Announcing CloudFormation Support in Checkov
It has been just over a month since we introduced Checkov for static code analysis of Terraform templates. Checkov allows you to detect security misconfiguration during build time which helps prevent deployment of insecure infrastructure. From a security perspective this also means you avoid the wasted hours of tracking down resource owners and working through run time remediation. We are amazed at the excitement this has generated and the overall interest in the community. Since its release Checkov received 500 stars on GitHub and the team received several requests to scan other infrastructure as code tools including CloudFormation, Ansible, ARM templates, Kubernetes manifests, and Helm charts.
Today we’re taking the first step and are announcing CloudFormation support in Checkov!
Now you can scan CloudFormation templates in the same manner as Terraform. Where possible the same checks exist for both. Here is an example EC2 instance template to get started:
cat << EOF > ec2-instance.yaml
AWSTemplateFormatVersion: '2010-09-09'
Metadata:
License: Apache-2.0
Description: Sample EC2 Instance with EBS Volume and Security Group
Parameters:
KeyName:
Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
Type: AWS::EC2::KeyPair::KeyName
ConstraintDescription: must be the name of an existing EC2 KeyPair.
InstanceType:
Description: WebServer EC2 instance type
Type: String
Default: t2.micro
AllowedValues: [t2.micro, t2.small, t2.medium, t2.large, t3.micro, t3.small, t3.medium, t3.large, m5.large, m5.xlarge]
ConstraintDescription: must be a valid EC2 instance type.
SSHLocation:
Description: The IP address range that can be used to SSH to the EC2 instances
Type: String
MinLength: 9
MaxLength: 18
Default: 0.0.0.0/0
AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
LatestAmiId:
Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
VPC:
Type: AWS::EC2::VPC::Id
PublicSubnet:
Type: AWS::EC2::Subnet::Id
Resources:
EC2Instance:
Type: AWS::EC2::Instance
Properties:
InstanceType: !Ref 'InstanceType'
KeyName: !Ref 'KeyName'
ImageId: !Ref 'LatestAmiId'
BlockDeviceMappings:
- DeviceName: "/dev/sdm"
Ebs:
VolumeType: "gp2"
DeleteOnTermination: "true"
VolumeSize: "10"
NetworkInterfaces:
- AssociatePublicIpAddress: "true"
DeviceIndex: "0"
GroupSet:
- Ref: "InstanceSecurityGroup"
SubnetId:
Ref: "PublicSubnet"
InstanceSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: Enable SSH access via port 22
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: !Ref 'SSHLocation'
VpcId: !Ref 'VPC'
Outputs:
InstanceId:
Description: InstanceId of the newly created EC2 instance
Value: !Ref 'EC2Instance'
AZ:
Description: Availability Zone of the newly created EC2 instance
Value: !GetAtt [EC2Instance, AvailabilityZone]
PublicDNS:
Description: Public DNSName of the newly created EC2 instance
Value: !GetAtt [EC2Instance, PublicDnsName]
PublicIP:
Description: Public IP address of the newly created EC2 instance
Value: !GetAtt [EC2Instance, PublicIp]
EOFThe above example is a YAML template, but you can also use JSON if you prefer.
With Checkov we can scan this code before deploying to highlight any issues:
checkov -f ec2-instance.yaml
_ _
___| |__ ___ ___| | _______ __
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
version: 1.0.167
Passed checks: 0, Failed checks: 2, Skipped checks: 0
Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
FAILED for resource: InstanceSecurityGroup
File: ec2-instance.yaml:52-60
52 | Type: AWS::EC2::SecurityGroup
53 | Properties:
54 | GroupDescription: Enable SSH access via port 22
55 | SecurityGroupIngress:
56 | - IpProtocol: tcp
57 | FromPort: 22
58 | ToPort: 22
59 | CidrIp: !Ref 'SSHLocation'
60 | VpcId: !Ref 'VPC'
Check: CKV_AWS_23: "Ensure every security groups rule has a description"
FAILED for resource: InstanceSecurityGroup
File: ec2-instance.yaml:52-60
52 | Type: AWS::EC2::SecurityGroup
53 | Properties:
54 | GroupDescription: Enable SSH access via port 22
55 | SecurityGroupIngress:
56 | - IpProtocol: tcp
57 | FromPort: 22
58 | ToPort: 22
59 | CidrIp: !Ref 'SSHLocation'
60 | VpcId: !Ref 'VPC'Here we have 2 failed checks. The first check failed for allowing port 22 open to 0.0.0.0/0 (The default value of the parameter in the template). The second check failed due to the security group ingress rule not having a description line explaining the purpose of the port.
Checkov works well at development time to ensure you are creating secure resources. However, it also works great as part of a pipeline such as Jenkins or as a pre-commit check. Check out our existing integrations and getting started information in our documentation here: https://www.checkov.io/documentation
Thanks to Barak Schoster and Naor David for their help making this happen. We hope you find this useful for securing your CloudFormation templates. Please reach out to us on Slack (https://codified-security.herokuapp.com/) with any feedback.
— -
Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.
If you need direct support you can contact us at info@bridgecrew.io
