fluidasserts.cloud.aws.cloudformation.ec2 module

AWS CloudFormation checks for EC2 (Elastic Compute Cloud).

Some rules were taken from CFN_NAG

fluidasserts.cloud.aws.cloudformation.ec2.allows_all_outbound_traffic(path, exclude=None)

Check if any EC2::SecurityGroup allows all outbound traffic.

The following checks are performed:

  • F1000 Missing egress rule means all traffic is allowed outbound; make this explicit if it is the desired configuration

When you specify a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location.

The default rule is removed only when you specify one or more egress rules in the SecurityGroupEgress property.
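The check behind F1000 is a presence test on SecurityGroupEgress. The following is an added example, not fluidasserts code, that runs that test over a constructed template (the VpcId, CIDRs and logical IDs are placeholders) and shows, side by side, a group that leaves egress implicit, a group that pins egress down with one explicit rule, and the localhost placeholder rule the CloudFormation docs give for removing the default rule when no outbound traffic is wanted:

```python
"""Detect EC2::SecurityGroup resources that rely on the implicit allow-all
egress rule. Added example, not fluidasserts code."""

SECURITY_GROUP = "AWS::EC2::SecurityGroup"

# Constructed CloudFormation template (JSON form as a Python dict); the
# VpcId and CIDRs are placeholders, not a real deployment.
TEMPLATE = {
    "Resources": {
        # Weak: no SecurityGroupEgress, so CloudFormation keeps the default
        # "all ports, all protocols, 0.0.0.0/0" egress rule (cfn_nag F1000).
        "WebImplicit": {
            "Type": SECURITY_GROUP,
            "Properties": {
                "GroupDescription": "web tier, egress left implicit",
                "VpcId": "vpc-0123456789abcdef0",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        # Corrected: one explicit egress rule replaces the default rule, so
        # only HTTPS to the internal API subnet can leave the instance.
        "WebExplicit": {
            "Type": SECURITY_GROUP,
            "Properties": {
                "GroupDescription": "web tier, egress pinned to the API subnet",
                "VpcId": "vpc-0123456789abcdef0",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "10.0.0.0/8"},
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "10.1.2.0/24",
                     "Description": "HTTPS to the internal API subnet"},
                ],
            },
        },
        # No egress at all: the idiom the CloudFormation docs give for
        # removing the default rule is a single rule to localhost.
        "Isolated": {
            "Type": SECURITY_GROUP,
            "Properties": {
                "GroupDescription": "no outbound traffic",
                "VpcId": "vpc-0123456789abcdef0",
                "SecurityGroupEgress": [
                    {"IpProtocol": "-1", "CidrIp": "127.0.0.1/32",
                     "Description": "placeholder rule: effectively deny all"},
                ],
            },
        },
    }
}


def groups_with_implicit_egress(template):
    """Return the logical IDs of security groups that declare no egress rule.

    An absent or empty SecurityGroupEgress list is treated the same way:
    neither replaces the default rule (assumption for the empty-list case).
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != SECURITY_GROUP:
            continue
        props = resource.get("Properties", {})
        if not props.get("SecurityGroupEgress"):
            findings.append(logical_id)
    return findings


if __name__ == "__main__":
    for logical_id in groups_with_implicit_egress(TEMPLATE):
        print(f"F1000 {logical_id}: no SecurityGroupEgress, all outbound traffic is allowed")
```

Running it reports only WebImplicit. Note that the localhost placeholder in Isolated uses IpProtocol -1, so a separate all-protocols check (W40 below) will flag it; that is the trade-off of the idiom, and a reviewer should recognise 127.0.0.1/32 as the deny-all marker rather than as an open rule.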

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_not_an_iam_instance_profile(path, exclude=None)

Verify if EC2::Instance uses an IamInstanceProfile.

EC2 instances need credentials to access other AWS services.

An IAM role attached to the instance provides these credentials in a secure way. With a role you do not have to store long-lived access keys on the instance: the role provides temporary credentials through the instance metadata service and rotates them automatically.

See: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the instance has no IamInstanceProfile attached.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_not_termination_protection(path, exclude=None)

Verify if EC2::Instance does not have termination protection enabled.

By default EC2 instances can be terminated from the Amazon EC2 console, the CLI, or the API.

This is not desirable: terminated instances are removed from the account automatically after some time, personnel may take the service down unintentionally, and volumes attached to the instance may be deleted with it and their data lost.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the instance does not have the DisableApiTermination property set to true.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_terminate_shutdown_behavior(path, exclude=None)

Verify if EC2::LaunchTemplate has terminate as its shutdown behavior.

When InstanceInitiatedShutdownBehavior is set to terminate, a shutdown issued from inside the guest operating system terminates the instance instead of stopping it (the default for EBS-backed instances is stop).

This is not desirable: terminated instances are removed from the account automatically after some time, personnel may take the service down unintentionally, and volumes attached to the instance may be deleted with it and their data lost.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the launch template has the InstanceInitiatedShutdownBehavior attribute set to terminate.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unencrypted_volumes(path, exclude=None)

Verify if EC2::Volume has the Encrypted property set to true.

EBS encryption applies at rest and to snapshots taken from the volume; a volume created without Encrypted set to true stores its data, and any snapshots made from it, in plaintext.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if the volume is not encrypted.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_cidrs(path, exclude=None)

Check if any EC2::SecurityGroup has 0.0.0.0/0 or ::/0 CIDRs.

The following checks are performed:

  • W2 Security Groups found with cidr open to world on ingress

  • W5 Security Groups found with cidr open to world on egress

  • W9 Security Groups found with ingress cidr that is not /32

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_ip_protocols(path, exclude=None)

Check for EC2::SecurityGroup ingress/egress rules whose IpProtocol is -1, which matches every protocol.

The following checks are performed:

  • W40 Security Groups egress with an IpProtocol of -1 found

  • W42 Security Groups ingress with an ipProtocol of -1 found

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.has_unrestricted_ports(path, exclude=None)

Check for EC2::SecurityGroup ingress/egress rules that open a port range (FromPort differs from ToPort) instead of a single port.

The following checks are performed:

  • W27 Security Groups found ingress with port range instead of just a single port

  • W29 Security Groups found egress with port range instead of just a single port

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
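The three rule-level checks above (has_unrestricted_cidrs, has_unrestricted_ip_protocols and has_unrestricted_ports) all walk the same set of security group rules. The following is an added example, not fluidasserts code, that implements those checks over a constructed template; the W-numbers follow the cfn_nag rules listed above, the VPC and CIDR values are placeholders, and it goes slightly beyond the page in two ways: it also walks standalone AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress resources, and it treats /128 as the IPv6 equivalent of a /32 host rule for W9.

```python
"""Rule-level checks over EC2 security groups, both inline rules and
standalone AWS::EC2::SecurityGroupIngress/Egress resources. Added example,
not fluidasserts code; the W-numbers follow the cfn_nag rules named above."""
import ipaddress

SECURITY_GROUP = "AWS::EC2::SecurityGroup"
STANDALONE_INGRESS = "AWS::EC2::SecurityGroupIngress"
STANDALONE_EGRESS = "AWS::EC2::SecurityGroupEgress"

# Constructed template; VPC and CIDR values are placeholders.
TEMPLATE = {
    "Resources": {
        "App": {
            "Type": SECURITY_GROUP,
            "Properties": {
                "GroupDescription": "app tier with several weak rules",
                "VpcId": "vpc-0123456789abcdef0",
                "SecurityGroupIngress": [
                    # W2 (open to the world) and W9 (not a single host)
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    # W9 only: internal, but a whole /8
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                    # W42: every protocol from one host
                    {"IpProtocol": "-1", "CidrIp": "10.0.0.5/32"},
                    # W27: a port range instead of a single port
                    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "CidrIp": "10.0.0.5/32"},
                ],
                "SecurityGroupEgress": [
                    # W5 and W40: anything, anywhere (IpProtocol written as an int)
                    {"IpProtocol": -1, "CidrIp": "0.0.0.0/0"},
                    # W5 via IPv6
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIpv6": "::/0"},
                    # clean: DNS to one resolver
                    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "CidrIp": "10.0.0.2/32"},
                ],
            },
        },
        # Standalone rule attached to App: W2 and W9 through CidrIpv6
        "AppIngressV6": {
            "Type": STANDALONE_INGRESS,
            "Properties": {"GroupId": {"Ref": "App"}, "IpProtocol": "tcp",
                           "FromPort": 80, "ToPort": 80, "CidrIpv6": "::/0"},
        },
        # Corrected group: single ports, single hosts, named protocols
        "AppHardened": {
            "Type": SECURITY_GROUP,
            "Properties": {
                "GroupDescription": "app tier, rules narrowed",
                "VpcId": "vpc-0123456789abcdef0",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.5/32"},
                ],
                "SecurityGroupEgress": [
                    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53, "CidrIp": "10.0.0.2/32"},
                ],
            },
        },
    }
}


def iter_rules(template):
    """Yield (logical_id, direction, rule) for inline and standalone rules."""
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == SECURITY_GROUP:
            for rule in props.get("SecurityGroupIngress", []):
                yield logical_id, "ingress", rule
            for rule in props.get("SecurityGroupEgress", []):
                yield logical_id, "egress", rule
        elif rtype == STANDALONE_INGRESS:
            yield logical_id, "ingress", props
        elif rtype == STANDALONE_EGRESS:
            yield logical_id, "egress", props


def literal_network(cidr):
    """Parse a literal CIDR; intrinsic functions such as {"Ref": ...} are skipped."""
    if not isinstance(cidr, str):
        return None
    try:
        return ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return None


def check_rules(template):
    """Return sorted (logical_id, rule_id) pairs for every weak rule found."""
    findings = []
    for logical_id, direction, rule in iter_rules(template):
        ingress = direction == "ingress"
        net = literal_network(rule.get("CidrIp") or rule.get("CidrIpv6"))
        if net is not None:
            if net.prefixlen == 0:                                  # 0.0.0.0/0 or ::/0
                findings.append((logical_id, "W2" if ingress else "W5"))
            if ingress and net.prefixlen != net.max_prefixlen:      # not a /32 (or /128) host
                findings.append((logical_id, "W9"))
        if str(rule.get("IpProtocol")) == "-1":                     # -1 or "-1"
            findings.append((logical_id, "W42" if ingress else "W40"))
        low, high = rule.get("FromPort"), rule.get("ToPort")
        if low is not None and high is not None and int(low) != int(high):
            findings.append((logical_id, "W27" if ingress else "W29"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, rule_id in check_rules(TEMPLATE):
        print(rule_id, logical_id)
```

Non-literal CIDRs (a Ref or Fn::Sub) are skipped rather than guessed, which is the honest outcome for a static check: a parameter that defaults to 0.0.0.0/0 will not be caught here and needs a check on the parameter's default instead.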

fluidasserts.cloud.aws.cloudformation.ec2.is_associate_public_ip_address_enabled(path, exclude=None)

Verify if EC2::Instance has NetworkInterfaces with public IPs.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any entry of the instance’s NetworkInterfaces list has the AssociatePublicIpAddress parameter set to true.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.ec2.uses_default_security_group(path, exclude=None)

Verify if EC2::Instance has no security groups explicitly set.

By default, EC2 instances that specify neither SecurityGroups nor SecurityGroupIds are launched with the VPC’s default security group, which allows all outbound traffic and all inbound traffic from other members of the same group.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if neither SecurityGroups nor SecurityGroupIds is set, in either the LaunchTemplate or the Instance resource.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
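The instance-level checks on this page (has_not_an_iam_instance_profile, has_not_termination_protection, has_terminate_shutdown_behavior, has_unencrypted_volumes, is_associate_public_ip_address_enabled and uses_default_security_group) are all property lookups on AWS::EC2::Instance, the LaunchTemplateData of an AWS::EC2::LaunchTemplate, or an AWS::EC2::Volume. The following is an added example, not fluidasserts code, that runs all of them over one constructed template (AMI, subnet, security group and profile identifiers are placeholders). It goes beyond the page's uses_default_security_group in one respect: when an instance declares NetworkInterfaces, CloudFormation requires its security groups inside those entries (GroupSet on an Instance, Groups in a LaunchTemplate), so the example accepts groups there as well.

```python
"""Instance-level hardening checks over AWS::EC2::Instance,
AWS::EC2::LaunchTemplate and AWS::EC2::Volume. Added example, not
fluidasserts code."""

INSTANCE = "AWS::EC2::Instance"
LAUNCH_TEMPLATE = "AWS::EC2::LaunchTemplate"
VOLUME = "AWS::EC2::Volume"

# Constructed template; AMI, subnet, group and profile identifiers are placeholders.
TEMPLATE = {
    "Resources": {
        # Weak on three counts: no instance profile, no termination
        # protection, and no security group (the VPC default group is used).
        "Legacy": {
            "Type": INSTANCE,
            "Properties": {"ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro"},
        },
        # Only finding: a public IP requested on its network interface.
        "Bastion": {
            "Type": INSTANCE,
            "Properties": {
                "ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro",
                "IamInstanceProfile": {"Ref": "BastionProfile"},
                "DisableApiTermination": True,
                "NetworkInterfaces": [{"DeviceIndex": "0", "SubnetId": "subnet-0123456789abcdef0",
                                       "AssociatePublicIpAddress": True,
                                       "GroupSet": ["sg-0123456789abcdef0"]}],
            },
        },
        # Launch template: terminates on guest shutdown and has no profile.
        "Fleet": {
            "Type": LAUNCH_TEMPLATE,
            "Properties": {
                "LaunchTemplateData": {
                    "ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro",
                    "InstanceInitiatedShutdownBehavior": "terminate",
                    "DisableApiTermination": True,
                    "SecurityGroupIds": ["sg-0123456789abcdef0"],
                },
            },
        },
        # Corrected instance: every setting explicit.
        "Hardened": {
            "Type": INSTANCE,
            "Properties": {
                "ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro",
                "IamInstanceProfile": {"Ref": "AppProfile"},
                "DisableApiTermination": "true",   # string form is also accepted
                "InstanceInitiatedShutdownBehavior": "stop",
                "SecurityGroupIds": ["sg-0123456789abcdef0"],
            },
        },
        "Data": {"Type": VOLUME, "Properties": {"AvailabilityZone": "us-east-1a", "Size": 20}},
        "DataEncrypted": {"Type": VOLUME, "Properties": {"AvailabilityZone": "us-east-1a",
                                                          "Size": 20, "Encrypted": True}},
    }
}


def is_true(value):
    """CloudFormation booleans may be written as true or "true"."""
    return value is True or str(value).lower() == "true"


def lint_instances(template):
    """Return sorted (logical_id, finding) pairs for the checks listed above."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype, props = resource.get("Type"), resource.get("Properties", {})
        if rtype == VOLUME:
            if not is_true(props.get("Encrypted", False)):
                findings.append((logical_id, "unencrypted-volume"))
            continue
        if rtype == INSTANCE:
            data = props
        elif rtype == LAUNCH_TEMPLATE:
            data = props.get("LaunchTemplateData", {})   # same keys, one level down
        else:
            continue
        nics = data.get("NetworkInterfaces", [])
        if not data.get("IamInstanceProfile"):
            findings.append((logical_id, "no-iam-instance-profile"))
        if not is_true(data.get("DisableApiTermination", False)):
            findings.append((logical_id, "no-termination-protection"))
        if data.get("InstanceInitiatedShutdownBehavior") == "terminate":
            findings.append((logical_id, "terminate-on-shutdown"))
        if any(is_true(n.get("AssociatePublicIpAddress", False)) for n in nics):
            findings.append((logical_id, "public-ip"))
        # Groups live at the top level, or inside NetworkInterfaces when those
        # are used (GroupSet on an Instance, Groups in a LaunchTemplate).
        has_groups = (data.get("SecurityGroups") or data.get("SecurityGroupIds")
                      or any(n.get("GroupSet") or n.get("Groups") for n in nics))
        if not has_groups:
            findings.append((logical_id, "default-security-group"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, finding in lint_instances(TEMPLATE):
        print(f"{logical_id}: {finding}")
```

The Hardened resource produces no findings, Legacy produces three, and the launch template is reported for the two settings it gets wrong; the absent-property defaults (DisableApiTermination false, shutdown behavior stop, Encrypted false) are what make an unset value a finding.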