Library and CLI tool for analysing CloudFormation templates and check them for security compliance.

Project description

CFRipper

CFRipper is a Library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins.

Docs and more details available in https://cfripper.readthedocs.io/

CLI Usage

Normal execution

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
	- FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
	- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Valid: True

Using the "resolve" flag

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format txt --resolve
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
	- FullWildcardPrincipalRule: rootRole should not allow wildcards in principals (principal: '*')
	- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Valid: False
Issues found:
	- IAMRolesOverprivilegedRule: Role 'rootRole' contains an insecure permission '*' in policy 'root'
Monitored issues found:
	- PartialWildcardPrincipalRule: rootRole contains an unknown principal: 123456789012
	- PartialWildcardPrincipalRule: rootRole should not allow wildcard in principals or account-wide principals 
(principal: 'arn:aws:iam::123456789012:root')

Using json format and output-folder argument

$ cfripper /tmp/root.yaml /tmp/root_bypass.json --format json --resolve --output-folder /tmp
Analysing /tmp/root.yaml...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root.yaml.cfripper.results.json
Analysing /tmp/root_bypass.json...
Not adding CrossAccountTrustRule failure in rootRole because no AWS Account ID was found in the config.
Result saved in /tmp/root_bypass.json.cfripper.results.json

Project details

Release history Release notifications | RSS feed

1.19.1

Dec 23, 2025

1.19.0

Oct 20, 2025

1.18.0

Jul 15, 2025

1.17.2

May 14, 2025

1.17.1

May 6, 2025

1.17.0

Mar 3, 2025

1.16.0

Jul 18, 2024

1.15.7

Jun 11, 2024

1.15.6

Mar 4, 2024

1.15.5

Feb 26, 2024

1.15.4

Feb 13, 2024

1.15.3

Jan 16, 2024

1.15.2

Dec 4, 2023

1.15.1

Nov 21, 2023

1.15.0

Nov 20, 2023

1.14.0

Sep 27, 2023

1.13.2

Apr 20, 2023

1.13.1

Sep 23, 2022

1.13.0

Aug 17, 2022

1.12.0

Jun 1, 2022

1.11.0

May 30, 2022

1.10.0

May 23, 2022

1.9.0

Apr 19, 2022

1.8.0

Apr 6, 2022

1.7.1

Apr 1, 2022

1.7.0

Mar 23, 2022

1.6.0

Mar 17, 2022

1.5.3

Mar 16, 2022

1.5.2

Mar 14, 2022

1.5.1

Mar 7, 2022

1.5.0

Mar 3, 2022

1.4.2

Feb 28, 2022

1.4.1

Feb 25, 2022

1.4.0

Feb 21, 2022

1.3.3

Feb 9, 2022

1.3.2

Feb 9, 2022

1.3.1

Jan 19, 2022

1.3.0

Jan 17, 2022

1.2.2

Jan 7, 2022

1.2.1

Jan 4, 2022

1.2.0

Nov 3, 2021

1.1.2

Oct 7, 2021

1.1.1

Sep 30, 2021

1.1.0

Sep 22, 2021

1.0.9

Sep 10, 2021

1.0.8

Aug 19, 2021

1.0.7

Aug 16, 2021

1.0.6

Aug 10, 2021

1.0.5

Jul 29, 2021

1.0.4

Jun 3, 2021

1.0.3

Mar 30, 2021

1.0.2

Mar 26, 2021

1.0.1

Mar 25, 2021

1.0.0

Mar 16, 2021

0.23.3

Feb 15, 2021

0.23.2

Feb 4, 2021

0.23.1

Jan 26, 2021

0.23.0

Jan 21, 2021

0.22.0

Dec 11, 2020

0.21.1

Dec 9, 2020

0.21.0

Dec 1, 2020

0.20.1

Oct 26, 2020

0.20.0

Oct 1, 2020

0.19.2

Sep 16, 2020

0.19.1

Sep 2, 2020

0.19.0

May 21, 2020

0.18.1

Apr 14, 2020

0.18.0

Apr 7, 2020

0.17.1

Mar 30, 2020

This version

0.17.0

Mar 27, 2020

0.16.0

Mar 27, 2020

0.15.0

Mar 25, 2020

0.14.2

Mar 4, 2020

0.14.1

Feb 25, 2020

0.14.0

Feb 7, 2020

0.13.0

Jan 22, 2020

0.12.1

Jan 9, 2020

0.12.0

Jan 8, 2020

0.11.3

Dec 17, 2019

0.11.2

Nov 26, 2019

0.11.1

Nov 25, 2019

0.11.0

Nov 21, 2019

0.10.2

Nov 20, 2019

0.10.1

Nov 14, 2019

0.10.0

Nov 8, 2019

0.9.1

Oct 30, 2019

0.9.0

Oct 25, 2019

0.8.1

Oct 24, 2019

0.8.0

Oct 24, 2019

0.7.2

Oct 17, 2019

0.7.1

Oct 8, 2019

0.7.0

Sep 25, 2019

0.6.1

Sep 4, 2019

0.6.0

Sep 3, 2019

0.5.0

Apr 17, 2019

0.4.0

Jan 29, 2019

0.3.3

Jan 28, 2019

0.3.2

Jan 25, 2019

0.3.1

Jan 18, 2019

0.2.2

Sep 3, 2018

0.1.1

Aug 8, 2018

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cfripper-0.17.0.tar.gz (25.6 kB view details)

Uploaded Mar 27, 2020 Source

File details

Details for the file cfripper-0.17.0.tar.gz.

File metadata

Download URL: cfripper-0.17.0.tar.gz
Upload date: Mar 27, 2020
Size: 25.6 kB
Tags: Source
Uploaded using Trusted Publishing? No
Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/46.1.3 requests-toolbelt/0.9.1 tqdm/4.43.0 CPython/3.7.1

File hashes

Hashes for cfripper-0.17.0.tar.gz
Algorithm	Hash digest
SHA256	`2adaa904125c7f4dfa467258cedc9fc8d3a9056deb871401d4da6b866b53beac`
MD5	`f71c3527085b72fc93417632773500ba`
BLAKE2b-256	`19c899ff0f5e9bcf27aea91856aca3726f20722142fc3f8f6fb1059a3684f7fa`

See more details on using hashes here.

cfripper 0.17.0

Navigation

Verified details

Maintainers

Unverified details

Project links

Meta