Changelog¶
All notable changes to this project will be documented in this file.
[0.17.1] - 2020-03-30¶
Improvements¶
- Add
existsandemptyfunctions to filters - Add
param_resolverto filters to evaluate just necessary params
Fixed¶
- Add protection when a filter is evaluated to catch the exception and continue
[0.17.0] - 2020-03-27¶
Improvements¶
CrossAccountCheckingRule,CrossAccountTrustRule,S3CrossAccountTrustRuleandKMSKeyCrossAccountTrustRuleinclude support for filters.
Breaking changes¶
CrossAccountCheckingRulenow includes the invoke method. Statements of PolicyDocument are now analysed usingRESOURCE_TYPEandPROPERTY_WITH_POLICYDOCUMENTclass variables.
[0.16.0] - 2020-03-27¶
Improvements¶
- Add new
RuleConfig, allows to overwrite the default behaviour of the rule changing rule mode and risk value. - Add new
Filter, allows setting custom rule configuration to matching coincidences. - New RuleModes supported:
RuleMode.DISABLEDandRuleMode.WHITELISTED.
Breaking changes¶
- Class variables
Rule.RULE_MODEandRule.RISK_VALUEshould be changed to use propertiesrule_modeandrisk_value. These properties take in consideration the custom config that might be applied. - If rule mode is
DISABLEDorWHITELISTED; methodsadd_failure_to_resultandadd_warning_to_resultwill have no effect. add_failure_to_resultandadd_warning_to_resultaccepts a new optional parameter namedcontext. This variable is going to be evaluated by filters defined in the custom config.
[0.15.1] - 2020-03-26¶
Improvements¶
SecurityGroupOpenToWorldRuleandSecurityGroupIngressOpenToWorldRuleare now more accurately scoped to block potentially public CIDR ranges. It it utilising the latestpycfmodelrelease (0.7.0).
[0.15.0] - 2020-03-25¶
Improvements¶
- Generate DEFAULT_RULES and BASE_CLASSES using code instead of hardcoding
Fixed¶
- Whitelist did not work if it didn't have the
Ruleprefix
Breaking changes¶
- Sufix
KMSKeyWildcardPrincipalandSecurityGroupIngressOpenToWorldwithRule - Sufix whitelist constant
FullWildcardPrincipalandPartialWildcardPrincipalwithRule
[0.14.2] - 2020-03-04¶
Improvements¶
- Update dependencies
[0.14.1] - 2020-02-24¶
Improvements¶
- Rule processor now accepts an extras parameter that will be forwarded to the rules
- Main gets extra information from the event and forwards it to the rule formatter
[0.14.0] - 2020-02-07¶
Breaking changes¶
- Completely changed base
Ruleabstract class signature and adapted rule classes to match it:- Init now only takes a
Config invokemethod now accepts an optional extra Dictinvokemethod returns aResultinstead ofNoneadd_failurehas been renamed toadd_failure_to_result. It now takes a result instead of a reason (that now it's inferred)add_warninghas been renamed toadd_warning_to_result. It now has the same signature thanadd_failure_to_result
- Init now only takes a
Improvements¶
- Rule Invoke extras parameter has been added to allow changing the rule behaviour depending on state besides the cfmodel itself:
- Stack naming rules
- Stack tags
- User restrictions
- ...
[0.13.0] - 2020-01-22¶
Fixed¶
- Regular expressions had an unescaped '.' before 'amazonaws.com', so it might match more hosts than expected.
Changed¶
CloudFormationAuthenticationRulenow inMONITORmode and new test addedIAMRoleWildcardActionOnPolicyRulecombines three previous unused rules inIAMManagedPolicyWildcardActionRule,IAMRoleWildcardActionOnPermissionsPolicyRule, andIAMRoleWildcardActionOnTrustPolicyRuleIAMRoleWildcardActionOnPolicyRulenow inDEBUGmodeS3BucketPolicyWildcardActionRulehas now been changed to be an instantiation of the new generic ruleGenericWildcardPolicyRule. It is set inDEBUGmodeS3BucketPolicyWildcardActionRulehas had updated regex filter to make it more aligned with both further rules to do with wildcards in actions, and the existingSQSQueuePolicyWildcardActionRuleSQSQueuePolicyWildcardActionRulehas now been changed to be an instantiation of the new generic ruleGenericWildcardPolicyRule. It is set inDEBUGmodeSecurityGroupMissingEgressRulenow inDEBUGmode and a new test addedSNSTopicPolicyWildcardActionRulehas beed added. It is an instantiation of the new generic ruleGenericWildcardPolicyRule. It is set inDEBUGmode
Breaking changes¶
- The following rules are no longer available:
IAMRoleWildcardActionOnPermissionsPolicyRuleIAMRoleWildcardActionOnTrustPolicyRuleIAMManagedPolicyWildcardActionRule- The following rules have been moved:
S3BucketPolicyWildcardActionRuleSQSQueuePolicyWildcardActionRule
[0.12.2] - 2020-01-13¶
Improvements¶
- Documentation updated to show the risk of rules and possible fixes where available, as well as a large set of updates to the content. The macros for parsing the documentation have also been updated.
[0.12.1] - 2020-01-09¶
Fixes¶
- Fix for
CrossAccountCheckingRulewas adding errors when the principal was sts when it shouldn't.
Added¶
get_account_id_from_sts_arnandget_aws_service_from_arnin utils.
[0.12.0] - 2020-01-08¶
Added¶
- Adds CLI to package
KMSKeyCrossAccountTrustRule
Changed¶
GenericWildcardPrincipalRule,PartialWildcardPrincipalRule,FullWildcardPrincipalRuleno longer check for wildcards in KMSKey principals.- Improved granularity of most rules
[0.11.3] - 2019-12-17¶
Improvements¶
S3CrossAccountTrustRulenow accepts resource level exceptions- New documentation!
Breaking changes¶
cfripper.rules.s3_bucked_policyrenamed tocfripper.rules.s3_bucket_policy(typo)
[0.11.2] - 2019-11-26¶
Fixes¶
- Fix
get_templatewhen AWS doesn't return a dict.
[0.11.1] - 2019-11-25¶
Changed¶
HardcodedRDSPasswordRulenow reports two different messages when there is a missing echo or a readable password.
Fixes¶
HardcodedRDSPasswordRulewas wrongly adding an error when a value is provided.
[0.11.0] - 2019-11-20¶
Breaking changes¶
- Moved some files from model to rules, renamed rules to match pythonic style. Moved tons of classes around
Fixes¶
- Fix a regression that caused
S3CrossAccountTrustRuleandCrossAccountTrustRulenot to alert whenever cross-account permissions are found within the allowed list of aws accounts. CrossAccountTrustRulewrongly say that AWS canonical ids and services were a cross-account relationship.
[0.10.2] - 2019-11-20¶
Added¶
- Added
PrincipalCheckingRule, it has a property calledvalid_principals. It's a list with all allowed principals. This list can be customized using_get_whitelist_from_config(). - Added
AWS_ELASTICACHE_BACKUP_CANONICAL_IDSwhich contains the aws canonical ids used for backups.
Changed¶
CrossAccountTrustRuleoutputs warning log message if the AWS Account ID is not present in the config.HardcodedRDSPasswordRuleupdated to check for both RDS Clusters and RDS Instances, and reduce false positives on valid instances.CrossAccountTrustRule,GenericWildcardPrincipalRule,S3BucketPolicyPrincipalRule,S3BucketPolicyPrincipalRuleandS3CrossAccountTrustRulenow check the account against a list. The list is composed of AWS service accounts, configured AWS principals and the account id where the event came from.- Rename
AWS_ELB_ACCOUNT_IDStoAWS_ELB_LOGS_ACCOUNT_IDS
[0.10.1] - 2019-11-14¶
Added¶
- New regexes and utility methods to get parts of arns
Changed¶
S3CrossAccountTrustRuleandS3BucketPolicyPrincipalRulewon't trigger if the principal comes from one of the AWS ELB service account ids
[0.10.0] - 2019-11-08¶
Added¶
- New regex
REGEX_IS_STAR, matches only a*character.
Changed¶
GenericWildcardPrincipalRule,S3BucketPolicyPrincipalRule,S3CrossAccountTrustRule,SQSQueuePolicyPublicRuleandKMSKeyWildcardPrincipalnow trust the condition to reduce false positives.- Rules check the resource type using
isinstanceinstead of comparing type to a string if pycfmodel implements the resource. - Instance method
add_failurenow acceptsrisk_valueandrisk_modeas optional parameters. CrossAccountTrustRuleonly runs if config has definedself._config.aws_account_id.IAMRoleWildcardActionOnPermissionsPolicyRulenow usesREGEX_WILDCARD_POLICY_ACTION.
Fixed¶
IAMRolesOverprivilegedRulenow usesREGEX_IS_STARfor finding statements instead ofREGEX_CONTAINS_STAR.