def test_result_valid_after_removing_failures():
result = Result()
result.add_failure(
rule="mock_rule",
reason="mock_reason",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
granularity=RuleGranularity.STACK,
)
# Result has a blocking failure, so it should be invalid
assert result.valid is False
result.failed_rules = []
# Result has no failures, so it should be valid
assert result.valid is True
result = Result()
failed_rules = [
Failure(
rule="S3CrossAccountTrustRule",
reason="ProductionAccessTest has forbidden cross-account policy allow with 123456789 for an S3 bucket.",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
resource_ids={"ProductionAccessTest"},
actions=None,
granularity=RuleGranularity.RESOURCE,
),
Failure(
rule="S3CrossAccountTrustRule",
reason="This one isn't whitelisted because granularity is ACTION and not RESOURCE",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
resource_ids={"ProductionAccessTest"},
actions=None,
granularity=RuleGranularity.ACTION,
),
]
result.failed_rules = failed_rules
RuleProcessor.remove_failures_of_whitelisted_resources(config=config, result=result)
assert result.failed_rules == [
Failure(
rule="S3CrossAccountTrustRule",
reason="This one isn't whitelisted because granularity is ACTION and not RESOURCE",
rule_mode=RuleMode.BLOCKING,
risk_value=RuleRisk.HIGH,
resource_ids={"ProductionAccessTest"},
actions=None,
def expected_result_two_roles():
    """Expected CrossAccountTrustRule findings for a template with two root-trusting roles.

    Both RootRoleOne and RootRoleTwo trust the same external-account principal, so each
    produces one BLOCKING, MEDIUM-risk, RESOURCE-granularity failure naming that role.
    Returns the two failures in role order (RootRoleOne first).
    """
    trusted_arn = "arn:aws:iam::999999999:role/someuser@bla.com"
    return [
        Failure(
            rule="CrossAccountTrustRule",
            # Message wording must stay identical to what the rule emits, so build it
            # from the same two pieces for each role.
            reason=f"{role_name} has forbidden cross-account trust relationship with {trusted_arn}",
            rule_mode=RuleMode.BLOCKING,
            risk_value=RuleRisk.MEDIUM,
            resource_ids={role_name},
            actions=set(),
            granularity=RuleGranularity.RESOURCE,
        )
        for role_name in ("RootRoleOne", "RootRoleTwo")
    ]
from abc import ABC, abstractmethod
from typing import Dict, List, Optional, Set
from pycfmodel.model.cf_model import CFModel
from cfripper.config.config import Config
from cfripper.config.rule_config import RuleConfig
from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk
from cfripper.model.result import Failure, Result
# Module logger keyed by the file path (``__file__``) rather than the conventional
# ``__name__``; kept that way so existing log routing/filters keyed on it still apply.
logger = logging.getLogger(name=__file__)
class Rule(ABC):
    """Base class for cfripper rules.

    The three class attributes below are the rule's built-in defaults; a rule
    subclass overrides them, and the ``rule_mode`` / ``risk_value`` properties
    let the per-rule ``Config`` entry override the first two at runtime.
    GRANULARITY is presumably consumed the same way by code not shown here — confirm.
    """

    # Default enforcement: a finding from this rule fails the stack unless a
    # Config entry relaxes the mode.
    RULE_MODE = RuleMode.BLOCKING
    RISK_VALUE = RuleRisk.MEDIUM
    GRANULARITY = RuleGranularity.STACK
def __init__(self, config: Optional[Config]):
    """Bind the rule to *config*, substituting a fresh ``Config()`` when none is given.

    The fallback is taken whenever *config* is falsy, not only when it is ``None``;
    whether a ``Config`` instance can itself be falsy depends on ``Config`` — confirm
    there before relying on passing an "empty" config through.
    """
    self._config = config or Config()
@property
def rule_config(self) -> RuleConfig:
    """Per-rule configuration entry, looked up in the bound ``Config`` by this rule's class name.

    The key is the concrete class name, so every subclass gets its own entry;
    what ``get_rule_config`` returns for an unknown name is decided by ``Config``.
    """
    rule_name = self.__class__.__name__
    return self._config.get_rule_config(rule_name)
@property
def rule_mode(self) -> RuleMode:
    """Effective enforcement mode: the Config override when set, else the class default.

    A Config entry can change how a finding is treated (including relaxing a
    BLOCKING rule), so the mode actually enforced depends on the Config the
    rule was constructed with, not only on the rule class. A falsy configured
    value (e.g. ``None``) falls through to ``RULE_MODE``.
    """
    configured_mode = self.rule_config.rule_mode
    if configured_mode:
        return configured_mode
    return self.RULE_MODE
@property
def risk_value(self) -> RuleRisk:
    """Effective risk rating: the Config override when set, else the class default.

    Mirrors ``rule_mode``: a falsy configured value (e.g. ``None``) falls through
    to ``RISK_VALUE``, so a Config entry can re-rate a rule's findings up or down.
    """
    configured_risk = self.rule_config.risk_value
    if configured_risk:
        return configured_risk
    return self.RISK_VALUE
Checks for any wildcard or account-wide principals defined in any statements. This rule will flag
as non-compliant any principals where `root` or `*` are included at the end of the value, for
example, `arn:aws:iam::12345:12345*`.
Risk:
It might allow other AWS identities or the root access of the account to escalate privileges.
Fix:
Where possible, restrict the access to only the required resources.
For example, instead of `Principal: "*"`, include a list of the roles that need access.
"""
# Finding message template; the second placeholder is the offending principal value,
# the first is presumably the logical resource id — confirm against the caller.
# (The "WILCARD" misspelling is the attribute's existing name; renaming it would break
# any lookup of that attribute.)
REASON_WILCARD_PRINCIPAL = "{} should not allow wildcard in principals or account-wide principals (principal: '{}')"
# MONITOR: matches are reported but do not fail the stack by default; the per-rule
# Config entry can still override the mode (see Rule.rule_mode's fallback order).
RULE_MODE = RuleMode.MONITOR
RISK_VALUE = RuleRisk.MEDIUM
"""
Will catch:
- Principal: arn:aws:iam:12345:12345*
"""
# NOTE(review): the example just above has a single colon after "iam", but FULL_REGEX
# requires "arn:aws:iam::" (empty region field), so the example as written would not match.
# Anchored pattern: the segment after "arn:aws:iam::" is any text up to a colon (it is not
# validated as an account id); the final segment must be exactly "root" or end with "*".
# Presumably applied to each principal by the parent class — confirm.
FULL_REGEX = re.compile(r"^arn:aws:iam::.*:(.*\*|root)$")
class FullWildcardPrincipalRule(GenericWildcardPrincipalRule):
"""
Checks for any wildcard principals defined in any statements.
Risk:
It might allow other AWS identities to escalate privileges.
under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
"""
import re
from ..model.enums import RuleMode, RuleRisk
from .GenericWildcardPrincipalRule import GenericWildcardPrincipalRule
class PartialWildcardPrincipalRule(GenericWildcardPrincipalRule):
    """Flag IAM principals that are account-wide (``root``) or end in a wildcard.

    Default mode is MONITOR, so a match is reported rather than failing the
    stack unless the rule's Config entry overrides the mode. Values the pattern
    matches include ``arn:aws:iam::12345:root`` and ``arn:aws:iam::12345:12345*``;
    a bare ``*`` principal does not match (it needs the ``arn:aws:iam::`` prefix).
    """

    # Finding message template: second placeholder is the principal value; the first is
    # presumably the logical resource id — confirm against the parent class.
    # The "WILCARD" misspelling is the attribute's established name and is kept.
    REASON_WILCARD_PRINCIPAL = "{} should not allow wildcard in principals or account-wide principals (principal: '{}')"

    # Anchored pattern: the segment after "arn:aws:iam::" is any text up to a colon
    # (not validated as an account id); the final segment must be exactly "root" or
    # end with "*". Presumably applied per principal by the parent class — confirm.
    FULL_REGEX = re.compile(r"^arn:aws:iam::.*:(.*\*|root)$")

    RULE_MODE = RuleMode.MONITOR
    RISK_VALUE = RuleRisk.MEDIUM