[Hands-on] I tried out "cfn-nag", the tool introduced in "Security Anti-Patterns: Mistakes to Avoid" #reinvent #fsv301
Introduction
This is Nakayama (Jun).
A tool called cfn-nag was introduced in session FSV301.
It looked pretty interesting, so I gave it a quick try.
My colleague Toyosaki has already posted a report on FSV301, so please have a look!
[Report] How to avoid mistakes by learning from security anti-patterns #reinvent #FSV301
Overview
What kind of tool is it?
It is published on GitHub.
It is a tool that detects patterns in CloudFormation templates that are bad from a security standpoint.
Background
The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure. Roughly speaking it will look for:
- IAM rules that are too permissive (wildcards)
- Security group rules that are too permissive (wildcards)
- Access logs that aren't enabled
- Encryption that isn't enabled
What does it check?
You can list the rules that are checked by default with the following command.
It also appears that you can define rules of your own.
cfn_nag_rules
WARNING VIOLATIONS:
W1 Specifying credentials in the template itself is probably not the safest thing
W2 Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB
W5 Security Groups found with cidr open to world on egress
W9 Security Groups found with ingress cidr that is not /32
W10 CloudFront Distribution should enable access logging
W11 IAM role should not allow * resource on its permissions policy
W12 IAM policy should not allow * resource
W13 IAM managed policy should not allow * resource
W14 IAM role should not allow Allow+NotAction on trust permissions
W15 IAM role should not allow Allow+NotAction
W16 IAM policy should not allow Allow+NotAction
W17 IAM managed policy should not allow Allow+NotAction
W18 SQS Queue policy should not allow Allow+NotAction
W19 SNS Topic policy should not allow Allow+NotAction
W20 S3 Bucket policy should not allow Allow+NotAction
W21 IAM role should not allow Allow+NotResource
W22 IAM policy should not allow Allow+NotResource
W23 IAM managed policy should not allow Allow+NotResource
W24 Lambda permission beside InvokeFunction might not be what you want? Not sure!?
W26 Elastic Load Balancer should have access logging enabled
W27 Security Groups found ingress with port range instead of just a single port
W29 Security Groups found egress with port range instead of just a single port
W31 S3 Bucket likely should not have a public read acl

FAILING VIOLATIONS:
F1 EBS volume should have server-side encryption enabled
F2 IAM role should not allow * action on its trust policy
F3 IAM role should not allow * action on its permissions policy
F4 IAM policy should not allow * action
F5 IAM managed policy should not allow * action
F6 IAM role should not allow Allow+NotPrincipal in its trust policy
F7 SQS Queue policy should not allow Allow+NotPrincipal
F8 SNS Topic policy should not allow Allow+NotPrincipal
F9 S3 Bucket policy should not allow Allow+NotPrincipal
F10 IAM user should not have any inline policies. Should be centralized Policy object on group
F11 IAM policy should not apply directly to users. Should be on group
F12 IAM managed policy should not apply directly to users. Should be on group
F13 Lambda permission principal should not be wildcard
F14 S3 Bucket should not have a public read-write acl
F15 S3 Bucket policy should not allow * action
F16 S3 Bucket policy should not allow * principal
F18 SNS topic policy should not allow * principal
F20 SQS Queue policy should not allow * action
F21 SQS Queue policy should not allow * principal
F665 WebAcl DefaultAction should not be ALLOW
F1000 Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration
F2000 User is not assigned to a group
Creating a template to scan
As a test, I will write a CloudFormation template that is wide open from a security standpoint.
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template for cfn-nag
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: TestBucket
  BucketPolicy:
    Type: "AWS::S3::BucketPolicy"
    Properties:
      Bucket:
        Ref: "S3Bucket"
      PolicyDocument:
        Statement:
          - Action:
              - "s3:*"
            Effect: "Allow"
            Resource: "*"
            Principal: "*"
Here is the result of actually running the scan.
cfn_nag_scan --input-path xxxxxx.yml
------------------------------------------------------------
cfn-nag.yml
------------------------------------------------------------------------------------------------------------------------
| FAIL F15
|
| Resources: ["BucketPolicy"]
|
| S3 Bucket policy should not allow * action
------------------------------------------------------------
| FAIL F16
|
| Resources: ["BucketPolicy"]
|
| S3 Bucket policy should not allow * principal

Failures count: 2
Warnings count: 0
It caught them!
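To make the two findings above concrete, here is an added example (my own code, not cfn-nag's) that re-implements the idea behind F15 and F16, plus the related W20 (Allow+NotAction) and F9 (Allow+NotPrincipal), in Python over the same wide-open bucket policy written as a JSON template, and then runs the same checks against a hardened policy that passes. Only the rule IDs and rule texts come from the cfn_nag_rules listing above; the matching logic, the account ID 123456789012 and the role name ReportReader are assumptions for illustration.

```python
"""Toy re-implementation of the S3 bucket policy checks that fired above.

Added example, not cfn-nag's code: the matching below is my own
approximation of what rules F15/F16 (wildcard action / principal) and
W20/F9 (Allow + NotAction / NotPrincipal) look for. Rule IDs and texts
are taken from the `cfn_nag_rules` listing; everything else is assumed.
"""
import json

RULE_TEXT = {
    "F15": "S3 Bucket policy should not allow * action",
    "F16": "S3 Bucket policy should not allow * principal",
    "W20": "S3 Bucket policy should not allow Allow+NotAction",
    "F9": "S3 Bucket policy should not allow Allow+NotPrincipal",
}

# Constructed input: the wide-open template from the post, as JSON
# (CloudFormation accepts JSON as well as YAML).
OPEN_TEMPLATE = json.loads(r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket"},
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "S3Bucket"},
        "PolicyDocument": {
          "Statement": [
            {"Action": ["s3:*"], "Effect": "Allow",
             "Resource": "*", "Principal": "*"}
          ]
        }
      }
    }
  }
}
""")

# Constructed input: the same bucket with a policy that passes these checks:
# one action, one principal, the bucket's own objects. Account ID and role
# name are hypothetical.
HARDENED_TEMPLATE = json.loads(r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket"},
    "BucketPolicy": {
      "Type": "AWS::S3::BucketPolicy",
      "Properties": {
        "Bucket": {"Ref": "S3Bucket"},
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {"Sid": "ReadOnlyForOneRole",
             "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportReader"},
             "Action": "s3:GetObject",
             "Resource": {"Fn::Sub": "arn:aws:s3:::${S3Bucket}/*"}}
          ]
        }
      }
    }
  }
}
""")


def as_list(value):
    """IAM accepts a scalar or a list for Statement/Action/Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_wildcard_action(statement):
    # Bare "*" and service-level "s3:*" both count, matching what F15 flagged above.
    return any(a == "*" or a.endswith(":*") for a in as_list(statement.get("Action")))


def has_wildcard_principal(statement):
    principal = statement.get("Principal")
    if principal == "*":
        return True
    # {"AWS": "*"} is the same thing spelled differently.
    return isinstance(principal, dict) and any(
        "*" in as_list(v) for v in principal.values())


def bucket_policy_violations(template):
    """Return sorted (rule_id, logical_id) pairs for AWS::S3::BucketPolicy resources."""
    findings = set()
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::BucketPolicy":
            continue
        doc = resource.get("Properties", {}).get("PolicyDocument", {})
        for stmt in as_list(doc.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue  # a Deny with wildcards is not a finding
            if has_wildcard_action(stmt):
                findings.add(("F15", logical_id))
            if has_wildcard_principal(stmt):
                findings.add(("F16", logical_id))
            if "NotAction" in stmt:
                findings.add(("W20", logical_id))
            if "NotPrincipal" in stmt:
                findings.add(("F9", logical_id))
    return sorted(findings)


def summarize(findings):
    """Split findings into (failures, warnings): F-rules fail, W-rules warn."""
    failures = sum(1 for rule_id, _ in findings if rule_id.startswith("F"))
    return failures, len(findings) - failures


if __name__ == "__main__":
    for name, template in (("open", OPEN_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        findings = bucket_policy_violations(template)
        for rule_id, logical_id in findings:
            print(f"[{name}] {rule_id} {logical_id}: {RULE_TEXT[rule_id]}")
        failures, warnings = summarize(findings)
        print(f"[{name}] Failures count: {failures}  Warnings count: {warnings}")
```

Running it reports F15 and F16 against BucketPolicy for the open template (Failures count: 2, Warnings count: 0, the same result as the cfn_nag_scan run above) and nothing for the hardened one. Note that only statements with Effect: Allow are examined; a Deny that uses wildcards is a common and legitimate pattern.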
Summary
Discovering handy tools like this is one of the nice things about events.
The approach of detecting problems in resources that already exist, as Config Rules does, is good,
but I think the approach this tool takes, checking before resources are created so that problems are prevented up front, is also important.
In any case, operations that rely on people tend to lead to accidents, so let's make use of tools like this and aim for operations that are both easy and safe.
And above all, when you find a good tool, try it out first! (A note to myself as well.)