cfsec
v0.3.2
️ تم دمج منطق المسح السحابية الآن مع Aquasecurity Trivy. لن يتم الحفاظ على CFSEC كماسح ضوئي بذاتها وينبغي استخدام Trivy
يقوم CFSEC بمسح ملفات تكوين YAML أو JSON CloudFormation الخاصة بك لتكوين أمنية الأمان الشائعة.
brew tap cfsec/cfsecchoco install cfsecscoop install cfsecgo install github.com/aquasecurity/cmd/cfsec@latestبالنظر إلى ملف تكوين CloudFormation أدناه ؛
---
AWSTemplateFormatVersion : " 2010-09-09 "
Description : An example Stack for a bucket
Parameters :
BucketName :
Type : String
Default : naughty-bucket
EncryptBucket :
Type : Boolean
Default : false
Resources :
S3Bucket :
Type : ' AWS::S3::Bucket '
Properties :
BucketName :
Ref : BucketName
PublicAccessBlockConfiguration :
BlockPublicAcls : false
BlockPublicPolicy : false
IgnorePublicAcls : true
RestrictPublicBuckets : false
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : !Ref EncryptBucket تشغيل الأمر cfsec example.yaml
سيكون الإخراج
Result 1
[aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false [false]
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: PUT calls with public ACLs specified can make objects public
Resolution: Enable blocking any PUT calls with a public ACL specified
More Info:
- https://cfsec.dev/docs/s3/block-public-acls/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
Result 2
[aws-s3-block-public-policy][HIGH] Public access block does not block public policies
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false [false]
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Users could put a policy that allows public access
Resolution: Prevent policies that allow public access being PUT
More Info:
- https://cfsec.dev/docs/s3/block-public-policy/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
Result 3
[aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket [false]
24 |
Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
Result 4
[aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-logging/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Result 5
[aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification
More Info:
- https://cfsec.dev/docs/s3/enable-versioning/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
Result 6
[aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false [false]
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Public buckets can be accessed by anyone
Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)
More Info:
- https://cfsec.dev/docs/s3/no-public-buckets/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
6 potential problems detected.
يقوم CFSEC بمسح تكوينات مكدس ملفات واحدة بدعم للمعلمات والتعيينات والموارد.
تتوفر تجاهل في تكوينات YAML فقط.
لإضافة تجاهل إلى مورد - على خط الشيك ، أضف التجاهل.
على سبيل المثال ، لتجاهل أخطاء تشفير دلو S3 ، قد تستخدم
---
Resources :
UnencrypedBucketWithIgnore :
Type : AWS::S3::Bucket
Properties :
AccessControl : Private
BucketName : unencryptedbits
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : false # cfsec:ignore:aws-s3-enable-bucket-encryption
لا يتم دعم جميع الوظائف الجوهرية لل CloudFormation ، ونحن نغطي القائمة أدناه
Ref
Fn::Base64
Fn::Equals
Fn::FindInMap
Fn::GetAtt
Fn::Join
Fn::Select
Fn::Split
Fn::Sub
في تكوينات YAML ، يدعم CFSEC كلا القياسيين ترميزًا قصيرًا أي ؛ !Base64 أو Fn::Base64
ImportValue الوصول إلى حساب AWS الذي لم يتم دعمه حاليًاGetAtt ساذج للغاية. ليس لدينا رؤية لقيم السمات ، لذا فهو أفضل جهدCFSEC مراحل مبكرة للغاية ، ونحن ملتزمون بجعلها أفضل ما يمكن أن يكون. يرجى إثارة القضايا أو الاقتراحات من خلال قضايا جيثب أو المناقشة حسب الاقتضاء.
cfsec هو مشروع Open Source Security Aqua. تعرف على عملنا مفتوح المصدر ومحفظة هنا. انضم إلى المجتمع ، وتحدث إلينا عن أي مسألة في مناقشة جيثب أو الركود.
