Library and CLI tool for analysing CloudFormation templates and check them for security compliance.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for aliceedwards from gravatar.com aliceedwards Avatar for ignaciobolonio from gravatar.com ignaciobolonio Avatar for jsoucheiron from gravatar.com jsoucheiron Avatar for msantamaria from gravatar.com msantamaria Avatar for skyscanner-security from gravatar.com skyscanner-security Avatar for w0rmr1d3r from gravatar.com w0rmr1d3r Avatar for x4vi_mendez from gravatar.com x4vi_mendez

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache License)
  • Author: Skyscanner Security
  • Tags security , cloudformation , aws , cli
  • Requires: Python >=3.10.0
  • Provides-Extra: dev , docs
Classifiers
Report project as malware

Project description

cfripper logo

CFRipper

Build Status PyPI version homebrew version License

CFRipper is a Library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.

Docs and more details available in https://cfripper.readthedocs.io/

CLI Usage

Normal execution

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
 - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'
 - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Valid: True

Using the "resolve" flag

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
 - FullWildcardPrincipalRule: rootRole should not allow full wildcard '*', or wildcard in account ID like 'arn:aws:iam::*:12345' at '*'
 - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
 - IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Monitored issues found:
 - PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
 - PartialWildcardPrincipalRule: rootRole should not allow wildcard, account-wide or root in resource-id like 'arn:aws:iam::12345:root' at 'arn:aws:iam::123456789012:root'

Using json format and output-folder argument

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json

Using rules config file

$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-config-file cfripper/config/rule_configs/example_rules_config_for_cli.py
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True

Using rules filters files

$ cfripper tests/test_templates/config/security_group_firehose_ips.json --rules-filters-folder cfripper/config/rule_configs/
example_rules_config_for_cli.py loaded
Analysing tests/test_templates/config/security_group_firehose_ips.json...
Valid: True

Exit Codes

"""
Analyse AWS Cloudformation templates passed by parameter.
Exit codes:
  - 0 = all templates valid and scanned successfully
  - 1 = error / issue in scanning at least one template
  - 2 = at least one template is not valid according to CFRipper (template scanned successfully)
  - 3 = unknown / unhandled exception in scanning the templates
"""

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for aliceedwards from gravatar.com aliceedwards Avatar for ignaciobolonio from gravatar.com ignaciobolonio Avatar for jsoucheiron from gravatar.com jsoucheiron Avatar for msantamaria from gravatar.com msantamaria Avatar for skyscanner-security from gravatar.com skyscanner-security Avatar for w0rmr1d3r from gravatar.com w0rmr1d3r Avatar for x4vi_mendez from gravatar.com x4vi_mendez

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache Software License (Apache License)
  • Author: Skyscanner Security
  • Tags security , cloudformation , aws , cli
  • Requires: Python >=3.10.0
  • Provides-Extra: dev , docs
Classifiers

Release history Release notifications | RSS feed

This version

1.19.0

1.18.0

1.17.2

1.17.1

1.17.0

1.16.0

1.15.7

1.15.6

1.15.5

1.15.4

1.15.3

1.15.2

1.15.1

1.15.0

1.14.0

1.13.2

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.0

1.8.0

1.7.1

1.7.0

1.6.0

1.5.3

1.5.2

1.5.1

1.5.0

1.4.2

1.4.1

1.4.0

1.3.3

1.3.2

1.3.1

1.3.0

1.2.2

1.2.1

1.2.0

1.1.2

1.1.1

1.1.0

1.0.9

1.0.8

1.0.7

1.0.6

1.0.5

1.0.4

1.0.3

1.0.2

1.0.1

1.0.0

0.23.3

0.23.2

0.23.1

0.23.0

0.22.0

0.21.1

0.21.0

0.20.1

0.20.0

0.19.2

0.19.1

0.19.0

0.18.1

0.18.0

0.17.1

0.17.0

0.16.0

0.15.0

0.14.2

0.14.1

0.14.0

0.13.0

0.12.1

0.12.0

0.11.3

0.11.2

0.11.1

0.11.0

0.10.2

0.10.1

0.10.0

0.9.1

0.9.0

0.8.1

0.8.0

0.7.2

0.7.1

0.7.0

0.6.1

0.6.0

0.5.0

0.4.0

0.3.3

0.3.2

0.3.1

0.2.2

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cfripper-1.19.0.tar.gz (215.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cfripper-1.19.0-py3-none-any.whl (77.0 kB view details)

Uploaded Python 3

File details

Details for the file cfripper-1.19.0.tar.gz.

File metadata

  • Download URL: cfripper-1.19.0.tar.gz
  • Upload date:
  • Size: 215.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cfripper-1.19.0.tar.gz
Algorithm Hash digest
SHA256 9b973e29ad884dd21408e652d5972b9860c8b3b490d0214b84989b641459073d
MD5 cb15771463f38b09f71d867f4be04c8f
BLAKE2b-256 150517d7f4ed22ad71c79c4d0c708101c3e72f643beb85ab70cb6a15e22aba17

See more details on using hashes here.

File details

Details for the file cfripper-1.19.0-py3-none-any.whl.

File metadata

  • Download URL: cfripper-1.19.0-py3-none-any.whl
  • Upload date:
  • Size: 77.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cfripper-1.19.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c76ad645faeedc5319bcc85ac5d1e71aac94122a6cbe23775f769e05c7e160a2
MD5 85598220c77e368782648cf22e1546d8
BLAKE2b-256 87584d79b528d02832b99ee91d95e60dd43751b739cd59f84c39484ff12094d5

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page