Kanji
Cloud engineer / freelance. Born 1993. From Ehime Prefecture, living in Shibuya, Tokyo. 5 years of AWS experience.
cfn_nag_rules
Output of `cfn_nag_rules`, which lists every rule the scanner knows. F rules are failing violations (cfn_nag_scan exits non-zero when one fires); W rules are warnings and only fail the scan when `--fail-on-warnings` is given. Rule texts are reproduced as the tool prints them, typos included.

```text
% cfn_nag_rules
WARNING VIOLATIONS:
W1 Specifying credentials in the template itself is probably not the safest thing
W2 Security Groups found with cidr open to world on ingress. This should never be true on instance. Permissible on ELB
W5 Security Groups found with cidr open to world on egress
W9 Security Groups found with ingress cidr that is not /32
W10 CloudFront Distribution should enable access logging
W11 IAM role should not allow * resource on its permissions policy
W12 IAM policy should not allow * resource
W13 IAM managed policy should not allow * resource
W14 IAM role should not allow Allow+NotAction on trust permissions
W15 IAM role should not allow Allow+NotAction
W16 IAM policy should not allow Allow+NotAction
W17 IAM managed policy should not allow Allow+NotAction
W18 SQS Queue policy should not allow Allow+NotAction
W19 SNS Topic policy should not allow Allow+NotAction
W20 S3 Bucket policy should not allow Allow+NotAction
W21 IAM role should not allow Allow+NotResource
W22 IAM policy should not allow Allow+NotResource
W23 IAM managed policy should not allow Allow+NotResource
W24 Lambda permission beside InvokeFunction might not be what you want? Not sure!?
W26 Elastic Load Balancer should have access logging enabled
W27 Security Groups found ingress with port range instead of just a single port
W28 Resource found with an explicit name, this disallows updates that require replacement of this resource
W29 Security Groups found egress with port range instead of just a single port
W31 S3 Bucket likely should not have a public read acl
W32 CodeBuild project should specify an EncryptionKey value
W33 EC2 Subnet should not have MapPublicIpOnLaunch set to true
W34 Batch Job Definition Container Properties should not have Privileged set to true
W35 S3 Bucket should have access logging configured
W36 Security group rules without a description obscure their purpose and may lead to bad practices in ensuring they only allow traffic from the ports and sources/destinations required.
W37 EBS Volume should specify a KmsKeyId value
W38 IOT policy should not allow * action
W39 IoT policy should not allow * resource
W40 Security Groups egress with an IpProtocol of -1 found
W41 S3 Bucket should have encryption option set
W42 Security Groups ingress with an ipProtocol of -1 found
W43 IAM role should not have AdministratorAccess policy
W44 IAM role should not have Elevated Managed policy
W45 ApiGateway Deployment resource should have AccessLogSetting property configured when creating an API Stage itself (through specifying the StageName and StageDescription properties).
W46 ApiGateway V2 should have access logging configured
W47 SNS Topic should specify KmsMasterKeyId property
W48 SQS Queue should specify KmsMasterKeyId property
W49 Kinesis Stream should specify StreamEncryption. EncryptionType should be KMS and specify KMS Key Id.
W50 IAM User Login Profile should exist and have PasswordResetRequired property set to true
W51 S3 bucket should likely have a bucket policy
W52 Elastic Load Balancer V2 should have access logging enabled
W53 AmazonMQ Broker should specify EncryptionOptions
W54 ElasticsearchcDomain should specify EncryptionAtRestOptions
W55 Elastic Load Balancer V2 Listener SslPolicy should use TLS 1.2
W56 Elastic Load Balancer V2 Listener Protocol should use HTTPS for ALBs
W57 AWS::Cognito::IdentityPool AllowUnauthenticatedIdentities property should be false but CAN be true if proper restrictive IAM roles and permissions are established for unauthenticated users.
W58 Lambda functions require permission to write CloudWatch Logs
W59 AWS::ApiGateway::Method should not have AuthorizationType set to 'NONE' unless it is of HttpMethod: OPTIONS.
W60 VPC should have a flow log attached
W61 EMR SecurityConfiguration should enable and properly configure encryption at rest and in transit.
W62 ApiGateway SecurityPolicy should use TLS 1.2
W63 EMR Cluster should specify SecurityConfiguration.
W64 AWS::ApiGateway::Stage resources should be associated with an AWS::ApiGateway::UsagePlan.
W65 GameLift fleet EC2InboundPermissions found with port range instead of just a single port
W66 To avoid opening all ports for Allow rules, EC2 NetworkACL Entry Protocol should be either 6 (for TCP), 17 (for UDP), 1 (for ICMP), or 58 (for ICMPv6, which must include an IPv6 CIDR block, ICMP type, and code).
W67 TCP/UDP protocol NetworkACL entries possibly should not allow all ports.
W68 AWS::ApiGateway::Deployment resources should be associated with an AWS::ApiGateway::UsagePlan.
W69 AWS::ApiGateway::Stage should have the AccessLogSetting property defined.
W70 Cloudfront should use minimum protocol version TLS 1.2
W71 NetworkACL Entry Deny rules should affect all CIDR ranges.
W72 NetworkACL Entries are reusing or overlapping ports which may create ineffective rules.
W73 DynamoDB table should have billing mode set to either PAY_PER_REQUEST or PROVISIONED
W74 DynamoDB table should have encryption enabled using a CMK stored in KMS
W75 RDS instance should have backup retention period greater than 0
W76 SPCM for IAM policy document is higher than 25
W77 Secrets Manager Secret should explicitly specify KmsKeyId. Besides control of the key this will allow the secret to be shared cross-account
W78 DynamoDB table should have backup enabled, should be set using PointInTimeRecoveryEnabled
W79 ECR Repository should have ScanOnPush enabled
W80 Kendra Index ServerSideEncryptionConfiguration should specify a KmsKeyId value.
W81 DLM LifecyclePolicy PolicyDetails Actions CrossRegionCopy EncryptionConfiguration should enable Encryption
W82 EKS Cluster EncryptionConfig Provider should specify KeyArn to enable Encryption.
W83 DynamoDB Accelerator (DAX) Cluster should have encryption enabled
W84 CloudWatchLogs LogGroup should specify a KMS Key Id to encrypt the log data
W85 ElasticsearchcDomain should have NodeToNodeEncryptionOptions enabled
W86 CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data
W87 ApiGateway Deployment should have cache data encryption enabled when caching is enabled in StageDescription properties
W88 Kinesis Firehose DeliveryStream of type DirectPut should specify SSE.
W89 Lambda functions should be deployed inside a VPC
W90 ElasticsearchcDomain should be inside vpc, should specify VPCOptions
W91 Database Migration Service replication instances are public, property PubliclyAccessible should be set to false
W92 Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions
W1200 SageMaker EndpointConfig should have a KmsKeyId property set.
W1201 SageMaker NotebookInstance should have a KmsKeyId property set.

FAILING VIOLATIONS:
F1 EBS volume should have server-side encryption enabled
F2 IAM role should not allow * action on its trust policy
F3 IAM role should not allow * action on its permissions policy
F4 IAM policy should not allow * action
F5 IAM managed policy should not allow * action
F6 IAM role should not allow Allow+NotPrincipal in its trust policy
F7 SQS Queue policy should not allow Allow+NotPrincipal
F8 SNS Topic policy should not allow Allow+NotPrincipal
F9 S3 Bucket policy should not allow Allow+NotPrincipal
F10 IAM user should not have any inline policies. Should be centralized Policy object on group
F11 IAM policy should not apply directly to users. Should be on group
F12 IAM managed policy should not apply directly to users. Should be on group
F13 Lambda permission principal should not be wildcard
F14 S3 Bucket should not have a public read-write acl
F15 S3 Bucket policy should not allow * action
F16 S3 Bucket policy should not allow * principal
F18 SNS topic policy should not allow * principal
F19 EnableKeyRotation should not be false or absent on KMS::Key resource
F20 SQS Queue policy should not allow * action
F21 SQS Queue policy should not allow * principal
F22 RDS instance should not be publicly accessible
F23 RDS instance master user password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F24 RDS instance master username must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F25 ElastiCache ReplicationGroup should have encryption enabled for at rest
F26 RDS DBCluster should have StorageEncrypted enabled
F27 RDS DBInstance should have StorageEncrypted enabled
F28 Redshift Cluster should have encryption enabled
F29 Workspace should have encryption enabled
F30 Neptune database cluster storage should have encryption enabled
F31 DirectoryService SimpleAD password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F32 EFS FileSystem should have encryption enabled
F33 ElastiCache ReplicationGroup should have encryption enabled for in transit
F34 RDS DB Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F35 Redshift Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F36 Directory Service Microsoft AD password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F37 DMS Endpoint password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F38 IAM role should not allow * resource with PassRole action on its permissions policy
F39 IAM policy should not allow * resource with PassRole action
F40 IAM managed policy should not allow a * resource with PassRole action
F41 Amplify App AccessToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F42 Pinpoint APNSSandboxChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F43 Pinpoint APNSSandboxChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F44 ElastiCache ReplicationGroup AuthToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F45 Lambda Permission EventSourceToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F46 Pinpoint APNSVoipSandboxChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F47 Pinpoint APNSVoipSandboxChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F48 Pinpoint APNSVoipChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F49 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F50 Amplify App BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F51 IAM User LoginProfile Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F52 AmazonMQ Broker Users Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F53 AppStream DirectoryConfig ServiceAccountCredentials AccountPassword must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F54 OpsWorks Stack RDS DbInstance DbPassword must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F55 DMS Endpoint MongoDbSettings Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F56 Pinpoint APNSChannel TokenKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F57 Pinpoint APNSChannel PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F58 Amplify App OauthToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F60 Amplify Branch BasicAuthConfig Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F61 OpsWorks App SslConfiguration PrivateKey must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F62 OpsWorks Stack CustomCookbooksSource Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F63 EMR Cluster KerberosAttributes AD Domain JoinPassword must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F64 EMR Cluster KerberosAttributes CrossRealmTrustPrincipal Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F65 EMR Cluster KerberosAttributes KdcAdmin Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F66 Kinesis Firehose DeliveryStream RedshiftDestinationConfiguration Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F67 OpsWorks App AppSource Password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager/ssm-secure value.
F68 Kinesis Firehose DeliveryStream SplunkDestinationConfiguration HECToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F69 CodePipeline Webhook AuthenticationConfiguration SecretToken must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F70 DocDB DB Cluster master user password must not be a plaintext string or a Ref to a Parameter with a Default value. Can be Ref to a NoEcho Parameter without a Default, or a dynamic reference to a secretsmanager value.
F71 ManagedBlockchain Member MemberFabricConfiguration AdminPasswordRule must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F74 Alexa ASK Skill AuthenticationConfiguration ClientSecret must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F75 Alexa ASK Skill AuthenticationConfiguration RefreshToken must not be a plaintext string or a Ref to a NoEcho Parameter with a Default value.
F76 KMS key should not allow * principal (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)
F77 SimpleDB Domain should not be a declared resource
F78 AWS Cognito UserPool should have MfaConfiguration set to 'ON' (MUST be wrapped in quotes) or at least 'OPTIONAL'
F79 A NetworkACL's rule numbers cannot be repeated unless one is egress and one is ingress.
F80 RDS instance should have deletion protection enabled
F665 WebAcl DefaultAction should not be ALLOW
F1000 Missing egress rule means all traffic is allowed outbound. Make this explicit if it is desired configuration
F2000 User is not assigned to a group
```
.cfnlintrc.yml
include_checks
```yaml
include_checks:
  - E3030
```
ignore_checks
```yaml
AWSTemplateFormatVersion: 2010-09-09
# Template-level suppression: applies to every resource in the template
Metadata:
  cfn-lint:
    config:
      ignore_checks:
        - E3030
Resources:
  SampleInstance:
    Type: AWS::EC2::Instance
    # Resource-level suppression: applies to this resource only
    Metadata:
      cfn-lint:
        config:
          ignore_checks:
            - E3030
    Properties:
      InstanceType: t2.micro
      ImageId: ami-xxxxxxxx
```
deny-list.yml
--deny-list-path deny-list.yml
```yaml
RulesToSuppress:
  - id: W3
    reason: W3 is something we never care about at enterprise X
```
```yaml
# Partial template
PublicAlbSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Metadata:
    cfn_nag:
      rules_to_suppress:
        - id: W9
          reason: "This is a public facing ELB and ingress from the internet should be permitted."
        - id: W2
          reason: "This is a public facing ELB and ingress from the internet should be permitted."
  Properties:
    GroupDescription: "Security group for a public Application Load Balancer"
    VpcId:
      Ref: vpc
PublicAlbSecurityGroupHttpIngress:
  Properties:
    CidrIp: 0.0.0.0/0
    FromPort: 80
    GroupId:
      Ref: PublicAlbSecurityGroup
    IpProtocol: tcp
    ToPort: 80
  Type: AWS::EC2::SecurityGroupIngress
```
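To see what the rules in the list above actually inspect, and how the per-resource `rules_to_suppress` block interacts with them, here is an added example that is not cfn_nag's own code: a minimal scanner that re-implements five of the rules (W2, W9, W11, F3, F1000) over a CloudFormation template in JSON form. The sample template is constructed for this example. One policy here is an assumption, not cfn_nag's documented behaviour: a suppression entry without a `reason` suppresses nothing and is reported separately, so a rule cannot be silenced without a written justification.

```python
"""Minimal cfn_nag-style scanner with suppression handling (added example)."""
import json
from ipaddress import ip_network

# Constructed sample template (JSON form), not from the original page.
SAMPLE_TEMPLATE = r'''{
  "Resources": {
    "PublicAlbSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Metadata": {"cfn_nag": {"rules_to_suppress": [
        {"id": "W2", "reason": "Public ALB: internet ingress is intended"},
        {"id": "W9", "reason": "Public ALB: internet ingress is intended"}]}},
      "Properties": {
        "GroupDescription": "Public ALB",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIp": "0.0.0.0/0"}]}},
    "BastionSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Metadata": {"cfn_nag": {"rules_to_suppress": [{"id": "W2"}]}},
      "Properties": {
        "GroupDescription": "Bastion",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AdminRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
           "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "everything", "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}
  }
}'''


def _as_list(value):
    """IAM Action/Resource may be a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _suppressions(resource):
    """Map rule id -> reason from Metadata.cfn_nag.rules_to_suppress ('' if no reason)."""
    entries = resource.get("Metadata", {}).get("cfn_nag", {}).get("rules_to_suppress", [])
    return {e["id"]: (e.get("reason") or "").strip() for e in entries if "id" in e}


def _check_security_group(props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp")
        if not isinstance(cidr, str):  # Ref/Sub values cannot be judged statically
            continue
        prefix = ip_network(cidr, strict=False).prefixlen
        if prefix == 0:
            findings.append(("W2", "Security Groups found with cidr open to world on ingress"))
        if prefix != 32:
            findings.append(("W9", "Security Groups found with ingress cidr that is not /32"))
    if "SecurityGroupEgress" not in props:
        findings.append(("F1000", "Missing egress rule means all traffic is allowed outbound"))
    return list(dict.fromkeys(findings))  # one finding per rule per resource


def _check_iam_role(props):
    findings = []
    for policy in props.get("Policies", []):
        for stmt in _as_list(policy.get("PolicyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action")):
                findings.append(("F3", "IAM role should not allow * action on its permissions policy"))
            if "*" in _as_list(stmt.get("Resource")):
                findings.append(("W11", "IAM role should not allow * resource on its permissions policy"))
    return list(dict.fromkeys(findings))


CHECKS = {"AWS::EC2::SecurityGroup": _check_security_group, "AWS::IAM::Role": _check_iam_role}


def scan(template_text):
    """Return violations, honoured suppressions and suppressions that lack a reason."""
    report = {"violations": [], "suppressed": [], "bad_suppressions": []}
    for logical_id, resource in json.loads(template_text).get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is None:
            continue
        suppressions = _suppressions(resource)
        for rule_id, message in check(resource.get("Properties", {})):
            entry = {"rule": rule_id, "resource": logical_id, "message": message}
            reason = suppressions.get(rule_id)
            if reason:
                report["suppressed"].append({**entry, "reason": reason})
                continue
            if reason is not None:  # listed in rules_to_suppress, but no reason given
                report["bad_suppressions"].append(entry)
            report["violations"].append(entry)
    # Like cfn_nag_scan: any remaining F-level finding fails the scan; W-level only warns.
    report["failing"] = any(v["rule"].startswith("F") for v in report["violations"])
    return report


if __name__ == "__main__":
    result = scan(SAMPLE_TEMPLATE)
    for v in result["violations"]:
        print(f"{v['rule']:<6}{v['resource']:<24}{v['message']}")
    print("FAIL" if result["failing"] else "PASS")
```

Running it shows the point of the page's own suppression example: the public ALB group's W2/W9 are silenced with a reason, but its missing egress block (F1000) still fails the scan, the bastion group's reason-less `W2` entry is not honoured, and the role's `Action: "*"` (F3) fails regardless.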
```yaml
Resources:
  ProwlerExecRole:
    Type: AWS::IAM::Role
    Metadata:
      guard:
        SuppressedRules:
          # e.g. to suppress IAM_NO_INLINE_POLICY_CHECK for this resource
          - IAM_NO_INLINE_POLICY_CHECK
```
```shell
# Example invocation
cfn-guard validate \
  --rules /Users/user01/Workspace/NIST800-53Rev5.guard \
  --data template.yml
```
*.yml
aws cloudformation
--cli-input-json
parameters
```text
parameters/
parameters/parameter.${env}.json
parameters/parameter.prod.json
template.yml
template.nested-${purpose}.yml

# Naming example
parameters/
parameters/parameter.dev.json
parameters/parameter.prod.json
template.yml
template.nested-vpc.yml
```
```text
${purpose}/
${purpose}/parameters/
${purpose}/parameters/parameter.${env}.json
${purpose}/template.yml
template.nested-${purpose}.yml

# Naming example
vpc/
vpc/parameters/
vpc/parameters/parameter.dev.json
vpc/template.yml
vpc/template.nested-vpc.yml
```
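With one `parameters/parameter.${env}.json` per environment fed to `aws cloudformation` via `--cli-input-json`, the files drift from the template over time (renamed parameters, values outside AllowedValues) and, worse, become a convenient place to commit a password for a NoEcho parameter. The following is an added example, not from the original page and not an AWS tool: it lints one such file against the template's Parameters section. The template parameters and both parameter files are constructed for the example. The rule that a NoEcho parameter must not carry a literal value in a committed file (it is supplied at deploy time instead, so its absence is not an error) is this example's own policy.

```python
"""Lint a per-environment --cli-input-json parameter file against the template (added example)."""
import json

# Constructed Parameters section of template.yml, in JSON form (not from the page).
TEMPLATE_PARAMETERS = {
    "Environment": {"Type": "String", "AllowedValues": ["dev", "prod"]},
    "InstanceType": {"Type": "String", "Default": "t3.micro"},
    "DbMasterPassword": {"Type": "String", "NoEcho": True},
}

# Constructed parameters/parameter.prod.json in create-stack --cli-input-json shape: clean.
PARAMETER_FILE_PROD = """{
  "StackName": "vpc-prod",
  "Parameters": [
    {"ParameterKey": "Environment", "ParameterValue": "prod"},
    {"ParameterKey": "InstanceType", "ParameterValue": "t3.large"}
  ]
}"""

# Constructed parameters/parameter.dev.json: a typo, a bad value and a committed secret.
PARAMETER_FILE_DEV = """{
  "StackName": "vpc-dev",
  "Parameters": [
    {"ParameterKey": "Environment", "ParameterValue": "staging"},
    {"ParameterKey": "InstanceTyp", "ParameterValue": "t3.small"},
    {"ParameterKey": "DbMasterPassword", "ParameterValue": "hunter2"}
  ]
}"""


def check_parameter_file(file_text, template_parameters):
    """Return a list of problem strings; an empty list means the file is consistent."""
    cli_input = json.loads(file_text)
    supplied = {p["ParameterKey"]: p.get("ParameterValue")
                for p in cli_input.get("Parameters", [])}
    problems = []
    for key, spec in template_parameters.items():
        if key not in supplied:
            # Policy of this example: NoEcho values are never in committed files,
            # so only non-secret parameters without a Default count as missing.
            if "Default" not in spec and not spec.get("NoEcho"):
                problems.append(f"missing required parameter {key}")
            continue
        value = supplied[key]
        if spec.get("NoEcho"):
            problems.append(f"{key} is NoEcho but has a literal value in the committed file")
        allowed = spec.get("AllowedValues")
        if allowed and value not in allowed:
            problems.append(f"{key}={value!r} is not in AllowedValues {allowed}")
    for key in supplied:
        if key not in template_parameters:
            problems.append(f"unknown parameter {key} (typo for a template parameter?)")
    return problems


if __name__ == "__main__":
    for name, text in (("prod", PARAMETER_FILE_PROD), ("dev", PARAMETER_FILE_DEV)):
        found = check_parameter_file(text, TEMPLATE_PARAMETERS)
        print(f"parameter.{name}.json: {'OK' if not found else ''}")
        for problem in found:
            print(f"  - {problem}")
```

Run it in CI before `aws cloudformation create-stack --cli-input-json file://parameters/parameter.${env}.json`; the prod file passes, the dev file reports all three mistakes, and the typo `InstanceTyp` is caught before CloudFormation silently deploys the Default.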
samconfig.yml
```text
samconfig.yml
template.yml
template.nested-${purpose}.yml

# Naming example
samconfig.yml
template.yml
template.nested-vpc.yml
```
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: '/* ~~~ */'
Parameters:
  Parameter01: ...
  Parameter02: ...
Resources:
  Resource01:
    Type: ...
    Properties: ...
  Resource02:
    Type: ...
    Properties: ...
Outputs:
  Output01:
    Description: ...
    Value: ...
  Output02:
    Description: ...
    Value: ...
```
settings.json
```json
{
  "files.trimTrailingWhitespace": true,
  "files.insertFinalNewline": true,
  "files.eol": "\n",
  "yaml.format.singleQuote": true,
  "yaml.format.enable": true,
  "[json]": {
    "files.encoding": "utf8"
  },
  "[yaml]": {
    "files.encoding": "utf8"
  }
}
```
```yaml
Resources:
  # Temporarily commented out for troubleshooting
  # Resource01:
  #   Type:
  #   Properties:
  #     ...
```
```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: cloudformation-cicd/template.yml
```
${purpose}${AwsResourceName}${two-digit sequence number}
AWS::EC2::Instance
BastionInstance01
Value: !Ref AWS::NoValue
```yaml
# Fn::Sub only accepts a literal string, so an ImportValue cannot be nested inside it,
# and YAML does not allow two short-form tags on one node (!ImportValue !Sub ...).
# Build the export name with !Sub and hand it to the long-form Fn::ImportValue:
Value:
  Fn::ImportValue: !Sub "ImportedResource-${Param01}"
```
-
```yaml
SecurityGroupIngress:
  # Use the network address (192.168.11.0/24); 192.168.11.1/24 has host bits set
  # and is not a well-formed CIDR block.
  - IpProtocol: tcp
    FromPort: 80
    ToPort: 80
    CidrIp: 192.168.11.0/24
  - IpProtocol: tcp
    FromPort: 443
    ToPort: 443
    CidrIp: 192.168.11.0/24
```
[
]
```yaml
Conditions:
  CreateBastionInstance01: !Equals [!Ref Environment, "com1"]
  CreateWebInstance01: !Or
    - !Equals [!Ref Environment, "dev1"]
    - !Equals [!Ref Environment, "prd1"]
```
```json
{
  "files.autoSave": "afterDelay",
  "files.autoSaveDelay": 1000,
  "files.trimTrailingWhitespace": true,
  "files.insertFinalNewline": true,
  "files.eol": "\n",
  "yaml.format.singleQuote": true,
  "yaml.format.enable": true,
  "[json]": {
    "files.encoding": "utf8"
  },
  "[yaml]": {
    "files.encoding": "utf8"
  },
  "yaml.schemas": {
    "https://d33vqc0rt9ld30.cloudfront.net/latest/gzip/CloudFormationResourceSpecification.json": [
      "*.cf.yaml",
      "*.cf.yml",
      "cloud*formation/*.yaml",
      "cloud*formation/*.yml"
    ],
    "https://raw.githubusercontent.com/awslabs/goformation/master/schema/cloudformation.schema.json": "file:///Users/user01/template.config-rules.yml"
  },
  "yaml.customTags": [
    "!And sequence",
    "!Base64 scalar",
    "!Cidr scalar",
    "!Condition scalar",
    "!Equals sequence",
    "!FindInMap sequence",
    "!GetAZs scalar",
    "!GetAtt scalar",
    "!GetAtt sequence",
    "!If sequence",
    "!ImportValue scalar",
    "!Join sequence",
    "!Not sequence",
    "!Or sequence",
    "!Ref scalar",
    "!Select sequence",
    "!Split sequence",
    "!Sub scalar",
    "!Sub sequence",
    "!Transform mapping"
  ],
  "cfnLint.format.enable": true,
  "cfnLint.enableAutocomplete": true,
  "cfnNagLint.blacklistPath": ".cfn-nag-blacklist.yml"
}
```