首页>JSP源码>其他类别
下载

配x现在,云形式扫描逻辑与Aquasecurity Trivy集成在一起。 CFSEC将不再以独立的扫描仪和Trivy的方式保持

这是什么?

CFSEC扫描您的YAML或JSON Cloud Formation配置文件,以了解常见的安全性错误。

安装

家用啤酒 - Mac和Linux 

brew tap cfsec/cfsec

巧克力 - 窗户

choco install cfsec

勺子 - 窗口

scoop install cfsec

从源安装最新

go install github.com/aquasecurity/cmd/cfsec@latest

一个例子

给定下面的云形式配置文件; 

---
AWSTemplateFormatVersion : " 2010-09-09 "
Description : An example Stack for a bucket
Parameters :
  BucketName :
    Type : String
    Default : naughty-bucket
  EncryptBucket :
    Type : Boolean
    Default : false
Resources :
  S3Bucket :
    Type : ' AWS::S3::Bucket '
    Properties :
      BucketName :
        Ref : BucketName
      PublicAccessBlockConfiguration :
        BlockPublicAcls : false
        BlockPublicPolicy : false
        IgnorePublicAcls : true
        RestrictPublicBuckets : false
      BucketEncryption :
        ServerSideEncryptionConfiguration :
          - BucketKeyEnabled : !Ref EncryptBucket

运行命令cfsec example.yaml

输出将是

  Result 1

  [aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false    [false]
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     PUT calls with public ACLs specified can make objects public
  Resolution: Enable blocking any PUT calls with a public ACL specified

  More Info:
  - https://cfsec.dev/docs/s3/block-public-acls/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 2

  [aws-s3-block-public-policy][HIGH] Public access block does not block public policies
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false    [false]
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     Users could put a policy that allows public access
  Resolution: Prevent policies that allow public access being PUT

  More Info:
  - https://cfsec.dev/docs/s3/block-public-policy/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html 

  Result 3

  [aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket    [false]
   24 | 


  Impact:     The bucket objects could be read if compromised
  Resolution: Configure bucket encryption

  More Info:
  - https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html 

  Result 4

  [aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://cfsec.dev/docs/s3/enable-bucket-logging/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 5

  [aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     Deleted or modified data would not be recoverable
  Resolution: Enable versioning to protect against accidental/malicious removal or modification

  More Info:
  - https://cfsec.dev/docs/s3/enable-versioning/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html 

  Result 6

  [aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false    [false]
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     Public buckets can be accessed by anyone
  Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Info:
  - https://cfsec.dev/docs/s3/no-public-buckets/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html 


  6 potential problems detected.

更多信息

CFSEC扫描单文件堆栈配置,并支持参数,映射和资源。

忽略发现

忽略仅在YAML配置中可用。

要添加忽略资源 - 在支票行上添加忽略。

例如,要忽略S3存储桶加密错误,您可能会使用

---
Resources :
  UnencrypedBucketWithIgnore :
    Type : AWS::S3::Bucket
    Properties :
      AccessControl : Private
      BucketName : unencryptedbits
      BucketEncryption :
        ServerSideEncryptionConfiguration :
          - BucketKeyEnabled : false # cfsec:ignore:aws-s3-enable-bucket-encryption

支持的固有功能

并非所有云形式固有功能都得到支持,我们涵盖以下列表

 Ref
Fn::Base64
Fn::Equals
Fn::FindInMap
Fn::GetAtt
Fn::Join
Fn::Select
Fn::Split
Fn::Sub

在YAML配置中,CFSEC支持标准标准符号IE; !Base64Fn::Base64

限制

  • 并非所有固有功能都得到支持
    • ImportValue需要访问当前不支持的AWS帐户
    • GetAtt非常幼稚。我们没有属性值的可见性,所以最好的努力
  • 不支持嵌套堆栈。 CFSEC孤立地将单个文件占据,而AWS帐户中存在的内容却没有可见性

评论,建议,问题

CFSEC是很早的阶段,我们致力于使它成为最好的。请通过GitHub问题或适当的讨论提出问题或建议。

cfsec是一个Aqua Security开源项目。在此处了解我们的开源工作和投资组合。加入社区,与我们讨论GitHub讨论或懈怠中的任何事情。

展开
附加信息
相关应用
为您推荐
相关资讯 全部