Usage: cfripper [OPTIONS] [TEMPLATES]...

  Analyse AWS Cloudformation templates passed by parameter.

Options:
  --version                       Show the version and exit.
  --resolve / --no-resolve        Resolves cloudformation variables and
                                  intrinsic functions  [default: False]
  --resolve-parameters FILENAME   JSON/YML file containing key-value pairs
                                  used for resolving CloudFormation files with
                                  templated parameters. For example, {"abc":
                                  "ABC"} will change all occurrences of
                                  {"Ref": "abc"} in the CloudFormation file to
                                  "ABC".
  --format [json|txt]             Output format  [default: txt]
  --output-folder DIRECTORY       If not present, result will be sent to
                                  stdout
  --logging [ERROR|WARNING|INFO|DEBUG]
                                  Logging level  [default: INFO]
  --rules-config-file FILENAME    Loads rules configuration file (type: [.py,
                                  .pyc])
  --help                          Show this message and exit.
$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Valid: True

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Monitored issues found:
- PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
- PartialWildcardPrincipalRule: rootRole should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789012:root')

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json
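Why `root_bypass.json` passes in the first run and fails only with `--resolve`: a principal assembled from intrinsic functions is not a string until the template is resolved, so string-based principal checks cannot see it. The Python below is an added illustration, not cfripper's own code; it implements a simplified stand-in for `--resolve` / `--resolve-parameters` (handling `Ref` and `Fn::Join` only) together with the two principal checks shown above, run over a constructed trust policy. The template, the `AccountId` parameter name and the function names are assumptions made for this example.

```python
import re
from typing import Any, Dict, List

# Constructed trust policy: the account-wide principal only exists after
# Fn::Join and Ref are resolved, so an unresolved scan never sees the ARN.
TEMPLATE: Dict[str, Any] = {
    "Parameters": {"AccountId": {"Type": "String"}},
    "Resources": {"rootRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {"AssumeRolePolicyDocument": {"Statement": [{
            "Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": {"Fn::Join": ["", [
                "arn:aws:iam::", {"Ref": "AccountId"}, ":root"]]}},
        }]}},
    }},
}

ACCOUNT_ROOT = re.compile(r"^arn:aws:iam::\d{12}:root$")


def resolve(node: Any, params: Dict[str, str]) -> Any:
    """Replace {"Ref": p} with params[p] and collapse Fn::Join to a string.
    Anything that cannot be resolved is left exactly as it was."""
    if isinstance(node, dict) and len(node) == 1:
        if "Ref" in node:
            return params.get(node["Ref"], node)
        if "Fn::Join" in node:
            sep, parts = node["Fn::Join"]
            resolved = [resolve(p, params) for p in parts]
            if all(isinstance(p, str) for p in resolved):
                return sep.join(resolved)
            return node  # an unresolved Ref remains inside: keep the function
    if isinstance(node, dict):
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def principal_issues(template: Dict[str, Any]) -> List[str]:
    """Flag '*' and account-root principals in every IAM role trust policy."""
    issues: List[str] = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for stmt in res["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
            principals = stmt.get("Principal", {}).get("AWS", [])
            for p in principals if isinstance(principals, list) else [principals]:
                if p == "*":
                    issues.append(f"FullWildcardPrincipalRule: {name} should not allow wildcards in principals (principal: '*')")
                elif isinstance(p, str) and ACCOUNT_ROOT.match(p):
                    issues.append(f"PartialWildcardPrincipalRule: {name} should not allow wildcard in principals or account-wide principals (principal: '{p}')")
    return issues
```

Running `principal_issues` on the raw template returns nothing, while running it on `resolve(TEMPLATE, {"AccountId": "123456789012"})` reports the account-wide principal, which is the difference between the two runs above.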