Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

aws-cf-checker

Package Overview
Dependencies
Maintainers
1
Versions
11
Alerts
File Explorer

Advanced tools

Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

aws-cf-checker

Checks AWS CloudFormation templates for security, reliability and conformity

  • 1.0.0
  • latest
  • Source
  • npm
  • Socket score

Version published
Weekly downloads
0
decreased by-100%
Maintainers
1
Weekly downloads
 
Created
Source

Build Status NPM version NPM dependencies

AWS CloudFormation Checker

Checks can guarantee high security, reliability and conformity of your CloudFormation templates. We provide a set of default checks that you can use to validate your templates.

CLI usage

install the module globally

npm install aws-cf-checker -g

reading template from file

cf-checker --templateFile ./path/to/template.json

cf-checker --templateFile ./path/to/template.json --checksFile ./path/to/checks.json

reading template from stdin

cat ./path/to/template.json | cf-checker

cat ./path/to/template.json | cf-checker --checksFile ./path/to/checks.json

as long as the exit code is 0 your template is fine

Programatic usage

install the module locally

npm install aws-cf-checker

reading template from file

var checker = require("aws-cf-checker")

checker.checkFile("./path/to/template.json", {"logicalID": {}}, function(err, findings) {
  if (err) {
    throw err;
  } else {
    if (findings.length > 0) {
      console.error("findings", findings);
    } else {
      console.log("no findings");
    }
  }
});

using a template object

var checker = require("aws-cf-checker")

var template = {
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "minimal template"
};
checker.checkTemplate(template, {"logicalID": {}}, function(err, findings) {
  if (err) {
    throw err;
  } else {
    if (findings.length > 0) {
      console.error("findings", findings);
    } else {
      console.log("no findings");
    }
  }
});

as long as the findings array is empty your template is fine

Checks

Checks are configured with a JSON file. Have a look at our default checks.

logicalID

Checks logical ids of your template.

Options: (Object)

  • case: (Enum["pascal", "camel"] default: "pascal")

resourceType

Checks if the resource types are allowed in the template. Wildcard * is supported.

By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

Options: (Object)

  • deny: (Array[String]) (whitelist, wildcard * can be used)
  • allow: (Array[String]) (blacklist, wildcard * can be used)

securityGroupInbound

Checks that only security groups attached to:

  • AWS::ElasticLoadBalancing::LoadBalancer (external)

allow traffic from public IP addresses.

Security groups attached to:

  • AWS::ElasticLoadBalancing::LoadBalancer (internal)
  • AWS::AutoScaling::LaunchConfiguration
  • AWS::EC2::NetworkInterface
  • AWS::EC2::Instance
  • AWS::EC2::SpotFleet
  • AWS::RDS::DBInstance
  • AWS::RDS::DBCluster
  • AWS::Redshift::Cluster
  • AWS::ElastiCache::CacheCluster
  • AWS::ElastiCache::ReplicationGroup
  • AWS::EFS::MountTarget
  • AWS::OpsWorks::Layer

should only allow inbound traffic from other security groups or private ip addresses.

Assumes that your account only supports the EC2 platform EC2-VPC.

Options: (Object)

none

iamInlinePolicy

Checks IAM Users, Groups and Roles for inline policies.

Options: (Boolean)

true := inline policies are allowed false := inline policies are denied

iamPolicy

Checks allowed actions and resources of IAM policy statements. Wildcard * is supported.

A statement with NotAction is a finding. A statement with Effect != Allow is skipped.

By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

Options: (Object)

  • allow: (Array[Object]) List of allowed actions & resources (whitelist)
  • action: (String | Array[String]) IAM action (wildcard * can be used)
  • resource: (String | Array[String]) IAM resource (wildcard * can be used)
  • deny: (Array[Object]) List of denied actions & resources (blacklist)
  • action: (String | Array[String]) IAM action (wildcard * can be used)
  • resource: (String | Array[String]) IAM resource (wildcard * can be used)

iamManagedPolicy

Checks IAM Users, Groups and Roles for managed policy attachments. Wildcard * is supported.

Options: (Object)

  • allow: (Array[String]) List of allowed ARNs (whitelist, wildcard * can be used)
  • deny: (Array[String]) List of denied ARNs (blacklist, wildcard * can be used)

Keywords

FAQs

Package last updated on 08 Jun 2016

Did you know?

Socket

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Install

Related posts

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc