing/null key.
  • EKS node group launch-template scope: added a comment documenting that the CloudFormation variant inspects every launch template in the stack — matching the existing Terraform hcl/plan/state variants, which also scan all aws_launch_template resources. Narrowing to only EKS-referenced templates would require cross-resource correlation that none of the variants do, and would diverge from the runtime/Terraform behavior, so I documented the scope rather than changing it.
  • CloudFront SslSupportMethod casing: confirmed — the MQL check uses properties['DistributionConfig']['ViewerCertificate']['SslSupportMethod'] (matching the CloudFormation property). The remaining SSLSupportMethod occurrences are in CLI/API --query strings, where the AWS API field genuinely is SSLSupportMethod; only the CloudFormation property name differs. No change needed there (thanks @tas50 for confirming).

cnspec policy lint remains clean.
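The three CloudFormation checks discussed in this thread (the ECR `Statement` guard, the CloudFront `SslSupportMethod` casing with the default-certificate case, and the launch-template EBS encryption scan) are easiest to reason about as plain functions over a parsed template. The block below is an added illustration written for this page, not the policy's MQL or any Mondoo code: the template is constructed, the verdict strings and helper names are mine, and treating a wildcard principal with a `Condition` as non-public is my assumption. It goes one step beyond the MQL by surfacing string-form repository policies as `unevaluated` rather than letting them pass silently, and by making the "no `BlockDeviceMappings`" outcome an explicit switch.

```python
"""Reference evaluation of three CloudFormation checks from this PR as plain
Python over a parsed template dict. Added illustration, not the policy's MQL
or Mondoo code; the template below is constructed for the example."""
import json

# Constructed CloudFormation template (already parsed from JSON/YAML).
TEMPLATE = {"Resources": {
    # Public repository policy: wildcard principal, no condition.
    "PublicRepo": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryPolicyText": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": ["ecr:BatchGetImage"]}]}}},
    # Policy object present but no Statement key: the guard added in this
    # PR makes this pass instead of running none() against a null key.
    "EmptyPolicyRepo": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryPolicyText": {"Version": "2012-10-17"}}},
    # String-form policy: cannot be inspected structurally.
    "StringPolicyRepo": {"Type": "AWS::ECR::Repository", "Properties": {
        "RepositoryPolicyText": json.dumps({"Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "ecr:*"}]})}},
    # Default CloudFront certificate: SslSupportMethod is absent by design.
    "DefaultCertDist": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"ViewerCertificate": {"CloudFrontDefaultCertificate": True}}}},
    "VipDist": {"Type": "AWS::CloudFront::Distribution", "Properties": {
        "DistributionConfig": {"ViewerCertificate": {
            "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
            "SslSupportMethod": "vip"}}}},
    "EncryptedLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
        "LaunchTemplateData": {"BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"Encrypted": True}}]}}},
    # Relies on AMI-default mappings: no BlockDeviceMappings at all.
    "NoMappingsLT": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
        "LaunchTemplateData": {"ImageId": "ami-0123456789abcdef0"}}},
}}


def resources_of(template, rtype):
    """Properties of every resource of the given CloudFormation type."""
    return {name: r.get("Properties", {})
            for name, r in template.get("Resources", {}).items()
            if r.get("Type") == rtype}


def is_public_principal(stmt):
    p = stmt.get("Principal")
    if p == "*":
        return True
    if isinstance(p, dict):
        aws = p.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def ecr_no_public_access(template):
    """{logical_id: 'pass' | 'fail' | 'unevaluated'} for every ECR repository."""
    out = {}
    for name, props in resources_of(template, "AWS::ECR::Repository").items():
        policy = props.get("RepositoryPolicyText")
        if policy in (None, {}, ""):
            out[name] = "pass"            # no policy at all: private by default
        elif isinstance(policy, str):
            out[name] = "unevaluated"     # surface instead of silently passing
        elif not policy.get("Statement"):
            out[name] = "pass"            # the Statement == empty guard from this PR
        else:
            stmts = policy["Statement"]
            stmts = stmts if isinstance(stmts, list) else [stmts]
            # Assumption: a wildcard principal behind a Condition is not "public".
            public = any(s.get("Effect") == "Allow" and is_public_principal(s)
                         and "Condition" not in s for s in stmts)
            out[name] = "fail" if public else "pass"
    return out


def cloudfront_sni_only(template):
    """Pass default-certificate distributions; otherwise require sni-only."""
    out = {}
    for name, props in resources_of(template, "AWS::CloudFront::Distribution").items():
        vc = props.get("DistributionConfig", {}).get("ViewerCertificate", {})
        if vc.get("CloudFrontDefaultCertificate"):
            out[name] = "pass"            # SNI does not apply to the default cert
        else:
            out[name] = "pass" if vc.get("SslSupportMethod") == "sni-only" else "fail"
    return out


def launch_template_ebs_encrypted(template, omitted_is_failure=True):
    """omitted_is_failure=True mirrors the check's `BlockDeviceMappings != empty`
    requirement; False filters such templates out as 'skipped' instead."""
    out = {}
    for name, props in resources_of(template, "AWS::EC2::LaunchTemplate").items():
        mappings = props.get("LaunchTemplateData", {}).get("BlockDeviceMappings")
        if not mappings:
            out[name] = "fail" if omitted_is_failure else "skipped"
            continue
        # Every mapping must carry an Ebs block with Encrypted: true.
        ok = all(m.get("Ebs", {}).get("Encrypted") is True for m in mappings)
        out[name] = "pass" if ok else "fail"
    return out


if __name__ == "__main__":
    for check in (ecr_no_public_access, cloudfront_sni_only, launch_template_ebs_encrypted):
        print(check.__name__, check(TEMPLATE))
```

Running the block prints one verdict map per check. The `unevaluated` verdict is the part worth carrying back into MQL: a policy supplied as a JSON string is exactly the case where a structural `.none()` can neither confirm nor deny public access, so reporting it is safer than a pass.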

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and runtime checks with minor correctness concerns


tas50 commented Jun 8, 2026

Member Author

/review

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and bug fixes for AWS property names; one check only verifies logging presence but not the encryption requirement stated in its title.

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from 2aa6c25 to 796189e Compare June 10, 2026 14:53

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and runtime checks with minor issues in the CloudFront SNI check and a naming inconsistency.

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from 796189e to a271bfd Compare June 11, 2026 05:33

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and runtime checks with minor correctness concerns


@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from a271bfd to af3f4cf Compare June 11, 2026 05:48

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and AWS runtime checks with minor correctness concerns

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from af3f4cf to 2f7cee1 Compare June 11, 2026 05:51

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured PR adding CloudFormation check variants and fixing property names; one check title mismatch and a minor logic concern worth noting.

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from 2f7cee1 to 61074d3 Compare June 12, 2026 14:48

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and AWS runtime checks with minor correctness concerns


@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and AWS runtime checks with minor correctness concerns

Additional findings (file/line not in diff):

  • 🔵 content/mondoo-aws-security.mql.yaml:48549 — The CloudFormation DataSync task check only verifies CloudWatchLogGroupArn != empty but the check title says "logging encryption". Unlike the Terraform variant which can cross-reference the log group's KMS key, this CloudFormation variant doesn't verify the referenced log group actually uses a CMK. Consider adding a comment noting this limitation, or cross-checking AWS::Logs::LogGroup resources for KmsKeyId.


@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and AWS runtime checks with minor correctness concerns

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from 0616914 to f3eca24 Compare June 18, 2026 05:04

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and AWS runtime checks with minor issues

Additional findings (file/line not in diff):

  • 🔵 content/mondoo-aws-security.mql.yaml:67700 — The Route 53 Resolver runtime check uses a string-join trick ("," + ... + ",") to avoid substring false positives. This is clever but fragile — if VPC IDs ever contain commas or if the API returns unexpected whitespace, it could break. Consider adding a brief inline comment explaining this assumption (that VPC IDs are always vpc-xxxx format with no commas/spaces).
  • 🔵 content/mondoo-aws-security.mql.yaml:48977 — The EKS nodegroup encrypted volumes CloudFormation check flags all AWS::EC2::LaunchTemplate resources, not just those referenced by EKS node groups. The comment explains this intentional design, which is good. Just noting that this is a broader scope than the check title implies — users may get unexpected findings for non-EKS launch templates.

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from f3eca24 to 61d521e Compare June 21, 2026 04:07

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured PR adding CloudFormation check variants and a Route 53 runtime check, with minor correctness concerns


@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and minor fixes; one check only verifies logging presence but not encryption as the title promises.

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch 2 times, most recently from f632f96 to fa63f36 Compare June 24, 2026 16:05

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and bug fixes; one check name doesn't match its stated purpose.

@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch 2 times, most recently from 58d5925 to 9cc03e2 Compare June 26, 2026 21:16

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and bug fixes for AWS security policies

tas50 and others added 6 commits June 29, 2026 10:22
Fill in missing variants across the AWS security policy so checks run
against the live AWS runtime and CloudFormation templates, not just
Terraform assets.

New variants:
- route53-resolver-query-logging-enabled: aws runtime + cloudformation
- datasync-task-cloudwatch-logging-encryption: cloudformation
- ecr-no-public-access: cloudformation
- eks-cluster-private-controlplane: cloudformation
- cloudfront-sni-only: cloudformation
- rds-cluster-parameter-group-ssl: cloudformation
- eks-nodegroup-encrypted-volumes: cloudformation

Also:
- Remove a stale comment claiming the provider doesn't expose Route 53
  Resolver query log configs (it does, via aws.route53.resolver).
- Fix two CloudFormation remediation property-name bugs: AWS::EKS::Cluster
  uses ResourcesVpcConfig (not VpcConfig); AWS::CloudFront::Distribution
  ViewerCertificate uses SslSupportMethod (not SSLSupportMethod).
- Reword "cnquery" -> "mql" in all No-runtime-variant comments and drop a
  duplicate Kinesis Video comment.

Kinesis Video Streams and DataSync have no aws runtime variant because the
mql aws provider exposes neither resource; both are documented in comments.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- ecr-no-public-access CloudFormation variant: also pass when
  RepositoryPolicyText has no Statement, so .none() never runs against a
  missing/null Statement key.
- eks-nodegroup-encrypted-volumes CloudFormation variant: document that it
  inspects every launch template (matching the existing Terraform variants),
  not only EKS-referenced ones.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Rewrite the Route 53 resolver query-logging runtime check to use a
proper list-membership test (`id.in(loggedVpcIds)`) instead of a
comma-delimited string with `contains`, eliminating the false-match
risk when an association resourceId is empty.

Allow the CloudFront SNI CloudFormation check to pass distributions
that use the default CloudFront certificate, where `SslSupportMethod`
is absent because SNI does not apply.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@tas50 tas50 force-pushed the add-missing-aws-cfn-variants branch from 9cc03e2 to 5ac05ff Compare June 29, 2026 17:22

@mondoo-code-review mondoo-code-review Bot left a comment


Well-structured addition of CloudFormation check variants and runtime queries with minor correctness concerns

@@ -52475,7 +52544,7 @@ queries:
DistributionConfig:
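Review bot: only the `DistributionConfig:` context line of this remediation hunk is visible here, so the rename itself cannot be checked from the diff; since the same check keeps `SSLSupportMethod` in its CLI/API `--query` strings (correct for the API field) while the CloudFormation property is `SslSupportMethod`, add a one-line comment beside the remediation YAML stating that the two casings are intentional, so the next property-name sweep does not "fix" one back to the other.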


🟡 warning — The remediation example changed SSLSupportMethod to SslSupportMethod, and the new check at line 52583 uses SslSupportMethod. The actual CloudFormation property name is SslSupportMethod, so this fix is correct — just flagging that this is a breaking change to the remediation docs for anyone who copy-pasted the old example.

Comment on lines +49755 to +49757
properties['RepositoryPolicyText'] == empty ||
properties['RepositoryPolicyText']['Statement'] == empty ||
properties['RepositoryPolicyText']['Statement'].none(


🔵 suggestion — The ECR public-access check passes when RepositoryPolicyText is empty OR Statement is empty. This means a repository with no policy at all is considered compliant, which is the right default. However, the comment notes that string-form policies "pass through unevaluated" — this is a silent false-negative. Consider adding a guard that fails if RepositoryPolicyText is a non-empty value but Statement is absent (i.e., it's likely a string), so users get a warning rather than a silent pass.

Comment on lines +25415 to +25421
mql: |
cloudformation.template.resources.where(type == "AWS::EC2::LaunchTemplate").all(
properties['LaunchTemplateData']['BlockDeviceMappings'] != empty &&
properties['LaunchTemplateData']['BlockDeviceMappings'].all(
_['Ebs'] != empty &&
_['Ebs']['Encrypted'] == true
)


🔵 suggestion — The EKS nodegroup encrypted volumes CloudFormation check requires BlockDeviceMappings != empty, meaning a launch template that omits BlockDeviceMappings entirely will fail. Some launch templates legitimately rely on AMI-default block device mappings. If the intent is to only flag templates that have explicit unencrypted mappings, consider making BlockDeviceMappings != empty part of a filter rather than a failure condition, or document that omission is intentionally treated as non-compliant.

- uid: mondoo-aws-security-route53-resolver-query-logging-enabled-aws
tags:
mondoo.com/filter-title: AWS Account
mondoo.com/filter-icon: aws


🔵 suggestion — The new Route 53 runtime check aws.vpcs.all(id.in(loggedVpcIds)) requires every VPC to have an active query log association. This is a strict posture — default VPCs or utility VPCs that carry no workloads will cause failures. This may be intentional, but worth documenting or noting in the check description so users understand the scope.
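The runtime check the reviewer is describing, `aws.vpcs.all(id.in(loggedVpcIds))`, and the substring formulation it replaced in an earlier revision of this branch, are shown below as plain Python over API-shaped records. This is an added illustration for this page, not the policy's MQL or Mondoo code: the `DescribeVpcs` and `ListResolverQueryLogConfigAssociations` records are constructed (the third VPC id is deliberately a prefix of the others), and both the `Status == "ACTIVE"` filter and the `exempt` allowlist for default or utility VPCs are my assumptions rather than behaviour of the check.

```python
"""Added illustration of the Route 53 Resolver query-logging coverage check
as plain Python over API-shaped data. Records are constructed; the ACTIVE
filter and the exempt allowlist are assumptions, not policy behaviour."""

# Constructed DescribeVpcs output (only the fields the check needs).
VPCS = [
    {"VpcId": "vpc-0a1b2c3d4e5f60001", "IsDefault": True},
    {"VpcId": "vpc-0a1b2c3d4e5f60002", "IsDefault": False},
    {"VpcId": "vpc-0a1b2c3d4e5f6000", "IsDefault": False},   # contrived prefix id
]

# Constructed ListResolverQueryLogConfigAssociations output.
ASSOCIATIONS = [
    {"Id": "rqlca-1", "ResourceId": "vpc-0a1b2c3d4e5f60002", "Status": "ACTIVE"},
    {"Id": "rqlca-2", "ResourceId": "vpc-0a1b2c3d4e5f60001", "Status": "DELETING"},
    {"Id": "rqlca-3", "ResourceId": "", "Status": "ACTIVE"},  # malformed record
]


def logged_vpc_ids(associations, active_only=True):
    """VPC ids that currently have a query-log config association.
    Empty ResourceIds are dropped so they can never satisfy a lookup."""
    return {a["ResourceId"] for a in associations
            if a.get("ResourceId")
            and (not active_only or a.get("Status") == "ACTIVE")}


def unlogged_vpcs(vpcs, associations, exempt=()):
    """Membership form of `aws.vpcs.all(id.in(loggedVpcIds))`, returning the
    offending ids so a finding can name them. `exempt` is an assumed
    allowlist for VPCs that carry no workloads (not part of the check)."""
    logged = logged_vpc_ids(associations)
    return sorted(v["VpcId"] for v in vpcs
                  if v["VpcId"] not in logged and v["VpcId"] not in exempt)


def unlogged_vpcs_substring(vpcs, associations):
    """Substring formulation, kept only to show why membership is preferable:
    it ignores Status, and a VPC id that is a prefix of a logged id matches."""
    joined = ",".join(a.get("ResourceId", "") for a in associations)
    return sorted(v["VpcId"] for v in vpcs if v["VpcId"] not in joined)


if __name__ == "__main__":
    print("membership:", unlogged_vpcs(VPCS, ASSOCIATIONS))
    print("substring :", unlogged_vpcs_substring(VPCS, ASSOCIATIONS))
    print("exempting default VPC:",
          unlogged_vpcs(VPCS, ASSOCIATIONS, exempt={"vpc-0a1b2c3d4e5f60001"}))
```

On this input the membership form reports the VPC whose association is still `DELETING` and the prefix VPC, while the substring form reports nothing at all. Whether the strict "every VPC" posture is right is a policy decision, as the reviewer says; the `exempt` parameter is one way to express it without weakening the check for workload VPCs.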
