This repository contains several CloudFormation templates that demonstrate the various capabilties of cfn_nag, a static analyzer of CloudFormation templates. It will look at your CloudFormation template files, and look for known anti-patterns that are best avoided.
cfn_nag is a ruby gem. Assuming you have Ruby installed already, installing cfn_nag is a snap:
gem install cfn-nag
Encrypted EBS volumes are an excellent example of something cfn_nag will help enforce. There's really no reason you don't want your EBS volumes encrypted, so if cfn_nag detects you are provisioning an unencrypted EBS volume, it'll issue and error.
cfn_nag_scan --input-path cfn/volume.yml
Which will produce
------------------------------------------------------------
volume.yml
------------------------------------------------------------------------------------------------------------------------
| FAIL F1
|
| Resources: ["EBSVolume"]
|
| EBS volume should have server-side encryption enabled
Failures count: 1
Warnings count: 0
However, if we encrypt the volume, cfn_nag succeeds:
cfn_nag_scan --input-path cfn/volume-encrypted.yml
Which will produce
------------------------------------------------------------
volume-encrypted.yml
------------------------------------------------------------
Failures count: 0
Warnings count: 0
cfn_nag will complain in two different ways: it will issue warnings for patterns that are probably a bad idea, and will issue errors for patterns that are definitely a bad idea.
For example, let's look at a tempalte for a EC2 instance, with an IAM role attached, behind an ELB:
cfn_nag_scan --input-path cfn/stack.yml
Which will produce
------------------------------------------------------------
cfn/stack.yml
------------------------------------------------------------------------------------------------------------------------
| FAIL F1
|
| Resources: ["EBSVolume"]
|
| EBS volume should have server-side encryption enabled
------------------------------------------------------------
| WARN W26
|
| Resources: ["LoadBalancer"]
|
| Elastic Load Balancer should have access logging enabled
------------------------------------------------------------
| FAIL F3
|
| Resources: ["InstanceRole"]
|
| IAM role should not allow * action on its permissions policy
------------------------------------------------------------
| WARN W11
|
| Resources: ["InstanceRole"]
|
| IAM role should not allow * resource on its permissions policy
------------------------------------------------------------
| WARN W5
|
| Resources: ["EC2SecurityGroup"]
|
| Security Groups found with cidr open to world on egress
------------------------------------------------------------
| WARN W29
|
| Resources: ["EC2SecurityGroup"]
|
| Security Groups found egress with port range instead of just a single port
Failures count: 2
Warnings count: 4
When used as part of your continuous delivery pipeline, failures will cause cfn_nag to return a non-zero error code, which will fail your build. However, warnings will just be printed out, and cfn_nag will exit successfully so your build can continue.
If the failures are fixed, the build can continue, but with warnings:
cfn_nag_scan --input-path cfn/stack-fixed.yml
Which will produce
------------------------------------------------------------
cfn/stack-fixed.yml
------------------------------------------------------------------------------------------------------------------------
| WARN W26
|
| Resources: ["LoadBalancer"]
|
| Elastic Load Balancer should have access logging enabled
------------------------------------------------------------
| WARN W11
|
| Resources: ["InstanceRole"]
|
| IAM role should not allow * resource on its permissions policy
------------------------------------------------------------
| WARN W5
|
| Resources: ["EC2SecurityGroup"]
|
| Security Groups found with cidr open to world on egress
------------------------------------------------------------
| WARN W29
|
| Resources: ["EC2SecurityGroup"]
|
| Security Groups found egress with port range instead of just a single port
Failures count: 0
Warnings count: 4