首頁>JSP源碼>其他類別
下載

配x現在,雲形式掃描邏輯與Aquasecurity Trivy集成在一起。 CFSEC將不再以獨立的掃描儀和Trivy的方式保持

這是什麼?

CFSEC掃描您的YAML或JSON Cloud Formation配置文件,以了解常見的安全性錯誤。

安裝

家用啤酒 - Mac和Linux 

brew tap cfsec/cfsec

巧克力 - 窗戶

choco install cfsec

勺子 - 窗口

scoop install cfsec

從源安裝最新

go install github.com/aquasecurity/cmd/cfsec@latest

一個例子

給定下面的雲形式配置文件; 

---
AWSTemplateFormatVersion : " 2010-09-09 "
Description : An example Stack for a bucket
Parameters :
  BucketName :
    Type : String
    Default : naughty-bucket
  EncryptBucket :
    Type : Boolean
    Default : false
Resources :
  S3Bucket :
    Type : ' AWS::S3::Bucket '
    Properties :
      BucketName :
        Ref : BucketName
      PublicAccessBlockConfiguration :
        BlockPublicAcls : false
        BlockPublicPolicy : false
        IgnorePublicAcls : true
        RestrictPublicBuckets : false
      BucketEncryption :
        ServerSideEncryptionConfiguration :
          - BucketKeyEnabled : !Ref EncryptBucket

運行命令cfsec example.yaml

輸出將是

  Result 1

  [aws-s3-block-public-acls][HIGH] Public access block does not block public ACLs
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false    [false]
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     PUT calls with public ACLs specified can make objects public
  Resolution: Enable blocking any PUT calls with a public ACL specified

  More Info:
  - https://cfsec.dev/docs/s3/block-public-acls/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html 

  Result 2

  [aws-s3-block-public-policy][HIGH] Public access block does not block public policies
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false    [false]
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     Users could put a policy that allows public access
  Resolution: Prevent policies that allow public access being PUT

  More Info:
  - https://cfsec.dev/docs/s3/block-public-policy/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html 

  Result 3

  [aws-s3-enable-bucket-encryption][HIGH] Bucket does not have encryption enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket    [false]
   24 | 


  Impact:     The bucket objects could be read if compromised
  Resolution: Configure bucket encryption

  More Info:
  - https://cfsec.dev/docs/s3/enable-bucket-encryption/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html 

  Result 4

  [aws-s3-enable-bucket-logging][MEDIUM] Bucket does not have logging enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     There is no way to determine the access to this bucket
  Resolution: Add a logging block to the resource to enable access logging

  More Info:
  - https://cfsec.dev/docs/s3/enable-bucket-logging/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerLogs.html 

  Result 5

  [aws-s3-enable-versioning][MEDIUM] Bucket does not have versioning enabled
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     Deleted or modified data would not be recoverable
  Resolution: Enable versioning to protect against accidental/malicious removal or modification

  More Info:
  - https://cfsec.dev/docs/s3/enable-versioning/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html 

  Result 6

  [aws-s3-no-public-buckets][HIGH] Public access block does not restrict public buckets
  /home/owen/code/aquasecurity/cfsec/example/bucket.yaml:12-24
   11 |   S3Bucket:
   12 |     Type: 'AWS::S3::Bucket'
   13 |     Properties:
   14 |       BucketName:
   15 |         Ref: BucketName
   16 |       PublicAccessBlockConfiguration:
   17 |         BlockPublicAcls: false
   18 |         BlockPublicPolicy: false
   19 |         IgnorePublicAcls: true
   20 |         RestrictPublicBuckets: false    [false]
   21 |       BucketEncryption:
   22 |         ServerSideEncryptionConfiguration:
   23 |         - BucketKeyEnabled: !Ref EncryptBucket
   24 | 


  Impact:     Public buckets can be accessed by anyone
  Resolution: Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)

  More Info:
  - https://cfsec.dev/docs/s3/no-public-buckets/#s3 
  - https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html 


  6 potential problems detected.

更多信息

CFSEC掃描單文件堆棧配置,並支持參數,映射和資源。

忽略發現

忽略僅在YAML配置中可用。

要添加忽略資源 - 在支票行上添加忽略。

例如,要忽略S3存儲桶加密錯誤,您可能會使用

---
Resources :
  UnencrypedBucketWithIgnore :
    Type : AWS::S3::Bucket
    Properties :
      AccessControl : Private
      BucketName : unencryptedbits
      BucketEncryption :
        ServerSideEncryptionConfiguration :
          - BucketKeyEnabled : false # cfsec:ignore:aws-s3-enable-bucket-encryption

支持的固有功能

並非所有云形式固有功能都得到支持,我們涵蓋以下列表

 Ref
Fn::Base64
Fn::Equals
Fn::FindInMap
Fn::GetAtt
Fn::Join
Fn::Select
Fn::Split
Fn::Sub

在YAML配置中,CFSEC支持標準標準符號IE; !Base64Fn::Base64

限制

  • 並非所有固有功能都得到支持
    • ImportValue需要訪問當前不支持的AWS帳戶
    • GetAtt非常幼稚。我們沒有屬性值的可見性,所以最好的努力
  • 不支持嵌套堆棧。 CFSEC孤立地將單個文件佔據,而AWS帳戶中存在的內容卻沒有可見性

評論,建議,問題

CFSEC是很早的階段,我們致力於使它成為最好的。請通過GitHub問題或適當的討論提出問題或建議。

cfsec是一個Aqua Security開源項目。在此處了解我們的開源工作和投資組合。加入社區,與我們討論GitHub討論或懈怠中的任何事情。

展開
附加信息
相關應用
爲您推薦
相關資訊 全部