cfsec
v0.3.2
️ La logique de balayage de la forme de cloud est désormais intégrée à Aquasecurity TRIVY. Le CFSEC ne sera plus maintenu en tant que scanner autonome et TRIVY doit être utilisé
CFSEC analyse vos fichiers de configuration YAML ou JSON CloudFormation pour les erreurs de sécurité communes.
brew tap cfsec/cfsecchoco install cfsecscoop install cfsecgo install github.com/aquasecurity/cmd/cfsec@latestCompte tenu du fichier de configuration CloudFormation ci-dessous;
---
AWSTemplateFormatVersion : " 2010-09-09 "
Description : An example Stack for a bucket
Parameters :
BucketName :
Type : String
Default : naughty-bucket
EncryptBucket :
Type : Boolean
Default : false
Resources :
S3Bucket :
Type : ' AWS::S3::Bucket '
Properties :
BucketName :
Ref : BucketName
PublicAccessBlockConfiguration :
BlockPublicAcls : false
BlockPublicPolicy : false
IgnorePublicAcls : true
RestrictPublicBuckets : false
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : !Ref EncryptBucket Exécution de la commande cfsec example.yaml
La sortie serait
Result 1
[aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false [false]
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: PUT calls with public ACLs specified can make objects public
Resolution: Enable blocking any PUT calls with a public ACL specified
More Info:
- https://cfsec.dev/docs/s3/block-public-acls/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
Result 2
[aws-s3-block-public-policy][HIGH] Public access block does not block public policies
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false [false]
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Users could put a policy that allows public access
Resolution: Prevent policies that allow public access being PUT
More Info:
- https://cfsec.dev/docs/s3/block-public-policy/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
Result 3
[aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket [false]
24 |
Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
Result 4
[aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-logging/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Result 5
[aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification
More Info:
- https://cfsec.dev/docs/s3/enable-versioning/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
Result 6
[aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false [false]
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Public buckets can be accessed by anyone
Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)
More Info:
- https://cfsec.dev/docs/s3/no-public-buckets/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
6 potential problems detected.
CFSEC analyse les configurations de pile de fichiers uniques avec la prise en charge des paramètres, des mappages et des ressources.
Les ignores sont disponibles uniquement dans les configurations YAML.
Pour ajouter une ignoration à une ressource - sur la ligne de la chèque, ajoutez l'ignorée.
Par exemple, pour ignorer les erreurs de chiffrement S3 Baquet, vous pouvez utiliser
---
Resources :
UnencrypedBucketWithIgnore :
Type : AWS::S3::Bucket
Properties :
AccessControl : Private
BucketName : unencryptedbits
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : false # cfsec:ignore:aws-s3-enable-bucket-encryption
Toutes les fonctions intrinsèques de CloudFormation ne sont pas prises en charge, nous couvrons la liste ci-dessous
Ref
Fn::Base64
Fn::Equals
Fn::FindInMap
Fn::GetAtt
Fn::Join
Fn::Select
Fn::Split
Fn::Sub
Dans les configurations YAML, CFSEC prend en charge les deux standard une notation courte, c'est-à-dire; !Base64 ou Fn::Base64
ImportValue nécessite l'accès au compte AWS qui n'est pas actuellement pris en chargeGetAtt est extrêmement naïf. Nous n'avons pas de visibilité des valeurs d'attribut, c'est donc le meilleur effortLe CFSEC est des stades très précoces, et nous nous engageons à en faire le meilleur possible. Veuillez soulever des problèmes ou des suggestions grâce à des problèmes de github ou à une discussion, le cas échéant.
cfsec est un projet open source Aqua Security. Renseignez-vous sur notre travail open source et notre portefeuille ici. Rejoignez la communauté et parlez-nous de toute question dans la discussion de Github ou Slack.
