Rules

Rules are the heart of CFRipper. When CFRipper runs, the CloudFormation stack is checked against every enabled rule and the individual results are combined into a single report.

Available Rules

CloudFormationAuthenticationRule

This rule checks for hardcoded credentials

CrossAccountCheckingRule

Base class not intended to be instantiated, but inherited from

This class provides common methods used to detect access permissions from other accounts

CrossAccountTrustRule

This rule checks for permissions granted to principals from other accounts

EBSVolumeHasSSERule

Check that server side encryption is enabled for all EBS volumes.

Defaults to monitor mode (rule not enforced)

FullWildcardPrincipalRule

Rule that checks for full wildcard principals (a Principal of "*") in resources

GenericWildcardPrincipalRule

Rule that checks for any kind of wildcard principal, full or partial, in resources

Defaults to monitor mode (rule not enforced)

HardcodedRDSPasswordRule

This rule checks that RDS clusters and instances don't expose their passwords

IAMManagedPolicyWildcardActionRule

This rule checks for wildcards in IAM Managed policies

IAMRoleWildcardActionOnPermissionsPolicyRule

Rule that checks for wildcards in actions in IAM role policies

IAMRoleWildcardActionOnTrustPolicyRule

Rule that checks for wildcards in actions in IAM role assume role policy documents

IAMRolesOverprivilegedRule

Rule that checks for wildcards in resources for a set of actions and restricts managed policies

KMSKeyCrossAccountTrustRule

This rule checks for KMS keys that allow cross-account principals to get access to the key

KMSKeyWildcardPrincipal

This rule checks for KMS keys whose key policies contain wildcard principals

ManagedPolicyOnUserRule

Rule that checks for IAM managed policies attached directly to users

Defaults to monitor mode (rule not enforced)

PartialWildcardPrincipalRule

Rule that checks for partial wildcard principals or account-wide principals in resources

Defaults to monitor mode (rule not enforced)

PolicyOnUserRule

Rule that checks for IAM policies attached directly to users

Defaults to monitor mode (rule not enforced)

PrincipalCheckingRule

Abstract class for rules that check principals

PrivilegeEscalationRule

Rule that checks for actions that allow privilege escalation in IAM policies

S3BucketPolicyPrincipalRule

Rule that checks for non-whitelisted principals in S3 bucket policies.

This is designed to block unintended access from third party accounts to your buckets

S3BucketPolicyWildcardActionRule

Rule that checks for wildcard actions in S3 bucket policies

S3BucketPublicReadAclAndListStatementRule

Rule that checks for buckets with a public-read ACL whose bucket policy also grants listing of the bucket

Defaults to debug mode (rule not enforced)

S3BucketPublicReadWriteAclRule

Rule that checks for S3 buckets whose ACL grants public read and write access

S3CrossAccountTrustRule

This rule checks for permissions granted to principals from other accounts in S3 Buckets

SNSTopicPolicyNotPrincipalRule

Rule that checks for Allow and NotPrincipal at the same time in SNS Topic PolicyDocuments

Defaults to monitor mode (rule not enforced)

SQSQueuePolicyNotPrincipalRule

Rule that checks for Allow and NotPrincipal at the same time in SQS Queue PolicyDocuments

Defaults to monitor mode (rule not enforced)

SQSQueuePolicyPublicRule

Rule that checks for wildcards in SQS queue PolicyDocuments principals

SQSQueuePolicyWildcardActionRule

Rule that checks for wildcards in SQS queue PolicyDocuments actions

SecurityGroupIngressOpenToWorld

Rule that checks for standalone SecurityGroupIngress resources that are open to the world

SecurityGroupMissingEgressRule

Rule that checks for security groups with no egress rules defined, since CloudFormation then allows all outbound traffic

Defaults to monitor mode (rule not enforced)

SecurityGroupOpenToWorldRule

Rule that checks for security groups whose ingress rules are open to the world

Custom Rules

To add a custom rule, first extend the Rule class, then implement the invoke method with your own logic:

    @abstractmethod
    def invoke(self, cfmodel: CFModel):
        pass

CFRipper uses pycfmodel to build a Python model of the CloudFormation template. This model is passed to invoke as the cfmodel parameter. You can iterate through the resources and other objects of the model and use its helper functions to perform your checks. Look at the existing rules for examples; this one flags bucket policies that trust another account:

    from cfripper.rules.cross_account_trust import CrossAccountCheckingRule
    from pycfmodel.model.resources.s3_bucket_policy import S3BucketPolicy


    class S3CrossAccountTrustRule(CrossAccountCheckingRule):
        """
        This rule checks for permissions granted to principals from other accounts in S3 Buckets
        """

        REASON = "{} has forbidden cross-account policy allow with {} for an S3 bucket."

        def invoke(self, cfmodel):
            # Walk every resource of the parsed template and look only at bucket policies
            for logical_id, resource in cfmodel.Resources.items():
                if isinstance(resource, S3BucketPolicy):
                    # Statement may be a single object or a list; the helper normalises it
                    for statement in resource.Properties.PolicyDocument._statement_as_list():
                        # Inherited from CrossAccountCheckingRule: records a failure for
                        # any principal outside the configured account(s)
                        self._do_statement_check(logical_id, statement)

Monitor Mode

By default each rule has MONITOR_MODE set to false. When it is true, the rule's failures are returned in a separate field of the response instead of in the main list of failed rules. This way a new rule can be tested against real templates before it is taken out of monitor mode and starts triggering alarms.
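The following stand-alone sketch, added here as an example and not taken from CFRipper or pycfmodel, puts the two preceding sections together: a minimal Rule base class with an abstract invoke and a MONITOR_MODE flag, a cross-account bucket-policy rule like the one above, a second rule left in monitor mode, and a runner that splits findings into failed_rules and failed_monitored_rules. It works on a plain template dict rather than a pycfmodel CFModel, and the field names, the config key aws_account_ids and the sample template are all assumptions constructed for the example. It also shows the two normalisations a real rule has to get right: Statement may be a single object or a list, and Principal may be "*", a string or a mapping whose values are strings or lists; service principals such as cloudfront.amazonaws.com carry no account and are skipped rather than flagged.

```python
import re
from abc import ABC, abstractmethod
from typing import Dict, List, Optional

IAM_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def statement_as_list(policy_document: Dict) -> List[Dict]:
    """IAM lets "Statement" be one object or a list; always return a list."""
    statement = policy_document.get("Statement", [])
    return statement if isinstance(statement, list) else [statement]

def principals_of(statement: Dict) -> List[str]:
    """Flatten every Principal form: "*", {"AWS": "..."} or {"AWS": [...]}."""
    principal = statement.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):
        return [principal]
    flat: List[str] = []
    for value in principal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return flat

def principal_account(principal: str) -> Optional[str]:
    """Account behind an AWS principal, "*" for a full wildcard, None for service principals."""
    if principal == "*":
        return "*"
    match = IAM_ARN_ACCOUNT.match(principal)
    if match:
        return match.group(1)
    return principal if len(principal) == 12 and principal.isdigit() else None

def allow_statements(template: Dict, resource_type: str):
    """Yield (logical_id, statement) for each Allow statement of one resource type."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == resource_type:
            for statement in statement_as_list(resource["Properties"]["PolicyDocument"]):
                if statement.get("Effect") == "Allow":
                    yield logical_id, statement

class Rule(ABC):
    MONITOR_MODE = False  # assumed flag, as described on the page; True means report only
    REASON = ""

    def __init__(self, config: Dict):
        self._config = config

    @abstractmethod
    def invoke(self, template: Dict) -> List[str]:
        """One reason string per finding; an empty list means the rule passed."""

class S3CrossAccountTrustRule(Rule):
    REASON = "{} has forbidden cross-account policy allow with {} for an S3 bucket."

    def invoke(self, template: Dict) -> List[str]:
        trusted, failures = self._config["aws_account_ids"], []
        for logical_id, statement in allow_statements(template, "AWS::S3::BucketPolicy"):
            for principal in principals_of(statement):
                account = principal_account(principal)
                if account is not None and (account == "*" or account not in trusted):
                    failures.append(self.REASON.format(logical_id, principal))
        return failures

class S3BucketPolicyWildcardActionRule(Rule):
    MONITOR_MODE = True  # a new rule: report it, do not block deployments on it yet
    REASON = "{} allows wildcard action {} in its bucket policy."

    def invoke(self, template: Dict) -> List[str]:
        failures = []
        for logical_id, statement in allow_statements(template, "AWS::S3::BucketPolicy"):
            actions = statement.get("Action", [])
            for action in actions if isinstance(actions, list) else [actions]:
                if action == "*" or action.endswith(":*"):
                    failures.append(self.REASON.format(logical_id, action))
        return failures

def run_rules(template: Dict, rules, config: Dict) -> Dict[str, List[Dict]]:
    """Run every rule; monitor-mode findings go to a separate field (assumed field names)."""
    result = {"failed_rules": [], "failed_monitored_rules": []}
    for rule_cls in rules:
        rule = rule_cls(config)
        key = "failed_monitored_rules" if rule.MONITOR_MODE else "failed_rules"
        for reason in rule.invoke(template):
            result[key].append({"rule": rule_cls.__name__, "reason": reason})
    return result

# Constructed sample input, not a real stack: one policy trusting our own account
# plus a service principal, one trusting a foreign account with s3:*.
CONFIG = {"aws_account_ids": {"123456789012"}}
SAMPLE_TEMPLATE = {"Resources": {
    "OwnAccountPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {"Bucket": "logs",
        "PolicyDocument": {"Statement": {  # a single statement object, not a list
            "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/Reader",
                          "Service": "cloudfront.amazonaws.com"}}}}},
    "UntrustedPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {"Bucket": "data",
        "PolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": ["s3:*"], "Resource": "*",
            "Principal": {"AWS": ["arn:aws:iam::999999999999:root"]}}]}}},
}}
RULES = [S3CrossAccountTrustRule, S3BucketPolicyWildcardActionRule]
```

Running run_rules(SAMPLE_TEMPLATE, RULES, CONFIG) reports UntrustedPolicy under failed_rules for the foreign account and under failed_monitored_rules for s3:*, while OwnAccountPolicy passes both rules. The monitor-mode split lives in the runner, not in the rules, so promoting a rule is a one-line change to its class.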