aws-cf-checker - npm Package Compare versions

Comparing version 0.1.0 to 0.1.1

lib/securityGroupInbound.js

@@ -55,3 +55,3 @@ // TODO what about SourceSecurityGroupName parameter for ec2 classic? should be disallowed?
       "use strict";
-      return false; // TODO improve
+      return false; // TODO is the assumption that a database should be never accessible from the outside fine?
     }
@@ -58,0 +58,0 @@ }

package.json

 {
   "name": "aws-cf-checker",
-  "version": "0.1.0",
-  "description": "check AWS CloudFormation templates against certain rules",
+  "version": "0.1.1",
+  "description": "Checks AWS CloudFormation templates for security, reliability and conformity",
   "keywords": ["aws", "cloudformation", "cf"],
@@ -10,3 +10,3 @@ "main": "index.js",
   },
-  "author": "Michael Wittig <post@michaelwittig.info>",
+  "author": "Michael Wittig <michael@widdix.de>",
   "license": "MIT",
@@ -13,0 +13,0 @@ "dependencies": {

README.md

@@ -0,11 +1,17 @@
+[![Build Status](https://secure.travis-ci.org/widdix/aws-cf-checker.png)](http://travis-ci.org/widdix/aws-cf-checker)
+[![NPM version](https://badge.fury.io/js/aws-cf-checker.png)](http://badge.fury.io/js/aws-cf-checker)
+[![NPM dependencies](https://david-dm.org/widdix/aws-cf-checker.png)](https://david-dm.org/widdix/aws-cf-checker)
+
 # AWS CloudFormation Checker
 
-## Installation
+Checks can guarantee high security, reliability and conformity of your CloudFormation templates. We provide a set of default checks that you can use to validate your templates.
 
+## CLI usage
+
+install the module globally
+
 ```
-npm install cf-checker
+npm install aws-cf-checker -g
 ```
 
-## CLI Usage
-
 reading template from file
@@ -19,3 +25,2 @@
 
-
 reading template from stdin
@@ -29,12 +34,72 @@
 
+as long as the exit code is `0` your template is fine
+
+## Programatic usage
+
+install the module locally
+
+```
+npm install aws-cf-checker
+```
+
+reading template from file
+
+```javascript
+var checker = require("aws-cf-checker")
+
+checker.checkFile("./path/to/template.json", {"logicalID": {"case": "pascal"}}, function(err, findings) {
+  if (err) {
+    throw err;
+  } else {
+    if (findings.length > 0) {
+      console.error("findings", findings);
+    } else {
+      console.log("no findings");
+    }
+  }
+});
+```
+
+using a template object
+
+```javascript
+var checker = require("aws-cf-checker")
+
+var template = {
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "minimal template"
+};
+checker.checkFile(template, {"logicalID": {"case": "pascal"}}, function(err, findings) {
+  if (err) {
+    throw err;
+  } else {
+    if (findings.length > 0) {
+      console.error("findings", findings);
+    } else {
+      console.log("no findings");
+    }
+  }
+});
+```
+
+as long as the `findings` array is empty your template is fine
+
 ## Checks
 
+Checks are configured with a JSON file. Have a look at our [default checks](https://github.com/widdix/aws-cf-checker/blob/master/checks.json). 
+
 ### logicalID
 
+Checks logical ids of your template.
+
 Options:
 
-* `case`: Enum["pascal", "camel"]
+* `case`: Enum["pascal", "camel"] (default: "pascal")
 
 ### resourceType
 
+Checks if the resource types are allowed in the template.
+If you `deny` resource types everything that is not denied is allowed.
+If you `allow` resource types everything that is not allowed is denied.
+
 Options:
@@ -47,2 +112,7 @@
 
-Options
+Checks that only security groups attached to external load balancers allow traffic from public ip addresses.
+Security groups attached to internal load balancers, auto scaling groups (launch configuration), rds instances should only allow inbound traffic from other security groups or private ip addresses.
+
+Options:
+
+* none

test/securityGroupInbound.js

@@ -68,2 +68,66 @@ var checker = require("../index.js");
   });
+  it("secure AutoScaling + LoadBalancer + RDS instance setup", function(done) {
+    test({
+      "Resources": {
+        "SGDatabase": {
+          "Type": "AWS::EC2::SecurityGroup",
+          "Properties": {
+            "SecurityGroupIngress": [{
+              "FromPort": 3306,
+              "ToPort": 3306,
+              "IpProtocol": "tcp",
+              "SourceSecurityGroupId": {"Ref": "SGServer"}
+            }]
+          }
+        },
+        "SGServer": {
+          "Type": "AWS::EC2::SecurityGroup",
+          "Properties": {
+            "SecurityGroupIngress": [{
+              "FromPort": 80,
+              "ToPort": 80,
+              "IpProtocol": "tcp",
+              "SourceSecurityGroupId": {"Ref": "SGLoadBalancer"}
+            }]
+          }
+        },
+        "SGLoadBalancer": {
+          "Type": "AWS::EC2::SecurityGroup",
+          "Properties": {
+            "SecurityGroupIngress": [{
+              "FromPort": 80,
+              "ToPort": 80,
+              "IpProtocol": "tcp",
+              "CidrIp": "0.0.0.0/0"
+            }]
+          }
+        },
+        "LoadBalancer": {
+          "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
+          "Properties": {
+            "SecurityGroups": [{"Ref": "SGLoadBalancer"}]
+          }
+        },
+        "AutoScalingGroup": {
+          "Type": "AWS::AutoScaling::AutoScalingGroup",
+          "Properties": {
+            "LaunchConfigurationName": {"Ref": "LaunchConfiguration"},
+            "LoadBalancerNames": [{"Ref": "LoadBalancer"}]
+          }
+        },
+        "LaunchConfiguration": {
+          "Type": "AWS::AutoScaling::LaunchConfiguration",
+          "Properties": {
+            "SecurityGroups": [{"Ref": "SGServer"}]
+          }
+        },
+        "Database": {
+          "Type": "AWS::RDS::DBInstance",
+          "Properties": {
+            "VPCSecurityGroups": [{"Ref": "SGDatabase"}]
+          }
+        }
+      }
+    }, {"securityGroupInbound": true}, 0, done);
+  });
   it("insecure AutoScaling + LoadBalancer setup", function(done) {
@@ -164,2 +228,48 @@ test({
   });
+  it("secure RDS instance setup", function(done) {
+    test({
+      "Resources": {
+        "SGDatabase": {
+          "Type": "AWS::EC2::SecurityGroup",
+          "Properties": {
+            "SecurityGroupIngress": [{
+              "FromPort": 3306,
+              "ToPort": 3306,
+              "IpProtocol": "tcp",
+              "CidrIp": "10.0.0.0/16"
+            }]
+          }
+        },
+        "Database": {
+          "Type": "AWS::RDS::DBInstance",
+          "Properties": {
+            "VPCSecurityGroups": [{"Ref": "SGDatabase"}]
+          }
+        }
+      }
+    }, {"securityGroupInbound": true}, 0, done);
+  });
+  it("insecure RDS instance setup", function(done) {
+    test({
+      "Resources": {
+        "SGDatabase": {
+          "Type": "AWS::EC2::SecurityGroup",
+          "Properties": {
+            "SecurityGroupIngress": [{
+              "FromPort": 3306,
+              "ToPort": 3306,
+              "IpProtocol": "tcp",
+              "CidrIp": "0.0.0.0/0"
+            }]
+          }
+        },
+        "Database": {
+          "Type": "AWS::RDS::DBInstance",
+          "Properties": {
+            "VPCSecurityGroups": [{"Ref": "SGDatabase"}]
+          }
+        }
+      }
+    }, {"securityGroupInbound": true}, 1, done);
+  });
 });

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

42257

increased by15.16%

Lines of code

1378

increased by8.68%

Number of lines in readme file

116

increased by152.17%

No dependency changes