Changelog¶
All notable changes to this project will be documented in this file.
[0.12.0] - 2020-01-08¶
Added¶
- Adds CLI to package
KMSKeyCrossAccountTrustRule
Changed¶
GenericWildcardPrincipalRule
,PartialWildcardPrincipalRule
,FullWildcardPrincipalRule
no longer check for wildcards in KMSKey principals.- Improved granularity of most rules
[0.11.3] - 2019-12-17¶
Improvements¶
S3CrossAccountTrustRule
now accepts resource level exceptions- New documentation!
Breaking changes¶
cfripper.rules.s3_bucked_policy
renamed tocfripper.rules.s3_bucket_policy
(typo)
[0.11.2] - 2019-11-26¶
Fixes¶
- Fix
get_template
when AWS doesn't return a dict.
[0.11.1] - 2019-11-25¶
Changed¶
HardcodedRDSPasswordRule
now reports two different messages when there is a missing echo or a readable password.
Fixes¶
HardcodedRDSPasswordRule
was wrongly adding an error when a value is provided.
[0.11.0] - 2019-11-20¶
Breaking changes¶
- Moved some files from model to rules, renamed rules to match pythonic style. Moved tons of classes around
Fixes¶
- Fix a regression that caused
S3CrossAccountTrustRule
andCrossAccountTrustRule
not to alert whenever cross-account permissions are found within the allowed list of aws accounts. CrossAccountTrustRule
wrongly say that AWS canonical ids and services were a cross-account relationship.
[0.10.2] - 2019-11-20¶
Added¶
- Added
PrincipalCheckingRule
, it has a property calledvalid_principals
. It's a list with all allowed principals. This list can be customized using_get_whitelist_from_config()
. - Added
AWS_ELASTICACHE_BACKUP_CANONICAL_IDS
which contains the aws canonical ids used for backups.
Changed¶
CrossAccountTrustRule
outputs warning log message if the AWS Account ID is not present in the config.HardcodedRDSPasswordRule
updated to check for both RDS Clusters and RDS Instances, and reduce false positives on valid instances.CrossAccountTrustRule
,GenericWildcardPrincipalRule
,S3BucketPolicyPrincipalRule
,S3BucketPolicyPrincipalRule
andS3CrossAccountTrustRule
now check the account against a list. The list is composed of AWS service accounts, configured AWS principals and the account id where the event came from.- Rename
AWS_ELB_ACCOUNT_IDS
toAWS_ELB_LOGS_ACCOUNT_IDS
[0.10.1] - 2019-11-14¶
Added¶
- New regexes and utility methods to get parts of arns
Changed¶
S3CrossAccountTrustRule
andS3BucketPolicyPrincipalRule
won't trigger if the principal comes from one of the AWS ELB service account ids
[0.10.0] - 2019-11-08¶
Added¶
- New regex
REGEX_IS_STAR
, matches only a*
character.
Changed¶
GenericWildcardPrincipalRule
,S3BucketPolicyPrincipalRule
,S3CrossAccountTrustRule
,SQSQueuePolicyPublicRule
andKMSKeyWildcardPrincipal
now trust the condition to reduce false positives.- Rules check the resource type using
isinstance
instead of comparing type to a string if pycfmodel implements the resource. - Instance method
add_failure
now acceptsrisk_value
andrisk_mode
as optional parameters. CrossAccountTrustRule
only runs if config has definedself._config.aws_account_id
.IAMRoleWildcardActionOnPermissionsPolicyRule
now usesREGEX_WILDCARD_POLICY_ACTION
.
Fixed¶
IAMRolesOverprivilegedRule
now usesREGEX_IS_STAR
for finding statements instead ofREGEX_CONTAINS_STAR
.