cfsec
v0.3.2
The cfsec CloudFormation scanning logic is now integrated into Aqua Security Trivy. cfsec is no longer maintained as a standalone scanner; use Trivy instead.

cfsec scans YAML or JSON CloudFormation configuration files for common security misconfigurations.
Install with one of:

```shell
brew tap cfsec/cfsec
choco install cfsec
scoop install cfsec
go install github.com/aquasecurity/cmd/cfsec@latest
```

Given the CloudFormation configuration file below:

```yaml
---
AWSTemplateFormatVersion: "2010-09-09"
Description: An example Stack for a bucket
Parameters:
  BucketName:
    Type: String
    Default: naughty-bucket
  EncryptBucket:
    Type: Boolean
    Default: false
Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName:
        Ref: BucketName
      PublicAccessBlockConfiguration:
        BlockPublicAcls: false
        BlockPublicPolicy: false
        IgnorePublicAcls: true
        RestrictPublicBuckets: false
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: !Ref EncryptBucket
```

Running the command `cfsec example.yaml` produces the following output:
```
Result 1

  [aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24

      11 | S3Bucket:
      12 |   Type: 'AWS::S3::Bucket'
      13 |   Properties:
      14 |     BucketName:
      15 |       Ref: BucketName
      16 |     PublicAccessBlockConfiguration:
      17 |       BlockPublicAcls: false [false]
      18 |       BlockPublicPolicy: false
      19 |       IgnorePublicAcls: true
      20 |       RestrictPublicBuckets: false
      21 |     BucketEncryption:
      22 |       ServerSideEncryptionConfiguration:
      23 |         - BucketKeyEnabled: !Ref EncryptBucket
      24 |

  Impact:     PUT calls with public ACLs specified can make objects public
  Resolution: Enable blocking any PUT calls with a public ACL specified

  More Info:
  - https://cfsec.dev/docs/s3/block-public-acls/#s3
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html

Result 2

  [aws-s3-block-public-policy][HIGH] Public access block does not block public policies
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24

      11 | S3Bucket:
      12 |   Type: 'AWS::S3::Bucket'
      13 |   Properties:
      14 |     BucketName:
      15 |       Ref: BucketName
      16 |     PublicAccessBlockConfiguration:
      17 |       BlockPublicAcls: false
      18 |       BlockPublicPolicy: false [false]
      19 |       IgnorePublicAcls: true
      20 |       RestrictPublicBuckets: false
      21 |     BucketEncryption:
      22 |       ServerSideEncryptionConfiguration:
      23 |         - BucketKeyEnabled: !Ref EncryptBucket
      24 |

  Impact:     Users could put a policy that allows public access
  Resolution: Prevent policies that allow public access being PUT

  More Info:
  - https://cfsec.dev/docs/s3/block-public-policy/#s3
  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html

Result 3

  [aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24

      11 | S3Bucket:
      12 |   Type: 'AWS::S3::Bucket'
      13 |   Properties:
      14 |     BucketName:
      15 |       Ref: BucketName
      16 |     PublicAccessBlockConfiguration:
      17 |       BlockPublicAcls: false
      18 |       BlockPublicPolicy: false
      19 |       IgnorePublicAcls: true
      20 |       RestrictPublicBuckets: false
      21 |     BucketEncryption:
      22 |       ServerSideEncryptionConfiguration:
      23 |         - BucketKeyEnabled: !Ref EncryptBucket [false]
      24 |

  Impact:     The bucket objects could be read if compromised
  Resolution: Configure bucket encryption

  More Info:
  - https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html

Result 4

  [aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24

      11 | S3Bucket:
      12 |   Type: 'AWS::S3::Bucket'
      13 |   Properties:
      14 |     BucketName:
      15 |       Ref: BucketName
      16 |     PublicAccessBlockConfiguration:
      17 |       BlockPublicAcls: false
      18 |       BlockPublicPolicy: false
      19 |       IgnorePublicAcls: true
      20 |       RestrictPublicBuckets: false
      21 |     BucketEncryption:
      22 |       ServerSideEncryptionConfiguration:
      23 |         - BucketKeyEnabled: !Ref EncryptBucket
      24 |

  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://cfsec.dev/docs/s3/enable-bucket-logging/#s3
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html

Result 5

  [aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24

      11 | S3Bucket:
      12 |   Type: 'AWS::S3::Bucket'
      13 |   Properties:
      14 |     BucketName:
      15 |       Ref: BucketName
      16 |     PublicAccessBlockConfiguration:
      17 |       BlockPublicAcls: false
      18 |       BlockPublicPolicy: false
      19 |       IgnorePublicAcls: true
      20 |       RestrictPublicBuckets: false
      21 |     BucketEncryption:
      22 |       ServerSideEncryptionConfiguration:
      23 |         - BucketKeyEnabled: !Ref EncryptBucket
      24 |

  Impact:     Deleted or modified data would not be recoverable
  Resolution: Enable versioning to protect against accidental/malicious removal or modification

  More Info:
  - https://cfsec.dev/docs/s3/enable-versioning/#s3
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html

Result 6

  [aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24

      11 | S3Bucket:
      12 |   Type: 'AWS::S3::Bucket'
      13 |   Properties:
      14 |     BucketName:
      15 |       Ref: BucketName
      16 |     PublicAccessBlockConfiguration:
      17 |       BlockPublicAcls: false
      18 |       BlockPublicPolicy: false
      19 |       IgnorePublicAcls: true
      20 |       RestrictPublicBuckets: false [false]
      21 |     BucketEncryption:
      22 |       ServerSideEncryptionConfiguration:
      23 |         - BucketKeyEnabled: !Ref EncryptBucket
      24 |

  Impact:     Public buckets can be accessed by anyone
  Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Info:
  - https://cfsec.dev/docs/s3/no-public-buckets/#s3
  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html

  6 potential problems detected.
```
cfsec scans single-file stack configurations, with support for Parameters, Mappings and Resources.
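To make the six findings above concrete, here is an added example (not cfsec's own code) that re-implements those six S3 checks over the JSON form of the README's template, resolves `Ref` against Parameter defaults the way the `EncryptBucket` parameter is resolved to `[false]` in the output, and shows a `harden()` patch that applies each finding's Resolution so the scan comes back clean. The `example-log-bucket` name and the `AES256` choice are constructed assumptions; the JSON template is a hand-converted copy of the page's YAML.

```python
import copy
import json

# Constructed JSON form of the README's YAML example (same values; cfsec also accepts JSON templates).
TEMPLATE = json.loads("""{"Parameters": {"BucketName": {"Type": "String", "Default": "naughty-bucket"},
  "EncryptBucket": {"Type": "Boolean", "Default": false}},
 "Resources": {"S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": {"Ref": "BucketName"},
  "PublicAccessBlockConfiguration": {"BlockPublicAcls": false, "BlockPublicPolicy": false,
   "IgnorePublicAcls": true, "RestrictPublicBuckets": false},
  "BucketEncryption": {"ServerSideEncryptionConfiguration": [{"BucketKeyEnabled": {"Ref": "EncryptBucket"}}]}}}}}""")

def resolve(value, params):
    """Resolve {"Ref": name} to the parameter's Default; any other value passes through unchanged."""
    if isinstance(value, dict) and list(value) == ["Ref"]:
        return params.get(value["Ref"], {}).get("Default")
    return value

def bucket_findings(props, params):
    """Rule ids (as printed in the README output) that fire for one AWS::S3::Bucket's Properties."""
    pab = props.get("PublicAccessBlockConfiguration", {})
    sse = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    found = []
    for flag, rule in (("BlockPublicAcls", "aws-s3-block-public-acls"),
                       ("BlockPublicPolicy", "aws-s3-block-public-policy"),
                       ("RestrictPublicBuckets", "aws-s3-no-public-buckets")):
        if resolve(pab.get(flag), params) is not True:  # a missing flag fails just like false
            found.append(rule)
    # BucketKeyEnabled alone does not encrypt anything; a rule must set ServerSideEncryptionByDefault.
    if not any("ServerSideEncryptionByDefault" in rule for rule in sse):
        found.append("aws-s3-enable-bucket-encryption")
    if "LoggingConfiguration" not in props:
        found.append("aws-s3-enable-bucket-logging")
    if props.get("VersioningConfiguration", {}).get("Status") != "Enabled":
        found.append("aws-s3-enable-versioning")
    return found

def scan(template):
    """Sorted (logical id, rule id) pairs for every AWS::S3::Bucket resource in the template."""
    params = template.get("Parameters", {})
    return sorted((name, rule) for name, res in template.get("Resources", {}).items()
                  if res.get("Type") == "AWS::S3::Bucket"
                  for rule in bucket_findings(res.get("Properties", {}), params))

def harden(template):  # applies the Resolution from each of the six results to S3Bucket
    fixed = copy.deepcopy(template)
    props = fixed["Resources"]["S3Bucket"]["Properties"]
    props["PublicAccessBlockConfiguration"] = dict.fromkeys(
        ["BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"], True)
    props["BucketEncryption"] = {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}  # assumed algorithm choice
    props["LoggingConfiguration"] = {"DestinationBucketName": "example-log-bucket"}  # constructed name
    props["VersioningConfiguration"] = {"Status": "Enabled"}
    return fixed
```

`scan(TEMPLATE)` returns the same six rule ids, in the same order, as the cfsec output above; `scan(harden(TEMPLATE))` returns an empty list.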
Ignores are only available in YAML configurations.

To add an ignore to a resource, add it on the line that the check flags. For example, to ignore the S3 bucket encryption failure:

```yaml
---
Resources:
  UnencrypedBucketWithIgnore:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: unencryptedbits
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: false # cfsec:ignore:aws-s3-enable-bucket-encryption
```
Not all CloudFormation intrinsic functions are supported; the list below covers those that are.
Ref
Fn::Base64
Fn::Equals
Fn::FindInMap
Fn::GetAtt
Fn::Join
Fn::Select
Fn::Split
Fn::Sub
In YAML configurations, cfsec supports both the standard and the short-form notation, i.e. `!Base64` or `Fn::Base64`.

ImportValue is not currently supported, as it requires access to the AWS account. GetAtt is very naive: we have no visibility of the attribute values, so it is best effort. cfsec is at a very early stage, and we are doing our best to make it as good as it can be. Please raise any problems or suggestions through GitHub Issues or Discussions.

cfsec is an Aqua Security open source project. Learn about our open source work and portfolio here. Join the community, and talk to us about any matter in GitHub Discussions or Slack.