fluidasserts.cloud.aws.cloudformation.ec2 module

AWS CloudFormation checks for EC2 (Elastic Compute Cloud).

Some rules were taken from cfn_nag; their cfn_nag rule ids (F1000, W2, ...) are quoted with each check.

fluidasserts.cloud.aws.cloudformation.ec2.allows_all_outbound_traffic(path, exclude=None)

Check if any EC2::SecurityGroup allows all outbound traffic.

The following checks are performed:

  • F1000 Missing egress rule means all traffic is allowed outbound; make this explicit if it is the desired configuration.

When you specify a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location.

The default rule is removed only when you specify one or more egress rules in the SecurityGroupEgress property.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_not_an_iam_instance_profile(path, exclude=None)

Verify if EC2::Instance uses an IamInstanceProfile.

EC2 instances need credentials to access other AWS services.

An IAM role attached to the instance provides these credentials in a secure way: you do not have to manage or embed long-lived keys, because the role supplies temporary credentials that are rotated automatically.

See: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the instance does not have an IamInstanceProfile attached.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_not_termination_protection(path, exclude=None)

Verify if EC2::Instance does not have termination protection enabled.

By default EC2 Instances can be terminated using the Amazon EC2 console, CLI, or API.

This is not desirable: terminated instances disappear from the account after a short time, personnel may take the service down unintentionally, and volumes attached to the instance (those with DeleteOnTermination set, which is the default for the root volume) are deleted with it and their data lost.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the instance does not have the DisableApiTermination parameter set to true.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_open_all_ports_to_the_public(path, exclude=None)

Check if any security group has all ports or all protocols open to the public (an ingress rule with IpProtocol -1 or a full port range reachable from 0.0.0.0/0 or ::/0).

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_security_groups_ip_ranges_in_rfc1918(path, exclude=None)

Check if inbound rules allow access from the private IP address ranges specified in RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16).

Using RFC 1918 CIDRs within your EC2 security groups allows an entire private network to reach the EC2 instances. Restrict access to only those private IP addresses that require it, in order to implement the principle of least privilege.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_terminate_shutdown_behavior(path, exclude=None)

Verify if EC2::LaunchTemplate has Terminate as Shutdown Behavior.

If InstanceInitiatedShutdownBehavior is set to terminate, a shutdown command issued from inside the operating system terminates the instance instead of stopping it (stop is the default).

This is not desirable: terminated instances disappear from the account after a short time, personnel may take the service down unintentionally with a routine shutdown, and volumes attached to the instance may be deleted with it and their data lost.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the launch template has the InstanceInitiatedShutdownBehavior attribute set to terminate.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unencrypted_volumes(path, exclude=None)

Verify if any EC2::Volume lacks the Encrypted attribute set to true. Account-level EBS encryption by default is not visible in a template, so a volume that omits Encrypted is still reported.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the volume is not encrypted.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_cidrs(path, exclude=None)

Check if any EC2::SecurityGroup has 0.0.0.0/0 or ::/0 CIDRs.

The following checks are performed:

  • W2 Security Groups found with cidr open to world on ingress

  • W5 Security Groups found with cidr open to world on egress

  • W9 Security Groups found with ingress cidr that is not /32

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_dns_access(path, exclude=None)

Check if any inbound rule allows unrestricted access to port 53.

TCP and UDP port 53 are used by the Domain Name System during name resolution. Restrict access to TCP and UDP port 53 to only those IP addresses that require it, to implement the principle of least privilege and reduce the attack surface.

Leaving DNS open to the world exposes the resolver to denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks and, if it answers recursive queries, lets it be abused as a reflector in amplification attacks.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_ftp_access(path, exclude=None)

Check if any security group allows unrestricted access to TCP ports 20 and 21.

TCP ports 20 and 21 are used for data transfer and control by File Transfer Protocol (FTP) client-server applications, which exchange credentials and data in cleartext. Restrict access to TCP ports 20 and 21 to only those IP addresses that require it, in order to implement the principle of least privilege.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_ip_protocols(path, exclude=None)

Avoid EC2::SecurityGroup ingress/egress rules with IpProtocol set to -1 (any protocol).

The following checks are performed:

  • W40 Security Groups egress with an IpProtocol of -1 found

  • W42 Security Groups ingress with an ipProtocol of -1 found

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_ports(path, exclude=None)

Avoid EC2::SecurityGroup ingress/egress rules that open a range of ports (FromPort different from ToPort) instead of a single port.

The following checks are performed:

  • W27 Security Groups found ingress with port range instead of just a single port

  • W29 Security Groups found egress with port range instead of just a single port

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.is_associate_public_ip_address_enabled(path, exclude=None)

Verify if EC2::Instance has NetworkInterfaces with public IPs.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any entry of the instance’s NetworkInterfaces attribute has AssociatePublicIpAddress set to true.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.security_group_allows_anyone_to_admin_ports(path, exclude=None)

Check if any EC2::SecurityGroup allows connections from the internet (0.0.0.0/0 or ::/0) to administrative ports such as SSH (TCP 22) or RDP (TCP 3389).

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
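The security-group checks above (allows_all_outbound_traffic, has_open_all_ports_to_the_public, has_security_groups_ip_ranges_in_rfc1918, has_unrestricted_cidrs, has_unrestricted_dns_access, has_unrestricted_ftp_access, has_unrestricted_ip_protocols, has_unrestricted_ports and security_group_allows_anyone_to_admin_ports) all reduce to walking every ingress and egress rule of every AWS::EC2::SecurityGroup and matching on CIDR, protocol and port range. The script below is an added example of that walk, not fluidasserts code: it reads the template in CloudFormation's JSON form (so no YAML loader or intrinsic-function handling is needed), also picks up standalone AWS::EC2::SecurityGroupIngress/Egress resources attached by Ref, and labels findings with the cfn_nag ids quoted above where one exists. The sample template, the ADMIN_PORTS set and the SERVICES table are constructed assumptions, not the library's own data.

```python
"""Security-group rule checks over a CloudFormation template.

Added example, not fluidasserts code.  The template is read as JSON so only the
standard library is needed; SAMPLE_TEMPLATE, ADMIN_PORTS and SERVICES are
constructed assumptions rather than the library's own data."""
import ipaddress
import json

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}                               # SSH, RDP (assumed admin port list)
SERVICES = {"dns-open": ((53, 53), {"tcp", "udp"}),    # has_unrestricted_dns_access
            "ftp-open": ((20, 21), {"tcp"})}           # has_unrestricted_ftp_access

SAMPLE_TEMPLATE = json.dumps({"Resources": {         # constructed sample template
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",                # no SecurityGroupEgress: F1000
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "::/0"},
            {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "CidrIp": "0.0.0.0/0"}]}},
    "DbSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "db tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "CidrIp": "10.0.0.0/8"}],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    # standalone rule resource attached to DbSg by Ref, as CloudFormation allows
    "DbFtp": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "DbSg"}, "IpProtocol": "tcp",
        "FromPort": 20, "ToPort": 21, "CidrIp": "0.0.0.0/0"}}}})


def load_rules(template_text):
    """Flatten inline and standalone rules into dicts carrying 'sg' and 'direction'."""
    rules, groups = [], set()
    for name, res in json.loads(template_text)["Resources"].items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::SecurityGroup":
            groups.add(name)
            for direction in ("Ingress", "Egress"):
                for rule in props.get("SecurityGroup" + direction, []):
                    rules.append({"sg": name, "direction": direction.lower(), **rule})
        elif res["Type"] in ("AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress"):
            target = props.get("GroupId", props.get("GroupName"))
            sg = target.get("Ref") if isinstance(target, dict) else target
            direction = res["Type"].split("SecurityGroup")[1].lower()
            rules.append({"sg": sg, "direction": direction, **props})
    return rules, groups


def missing_egress(template_text):
    """F1000: groups with no egress rule at all; AWS then allows all outbound traffic."""
    rules, groups = load_rules(template_text)
    return sorted(groups - {r["sg"] for r in rules if r["direction"] == "egress"})


def is_world(rule):
    return rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"


def port_range(rule):
    """Ports a rule covers; protocol -1 (or absent ports) means every port."""
    if str(rule.get("IpProtocol")) == "-1":
        return 0, 65535
    return int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))


def findings(template_text):
    """Return sorted, de-duplicated (security group, rule id) pairs."""
    out = set()
    for r in load_rules(template_text)[0]:
        sg, ingress, proto = r["sg"], r["direction"] == "ingress", str(r.get("IpProtocol"))
        lo, hi = port_range(r)
        cidr = r.get("CidrIp")                         # intrinsic functions (dicts) are skipped
        net = ipaddress.ip_network(cidr, strict=False) if isinstance(cidr, str) else None
        if is_world(r):                                # W2 / W5: open to the world
            out.add((sg, "W2" if ingress else "W5"))
        if proto == "-1":                              # W42 / W40: any protocol
            out.add((sg, "W42" if ingress else "W40"))
        elif lo != hi:                                 # W27 / W29: port range (-1 already reported)
            out.add((sg, "W27" if ingress else "W29"))
        if ingress and net is not None and net.prefixlen < 32:
            out.add((sg, "W9"))                        # ingress CIDR wider than a single host
        if ingress and net is not None and any(net.subnet_of(n) for n in RFC1918):
            out.add((sg, "rfc1918"))
        if ingress and is_world(r):
            if proto in ("-1", "tcp") and any(lo <= p <= hi for p in ADMIN_PORTS):
                out.add((sg, "admin-port-open"))
            for rule_id, ((slo, shi), protos) in SERVICES.items():
                if (proto == "-1" or proto in protos) and lo <= shi and slo <= hi:
                    out.add((sg, rule_id))         # rule's port range overlaps the service
    return sorted(out)


if __name__ == "__main__":
    print("missing egress (F1000):", missing_egress(SAMPLE_TEMPLATE))
    for sg, rule_id in findings(SAMPLE_TEMPLATE):
        print(f"{sg}: {rule_id}")
```

Running it reports WebSg as the only group missing an egress rule (F1000), a W2 and W9 finding for each world-open IPv4 ingress rule, the standalone FTP rule under DbSg as W2/W27/ftp-open, and the -1 egress rule as W5/W40 rather than W29, since the absent port range is implied by the protocol. Templates written in YAML with short-form tags (!Ref, !GetAtt) need a loader that understands those tags before this walk can be applied to them.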

fluidasserts.cloud.aws.cloudformation.ec2.uses_default_security_group(path, exclude=None)

Verify if EC2 instances do not have security groups explicitly set.

By default, EC2 Instances that do not specify SecurityGroups or SecurityGroupIds are launched with the VPC’s default security group, which allows all outbound traffic and all inbound traffic from other members of that same group.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the instance has neither the SecurityGroups nor the SecurityGroupIds parameter set, either in the LaunchTemplate or in the Instance entity.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
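The instance-level checks (has_not_an_iam_instance_profile, has_not_termination_protection, has_terminate_shutdown_behavior, has_unencrypted_volumes, is_associate_public_ip_address_enabled and uses_default_security_group) each inspect one property of an AWS::EC2::Instance, AWS::EC2::LaunchTemplate or AWS::EC2::Volume. Below is an added example that performs them together over a JSON template; it is not fluidasserts code. It goes slightly beyond the descriptions above: InstanceInitiatedShutdownBehavior and AssociatePublicIpAddress are tested on Instance properties and on LaunchTemplateData alike, booleans are accepted in JSON or string form, and an instance whose referenced launch template names security groups is not reported. The template, and every resource name, AMI id and subnet id in it, are constructed for the demonstration.

```python
"""Instance-hardening checks over a CloudFormation template.

Added example, not fluidasserts code.  JSON templates only, so the standard
library suffices; SAMPLE_TEMPLATE and all ids inside it are constructed."""
import json

SAMPLE_TEMPLATE = json.dumps({"Resources": {         # constructed sample template
    "Bastion": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0123456789abcdef0",            # no IamInstanceProfile, no termination
        "NetworkInterfaces": [{"DeviceIndex": "0",     # protection, no security groups
                               "AssociatePublicIpAddress": True,
                               "SubnetId": "subnet-0123456789abcdef0"}]}},
    "App": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0123456789abcdef0",            # hardened counterpart: no findings
        "IamInstanceProfile": {"Ref": "AppProfile"},
        "DisableApiTermination": True,
        "InstanceInitiatedShutdownBehavior": "stop",
        "SecurityGroupIds": [{"Ref": "AppSg"}]}},
    "WorkerTemplate": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {
        "LaunchTemplateData": {"InstanceInitiatedShutdownBehavior": "terminate"}}},
    "Worker": {"Type": "AWS::EC2::Instance", "Properties": {
        "IamInstanceProfile": {"Ref": "WorkerProfile"},
        "DisableApiTermination": "true",               # string form, as CloudFormation accepts
        "LaunchTemplate": {"LaunchTemplateId": {"Ref": "WorkerTemplate"}, "Version": "1"}}},
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
        "AvailabilityZone": "us-east-1a", "Size": 100}},
    "LogVolume": {"Type": "AWS::EC2::Volume", "Properties": {
        "AvailabilityZone": "us-east-1a", "Size": 20, "Encrypted": True}}}})


def is_true(value):
    """CloudFormation booleans may arrive as JSON booleans or the strings 'true'/'false'."""
    return value is True or str(value).lower() == "true"


def launch_template_data(resources):
    """Map launch template logical name -> its LaunchTemplateData block."""
    return {name: res.get("Properties", {}).get("LaunchTemplateData", {})
            for name, res in resources.items() if res["Type"] == "AWS::EC2::LaunchTemplate"}


def has_security_groups(props, templates):
    """Groups count whether set on the instance or on the launch template it references."""
    if props.get("SecurityGroups") or props.get("SecurityGroupIds"):
        return True
    ref = props.get("LaunchTemplate", {}).get("LaunchTemplateId")
    data = templates.get(ref.get("Ref")) if isinstance(ref, dict) else {}
    return bool(data and (data.get("SecurityGroups") or data.get("SecurityGroupIds")))


def shared_checks(name, data, out):
    """Properties that exist on both an Instance and on LaunchTemplateData."""
    if data.get("InstanceInitiatedShutdownBehavior") == "terminate":
        out.add((name, "terminate-on-shutdown"))
    if any(is_true(nic.get("AssociatePublicIpAddress")) for nic in data.get("NetworkInterfaces", [])):
        out.add((name, "public-ip"))


def instance_findings(template_text):
    """Return sorted (logical resource name, check id) pairs for every weak setting."""
    resources = json.loads(template_text)["Resources"]
    templates = launch_template_data(resources)
    out = set()
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::EC2::Instance":
            if "IamInstanceProfile" not in props:
                out.add((name, "no-iam-instance-profile"))
            if not is_true(props.get("DisableApiTermination")):
                out.add((name, "api-termination-enabled"))
            if not has_security_groups(props, templates):
                out.add((name, "default-security-group"))
            shared_checks(name, props, out)
        elif res["Type"] == "AWS::EC2::LaunchTemplate":
            shared_checks(name, templates[name], out)
        elif res["Type"] == "AWS::EC2::Volume" and not is_true(props.get("Encrypted")):
            out.add((name, "unencrypted-volume"))
    return sorted(out)


if __name__ == "__main__":
    for name, check in instance_findings(SAMPLE_TEMPLATE):
        print(f"{name}: {check}")
```

Bastion collects four findings, App none, WorkerTemplate is reported for terminate-on-shutdown, and Worker only for the missing security groups, because neither it nor the template it references names any. A real run should resolve Ref targets that point to Parameters as well, which this example does not attempt.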