adds cfn guard checks

.github/workflows/cfn-guard.yml

@@ -0,0 +1,18 @@
+name: CloudFormation Guard Validate
+
+on:
+  pull_request:
+
+jobs:
+  guard:
+    runs-on: ubuntu-latest
+    permissions:
+      # only required when create-review is true (default)
+      pull-requests: write
+    name: CloudFormation Guard validate
+    steps:
+      - name: CloudFormation Guard validate
+        uses: aws-cloudformation/[email protected]
+        with:
+          rules: './cfn-guard-rules/'
+          data: './MultiAccountApplication/'

MultiAccountApplication/ccft-org-read-role/ccft-role/ccft-read-role.yaml

@@ -14,6 +14,11 @@ Parameters:
 Resources:
   CCFTReadAccountDataRole:
     Type: 'AWS::IAM::Role'
+    Metadata:
+      guard:
+        SuppressedRules:
+          # we don't need to reuse the policy in other roles and inline it
+          - IAM_NO_INLINE_POLICY_CHECK
     Properties:
       RoleName:
         !Ref CCFTReadDataRole

MultiAccountApplication/template.yaml

@@ -47,22 +47,83 @@ Resources:
 
   CarbonEmissionsDataBucket:
     Type: AWS::S3::Bucket
+    Metadata:
+      guard:
+        SuppressedRules:
+        # We neither log nor version the bucket for the code sample to reduce storage.
+        # Do versioning and lifecycling of deleted versions as needed.
+        - S3_BUCKET_LOGGING_ENABLED
+        - S3_BUCKET_VERSIONING_ENABLED
     Properties:
       BucketName: !Sub "${AWS::AccountId}-${AWS::Region}-${CarbonEmissionsDataBucketName}"
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  CarbonEmissionsDataBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref CarbonEmissionsDataBucket
+      PolicyDocument:
+        Statement:
+          - Effect: Deny
+            Principal: "*"
+            Action: "s3:*"
+            Resource: "*"
+            Condition:
+              Bool:
+                aws:SecureTransport: false
 
   # -------------------------------------------------------------------------------------------------------------------
   # Create an S3 bucket to be used as Athena output location, with a retention time of files of 1 day.
   # -------------------------------------------------------------------------------------------------------------------
 
   AthenaResultBucket:
     Type: AWS::S3::Bucket
+    Metadata:
+      guard:
+        SuppressedRules:
+        # We neither log nor version the bucket for the code sample to reduce storage.
+        # Do versioning and lifecycling of deleted versions as needed.
+        - S3_BUCKET_LOGGING_ENABLED
+        - S3_BUCKET_VERSIONING_ENABLED
     Properties:
       BucketName: !Sub "${AWS::AccountId}-${AWS::Region}-athenaresults"
       LifecycleConfiguration:
         Rules:
           - Id: DeleteAfterOneDay
             Status: Enabled
             ExpirationInDays: 1
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  AthenaResultBucketPolicy:
+    Type: AWS::S3::BucketPolicy
+    Properties:
+      Bucket: !Ref AthenaResultBucket
+      PolicyDocument:
+        Statement:
+          - Effect: Deny
+            Principal: "*"
+            Action: "s3:*"
+            Resource: "*"
+            Condition:
+              Bool:
+                aws:SecureTransport: false
+
 
   # -------------------------------------------------------------------------------------------------------------------
   # Create an AWS Step Function State Machine and a EventBridge rule to trigger the Step Functions workflow.
@@ -132,6 +193,12 @@ Resources:
 
   GetAccountIDsFunctionLogGroup:
     Type: AWS::Logs::LogGroup
+    Metadata:
+      guard:
+        SuppressedRules:
+        # Log group data is always encrypted in CloudWatch Logs.
+        # By default, CloudWatch Logs uses server-side encryption for the log data at rest.
+        - CLOUDWATCH_LOG_GROUP_ENCRYPTED
     Properties:
       LogGroupName: !Sub "/aws/lambda/${GetAccountIDsFunction}"
       RetentionInDays: 1
@@ -170,6 +237,12 @@ Resources:
 
   CheckFirstInvocationFunctionLogGroup:
     Type: AWS::Logs::LogGroup
+    Metadata:
+      guard:
+        SuppressedRules:
+        # Log group data is always encrypted in CloudWatch Logs.
+        # By default, CloudWatch Logs uses server-side encryption for the log data at rest.
+        - CLOUDWATCH_LOG_GROUP_ENCRYPTED
     Properties:
       LogGroupName: !Sub "/aws/lambda/${CheckFirstInvocationFunction}"
       RetentionInDays: 1
@@ -213,6 +286,12 @@ Resources:
 
   ExtractCarbonEmissionsFunctionLogGroup:
     Type: AWS::Logs::LogGroup
+    Metadata:
+      guard:
+        SuppressedRules:
+        # Log group data is always encrypted in CloudWatch Logs.
+        # By default, CloudWatch Logs uses server-side encryption for the log data at rest.
+        - CLOUDWATCH_LOG_GROUP_ENCRYPTED
     Properties:
       LogGroupName: !Sub "/aws/lambda/${ExtractCarbonEmissionsFunction}"
       RetentionInDays: 1