CFRipper is a Python-based library and CLI security analyzer that functions as an AWS CloudFormation security scanning and audit tool. It aims to prevent vulnerabilities from reaching production infrastructure through vulnerable CloudFormation scripts.
You can use CFRipper to prevent deploying insecure AWS resources into your cloud environment. You can write your own compliance checks by adding new custom plugins.
CFRipper should be part of your CI/CD pipeline. It runs just before a CloudFormation stack is deployed or updated. If the CloudFormation script fails the security check, CFRipper fails the deployment and notifies the team that owns the stack. Rules are the heart of CFRipper: when CFRipper runs, the CloudFormation stack is checked against each rule and the results are combined.
Usage of CFRipper for CloudFormation Security Scanning
```
Usage: [OPTIONS] [TEMPLATES]...

  Analyse AWS Cloudformation templates passed by parameter. Exit codes:
  - 0 = all templates valid and scanned successfully
  - 1 = error / issue in scanning at least one template
  - 2 = at least one template is not valid according to CFRipper (template scanned successfully)
  - 3 = unknown / unhandled exception in scanning the templates

Options:
  --version                       Show the version and exit.
  --resolve / --no-resolve        Resolves cloudformation variables and intrinsic functions [default: False]
  --resolve-parameters FILENAME   JSON/YML file containing key-value pairs used for resolving CloudFormation files with templated parameters. For example, {"abc": "ABC"} will change all occurrences of {"Ref": "abc"} in the CloudFormation file to "ABC".
  --format [json|txt]             Output format [default: txt]
  --output-folder DIRECTORY       If not present, result will be sent to stdout
  --logging [ERROR|WARNING|INFO|DEBUG]
                                  Logging level [default: INFO]
  --rules-config-file FILENAME    Loads rules configuration file (type: [.py, .pyc])
  --rules-filters-folder DIRECTORY
                                  All files in the folder must be of type: [.py, .pyc]
  --aws-account-id TEXT           A 12-digit AWS account number eg. 123456789012
  --aws-principals TEXT           A comma-separated list of AWS principals eg.
                                  arn:aws:iam::123456789012:root,234567890123,
                                  arn:aws:iam::111222333444:user/user-name
  --help                          Show this message and exit.
```
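The pre-deployment gate described above, driven by the exit codes in the help text, as an added example that is not part of the original page or the CFRipper project. It assumes the scanner is on PATH as `cfripper`; the `CFRIPPER_BIN` and `REPORT_DIR` variables and both function names are hypothetical.

```shell
#!/bin/sh
# Added example: CI gate around the CFRipper CLI, run before a stack deploy/update.
# Assumptions (not from the page): the scanner is on PATH as "cfripper";
# CFRIPPER_BIN, REPORT_DIR and both function names are hypothetical.
CFRIPPER_BIN="${CFRIPPER_BIN:-cfripper}"
REPORT_DIR="${REPORT_DIR:-cfripper-reports}"

# Map a CFRipper exit code (see the help text) to a pipeline decision.
# Only 0 allows deployment; every other value fails closed.
gate_decision() {
  case "$1" in
    0) echo "deploy" ;;
    2) echo "block:policy-violation" ;;   # scan worked, a rule failed
    1) echo "block:scan-error" ;;         # a template could not be scanned
    3) echo "block:scanner-crash" ;;      # unhandled exception in the scanner
    *) echo "block:unexpected-exit-$1" ;; # e.g. 127 when the binary is missing
  esac
}

# Scan the given templates; return 0 only when the stack may be deployed.
scan_templates() {
  if [ "$#" -eq 0 ]; then
    # An empty file list must not count as a clean scan.
    echo "no templates supplied, refusing to pass the gate" >&2
    return 64
  fi
  mkdir -p "$REPORT_DIR" || return 70
  # JSON reports are written to REPORT_DIR so the pipeline can archive them
  # for the team that owns the stack.
  "$CFRIPPER_BIN" --format json --output-folder "$REPORT_DIR" "$@"
  gate_rc=$?
  gate_result="$(gate_decision "$gate_rc")"
  echo "cfripper exit=$gate_rc decision=$gate_result reports=$REPORT_DIR" >&2
  [ "$gate_result" = "deploy" ]
}

# Usage in a pipeline step (template paths are constructed examples):
#   scan_templates templates/network.yml templates/iam.yml || exit 1
```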
You can download CFRipper here:
Or read more here.