Changelog
All notable changes to this project will be documented in this file.
[1.2.0] - 2021-11-03
Updates
- The rules `EC2SecurityGroupOpenToWorldRule` and `EC2SecurityGroupIngressOpenToWorldRule` were by default allowing ports 80 and 443. This has now been migrated to use a filter object that can be optionally applied. See the README for further details. This means that if the filter is not applied, Security Groups open to the world on ports 80 and 443 will start failing in CFRipper.
[1.1.2] - 2021-10-06
Fixes
- Add a fix to the `KMSKeyEnabledKeyRotation` rule to be able to detect the `EnableKeyRotation` property properly.
[1.1.1] - 2021-09-30
Fixes
- Add a fix to the `PartialWildcardPrincipal` rule to be able to detect policies where whole account access is specified via just the account ID.
  - For example, if the Principal was defined as `Principal: AWS: 123456789012` as opposed to `Principal: AWS: arn:aws:iam::123456789012:root`.
  - These are identical: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
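The two spellings above grant the same thing, so a check that only looks for the `:root` ARN misses the bare account ID. The following is an added illustration of that normalisation (not CFRipper's own code); the statements, the `allowed` list and the helper names are constructed for the example.

```python
# Added example (not CFRipper's code): treat a bare 12-digit account ID and
# the account's root ARN as the same whole-account principal, as the
# 1.1.1 fix does, and report any such principal outside an allow-list.
import re
from typing import Iterable, List, Optional

BARE_ACCOUNT_ID = re.compile(r"^\d{12}$")
ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def whole_account_id(principal: str) -> Optional[str]:
    """Account ID if `principal` grants whole-account access, else None.

    A specific role/user ARN, a service principal or a wildcard return None:
    they are handled by other checks, not by this one."""
    if BARE_ACCOUNT_ID.match(principal):
        return principal
    m = ROOT_ARN.match(principal)
    return m.group(1) if m else None


def whole_account_principals(statement: dict) -> List[str]:
    """Account IDs from the `AWS` principal(s) of one policy statement.

    Accepts a single string or a list, as the policy grammar does, and a
    non-dict Principal such as "*" (which has no `AWS` key)."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    values = [aws] if isinstance(aws, str) else list(aws)
    return [acc for acc in (whole_account_id(v) for v in values) if acc]


def unexpected_whole_account_trust(statement: dict, allowed: Iterable[str]) -> List[str]:
    """Whole-account principals in `statement` that are not in `allowed`."""
    allowed_set = set(allowed)
    return [acc for acc in whole_account_principals(statement) if acc not in allowed_set]


# Constructed sample statements; the account ID is the one from the changelog entry.
STATEMENT_BARE = {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "s3:GetObject", "Resource": "*"}
STATEMENT_ROOT = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:GetObject", "Resource": "*"}
STATEMENT_ROLE = {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/Deploy"}, "Action": "s3:GetObject", "Resource": "*"}

if __name__ == "__main__":
    for s in (STATEMENT_BARE, STATEMENT_ROOT, STATEMENT_ROLE):
        print(s["Principal"]["AWS"], "->", unexpected_whole_account_trust(s, allowed=[]))
```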
[1.1.0] - 2021-09-22
Improvements
- Add `S3ObjectVersioning` rule
- Update `pycfmodel` to `0.11.0`
  - This includes model support for S3 Buckets. Rules against these resources have been updated (alongside tests).
[1.0.9] - 2021-09-10
Improvements
- Update valid AWS Account IDs that might be included as principals on policies.
  - This list now covers ELB Logs, CloudTrail Logs, Redshift Audit, and ElastiCache backups.
- `WildCardResourceRule` is now triggered by resources that only limit by service (e.g. `arn:aws:s3:::*`)
[1.0.8] - 2021-08-18
Improvements
- Add `S3LifecycleConfiguraton` rule
[1.0.7] - 2021-08-16
Improvements
- Add `KMSKeyEnabledKeyRotation` rule
- Bump `pycfmodel` to `0.10.4`
[1.0.6] - 2021-07-28
Improvements
- Add `S3BucketPublicReadAclRule` rule
[1.0.5] - 2021-07-28
Improvements
- Add EKS permissions that accept wildcard resource only
[1.0.4] - 2021-06-03
Improvements
- Add `stack_id` to log output when failing to convert a YML template to JSON.
- Various minor test improvements
- Added CLI args for aws account id and aws principals
- Fix an issue in `S3BucketPublicReadAclAndListStatementRule` where it could crash if the model was unresolved
- Center logo (thanks @lpmi-13)
- Run tests in python 3.9
[1.0.3] - 2021-03-26
Improvements
- Downgrade logging severity from exception to warning when there is no stack in AWS
[1.0.2] - 2021-03-25
Improvements
- Handle AWS throttling errors when listing exports for a given account and region
- If we get a throttling error, we actually sleep for some time before retrying (before we were sleeping for 0 seconds)
[1.0.1] - 2021-03-25
Improvements
- Decrease logging level when loading external filters
- Decrease logging level on known AWS errors such as AccessDenied when listing exports and throttling errors on getting a template from AWS CloudFormation.
[1.0.0] - 2021-03-16
Breaking changes
- `Filter` now includes the set of rules in which it is applied. `RuleConfig` now only contains `rule_mode` and `risk_value`.
- Removes old whitelisting methods in favour of Filters
- Rename `RuleMode.WHITELISTED` to `RuleMode.ALLOWED`, and every occurrence of the word `whitelist` in strings.
- Add debug flag to `Filter` class.
Improvements
- Implements `pluggy` (https://github.com/pytest-dev/pluggy) to enable dynamic rule loading.
- Add support to load filters from external files
[0.23.3] - 2021-02-11
Additions
- All rules now support filter contexts!
Improvements
- Update `WildcardResourceRule` to allow for certain resources to be excluded.
[0.23.2] - 2021-02-04
Bugfix
- `GenericWildcardPrincipalRule` updated to ignore account IDs where a full or partial wildcard is required in the Principal. These accounts should be AWS Service Accounts defined in the config.
- Fix CLI flag `--rules-config-file`
Improvements
- Update `ResourceSpecificRule` to allow for certain resources to be excluded. In particular, the `PrivilegeEscalationRule` will now no longer be invoked for `S3BucketPolicy` resources.
- Add rules config for Kinesis Data Firehose IPs that can be applied
[0.23.1] - 2021-01-26
Improvements
- Add more X-Ray permissions that accept wildcard resource only
- CLI handles case of empty template by returning appropriate exception message
- CLI now returns exit code 2 for scenarios where CFRipper finds a template violating any of the rules
[0.23.0] - 2021-01-20
Breaking changes
- Rule config files using filters must now use `ingress_obj` and not `ingress`.
Additions
- Rules using IP Address Ranges now export both `ingress_obj` and `ingress_ip` filter fields.
- Add support to load an external rules configuration file
[0.22.0] - 2020-12-11
Breaking changes
- Classes inheriting from `ResourceSpecificRule` now must allow an `extra` field in the `resource_invoke` function
Improvements
- Improved context data for `BaseDangerousPolicyActions` and classes inheriting from it
Bugfix
- `CrossAccountCheckingRule` did not check properly for calculated mock fields.
[0.21.1] - 2020-12-9
Improvements
- Add SNS actions that only allow wildcards
[0.21.0] - 2020-11-30
Improvements
- Upgraded to pycfmodel 0.8.1 (this will improve policy action detection)
- Refactored a few classes to use improvements from new base classes and pycfmodel
- `PrivilegeEscalationRule` now detects issues in all policies
Additions
- New Rules: `SNSTopicDangerousPolicyActionsRule` and `SQSDangerousPolicyActionsRule`
- New abstract base rule: `BaseDangerousPolicyActions`
Fixes
- Various typo fixes
[0.20.1] - 2020-10-26
Improvements
- Added more actions that only allow wildcard as resource
Fixes
- Require pycfmodel 0.7.2
Other
- Bump pip-tools dev requirement to 5.3.1
[0.20.0] - 2020-09-30
Improvements
- Add `WildcardResourceRule` rule
[0.19.2] - 2020-09-16
Improvements
- Add `regex:ignorecase` filter function
[0.19.1] - 2020-09-01
Improvements
- Add support for this new S3 url format: `https://bucket.s3.aws-region.amazonaws.com/path1/path2`
[0.19.0] - 2020-05-21
Breaking changes
- `rule_mode` is now `BLOCKING` for all Rules.
[0.18.1] - 2020-04-14
Fixed
- `CrossAccountCheckingRule` calling `add_failure_to_result` on `UNDEFINED_` was missing the context variable.
[0.18.0] - 2020-04-07
Improvements
- `EC2SecurityGroupIngressOpenToWorldRule`, `EC2SecurityGroupMissingEgressRule` and `EC2SecurityGroupOpenToWorldRule` include support for filters.
- `EC2SecurityGroupIngressOpenToWorldRule` and `EC2SecurityGroupOpenToWorldRule` support adding errors for port ranges.
Breaking changes
- `Config.DEFAULT_ALLOWED_WORLD_OPEN_PORTS` type changes to `List[int]`
- Rename `SecurityGroupIngressOpenToWorldRule` to `EC2SecurityGroupIngressOpenToWorldRule`
- Rename `SecurityGroupMissingEgressRule` to `EC2SecurityGroupMissingEgressRule`
- Rename `SecurityGroupOpenToWorldRule` to `EC2SecurityGroupOpenToWorldRule`
- Improved message for users when failing the `SecurityGroupOpenToWorldRule` and `SecurityGroupIngressOpenToWorldRule` rules.
- Improved documentation for the above rules, including styling fixes which have now been tested.
[0.17.2] - 2020-04-01
Improvements
- Improved message for users when failing the `SecurityGroupOpenToWorldRule` and `SecurityGroupIngressOpenToWorldRule` rules.
- Improved documentation for the above rules, including styling fixes which have now been tested.
[0.17.1] - 2020-03-30
Improvements
- Add `exists` and `empty` functions to filters
- Add `param_resolver` to filters to evaluate just the necessary params
Fixed
- Add protection when a filter is evaluated to catch the exception and continue
[0.17.0] - 2020-03-27
Improvements
- `CrossAccountCheckingRule`, `CrossAccountTrustRule`, `S3CrossAccountTrustRule` and `KMSKeyCrossAccountTrustRule` include support for filters.
Breaking changes
- `CrossAccountCheckingRule` now includes the invoke method. Statements of PolicyDocument are now analysed using the `RESOURCE_TYPE` and `PROPERTY_WITH_POLICYDOCUMENT` class variables.
[0.16.0] - 2020-03-27
Improvements
- Add new `RuleConfig`, which allows overriding the default behaviour of a rule by changing its rule mode and risk value.
- Add new `Filter`, which allows applying a custom rule configuration to matching cases.
- New RuleModes supported: `RuleMode.DISABLED` and `RuleMode.WHITELISTED`.
Breaking changes
- Class variables `Rule.RULE_MODE` and `Rule.RISK_VALUE` should be changed to use the properties `rule_mode` and `risk_value`. These properties take into consideration the custom config that might be applied.
- If rule mode is `DISABLED` or `WHITELISTED`, the methods `add_failure_to_result` and `add_warning_to_result` will have no effect.
- `add_failure_to_result` and `add_warning_to_result` accept a new optional parameter named `context`. This variable is going to be evaluated by filters defined in the custom config.
[0.15.1] - 2020-03-26
Improvements
- `SecurityGroupOpenToWorldRule` and `SecurityGroupIngressOpenToWorldRule` are now more accurately scoped to block potentially public CIDR ranges. It is utilising the latest `pycfmodel` release (0.7.0).
[0.15.0] - 2020-03-25
Improvements
- Generate DEFAULT_RULES and BASE_CLASSES using code instead of hardcoding
Fixed
- Whitelist did not work if it didn't have the `Rule` prefix
Breaking changes
- Suffix `KMSKeyWildcardPrincipal` and `SecurityGroupIngressOpenToWorld` with `Rule`
- Suffix whitelist constants `FullWildcardPrincipal` and `PartialWildcardPrincipal` with `Rule`
[0.14.2] - 2020-03-04
Improvements
- Update dependencies
[0.14.1] - 2020-02-24
Improvements
- Rule processor now accepts an extras parameter that will be forwarded to the rules
- Main gets extra information from the event and forwards it to the rule formatter
[0.14.0] - 2020-02-07
Breaking changes
- Completely changed base `Rule` abstract class signature and adapted rule classes to match it:
  - Init now only takes a `Config`
  - `invoke` method now accepts an optional extra Dict
  - `invoke` method returns a `Result` instead of `None`
  - `add_failure` has been renamed to `add_failure_to_result`. It now takes a result instead of a reason (which is now inferred)
  - `add_warning` has been renamed to `add_warning_to_result`. It now has the same signature as `add_failure_to_result`
Improvements
- Rule Invoke extras parameter has been added to allow changing the rule behaviour depending on state besides the cfmodel itself:
  - Stack naming rules
  - Stack tags
  - User restrictions
  - ...
[0.13.0] - 2020-01-22
Fixed
- Regular expressions had an unescaped '.' before 'amazonaws.com', so they might match more hosts than expected.
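The defect class behind that fix, shown as an added illustration (not CFRipper's own regexes): an unescaped '.' is a one-character wildcard, so a host pattern with it also accepts look-alike hosts. The URL samples and helper names below are constructed for the example.

```python
# Added example (not CFRipper's code): the unescaped '.' before
# 'amazonaws.com' matches any character, so a host pattern accepts more
# than the real AWS host. Escaping the dot, or building the pattern with
# re.escape(), restricts the match to the intended host.
import re
from typing import List

# Defective pattern: only the '.' between "s3" and "amazonaws" is unescaped.
REGEX_S3_HOST_UNESCAPED = re.compile(r"^https://([^/]+)\.s3.amazonaws\.com/")
# Fixed pattern: every dot is a literal dot.
REGEX_S3_HOST_FIXED = re.compile(r"^https://([^/]+)\.s3\.amazonaws\.com/")


def host_pattern(host: str) -> re.Pattern:
    """Build the same anchored bucket-URL pattern safely from a host string."""
    return re.compile(r"^https://([^/]+)\." + re.escape(host) + "/")


def matching_urls(pattern: re.Pattern, urls: List[str]) -> List[str]:
    """URLs that `pattern` accepts, in input order (anchored match at start)."""
    return [u for u in urls if pattern.match(u)]


# Constructed sample URLs: one genuine host and three that must be rejected.
SAMPLE_URLS = [
    "https://bucket.s3.amazonaws.com/path1/path2",    # genuine AWS host
    "https://bucket.s3-amazonaws.com/path1/path2",    # '-' where the '.' belongs
    "https://bucket.s3Xamazonaws.com/path1/path2",    # any single character also passes
    "https://example.com/bucket.s3.amazonaws.com/",   # different host, AWS name in the path
]

if __name__ == "__main__":
    print("unescaped:", matching_urls(REGEX_S3_HOST_UNESCAPED, SAMPLE_URLS))
    print("fixed:    ", matching_urls(REGEX_S3_HOST_FIXED, SAMPLE_URLS))
```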
Changed
- `CloudFormationAuthenticationRule` now in `MONITOR` mode and new test added
- `IAMRoleWildcardActionOnPolicyRule` combines three previous unused rules in `IAMManagedPolicyWildcardActionRule`, `IAMRoleWildcardActionOnPermissionsPolicyRule`, and `IAMRoleWildcardActionOnTrustPolicyRule`
- `IAMRoleWildcardActionOnPolicyRule` now in `DEBUG` mode
- `S3BucketPolicyWildcardActionRule` has now been changed to be an instantiation of the new generic rule `GenericWildcardPolicyRule`. It is set in `DEBUG` mode
- `S3BucketPolicyWildcardActionRule` has had its regex filter updated to make it more aligned with both further rules to do with wildcards in actions, and the existing `SQSQueuePolicyWildcardActionRule`
- `SQSQueuePolicyWildcardActionRule` has now been changed to be an instantiation of the new generic rule `GenericWildcardPolicyRule`. It is set in `DEBUG` mode
- `SecurityGroupMissingEgressRule` now in `DEBUG` mode and a new test added
- `SNSTopicPolicyWildcardActionRule` has been added. It is an instantiation of the new generic rule `GenericWildcardPolicyRule`. It is set in `DEBUG` mode
Breaking changes
- The following rules are no longer available:
  - `IAMRoleWildcardActionOnPermissionsPolicyRule`
  - `IAMRoleWildcardActionOnTrustPolicyRule`
  - `IAMManagedPolicyWildcardActionRule`
- The following rules have been moved:
  - `S3BucketPolicyWildcardActionRule`
  - `SQSQueuePolicyWildcardActionRule`
[0.12.2] - 2020-01-13
Improvements
- Documentation updated to show the risk of rules and possible fixes where available, as well as a large set of updates to the content. The macros for parsing the documentation have also been updated.
[0.12.1] - 2020-01-09
Fixes
- Fix for `CrossAccountCheckingRule`, which was adding errors when the principal was sts when it shouldn't.
Added
- `get_account_id_from_sts_arn` and `get_aws_service_from_arn` in utils.
[0.12.0] - 2020-01-08
Added
- Adds CLI to package
- `KMSKeyCrossAccountTrustRule`
Changed
- `GenericWildcardPrincipalRule`, `PartialWildcardPrincipalRule`, `FullWildcardPrincipalRule` no longer check for wildcards in KMSKey principals.
- Improved granularity of most rules
[0.11.3] - 2019-12-17
Improvements
- `S3CrossAccountTrustRule` now accepts resource level exceptions
- New documentation!
Breaking changes
- `cfripper.rules.s3_bucked_policy` renamed to `cfripper.rules.s3_bucket_policy` (typo)
[0.11.2] - 2019-11-26
Fixes
- Fix `get_template` when AWS doesn't return a dict.
[0.11.1] - 2019-11-25
Changed
- `HardcodedRDSPasswordRule` now reports two different messages when there is a missing echo or a readable password.
Fixes
- `HardcodedRDSPasswordRule` was wrongly adding an error when a value is provided.
[0.11.0] - 2019-11-20
Breaking changes
- Moved some files from model to rules, renamed rules to match pythonic style. Moved tons of classes around
Fixes
- Fix a regression that caused `S3CrossAccountTrustRule` and `CrossAccountTrustRule` not to alert whenever cross-account permissions are found within the allowed list of aws accounts.
- `CrossAccountTrustRule` wrongly said that AWS canonical ids and services were a cross-account relationship.
[0.10.2] - 2019-11-20
Added
- Added `PrincipalCheckingRule`, which has a property called `valid_principals`. It's a list with all allowed principals. This list can be customized using `_get_whitelist_from_config()`.
- Added `AWS_ELASTICACHE_BACKUP_CANONICAL_IDS` which contains the aws canonical ids used for backups.
Changed
- `CrossAccountTrustRule` outputs a warning log message if the AWS Account ID is not present in the config.
- `HardcodedRDSPasswordRule` updated to check for both RDS Clusters and RDS Instances, and reduce false positives on valid instances.
- `CrossAccountTrustRule`, `GenericWildcardPrincipalRule`, `S3BucketPolicyPrincipalRule` and `S3CrossAccountTrustRule` now check the account against a list. The list is composed of AWS service accounts, configured AWS principals and the account id where the event came from.
- Rename `AWS_ELB_ACCOUNT_IDS` to `AWS_ELB_LOGS_ACCOUNT_IDS`
[0.10.1] - 2019-11-14
Added
- New regexes and utility methods to get parts of arns
Changed
- `S3CrossAccountTrustRule` and `S3BucketPolicyPrincipalRule` won't trigger if the principal comes from one of the AWS ELB service account ids
[0.10.0] - 2019-11-08
Added
- New regex `REGEX_IS_STAR`, matches only a `*` character.
Changed
- `GenericWildcardPrincipalRule`, `S3BucketPolicyPrincipalRule`, `S3CrossAccountTrustRule`, `SQSQueuePolicyPublicRule` and `KMSKeyWildcardPrincipal` now trust the condition to reduce false positives.
- Rules check the resource type using `isinstance` instead of comparing type to a string if pycfmodel implements the resource.
- Instance method `add_failure` now accepts `risk_value` and `risk_mode` as optional parameters.
- `CrossAccountTrustRule` only runs if config has defined `self._config.aws_account_id`.
- `IAMRoleWildcardActionOnPermissionsPolicyRule` now uses `REGEX_WILDCARD_POLICY_ACTION`.
Fixed
- `IAMRolesOverprivilegedRule` now uses `REGEX_IS_STAR` for finding statements instead of `REGEX_CONTAINS_STAR`.