Skip to content
/ pycfa Public

CloudFormation templates security auditing tool

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

davinerd/pycfa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
CFAudit
CFAudit
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
README.md
README.md
 
 
pycfa.py
pycfa.py
 
 
requirements.txt
requirements.txt
 
 
screenshot.png
screenshot.png
 
 
utils.py
utils.py
 
 

Repository files navigation

Python CloudFormation Audit script

pycfais a python script to audit CloudFormation template files for security misconfigurations. It supports both JSON and YAML formats.

Why?

I was looking to something similar to Scout2 but without the hassle of spinning up the whole infrastructure. pycfais particularly useful when you have to do a security audit of a series of CloudFormation template files. I was looking for something quick and reliable. Here it is pycfa.

How it works

pycfa reads rules from a file in JSON format (by default in rules/rules.json). It provides a colorful output to stdout (by default) or in JSON format if -j flag is provided (without colors though). The rule file syntax is as follow:

  {
    "rules": [
      {
        "type": "<resource::type>",
        "key": "<path.to.key>",
        "match": "<strict | bool | regex>",
        "<what-to-check>": "<value>"
      }
    ],
    "level": "<info | warning | danger>",
    "description": "wut?"
  }

What the hell they mean? Here we go:

  • type: the resource type as specified by the Type tag (optional)
  • key: path to the rule's parent key, starting after the Proprieties key. e.g. if you want to check an IAM Policy Action key, then this value will be PolicyDocument.Statement
  • match: the way the field rules is interpreted.strictmeans "equal",boolcheck if the what-to-check value exists, andregexpinterpreters the <value> as a regular expression.
  • what-to-check: this is the leaf key you want to check. It's in the form key:value, and this is actually the core of your rule.
  • level: level of risk
  • description: a description of the rule

Please notethat the rules are evaluated as AND at the moment.

Usage

» python pycfa.py
.______   ____    ____  ______  _______    ___      
|   _  \  \   \  /   / /      ||   ____|  /   \     
|  |_)  |  \   \/   / |  ,----'|  |__    /  ^  \    
|   ___/    \_    _/  |  |     |   __|  /  /_\  \   
|  |          |  |    |  `----.|  |    /  _____  \  
| _|          |__|     \______||__|   /__/     \__\ 
                                                    

version 0.1
by Davide Barbato
@DavBarbato
====================
usage: pycfa.py [-h] [-d DIRPATH | -f CFTEMPLATE] [-p CFPARAMS]
                [-r CUSTOM_RULE] [-j]

optional arguments:
  -h, --help            show this help message and exit
  -d DIRPATH, --dir DIRPATH
                        specify a directory
  -f CFTEMPLATE, --file CFTEMPLATE
                        a CF template file
  -p CFPARAMS, --parameters CFPARAMS
                        parameters file for the CF template
  -r CUSTOM_RULE, --rules CUSTOM_RULE
                        specify a custom rule file
  -j, --json            output in JSON format

Example

screen

Roadmap

  • Make it context aware to better correlate resources
  • Optimize code
  • Terraform support!!!! (thanks to json2hcl)
  • Add more rules
  • Better output (?)

About

CloudFormation templates security auditing tool

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages