fluidasserts.cloud.aws.cloudformation.iam module

AWS CloudFormation checks for IAM (Identity and Access Management).

Some rules were taken from CFN_NAG.

fluidasserts.cloud.aws.cloudformation.iam.has_privileges_over_iam(path, exclude=None)

Check if any policy document has privileges over IAM.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any policy document has privileges over IAM.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.iam.has_wildcard_resource_on_write_action(path, exclude=None)

Check if write actions are allowed on all resources.

Do not allow "Resource": "*" to have write actions.

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.iam.is_managed_policy_miss_configured(path, exclude=None)

Check if any IAM::ManagedPolicy is misconfigured.

The following checks are performed:

  • F5 IAM managed policy should not allow * action

  • F12 IAM managed policy should not apply directly to users; it should be attached to a group.

  • F40 IAM managed policy should not allow a * resource with PassRole action

  • W13 IAM managed policy should not allow * resource

  • W17 IAM managed policy should not allow Allow+NotAction

  • W23 IAM managed policy should not allow Allow+NotResource

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.iam.is_policy_miss_configured(path, exclude=None)

Check if any IAM::Policy is misconfigured.

The following checks are performed:

  • F4 IAM policy should not allow * action

  • F11 IAM policy should not apply directly to users; it should be attached to a group.

  • F39 IAM policy should not allow * resource with PassRole action

  • W12 IAM policy should not allow * resource

  • W16 IAM policy should not allow Allow+NotAction

  • W22 IAM policy should not allow Allow+NotResource

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result
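As an added worked example (not fluidasserts' own implementation), the Python below evaluates the F4, F11, F39, W12, W16 and W22 rules listed above against every AWS::IAM::Policy resource in a CloudFormation template. It uses a constructed JSON template, assumes literal string values (no intrinsic functions such as Ref or Fn::Sub) and matches PassRole only as the literal iam:PassRole action.

```python
import json

# Constructed sample template (not from the page): one policy breaking several rules.
TEMPLATE = json.loads("""{
  "Resources": {"DeployPolicy": {
    "Type": "AWS::IAM::Policy",
    "Properties": {
      "Users": ["alice"],
      "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "s3:*", "Resource": "arn:aws:s3:::bucket"}
      ]}}}}
}""")

def _as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    return value if isinstance(value, list) else [] if value is None else [value]

def policy_findings(resource):
    """Return the set of rule ids (as named on this page) the resource violates."""
    props = resource.get("Properties", {})
    findings = set()
    if props.get("Users"):                      # F11: policy attached directly to users
        findings.add("F11")
    for stmt in _as_list(props.get("PolicyDocument", {}).get("Statement")):
        if stmt.get("Effect") != "Allow":       # Deny statements do not over-grant
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:                      # F4: wildcard action
            findings.add("F4")
        if "*" in resources:                    # W12: wildcard resource
            findings.add("W12")
            # F39 is matched on the literal iam:passrole only; iam:* is not expanded here.
            if "iam:passrole" in actions:
                findings.add("F39")
        if "NotAction" in stmt:                 # W16: Allow + NotAction
            findings.add("W16")
        if "NotResource" in stmt:               # W22: Allow + NotResource
            findings.add("W22")
    return findings

def check_template(template):
    """Map each AWS::IAM::Policy logical id to its findings (empty set means CLOSED)."""
    return {name: policy_findings(res)
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "AWS::IAM::Policy"}
```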

fluidasserts.cloud.aws.cloudformation.iam.is_role_over_privileged(path, exclude=None)

Check if any IAM::Role is misconfigured.

The following checks are performed:

  • F2 IAM role should not allow * action on its trust policy

  • F3 IAM role should not allow * action on its permissions policy

  • F6 IAM role should not allow Allow+NotPrincipal in its trust policy

  • F38 IAM role should not allow * resource with PassRole action on its permissions policy

  • W11 IAM role should not allow * resource on its permissions policy

  • W14 IAM role should not allow Allow+NotAction on trust permissions

  • W15 IAM role should not allow Allow+NotAction

  • W21 IAM role should not allow Allow+NotResource

  • W43 IAM role should not have AdministratorAccess policy

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result

fluidasserts.cloud.aws.cloudformation.iam.missing_role_based_security(path, exclude=None)

Check if any IAM::User is granted privileges but not through a Role.

The following checks are performed:

  • F10 IAM user should not have any inline policies; policies should be centralized in a Policy object attached to a group (Role)

Parameters
  • path (str) – Location of CloudFormation’s template file.

  • exclude (typing.Optional[typing.List[str]]) – Paths that contain any string from this list are ignored.

Returns

  • OPEN if any of the referenced rules is not followed.

  • UNKNOWN on errors.

  • CLOSED otherwise.

Return type

fluidasserts.Result