cfripper
v1.16.0
CFRipper is a library and CLI security analyzer for AWS CloudFormation templates. You can use cfripper to prevent insecure AWS resources from being deployed into your cloud environment. You can write your own compliance checks by adding new custom plugins.
Docs and more details are available at https://cfripper.readthedocs.io/
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow full wildcard ' * ' , or wildcard in account ID like ' arn:aws:iam::*:12345 ' at ' * '
- IAMRolesOverprivilegedRule: Role ' rootRole ' contains an insecure permission ' * ' in policy ' root '
Analysing /tmp/root_bypass.json...
Valid: True
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow full wildcard ' * ' , or wildcard in account ID like ' arn:aws:iam::*:12345 ' at ' * '
- IAMRolesOverprivilegedRule: Role ' rootRole ' contains an insecure permission ' * ' in policy ' root '
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- IAMRolesOverprivilegedRule: Role ' rootRole ' contains an insecure permission ' * ' in policy ' root '
Monitored issues found:
- PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
- PartialWildcardPrincipalRule: rootRole should not allow wildcard, account-wide or root in resource-id like ' arn:aws:iam::12345:root ' at ' arn:aws:iam::123456789012:root '
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json
$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-config-file cfripper/config/rule_configs/example_rules_config_for_cli.py
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True
$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-filters-folder cfripper/config/rule_configs/
example_rules_config_for_cli.py loaded
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True
"""
Analyse AWS Cloudformation templates passed by parameter.
Exit codes:
- 0 = all templates valid and scanned successfully
- 1 = error / issue in scanning at least one template
- 2 = at least one template is not valid according to CFRipper (template scanned successfully)
- 3 = unknown / unhandled exception in scanning the templates
"""
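In the sessions above, /tmp/root_bypass.json is reported Valid until `--resolve` is used, because its root principal is only visible once CloudFormation intrinsic functions are evaluated. The following is an added illustration of that mechanism, not cfripper's own code: the template is constructed (the page does not show root_bypass.json), and the function names, the regex and the parameter default are assumptions.

```python
import re

# Constructed template (the page does not show /tmp/root_bypass.json): the trust policy
# assembles the root-principal ARN with Fn::Join and Ref, hiding it from a literal check.
TEMPLATE = {
    "Parameters": {"Account": {"Type": "String", "Default": "123456789012"}},
    "Resources": {"rootRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": {"Fn::Join": ["", [
                "arn:aws:iam::", {"Ref": "Account"}, ":root"]]}},
        }]}},
    }},
}

# '*' or an account-root ARN: the principal shapes the wildcard-principal rules above flag.
ROOT_OR_WILDCARD = re.compile(r"^(\*|arn:aws:iam::(\*|\d{12}):root)$")

def resolve(node, params):
    """Evaluate Ref and Fn::Join recursively (a small subset of CloudFormation intrinsics)."""
    if isinstance(node, dict):
        if "Ref" in node:
            return params[node["Ref"]]
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            return sep.join(str(resolve(p, params)) for p in parts)
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node

def parameter_defaults(template):
    """Values a resolver falls back to when no parameters are supplied: the declared defaults."""
    return {k: v.get("Default") for k, v in template.get("Parameters", {}).items()}

def risky_principals(template):
    """(role, principal) pairs whose AWS principal is '*' or an account root. Only string
    principals are matched, so an unresolved intrinsic function passes silently."""
    found = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for st in res["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
            aws = st.get("Principal", {}).get("AWS", [])
            for p in aws if isinstance(aws, list) else [aws]:
                if isinstance(p, str) and ROOT_OR_WILDCARD.match(p):
                    found.append((name, p))
    return found
```

Running `risky_principals` on the raw template finds nothing; running it on `resolve(TEMPLATE, parameter_defaults(TEMPLATE))` reports the root principal, which is the difference the `--resolve` flag makes.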