
CLI

Usage: cfripper [OPTIONS] [TEMPLATES]...

  Analyse AWS Cloudformation templates passed by parameter. Exit codes:
    - 0 = all templates valid and scanned successfully
    - 1 = error / issue in scanning at least one template
    - 2 = at least one template is not valid according to CFRipper (template scanned successfully)
    - 3 = unknown / unhandled exception in scanning the templates

Options:
  --version                       Show the version and exit.
  --resolve / --no-resolve        Resolves cloudformation variables and
                                  intrinsic functions  [default: False]

  --resolve-parameters FILENAME   JSON/YML file containing key-value pairs
                                  used for resolving CloudFormation files with
                                  templated parameters. For example, {"abc":
                                  "ABC"} will change all occurrences of
                                  {"Ref": "abc"} in the CloudFormation file to
                                  "ABC".

  --format [json|txt]             Output format  [default: txt]
  --output-folder DIRECTORY       If not present, result will be sent to
                                  stdout

  --logging [ERROR|WARNING|INFO|DEBUG]
                                  Logging level  [default: INFO]
  --rules-config-file FILENAME    Loads rules configuration file (type: [.py,
                                  .pyc])

  --rules-filters-folder DIRECTORY
                                  All files in the folder must be of type:
                                  [.py, .pyc]

  --help                          Show this message and exit.

Examples

Normal execution

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
    - FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
    - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Valid: True

Using resolve flag

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
    - FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
    - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
    - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Monitored issues found:
    - PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
    - PartialWildcardPrincipalRule: rootRole should not allow wildcard in principals or account-wide principals (principal: 'arn:aws:iam::123456789012:root')
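The run above shows why `--resolve` matters: `root_bypass.json` is reported valid until its parameters are resolved. The following is an added illustration, not CFRipper's own code, of the `--resolve-parameters` semantics described in the options (every `{"Ref": "abc"}` becomes `"ABC"`) applied to a constructed template whose trust principal hides behind a parameter; the template contents, the parameter name and the check are assumptions, not the real `root_bypass.json`.

```python
import re

# Constructed sample template: the role's trust principal is a Ref to a
# parameter, so a scan of the unresolved template sees no literal principal.
TEMPLATE = {
    "Parameters": {"TrustedPrincipal": {"Type": "String"}},
    "Resources": {
        "rootRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Statement": [{
                        "Effect": "Allow",
                        "Action": "sts:AssumeRole",
                        "Principal": {"AWS": {"Ref": "TrustedPrincipal"}},
                    }]
                }
            },
        }
    },
}

# Same shape as the --resolve-parameters file: key = parameter name, value = substitution.
PARAMETERS = {"TrustedPrincipal": "arn:aws:iam::123456789012:root"}

# Account-wide principal: the whole account's root, not a specific role or user.
ACCOUNT_WIDE = re.compile(r"^arn:aws:iam::\d{12}:root$")


def resolve(node, params):
    """Recursively replace {"Ref": name} with params[name]; unknown Refs are left intact."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and node["Ref"] in params:
            return params[node["Ref"]]
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def account_wide_principals(template):
    """Return (resource, principal) pairs whose trust policy allows '*' or an account root ARN."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for stmt in doc.get("Statement", []):
            aws = stmt.get("Principal", {}).get("AWS", [])
            for p in aws if isinstance(aws, list) else [aws]:
                if p == "*" or (isinstance(p, str) and ACCOUNT_WIDE.match(p)):
                    findings.append((name, p))
    return findings
```

Scanning `TEMPLATE` as-is yields no finding, while scanning `resolve(TEMPLATE, PARAMETERS)` flags `rootRole` with the account-wide principal, mirroring the difference between the two runs shown above.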

Using json format and output-folder argument

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json