The CloudFormation scanning logic is now integrated into Aqua Security Trivy. CFSEC will no longer be maintained as a standalone scanner, and Trivy should be used instead.

CFSEC scans your CloudFormation YAML or JSON configuration files for common security misconfigurations.
Installation:

brew tap cfsec/cfsec
choco install cfsec
scoop install cfsec
go install github.com/aquasecurity/cfsec/cmd/cfsec@latest

Given the CloudFormation configuration file below:
---
AWSTemplateFormatVersion: "2010-09-09"
Description: An example Stack for a bucket
Parameters:
  BucketName:
    Type: String
    Default: naughty-bucket
  EncryptBucket:
    Type: Boolean
    Default: false
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        Ref: BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: true
        RestrictPublicBuckets: false
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: !Ref EncryptBucket

Running the command cfsec example.yaml
The output would be:
Result 1
[aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false [false]
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: PUT calls with public ACLs specified can make objects public
Resolution: Enable blocking any PUT calls with a public ACL specified
More Info:
- https://cfsec.dev/docs/s3/block-public-acls/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
Result 2
[aws-s3-block-public-policy][HIGH] Public access block does not block public policies
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false [false]
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Users could put a policy that allows public access
Resolution: Prevent policies that allow public access being PUT
More Info:
- https://cfsec.dev/docs/s3/block-public-policy/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
Result 3
[aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket [false]
24 |
Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
Result 4
[aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-logging/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Result 5
[aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification
More Info:
- https://cfsec.dev/docs/s3/enable-versioning/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
Result 6
[aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false [false]
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Public buckets can be accessed by anyone
Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)
More Info:
- https://cfsec.dev/docs/s3/no-public-buckets/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
6 potential problems detected.
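To show what the six S3 checks in the output above actually test, here is an added example (not cfsec's own code) that evaluates the same rules against the JSON form of the page's template, resolving Ref to the Parameter Default the way the BucketKeyEnabled finding does, and then re-runs them against a copy with each Resolution applied. The template literal is a constructed JSON rendering of the YAML above; the log bucket name in hardened() is a constructed placeholder.

```python
import json
# Constructed JSON form of the page's example template (CloudFormation also accepts JSON).
TEMPLATE = json.loads("""{
  "Parameters": {"BucketName": {"Type": "String", "Default": "naughty-bucket"},
                 "EncryptBucket": {"Type": "Boolean", "Default": false}},
  "Resources": {"S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
    "BucketName": {"Ref": "BucketName"},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": false, "BlockPublicPolicy": false,
                                       "IgnorePublicAcls": true, "RestrictPublicBuckets": false},
    "BucketEncryption": {"ServerSideEncryptionConfiguration": [
      {"BucketKeyEnabled": {"Ref": "EncryptBucket"}}]}}}}}""")

def resolve(value, params):
    # {"Ref": name} resolves to that Parameter's Default; any other value passes through.
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return params.get(value["Ref"], {}).get("Default")
    return value

def s3_findings(template):
    # Returns (resource, rule id, severity) per failing check, mirroring the six S3 rules above.
    params, findings = template.get("Parameters", {}), []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        p = res.get("Properties", {})
        pab = p.get("PublicAccessBlockConfiguration", {})
        sse = p.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
        encrypted = any("ServerSideEncryptionByDefault" in r
                        or resolve(r.get("BucketKeyEnabled"), params) is True for r in sse)
        checks = {  # rule id -> (severity, check passed?)
            "aws-s3-block-public-acls": ("HIGH", resolve(pab.get("BlockPublicAcls"), params) is True),
            "aws-s3-block-public-policy": ("HIGH", resolve(pab.get("BlockPublicPolicy"), params) is True),
            "aws-s3-no-public-buckets": ("HIGH", resolve(pab.get("RestrictPublicBuckets"), params) is True),
            "aws-s3-enable-bucket-encryption": ("HIGH", encrypted),
            "aws-s3-enable-bucket-logging": ("MEDIUM", "LoggingConfiguration" in p),
            "aws-s3-enable-versioning": ("MEDIUM", p.get("VersioningConfiguration", {}).get("Status") == "Enabled"),
        }
        findings += [(name, rule, sev) for rule, (sev, ok) in checks.items() if not ok]
    return findings

def hardened(template):
    # Deep copy of the template with the six Resolutions from the scan output applied.
    t = json.loads(json.dumps(template))
    p = t["Resources"]["S3Bucket"]["Properties"]
    p["PublicAccessBlockConfiguration"] = dict.fromkeys(
        ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"), True)
    p["BucketEncryption"] = {"ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}
    p["LoggingConfiguration"] = {"DestinationBucketName": "example-log-bucket"}  # constructed name
    p["VersioningConfiguration"] = {"Status": "Enabled"}
    return t
```

Calling s3_findings(TEMPLATE) yields the same six rule ids as the scan above, and s3_findings(hardened(TEMPLATE)) yields none.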
CFSEC scans single-file stack configurations, with support for Parameters, Mappings and Resources.
Ignores are only available in YAML configurations.
To add an ignore to a resource, add the ignore comment on the line of the check.
For example, to ignore S3 bucket encryption failures, you can use:
---
Resources:
  UnencrypedBucketWithIgnore:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: unencryptedbits
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: false # cfsec:ignore:aws-s3-enable-bucket-encryption
Not all CloudFormation intrinsic functions are supported; the ones covered are listed below:
Ref
Fn::Base64
Fn::Equals
Fn::FindInMap
Fn::GetAtt
Fn::Join
Fn::Select
Fn::Split
Fn::Sub
In YAML configurations, CFSEC supports both the standard and the short notation, i.e. !Base64 or Fn::Base64.

ImportValue requires access to the AWS account, which is not currently supported.
GetAtt is extremely naive: we have no visibility of the attribute values, so resolution is best effort.

CFSEC is at a very early stage, and we are committed to making it the best it can be. Raise problems or suggestions via GitHub Issues or Discussions as appropriate.
cfsec is an Aqua Security open source project. Learn about our open source work and portfolio here. Join the community, and talk to us about any matter in GitHub Discussions or Slack.