Rules
Rules are the heart of CFRipper. When running CFRipper, the CloudFormation stack is checked against each rule and the results are combined.
Available Rules
CloudFormationAuthenticationRule
This rule checks for hardcoded credentials
CrossAccountCheckingRule
Base class not intended to be instantiated, but inherited from
This class provides common methods used to detect access permissions from other accounts
CrossAccountTrustRule
This rule checks for permissions granted to principals from other accounts
EBSVolumeHasSSERule
Check that server side encryption is enabled for all EBS volumes.
Defaults to monitor mode (rule not enforced)
FullWildcardPrincipalRule
Rule that checks for wildcard principals in resources
GenericWildcardPrincipalRule
Rule that checks for wildcard principals in resources
Defaults to monitor mode (rule not enforced)
HardcodedRDSPasswordRule
This rule checks that RDS clusters and instances don't expose their passwords
IAMManagedPolicyWildcardActionRule
This rule checks for wildcards in IAM Managed policies
IAMRoleWildcardActionOnPermissionsPolicyRule
Rule that checks for wildcards in actions in IAM role policies
IAMRoleWildcardActionOnTrustPolicyRule
Rule that checks for wildcards in actions in IAM role assume role policy documents
IAMRolesOverprivilegedRule
Rule that checks for wildcards in resources for a set of actions and restricts managed policies
KMSKeyCrossAccountTrustRule
This rule checks for KMS keys that allow cross-account principals to get access to the key
KMSKeyWildcardPrincipal
This rule checks for KMS keys that contain wildcards in the key policies
ManagedPolicyOnUserRule
Rule that checks for IAM managed policies attached directly to users
Defaults to monitor mode (rule not enforced)
PartialWildcardPrincipalRule
Rule that checks for partial wildcard principals or account-wide principals in resources
Defaults to monitor mode (rule not enforced)
PolicyOnUserRule
Rule that checks for IAM policies attached directly to users
Defaults to monitor mode (rule not enforced)
PrincipalCheckingRule
Abstract class for rules that check principals
PrivilegeEscalationRule
Rule that checks for actions that allow privilege escalation in IAM policies
S3BucketPolicyPrincipalRule
Rule that checks for non-whitelisted principals in S3 bucket policies.
This is designed to block unintended access from third party accounts to your buckets
S3BucketPolicyWildcardActionRule
Rule that checks for wildcard actions in S3 bucket policies
S3BucketPublicReadAclAndListStatementRule
Rule that checks for public read access to S3 bucket policies
Defaults to debug mode (rule not enforced)
S3BucketPublicReadWriteAclRule
Rule that checks for public read access to S3 buckets
S3CrossAccountTrustRule
This rule checks for permissions granted to principals from other accounts in S3 Buckets
SNSTopicPolicyNotPrincipalRule
Rule that checks for `Allow` and `NotPrincipal` at the same time in SNS Topic PolicyDocuments
Defaults to monitor mode (rule not enforced)
SQSQueuePolicyNotPrincipalRule
Rule that checks for `Allow` and `NotPrincipal` at the same time in SQS Queue PolicyDocuments
Defaults to monitor mode (rule not enforced)
SQSQueuePolicyPublicRule
Rule that checks for wildcards in SQS queue PolicyDocuments principals
SQSQueuePolicyWildcardActionRule
Rule that checks for wildcards in SQS queue PolicyDocuments actions
SecurityGroupIngressOpenToWorld
Rule that checks for open security groups ingress
SecurityGroupMissingEgressRule
Rule that checks for open security groups egress
Defaults to monitor mode (rule not enforced)
SecurityGroupOpenToWorldRule
Rule that checks for open security groups
Custom Rules
To add custom rules, first extend the `Rule` class. Then implement the `invoke` method by adding your logic.

```python
from abc import abstractmethod

from pycfmodel.model.cf_model import CFModel


# Abstract method on the Rule base class: every custom rule overrides it
@abstractmethod
def invoke(self, cfmodel: CFModel):
    pass
```

CFRipper uses pycfmodel to create a Python model of the CloudFormation script. This model is passed to the `invoke` function as the `cfmodel` parameter. You can use the model to iterate through the resources and other objects of the template, and use the helper functions to perform various checks. Look at the current rules for examples.

```python
from cfripper.rules.cross_account_trust import CrossAccountCheckingRule
from pycfmodel.model.resources.s3_bucket_policy import S3BucketPolicy


class S3CrossAccountTrustRule(CrossAccountCheckingRule):
    """
    This rule checks for permissions granted to principals from other accounts in S3 Buckets
    """

    REASON = "{} has forbidden cross-account policy allow with {} for an S3 bucket."

    def invoke(self, cfmodel):
        # Walk every resource in the model and keep only S3 bucket policies
        for logical_id, resource in cfmodel.Resources.items():
            if isinstance(resource, S3BucketPolicy):
                # Each statement is checked with the helper inherited from CrossAccountCheckingRule
                for statement in resource.Properties.PolicyDocument._statement_as_list():
                    self._do_statement_check(logical_id, statement)
```
Monitor Mode
By default, each rule has `MONITOR_MODE` set to false. Monitor mode returns the failed rules in a separate field of the response instead of in the main "failed rules" field. This way new rules can be tested before they are removed from monitor mode and start triggering alarms.
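As an added example that is not part of CFRipper or of this page, the following stand-alone Python mirrors both the custom-rule pattern above (a class with an `invoke(self, cfmodel)` method that walks the resources) and the monitor-mode split of results. The `Rule` stand-in, the `run_rules` runner, the `allowed_accounts` config key and the plain-dict template used in place of a pycfmodel `CFModel` are all assumptions, not the project's API.

```python
import re

ACCOUNT_IN_ARN = re.compile(r"^arn:aws:iam::(\d{12}):")


class Rule:
    """Stand-in for cfripper's Rule base class (assumed shape, not the project's own code)."""
    MONITOR_MODE = False
    REASON = "{}"

    def __init__(self, config):
        self.config = config
        self.failures = []  # (logical_id, reason) pairs appended by invoke()


def principal_accounts(principal):
    """Yield account ids (or '*') from a Principal given as '*', {'AWS': str} or {'AWS': [...]}."""
    values = principal.get("AWS", []) if isinstance(principal, dict) else principal
    for value in [values] if isinstance(values, str) else values:
        match = ACCOUNT_IN_ARN.match(value)
        yield match.group(1) if match else value  # bare account id or '*' passes through unchanged


class S3BucketExternalAccountRule(Rule):
    """Flags S3 bucket policy statements that Allow a principal outside config['allowed_accounts']."""
    REASON = "{} allows access from account {}, which is not in the allow list."

    def invoke(self, cfmodel):
        for logical_id, resource in cfmodel["Resources"].items():
            if resource.get("Type") != "AWS::S3::BucketPolicy":
                continue
            statements = resource["Properties"]["PolicyDocument"]["Statement"]
            for statement in [statements] if isinstance(statements, dict) else statements:
                if statement.get("Effect") != "Allow":
                    continue
                for account in principal_accounts(statement.get("Principal", {})):
                    if account not in self.config["allowed_accounts"]:
                        self.failures.append((logical_id, self.REASON.format(logical_id, account)))


def run_rules(cfmodel, rules):
    """Report like monitor mode does: monitored rules land in their own field, not 'failed_rules'."""
    report = {"failed_rules": [], "failed_monitored_rules": []}
    for rule in rules:
        rule.invoke(cfmodel)
        report["failed_monitored_rules" if rule.MONITOR_MODE else "failed_rules"].extend(rule.failures)
    return report


TEMPLATE = {"Resources": {"LogsBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {  # constructed
    "Bucket": "logs", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "arn:aws:iam::222222222222:role/Reader"]}},
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::logs/*", "Principal": "*"}]}}}}}
```

Running `run_rules(TEMPLATE, [S3BucketExternalAccountRule({"allowed_accounts": {"111111111111"}})])` reports the second principal under `failed_rules`; setting `MONITOR_MODE = True` on the rule moves the same finding to `failed_monitored_rules`.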