
Checks AWS CloudFormation templates for security, reliability and conformity


AWS CloudFormation Checker

Checks can guarantee high security, reliability and conformity of your CloudFormation templates. We provide a set of default checks that you can use to validate your templates.

CLI usage

install the module globally

npm install aws-cf-checker -g

reading template from file

cf-checker --templateFile ./path/to/template.json

cf-checker --templateFile ./path/to/template.json --checksFile ./path/to/checks.json

reading template from stdin

cat ./path/to/template.json | cf-checker

cat ./path/to/template.json | cf-checker --checksFile ./path/to/checks.json

as long as the exit code is 0 your template is fine

Programmatic usage

install the module locally

npm install aws-cf-checker

reading template from file

var checker = require("aws-cf-checker")

checker.checkFile("./path/to/template.json", {"logicalID": {}}, function(err, findings) {
  if (err) {
    throw err;
  } else {
    if (findings.length > 0) {
      console.error("findings", findings);
    } else {
      console.log("no findings");
    }
  }
});

using a template object

var checker = require("aws-cf-checker")

var template = {
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "minimal template"
};
checker.checkTemplate(template, {"logicalID": {}}, function(err, findings) {
  if (err) {
    throw err;
  } else {
    if (findings.length > 0) {
      console.error("findings", findings);
    } else {
      console.log("no findings");
    }
  }
});

as long as the findings array is empty your template is fine

Checks

Checks are configured with a JSON file. Have a look at our default checks.

logicalID

Checks the logical IDs of your template.

Options: (Object)

  • case: (Enum["pascal", "camel"] default: "pascal")

resourceType

Checks if the resource types are allowed in the template. Wildcard * is supported.

By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

Options: (Object)

  • deny: (Array[String]) (blacklist, wildcard * can be used)
  • allow: (Array[String]) (whitelist, wildcard * can be used)

securityGroupInbound

Checks that only security groups attached to:

  • AWS::ElasticLoadBalancing::LoadBalancer (external)

allow traffic from public IP addresses.

Security groups attached to:

  • AWS::ElasticLoadBalancing::LoadBalancer (internal)
  • AWS::AutoScaling::LaunchConfiguration
  • AWS::EC2::NetworkInterface
  • AWS::EC2::Instance
  • AWS::EC2::SpotFleet
  • AWS::RDS::DBInstance
  • AWS::RDS::DBCluster
  • AWS::Redshift::Cluster
  • AWS::ElastiCache::CacheCluster
  • AWS::ElastiCache::ReplicationGroup
  • AWS::EFS::MountTarget
  • AWS::OpsWorks::Layer

should only allow inbound traffic from other security groups or private IP addresses.

Assumes that your account only supports the EC2 platform EC2-VPC.

Options: (Object)

none
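The rule above, worked through on a constructed template as an added example (this is not aws-cf-checker's own implementation, whose exact logic the README does not show). A CIDR is treated as private only when a single RFC 1918 range contains the whole block, so 0.0.0.0/0 and an over-wide 10.0.0.0/7 both count as public; a security group that admits any public CIDR yields a finding for every resource that references it through Ref and is not an internet-facing classic load balancer. The helper names, the attachment-by-Ref heuristic and the sample resources are all assumptions of the example; standalone AWS::EC2::SecurityGroupIngress resources and Fn::GetAtt references are not examined.

```javascript
// Added example, not aws-cf-checker's own implementation: a simplified
// securityGroupInbound check over an in-memory CloudFormation template.

// RFC 1918 ranges as [network, prefix length].
const PRIVATE_RANGES = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Dotted-quad IPv4 address -> unsigned 32-bit integer.
function ipToInt(ip) {
  const octets = ip.split(".").map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error("invalid IPv4 address: " + ip);
  }
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// Keep only the top `prefix` bits of an address.
function networkOf(ipInt, prefix) {
  if (prefix === 0) return 0;
  return (ipInt & ((0xFFFFFFFF << (32 - prefix)) >>> 0)) >>> 0;
}

// "a.b.c.d/n" (a bare address is read as /32) is private when one RFC 1918
// range contains the whole block; 0.0.0.0/0 and 10.0.0.0/7 are therefore public.
function isPrivateCidr(cidr) {
  const [ip, prefixPart] = cidr.split("/");
  const prefix = prefixPart === undefined ? 32 : Number(prefixPart);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
    throw new Error("invalid prefix length in " + cidr);
  }
  const ipInt = ipToInt(ip);
  return PRIVATE_RANGES.some(([net, netPrefix]) =>
    prefix >= netPrefix && networkOf(ipInt, netPrefix) === networkOf(ipToInt(net), netPrefix));
}

// Every logical id referenced through {"Ref": ...} anywhere below `value`.
function collectRefs(value, out = new Set()) {
  if (Array.isArray(value)) {
    value.forEach(v => collectRefs(v, out));
  } else if (value && typeof value === "object") {
    if (typeof value.Ref === "string") out.add(value.Ref);
    else Object.values(value).forEach(v => collectRefs(v, out));
  }
  return out;
}

// A classic load balancer without Scheme "internal" is internet-facing.
function isExternalLoadBalancer(resource) {
  return resource.Type === "AWS::ElasticLoadBalancing::LoadBalancer" &&
    (resource.Properties || {}).Scheme !== "internal";
}

// One finding per pair (security group with a public ingress CIDR, referencing
// resource that is not an external load balancer). Only inline
// SecurityGroupIngress rules and Ref-based attachments are examined.
function checkSecurityGroupInbound(template) {
  const resources = template.Resources || {};
  const findings = [];
  for (const [sgId, sg] of Object.entries(resources)) {
    if (sg.Type !== "AWS::EC2::SecurityGroup") continue;
    const rules = (sg.Properties || {}).SecurityGroupIngress || [];
    const publicCidrs = rules
      .filter(r => typeof r.CidrIp === "string" && !isPrivateCidr(r.CidrIp))
      .map(r => r.CidrIp);
    if (publicCidrs.length === 0) continue;
    for (const [userId, user] of Object.entries(resources)) {
      // Other security groups only name this one as a traffic source, not an attachment.
      if (userId === sgId || user.Type === "AWS::EC2::SecurityGroup") continue;
      if (!collectRefs(user.Properties).has(sgId) || isExternalLoadBalancer(user)) continue;
      findings.push({ securityGroup: sgId, attachedTo: userId, type: user.Type, cidrs: publicCidrs });
    }
  }
  return findings;
}

// Constructed sample template: the load balancer may face the internet, but the
// application instance's group also admits SSH from anywhere.
const SAMPLE_TEMPLATE = {
  AWSTemplateFormatVersion: "2010-09-09",
  Resources: {
    LbSg: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "lb",
      SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "0.0.0.0/0" }] } },
    Lb: { Type: "AWS::ElasticLoadBalancing::LoadBalancer", Properties: {
      Listeners: [], SecurityGroups: [{ Ref: "LbSg" }] } },
    AppSg: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "app",
      SecurityGroupIngress: [
        { IpProtocol: "tcp", FromPort: 8080, ToPort: 8080, SourceSecurityGroupId: { Ref: "LbSg" } },
        { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" }] } },
    AppInstance: { Type: "AWS::EC2::Instance", Properties: {
      ImageId: "ami-EXAMPLE", SecurityGroupIds: [{ Ref: "AppSg" }] } },
    DbSg: { Type: "AWS::EC2::SecurityGroup", Properties: { GroupDescription: "db",
      SecurityGroupIngress: [{ IpProtocol: "tcp", FromPort: 5432, ToPort: 5432, CidrIp: "10.0.0.0/16" }] } },
    Db: { Type: "AWS::RDS::DBInstance", Properties: {
      Engine: "postgres", VPCSecurityGroups: [{ Ref: "DbSg" }] } }
  }
};

// One finding: AppSg (0.0.0.0/0) attached to AppInstance.
console.log(JSON.stringify(checkSecurityGroupInbound(SAMPLE_TEMPLATE), null, 2));
```

Running it against the sample reports only AppSg via AppInstance: LbSg is public but referenced solely by the external load balancer, and DbSg admits a private /16 only.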

iamInlinePolicy

Checks IAM Users, Groups and Roles for inline policies.

Options: (Boolean)

  • true := inline policies are allowed
  • false := inline policies are denied

iamPolicy

Checks allowed actions and resources of IAM policy statements. Wildcard * is supported.

A statement with NotAction is a finding. A statement with Effect != Allow is skipped.

By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

Options: (Object)

  • allow: (Array[Object]) List of allowed actions & resources (whitelist)
      • action: (String | Array[String]) IAM action (wildcard * can be used)
      • resource: (String | Array[String]) IAM resource (wildcard * can be used)
  • deny: (Array[Object]) List of denied actions & resources (blacklist)
      • action: (String | Array[String]) IAM action (wildcard * can be used)
      • resource: (String | Array[String]) IAM resource (wildcard * can be used)
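The allow/deny semantics described for resourceType and for iamPolicy share one evaluation rule (explicit deny beats allow, and anything unmatched is implicitly denied), so both are worked through here in a single added example that is not aws-cf-checker's own code. Option patterns may contain the wildcard "*"; template values are compared literally, so a statement action of "iam:*" is matched as the five-character string. The function names, the sample template and the option objects are constructed for the example; the same matcher is what the managed policy ARN lists of iamManagedPolicy need.

```javascript
// Added example, not aws-cf-checker's own code: resourceType and iamPolicy
// evaluated with "*" wildcards, implicit deny and explicit deny.

// "AWS::EC2::*" or "s3:Get*" -> anchored RegExp; every other character is literal.
function wildcardToRegExp(pattern) {
  const parts = pattern.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$");
}

function matchesAny(patterns, value) {
  return (patterns || []).some(p => wildcardToRegExp(p).test(value));
}

// Decision order: explicit deny, then allow, otherwise implicit deny.
function isPermitted(value, allow, deny) {
  if (matchesAny(deny, value)) return false;
  return matchesAny(allow, value);
}

// resourceType: one finding per resource whose Type is not permitted.
function checkResourceType(template, options) {
  return Object.entries(template.Resources || {})
    .filter(([, r]) => !isPermitted(r.Type, options.allow, options.deny))
    .map(([id, r]) => ({ check: "resourceType", logicalId: id, type: r.Type }));
}

const asArray = v => (Array.isArray(v) ? v : [v]);

// Does any {action, resource} rule cover this (action, resource) pair?
function ruleCovers(rules, action, resource) {
  return (rules || []).some(rule =>
    matchesAny(asArray(rule.action), action) && matchesAny(asArray(rule.resource), resource));
}

// iamPolicy over one policy document: Effect != Allow is skipped, NotAction is a
// finding, and every (action, resource) pair must be allowed and not denied.
function checkPolicyDocument(doc, options) {
  const findings = [];
  asArray(doc.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    if (stmt.NotAction !== undefined) {
      findings.push({ statement: i, reason: "NotAction" });
      return;
    }
    for (const action of asArray(stmt.Action)) {
      for (const resource of asArray(stmt.Resource)) {
        if (ruleCovers(options.deny, action, resource) || !ruleCovers(options.allow, action, resource)) {
          findings.push({ statement: i, action, resource });
        }
      }
    }
  });
  return findings;
}

// Gather documents from AWS::IAM::Policy resources and from the inline Policies
// of users, groups and roles, then check each one.
function checkIamPolicy(template, options) {
  const findings = [];
  for (const [id, r] of Object.entries(template.Resources || {})) {
    const props = r.Properties || {};
    const docs = [];
    if (r.Type === "AWS::IAM::Policy" && props.PolicyDocument) docs.push(props.PolicyDocument);
    if (["AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role"].includes(r.Type)) {
      (props.Policies || []).forEach(p => docs.push(p.PolicyDocument));
    }
    for (const doc of docs) {
      for (const f of checkPolicyDocument(doc, options)) {
        findings.push(Object.assign({ check: "iamPolicy", logicalId: id }, f));
      }
    }
  }
  return findings;
}

// Constructed sample template and options (not from the project).
const SAMPLE_TEMPLATE = {
  AWSTemplateFormatVersion: "2010-09-09",
  Resources: {
    AppRole: { Type: "AWS::IAM::Role", Properties: {
      AssumeRolePolicyDocument: { Statement: [] },
      Policies: [{ PolicyName: "app", PolicyDocument: { Statement: [
        { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: "arn:aws:s3:::app-bucket/*" },
        { Effect: "Allow", Action: "iam:*", Resource: "*" },
        { Effect: "Deny", Action: "s3:DeleteBucket", Resource: "*" }
      ] } }] } },
    AdminPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyName: "admin", Roles: [{ Ref: "AppRole" }],
      PolicyDocument: { Statement: [{ Effect: "Allow", NotAction: "iam:*", Resource: "*" }] } } },
    Bucket: { Type: "AWS::S3::Bucket" },
    Queue: { Type: "AWS::SQS::Queue" }
  }
};
const RESOURCE_TYPE_OPTIONS = { allow: ["AWS::*"], deny: ["AWS::SQS::*"] };
const IAM_POLICY_OPTIONS = {
  allow: [{ action: "s3:*", resource: "arn:aws:s3:::app-bucket*" }],
  deny: [{ action: "s3:PutObject", resource: "*" }]
};

console.log(checkResourceType(SAMPLE_TEMPLATE, RESOURCE_TYPE_OPTIONS)); // one finding: Queue
console.log(checkIamPolicy(SAMPLE_TEMPLATE, IAM_POLICY_OPTIONS));       // three findings
```

On the sample, Queue is the only resourceType finding (allowed by "AWS::*", then explicitly denied). iamPolicy reports three: s3:PutObject on the bucket (explicitly denied), "iam:*" on "*" (no allow entry matches it) and the NotAction statement in AdminPolicy; the Deny statement for s3:DeleteBucket is skipped and s3:GetObject passes.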

iamManagedPolicy

Checks IAM Users, Groups and Roles for managed policy attachments. Wildcard * is supported.

Options: (Object)

  • allow: (Array[String]) List of allowed ARNs (whitelist, wildcard * can be used)
  • deny: (Array[String]) List of denied ARNs (blacklist, wildcard * can be used)