Are you letting misconfigured resources go unnoticed? 6 ways cfn-nag can help

Jeshan Babooa, published in LambdaTV
5 min read, Jun 15, 2020

I’m back after a long break and I will try to be more consistent from now on!

Misconfigured or insecure AWS resources can cost you a lot down the road. You don’t want to be among those who make the news by leaving an S3 bucket public, for example. Or you could have left ports open that you never intended to expose.

Introducing cfn-nag

cfn-nag is an open-source CLI tool that helps you find misconfigurations or insecure AWS resources.

It can help you spot:

  • Overly permissive IAM policies, like liberally using ‘*’ in IAM statements
  • Encryption that could be enabled but isn’t
  • Inbound/outbound traffic rules that you shouldn’t be allowing

Today, I will show how cfn-nag can help you deal with this. Plus I’ll show you how to run it so that you don’t have to think about it again.

We want something that runs fast so that we can get feedback while we are writing the templates.

What you’ll learn in this video

  • What’s that cfn-nag thing
  • Why would you use it?
  • Different ways to use it, from easiest to most convenient.

Ways to use cfn-nag

Install cfn-nag with:

gem install cfn-nag

Now, I’m going to show you a few ways to run it.

In the sample repo, I’m providing a few files to get you started. Open

https://github.com/jeshan/lambdatv/tree/master/cfn-nag-intro

and follow along.

I have the following demo-template.yaml file that I will run with cfn-nag:

AWSTemplateFormatVersion: '2010-09-09'
Description: 'demo cfn-nag'
Resources:
  Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: hello
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref Bucket
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Sid: sid
            Effect: Allow
            Principal:
              AWS: '*'
            Action: ['s3:GetObject']
            Resource: [!Sub 'arn:aws:s3:::${Bucket}/*']

CLI

I run cfn_nag on it with:

cfn_nag demo-template.yaml

The output reports 3 violations: 1 failure and 2 warnings. Failures are usually reserved for the most severe issues.

You should review these issues before deploying your template.

VS Code plugin

Of course, it would be easier if you could get feedback quickly while you’re writing the template. You could run cfn-nag on the CLI, but there’s a more convenient option if you use VS Code.

Head over to the VS Code Marketplace:

https://marketplace.visualstudio.com/items?itemName=eastman.vscode-cfn-nag

or install with the command:

ext install eastman.vscode-cfn-nag

GitHub Action

The cfn-nag team provides a GitHub Action for running cfn-nag directly on GitHub repos. Head over to the cfn-nag home page to find it:

https://github.com/stelligent/cfn_nag

You can use the one they provide, or consider Lintly, which can run several linters besides cfn-nag.

I don’t have experience with GitHub Actions yet, so I’ll let you try it on your own.

CodePipeline

If you deploy applications through CodePipeline, check out this blog post:

https://stelligent.com/2018/05/25/serverless-cloudformation-linting-in-aws-codepipeline/

One of cfn-nag’s authors, Paul Duvall, explains the details. To summarise, he guides you through deploying the solution from the Serverless Application Repository, setting up a cfn-nag action in your pipeline, and making the pipeline fail whenever cfn-nag reports failures or warnings.

However, the blog post points to an outdated Serverless Application Repository URL; an updated one can be found here:

https://serverlessrepo.aws.amazon.com/applications/arn:aws:serverlessrepo:us-east-1:275155842945:applications~cfn-nag-pipeline

HTTP API

If you want more flexibility, you may prefer cfn-nag exposed as a REST API:

https://github.com/stelligent/cfn-nag-service

Deploying this project exposes HTTP endpoints. It is available both as an API behind API Gateway and as a Docker container.

cfnbuddy

If you think the above requires a lot of work and would like a solution that “just works”, you can also consider cfnbuddy, a tool of mine.

What makes it more useful is that it scans not only your deployed templates but also all your resources across regions. This is possible because it represents your full infrastructure as a CloudFormation template and then runs cfn-nag on it. Once that is done, it sends you a report in a pull request.

Then, when you deploy new resources or fix any issues, you will see the updated report as a git diff.

This is one of many more features that help you work better with CloudFormation. If that sounds interesting, you can check it out at cfnbuddy.com.

More details

cfn-nag rules

cfn-nag often gets new rules and, as of today, bundles more than 150 of them. To list the rules cfn-nag ships with, run the other executable it provides:

cfn_nag_rules

The accompanying sample code has a Docker image. Run:

docker-compose up rules

Add your own rules with Ruby

Finally, you can develop your own rules in Ruby and keep them private if you wish. cfn-nag can load them from S3 or as a Ruby gem.
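As an added example (not code from the post, its sample repo or cfn-nag itself), here are two such rules written in plain Ruby and run against the post’s demo-template.yaml. They cover two of the issue kinds listed at the start of the post: a wildcard principal in an S3 bucket policy, reported as a failure, and a bucket with no encryption configured, reported as a warning. The method names rule_id, rule_type, rule_text and audit_impl (returning the logical ids of offending resources) follow what I understand the cfn-nag README to describe for custom rules, but these classes do not inherit from the gem’s BaseRule; the TemplateModel class is my own stand-in for the cfn_model object the gem hands to a rule, and the rule ids X1 and X2 are constructed, not cfn-nag’s numbering. The file runs without the gem installed.

```ruby
# Added example, not code from the post, its sample repo or cfn-nag: cfn-nag style
# rules in plain Ruby run on the post's demo-template.yaml. TemplateModel is an
# assumed stand-in for the gem's cfn_model; rule ids X1 and X2 are constructed.
require 'yaml'
require 'date'

# CloudFormation's short-form intrinsics (!Ref, !Sub, !GetAtt) are YAML tags Psych
# does not know; registering a class for them lets the template load while keeping
# the tag name and operand for rules that want to inspect them.
class CfnIntrinsic
  attr_reader :name, :operand
  def init_with(coder)
    @name = coder.tag.delete_prefix('!')
    @operand = { scalar: coder.scalar, seq: coder.seq, map: coder.map }[coder.type]
  end
end
%w[Ref Sub GetAtt].each { |t| YAML.add_tag("!#{t}", CfnIntrinsic) }

# Stand-in for cfn_model: just enough to look up resources by type.
class TemplateModel
  def initialize(yaml_text)
    # Date must be permitted: an unquoted `Version: 2012-10-17` parses as a Date.
    @template = YAML.safe_load(yaml_text, permitted_classes: [CfnIntrinsic, Date])
  end

  # Returns [[logical_id, properties_hash], ...] for every resource of that type.
  def resources_by_type(type)
    @template.fetch('Resources', {}).select { |_, r| r['Type'] == type }
             .map { |id, r| [id, r['Properties'] || {}] }
  end
end

# CloudFormation accepts a single mapping where a list is expected.
def as_list(value)
  value.is_a?(Array) ? value : [value].compact
end

# Principal may be '*', {'AWS' => '*'} or {'AWS' => ['*', ...]}.
def wildcard_principal?(principal)
  return principal == '*' unless principal.is_a?(Hash)
  as_list(principal['AWS']).include?('*')
end

# Failure: an Allow statement that grants access to everyone.
class WildcardPrincipalBucketPolicyRule
  def rule_id;   'X1'; end
  def rule_type; :failure; end
  def rule_text; 'S3 bucket policy must not grant access to a wildcard (*) principal'; end
  def audit_impl(model)
    model.resources_by_type('AWS::S3::BucketPolicy').select do |_, props|
      as_list(props.dig('PolicyDocument', 'Statement'))
        .any? { |s| s['Effect'] == 'Allow' && wildcard_principal?(s['Principal']) }
    end.map(&:first)
  end
end

# Warning: a bucket that sets no BucketEncryption at all.
class UnencryptedBucketRule
  def rule_id;   'X2'; end
  def rule_type; :warning; end
  def rule_text; 'S3 bucket should have BucketEncryption configured'; end
  def audit_impl(model)
    model.resources_by_type('AWS::S3::Bucket')
         .reject { |_, props| props.key?('BucketEncryption') }.map(&:first)
  end
end

RULES = [WildcardPrincipalBucketPolicyRule, UnencryptedBucketRule].freeze

# Run every rule; return one hash per rule that fired, in rule order.
def lint(yaml_text)
  model = TemplateModel.new(yaml_text)
  RULES.map(&:new).map do |rule|
    offenders = rule.audit_impl(model)
    { id: rule.rule_id, level: rule.rule_type, text: rule.rule_text, resources: offenders } unless offenders.empty?
  end.compact
end

# The post's demo-template.yaml, copied here so the file runs stand-alone.
DEMO_TEMPLATE = <<~YAML
  AWSTemplateFormatVersion: '2010-09-09'
  Description: 'demo cfn-nag'
  Resources:
    Bucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: hello
    BucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref Bucket
        PolicyDocument:
          Version: 2012-10-17
          Statement:
            - Sid: sid
              Effect: Allow
              Principal:
                AWS: '*'
              Action: ['s3:GetObject']
              Resource: [!Sub 'arn:aws:s3:::${Bucket}/*']
YAML
puts lint(DEMO_TEMPLATE) if $PROGRAM_NAME == __FILE__
```

On the demo template, lint returns X1 (failure) for BucketPolicy and X2 (warning) for Bucket; adding a BucketEncryption property to the bucket clears X2, and replacing the ‘*’ principal with a specific account or role clears X1. The unquoted Version date is worth remembering: without Date in permitted_classes, safe_load rejects this otherwise ordinary template.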

Read this blog post or watch the video:

Show me the code

To help you get started, I have committed some basic code at the usual repository:

https://github.com/jeshan/lambdatv/tree/master/cfn-nag-intro

Ending

If you like such subjects, then subscribe as I’ll have new videos this week. If you have a colleague who might find this useful, I’d appreciate it if you could share it with them.

Originally posted at https://www.lambdatv.com/cfn-nag-intro
