
    aws-cf-checker

    1.0.0 • Public • Published


    AWS CloudFormation Checker

    Checks help you enforce security, reliability and conformity standards in your CloudFormation templates. We provide a set of default checks that you can use to validate your templates.

    CLI usage

    install the module globally

    npm install aws-cf-checker -g
    

    reading template from file

    cf-checker --templateFile ./path/to/template.json
    
    cf-checker --templateFile ./path/to/template.json --checksFile ./path/to/checks.json
    

    reading template from stdin

    cat ./path/to/template.json | cf-checker
    
    cat ./path/to/template.json | cf-checker --checksFile ./path/to/checks.json
    

    as long as the exit code is 0, your template is fine

    Programmatic usage

    install the module locally

    npm install aws-cf-checker
    

    reading template from file

    var checker = require("aws-cf-checker")
     
    // second argument: the checks configuration (same shape as checks.json)
    checker.checkFile("./path/to/template.json", {"logicalID": {}}, function(err, findings) {
      if (err) {
        throw err;
      } else {
        if (findings.length > 0) {
          console.error("findings", findings);
        } else {
          console.log("no findings");
        }
      }
    });

    using a template object

    var checker = require("aws-cf-checker")
     
    var template = {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Description": "minimal template"
    };
    checker.checkTemplate(template, {"logicalID": {}}, function(err, findings) {
      if (err) {
        throw err;
      } else {
        if (findings.length > 0) {
          console.error("findings", findings);
        } else {
          console.log("no findings");
        }
      }
    });

    as long as the findings array is empty, your template is fine

    Checks

    Checks are configured with a JSON file. Have a look at our default checks.

    logicalID

    Checks the logical IDs of your template.

    Options: (Object)

    • case: (Enum["pascal", "camel"] default: "pascal")

    resourceType

    Checks if the resource types are allowed in the template. Wildcard * is supported.

    By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

    Options: (Object)

    • allow: (Array[String]) (whitelist, wildcard * can be used)
    • deny: (Array[String]) (blacklist, wildcard * can be used)
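The allow/deny semantics described above (implicit deny, explicit deny overriding an allow, wildcard *) can be exercised without the module. The following is an added example, not code from aws-cf-checker: it reimplements the resourceType rule as I read it from this description, with my own function names, a constructed sample template and constructed options.

```javascript
// Added example (not part of aws-cf-checker): stand-alone reimplementation of
// the resourceType check semantics. Function and variable names are my own.

// Convert a pattern such as "AWS::EC2::*" into an anchored RegExp. Only "*" is
// special; every other regex metacharacter is escaped literally.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, (ch) =>
    ch === "*" ? ".*" : "\\" + ch
  );
  return new RegExp("^" + escaped + "$");
}

function matchesAny(value, patterns) {
  return (patterns || []).some((p) => wildcardToRegExp(p).test(value));
}

// One resource type: explicit deny wins, otherwise it must be on the allow
// list, otherwise implicit deny.
function isResourceTypeAllowed(type, options) {
  if (matchesAny(type, options.deny)) return false;
  return matchesAny(type, options.allow);
}

// Walk the template's Resources and return a finding for every disallowed type.
function checkResourceTypes(template, options) {
  const findings = [];
  const resources = (template && template.Resources) || {};
  for (const logicalId of Object.keys(resources)) {
    const type = resources[logicalId].Type;
    if (!isResourceTypeAllowed(type, options)) {
      findings.push({
        check: "resourceType",
        logicalId: logicalId,
        type: type,
        message: "resource type not allowed",
      });
    }
  }
  return findings;
}

// Constructed sample template (not from the project).
const sampleTemplate = {
  AWSTemplateFormatVersion: "2010-09-09",
  Resources: {
    WebInstance: { Type: "AWS::EC2::Instance" },
    WebSecurityGroup: { Type: "AWS::EC2::SecurityGroup" },
    AdminUser: { Type: "AWS::IAM::User" },
    DataBucket: { Type: "AWS::S3::Bucket" },
  },
};

// Constructed options: allow all EC2 types and S3 buckets, but explicitly deny
// security groups. AdminUser is caught by the implicit deny, WebSecurityGroup
// by the explicit one.
const sampleOptions = {
  allow: ["AWS::EC2::*", "AWS::S3::Bucket"],
  deny: ["AWS::EC2::SecurityGroup"],
};

console.log(checkResourceTypes(sampleTemplate, sampleOptions));
```

Running it reports two findings, WebSecurityGroup (explicit deny) and AdminUser (not on the allow list); the EC2 instance and the bucket pass.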

    securityGroupInbound

    Checks that only security groups attached to:

    • AWS::ElasticLoadBalancing::LoadBalancer (external)

    allow traffic from public IP addresses.

    Security groups attached to:

    • AWS::ElasticLoadBalancing::LoadBalancer (internal)
    • AWS::AutoScaling::LaunchConfiguration
    • AWS::EC2::NetworkInterface
    • AWS::EC2::Instance
    • AWS::EC2::SpotFleet
    • AWS::RDS::DBInstance
    • AWS::RDS::DBCluster
    • AWS::Redshift::Cluster
    • AWS::ElastiCache::CacheCluster
    • AWS::ElastiCache::ReplicationGroup
    • AWS::EFS::MountTarget
    • AWS::OpsWorks::Layer

    should only allow inbound traffic from other security groups or private IP addresses.

    Assumes that your account supports only the EC2-VPC platform (not EC2-Classic).

    Options: (Object)

    none

    iamInlinePolicy

    Checks IAM Users, Groups and Roles for inline policies.

    Options: (Boolean)

    true := inline policies are allowed
    false := inline policies are denied

    iamPolicy

    Checks allowed actions and resources of IAM policy statements. Wildcard * is supported.

    A statement with NotAction is a finding. A statement with Effect != Allow is skipped.

    By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

    Options: (Object)

    • allow: (Array[Object]) List of allowed actions & resources (whitelist); each object has:
        • action: (String | Array[String]) IAM action (wildcard * can be used)
        • resource: (String | Array[String]) IAM resource (wildcard * can be used)
    • deny: (Array[Object]) List of denied actions & resources (blacklist); each object has:
        • action: (String | Array[String]) IAM action (wildcard * can be used)
        • resource: (String | Array[String]) IAM resource (wildcard * can be used)
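To make the iamPolicy rules concrete (NotAction is a finding, Effect != Allow is skipped, every action/resource pair must match an allow entry and no deny entry), here is an added example that is not code from aws-cf-checker. It walks the PolicyDocument of AWS::IAM::Policy and AWS::IAM::ManagedPolicy resources and the inline Policies of users, groups and roles, which is how CloudFormation carries IAM policy documents; the function names, the sample template and the options are my own constructions.

```javascript
// Added example (not part of aws-cf-checker): stand-alone reimplementation of
// the iamPolicy check semantics. Names are my own.

function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, (ch) =>
    ch === "*" ? ".*" : "\\" + ch
  );
  return new RegExp("^" + escaped + "$");
}

// IAM allows Action/Resource (and the check options) to be a string or an array.
function toArray(value) {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// An allow/deny entry matches a concrete (action, resource) pair when both
// the action and the resource match one of its wildcard patterns.
function ruleMatches(rule, action, resource) {
  return toArray(rule.action).some((p) => wildcardToRegExp(p).test(action)) &&
         toArray(rule.resource).some((p) => wildcardToRegExp(p).test(resource));
}

// Explicit deny wins; otherwise the pair needs an allow entry (implicit deny).
function pairAllowed(action, resource, options) {
  if ((options.deny || []).some((r) => ruleMatches(r, action, resource))) return false;
  return (options.allow || []).some((r) => ruleMatches(r, action, resource));
}

// Check one policy document; returns one finding per offending statement.
function checkPolicyDocument(doc, options, where) {
  const findings = [];
  for (const stmt of toArray(doc && doc.Statement)) {
    if (stmt.Effect !== "Allow") continue;          // Effect != Allow is skipped
    if (stmt.NotAction !== undefined) {             // NotAction is always a finding
      findings.push({ check: "iamPolicy", where: where, message: "NotAction is not allowed" });
      continue;
    }
    const bad = [];
    for (const a of toArray(stmt.Action)) {
      for (const r of toArray(stmt.Resource)) {
        if (!pairAllowed(a, r, options)) bad.push(a + " on " + r);
      }
    }
    if (bad.length > 0) {
      findings.push({ check: "iamPolicy", where: where, message: "not allowed: " + bad.join(", ") });
    }
  }
  return findings;
}

// Collect policy documents from the template and check each of them.
function checkIamPolicies(template, options) {
  const findings = [];
  const resources = (template && template.Resources) || {};
  for (const id of Object.keys(resources)) {
    const props = resources[id].Properties || {};
    if (props.PolicyDocument) {
      findings.push(...checkPolicyDocument(props.PolicyDocument, options, id));
    }
    for (const p of toArray(props.Policies)) {   // inline policies on users/groups/roles
      if (p.PolicyDocument) {
        findings.push(...checkPolicyDocument(p.PolicyDocument, options, id + "/" + p.PolicyName));
      }
    }
  }
  return findings;
}

// Constructed sample: a role with a harmless inline policy and a standalone
// policy that trips both rules.
const sampleTemplate = {
  AWSTemplateFormatVersion: "2010-09-09",
  Resources: {
    AppRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        Policies: [{
          PolicyName: "ReadLogs",
          PolicyDocument: { Statement: [
            { Effect: "Allow", Action: ["logs:GetLogEvents", "logs:DescribeLogStreams"], Resource: "*" },
            { Effect: "Deny", Action: "*", Resource: "arn:aws:iam::*" },    // skipped
          ] },
        }],
      },
    },
    AdminPolicy: {
      Type: "AWS::IAM::Policy",
      Properties: {
        PolicyName: "TooBroad",
        PolicyDocument: { Statement: [
          { Effect: "Allow", NotAction: "iam:*", Resource: "*" },            // finding
          { Effect: "Allow", Action: "s3:DeleteBucket", Resource: "*" },     // finding (denied)
        ] },
      },
    },
  },
};

// Constructed options: read-only logs and S3 reads anywhere, full S3 on app-*
// buckets, and an explicit deny on every S3 delete.
const sampleOptions = {
  allow: [{ action: ["logs:*", "s3:Get*"], resource: "*" },
          { action: "s3:*", resource: "arn:aws:s3:::app-*" }],
  deny:  [{ action: "s3:Delete*", resource: "*" }],
};

console.log(checkIamPolicies(sampleTemplate, sampleOptions));
```

The role's inline policy produces no finding (its Deny statement is skipped and its log actions are allowed), while AdminPolicy yields two findings: one for the NotAction statement and one for the explicitly denied s3:DeleteBucket.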

    iamManagedPolicy

    Checks IAM Users, Groups and Roles for managed policy attachments. Wildcard * is supported.

    Options: (Object)

    • allow: (Array[String]) List of allowed ARNs (whitelist, wildcard * can be used)
    • deny: (Array[String]) List of denied ARNs (blacklist, wildcard * can be used)


    License

    MIT
