Introduction

Skyscanner’s products are powered by hundreds of services hosted on AWS. In order to deploy changes and new services to production with zero clicks, we have an automated pipeline that’s responsible for building, testing and deploying new code, and provisioning and configuring new infrastructure. Developers perform these changes by writing CloudFormation templates that model their service’s Infrastructure as Code (IaC).

CloudFormation dynamic syntax

CloudFormation, although not a fully fledged programming language, is rich and dynamic. In order to make templates reusable and customisable, developers use parameters, mappings, intrinsic functions and conditions (declared in the Conditions section) in their templates.

Bypassing CloudFormation scanners with intrinsic functions

Let’s craft a simple template that grants anyone permission to perform any action on any resource in an AWS account, effectively making anyone an administrator:

For example, with a stack named `test-stack-lambda`, `!Sub '${AWS::StackName}-role'` resolves to `'test-stack-lambda-role'`.
  • Intrinsic Function resolver + Smarter Condition resolver: In the past, we were blind whenever a function was used. Now we are able to resolve most of them. This allowed us to improve the condition resolver: we decided to analyse both sides of an if / else statement, whereas other approaches only check the true branch. With the latest update, conditions are resolved at the very beginning, so we only need to evaluate the branch that is actually going to be taken.
  • AWS default parameters: AWS has some special parameters called pseudo parameters (prefixed by `AWS::`). These are automatically defined and don’t need to be passed. (A complete list can be found here: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameter-reference.html)
  • Secrets handling in template parameters: Instead of passing a raw template parameter, users can supply a placeholder so the secret itself is never exposed. Some new rules take advantage of this to warn the user whether the value would end up printed in AWS logs.
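The bypass described above and the resolver behaviour listed in the first two bullets, as an added example that is not part of the original post and not CFRipper’s own code: a small Python resolver that binds pseudo parameters (constructed placeholder values), parameter defaults and overrides, evaluates the Conditions section up front, resolves `Ref`, `Fn::Sub` and `Fn::If`, and only then checks the IAM statements. The sample template, the `if_mode` switch and all function names are constructed for this illustration. With the default parameter the template resolves to a harmless role; with any other `Env` value it resolves to a role that anyone can assume with `*` actions on `*` resources, and a resolver that only follows the true branch misses it.

```python
"""Resolve CloudFormation pseudo parameters, Ref, Fn::Sub and Fn::If before scanning.
Constructed example, not CFRipper code: a wildcard hidden in the false branch of
an Fn::If is only visible to the policy checks once the functions are resolved."""
import re
from typing import Any, Optional

# Constructed placeholder values; a real scanner takes these from the deployment target.
PSEUDO_DEFAULTS = {"AWS::AccountId": "123456789012", "AWS::StackName": "test-stack-lambda"}

# Constructed sample: harmless when Env=prod, full administrator otherwise.
SAMPLE_TEMPLATE = {
    "Parameters": {"Env": {"Type": "String", "Default": "prod"}},
    "Conditions": {"IsProd": {"Fn::Equals": [{"Ref": "Env"}, "prod"]}},
    "Resources": {"Role": {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "RoleName": {"Fn::Sub": "${AWS::StackName}-role"},
            "AssumeRolePolicyDocument": {"Statement": [{
                "Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": {"Fn::If": [
                    "IsProd", {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:root"}, "*"]}},
            }]},
            "Policies": [{"PolicyName": "inline", "PolicyDocument": {"Statement": [{
                "Effect": "Allow",
                "Action": {"Fn::If": ["IsProd", ["s3:GetObject"], "*"]},
                "Resource": {"Fn::If": [
                    "IsProd", {"Fn::Sub": "arn:aws:s3:::${AWS::StackName}-bucket/*"}, "*"]},
            }]}}],
        },
    }},
}


def evaluate_condition(cond: dict, ctx: dict) -> bool:
    """Evaluate a Conditions entry once parameter values are bound."""
    key, arg = next(iter(cond.items()))
    if key == "Fn::Equals":
        return resolve(arg[0], ctx) == resolve(arg[1], ctx)
    if key == "Fn::Not":
        return not evaluate_condition(arg[0], ctx)
    if key == "Condition":  # reference to another named condition
        return evaluate_condition(ctx["conditions"][arg], ctx)
    raise ValueError(f"unsupported condition: {cond!r}")


def resolve(node: Any, ctx: dict) -> Any:
    """Recursively replace Ref / Fn::Sub / Fn::If with concrete values."""
    if isinstance(node, list):
        return [resolve(n, ctx) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Ref":
            return ctx["values"].get(arg, node)  # refs to resources stay symbolic
        if key == "Fn::Sub":
            text, extra = (arg, {}) if isinstance(arg, str) else (arg[0], resolve(arg[1], ctx))
            lookup = {**ctx["values"], **extra}
            return re.sub(r"\$\{([^}]+)\}", lambda m: str(lookup.get(m.group(1), m.group(0))), text)
        if key == "Fn::If":
            name, if_true, if_false = arg
            # "true-only" mimics scanners that never look at the else branch.
            if ctx["if_mode"] == "true-only" or evaluate_condition(ctx["conditions"][name], ctx):
                return resolve(if_true, ctx)
            return resolve(if_false, ctx)
    return {k: resolve(v, ctx) for k, v in node.items()}


def resolve_template(template: dict, parameters: Optional[dict] = None,
                     if_mode: str = "evaluate") -> dict:
    """Bind pseudo parameters, parameter defaults and overrides, then resolve Resources."""
    values = dict(PSEUDO_DEFAULTS)
    for name, spec in template.get("Parameters", {}).items():
        if "Default" in spec:
            values[name] = spec["Default"]
    values.update(parameters or {})
    ctx = {"values": values, "conditions": template.get("Conditions", {}), "if_mode": if_mode}
    return {"Resources": resolve(template.get("Resources", {}), ctx)}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def scan(template: dict, parameters: Optional[dict] = None, if_mode: str = "evaluate") -> dict:
    """Flag Allow statements with Action * on Resource *, and trust policies open to anyone."""
    findings = {"admin_policies": [], "wildcard_principals": []}
    for res_name, res in resolve_template(template, parameters, if_mode)["Resources"].items():
        props = res.get("Properties", {})
        for stmt in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            principal = stmt.get("Principal", {})
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if stmt.get("Effect") == "Allow" and "*" in _as_list(aws):
                findings["wildcard_principals"].append(res_name)
        for policy in props.get("Policies", []):
            for stmt in policy["PolicyDocument"].get("Statement", []):
                if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                        and "*" in _as_list(stmt.get("Resource", []))):
                    findings["admin_policies"].append(f"{res_name}/{policy['PolicyName']}")
    return findings
```

Calling `scan(SAMPLE_TEMPLATE, {"Env": "dev"})` reports both the open trust policy and the `*`/`*` statement, while `if_mode="true-only"` reports nothing, which is the blind spot the resolver update closes. CFRipper works on YAML templates with short-form tags such as `!Sub`; the example uses the long-form `Fn::` keys in plain dicts so that it runs without a YAML parser.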

Contributing

The current open-source version of CFRipper contains a set of built-in rules ranging from to. We’ll continue to add any new rules that we develop in-house, but we’ll also appreciate any rules that you might have developed while using CFRipper. Please read the contribution guide and submit a pull request.

About the authors:

Oscar Blanco Castan

Oscar recently completed the Graduate programme at Skyscanner as a software engineer. He’s passionate about security, and currently works in the Platform Security and Automation team, developing services to automate the security processes in Skyscanner.

Xavier Mendez

Xavi Mendez is a principal security engineer at Skyscanner, leading the security automation team that builds security into our DevOps pipeline and our AWS and Kubernetes infrastructure.

Join Skyscanner, see the world

Life-enriching travel isn’t just for our customers — it’s for our employees too! Skyscanner team members get £500 (or their local currency equivalent) towards the travel trip of their choice in 2020 — and that’s just one of the great benefits we offer. Read more about our benefits and have a look at all of our open roles right here.

We are the engineers at Skyscanner, the company changing how the world travels. Visit skyscanner.net to see how we walk the talk!