cfsec
v0.3.2
️ A lógica de varredura de formação em nuvem agora está integrada à curiosidade do aquasecurity. O CFSEC não será mais mantido como um scanner independente e o trivy deve ser usado
O CFSEC digitaliza seus arquivos de configuração do YAML ou JSON CloudFormation em busca de erros de segurança comum.
brew tap cfsec/cfsecchoco install cfsecscoop install cfsecgo install github.com/aquasecurity/cmd/cfsec@latestDado o arquivo de configuração do CloudFormation abaixo;
---
AWSTemplateFormatVersion : " 2010-09-09 "
Description : An example Stack for a bucket
Parameters :
BucketName :
Type : String
Default : naughty-bucket
EncryptBucket :
Type : Boolean
Default : false
Resources :
S3Bucket :
Type : ' AWS::S3::Bucket '
Properties :
BucketName :
Ref : BucketName
PublicAccessBlockConfiguration :
BlockPublicAcls : false
BlockPublicPolicy : false
IgnorePublicAcls : true
RestrictPublicBuckets : false
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : !Ref EncryptBucket Executando o comando cfsec example.yaml
A saída seria
Result 1
[aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false [false]
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: PUT calls with public ACLs specified can make objects public
Resolution: Enable blocking any PUT calls with a public ACL specified
More Info:
- https://cfsec.dev/docs/s3/block-public-acls/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
Result 2
[aws-s3-block-public-policy][HIGH] Public access block does not block public policies
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false [false]
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Users could put a policy that allows public access
Resolution: Prevent policies that allow public access being PUT
More Info:
- https://cfsec.dev/docs/s3/block-public-policy/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
Result 3
[aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket [false]
24 |
Impact: The bucket objects could be read if compromised
Resolution: Configure bucket encryption
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
Result 4
[aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: There is no way to determine the access to this bucket
Resolution: Add a logging block to the resource to enable access logging
More Info:
- https://cfsec.dev/docs/s3/enable-bucket-logging/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html
Result 5
[aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Deleted or modified data would not be recoverable
Resolution: Enable versioning to protect against accidental/malicious removal or modification
More Info:
- https://cfsec.dev/docs/s3/enable-versioning/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
Result 6
[aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets
/home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
11 | S3Bucket:
12 | Type: 'AWS::S3::Bucket'
13 | Properties:
14 | BucketName:
15 | Ref: BucketName
16 | PublicAccessBlockConfiguration:
17 | BlockPublicAcls: false
18 | BlockPublicPolicy: false
19 | IgnorePublicAcls: true
20 | RestrictPublicBuckets: false [false]
21 | BucketEncryption:
22 | ServerSideEncryptionConfiguration:
23 | - BucketKeyEnabled: !Ref EncryptBucket
24 |
Impact: Public buckets can be accessed by anyone
Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)
More Info:
- https://cfsec.dev/docs/s3/no-public-buckets/#s3
- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
6 potential problems detected.
CFSEC Scannse as configurações de pilha de arquivos únicos com suporte para parâmetros, mapeamentos e recursos.
Os ignores estão disponíveis apenas nas configurações da YAML.
Para adicionar um ignorar a um recurso - na linha da verificação, adicione o ignorar.
Por exemplo, para ignorar erros de criptografia de balde S3, você pode usar
---
Resources :
UnencrypedBucketWithIgnore :
Type : AWS::S3::Bucket
Properties :
AccessControl : Private
BucketName : unencryptedbits
BucketEncryption :
ServerSideEncryptionConfiguration :
- BucketKeyEnabled : false # cfsec:ignore:aws-s3-enable-bucket-encryption
Nem todas as funções intrínsecas da CloudFormation são suportadas, cobrimos a lista abaixo
Ref
Fn::Base64
Fn::Equals
Fn::FindInMap
Fn::GetAtt
Fn::Join
Fn::Select
Fn::Split
Fn::Sub
Nas configurações da YAML, o CFSEC suporta ambos padrão uma notação curta, ou seja; !Base64 ou Fn::Base64
ImportValue requer acesso à conta da AWS, que não é suportada no momentoGetAtt é extremamente ingênuo. Não temos visibilidade dos valores de atributo, por isso é o melhor esforçoO CFSEC é um estágio muito inicial e estamos comprometidos em torná -lo o melhor que pode ser. Por favor, levante questões ou sugestões por meio de questões ou discussões do GitHub, conforme apropriado.
cfsec é um projeto de código aberto de segurança aqua. Aprenda sobre nosso trabalho de código aberto e portfólio aqui. Junte -se à comunidade e converse conosco sobre qualquer assunto em discussão ou folga no Github.
