Skip to content

Latest commit

 

History

History
137 lines (109 loc) · 4.36 KB

README.md

File metadata and controls

137 lines (109 loc) · 4.36 KB

CfnNagService

This repository contains the automation code required to deploy https://github.com/stelligent/cfn_nag as either an API Gateway endpoint or as a Docker container.

Endpoints

Each request expects a CloudFormation template in either JSON or YAML.

/scan

This endpoint returns a similar response that you would see if you just ran cfn_nag from the command line.

Response example:

{
    "failure_count": 1,
    "violations": [
        {
            "id": "W35",
            "type": "WARN",
            "message": "S3 Bucket should have access logging configured",
            "logical_resource_ids": [
                "S3Bucket"
            ],
            "line_numbers": [
                5
            ]
        },
        {
            "id": "F14",
            "type": "FAIL",
            "message": "S3 Bucket should not have a public read-write acl",
            "logical_resource_ids": [
                "S3Bucket"
            ],
            "line_numbers": [
                5
            ]
        }
    ]
}

/signed_scan

This endpoint will provide a digital signature so you can verify the authenticity of the results.

Response example:

{
    "results": {
        "failure_count": 1,
        "violations": [
            {
                "id": "W35",
                "type": "WARN",
                "message": "S3 Bucket should have access logging configured",
                "logical_resource_ids": [
                    "S3Bucket"
                ],
                "line_numbers": [
                    5
                ]
            },
            {
                "id": "F14",
                "type": "FAIL",
                "message": "S3 Bucket should not have a public read-write acl",
                "logical_resource_ids": [
                    "S3Bucket"
                ],
                "line_numbers": [
                    5
                ]
            }
        ]
    },
    "encoded_results": "FGSDFSDFW.....",
    "signature": "eKlzShFty5tCC/zXo3Cf7L0E0yCxdXejS7dAYauBc2s9eBoCfs9Lmd2AQcGR\nEwrSUzr43s+bUjqy/5Sum1JcCQ==\n"
}

The encoded_results are strict Base64 encoded of the original template body, the results/violations and the list of rules applied. When verifying the payload, verify the signature of the encoded_results as Base64 (i.e. don't decode the encoded_results before verifying)

/status

This endpoint just provides a 200 HTTP response and a simple message to let you know the endpoint is up.

Variations Between Lambda/Docker

The API exposed by the Docker endpoint is cfn_nag/v1/*

Verifying Signatures

When using the /signed_scan endpoint you can use the libsodium library to verify the signatures. An example ruby implementation is provided.

$ ./scripts/verify_signature.rb
Enter Base64 encoded signature:
2nW3Y/2U/HyLy7KZvyfBgtZfz3spYI6ppYHL4rt0+pu/C7DjC/nLcTrEGiROkoVsV3TBLctgwtruHg502uxuBQ==
Enter Base64 encoded verification key
...
Enter in Base64 encoded results
eyJmYWlsdXJlX2NvdW50IjoxLCJ2aW9sYXRpb25zIjpbeyJpZCI6IlczNSIsInR5cGUiOiJXQVJOIiwibWVzc2FnZSI6IlMzIEJ1Y2tldCBzaG91bGQgaGF2ZSBhY2Nlc3MgbG9nZ2luZyBjb25maWd1cmVkIiwibG9naWNhbF9yZXNvdXJjZV9pZHMiOlsiUzNCdWNrZXQiXSwibGluZV9udW1iZXJzIjpbNV19LHsiaWQiOiJGMTQiLCJ0eXBlIjoiRkFJTCIsIm1lc3NhZ2UiOiJTMyBCdWNrZXQgc2hvdWxkIG5vdCBoYXZlIGEgcHVibGljIHJlYWQtd3JpdGUgYWNsIiwibG9naWNhbF9yZXNvdXJjZV9pZHMiOlsiUzNCdWNrZXQiXSwibGluZV9udW1iZXJzIjpbNV19XX0=
Signature is valid!

Deployment

To deploy the Lambda, run scripts/deploy_sam.sh and consult the outputs for the endpoints

To deploy the Docker container locally:

docker build . docker run -p 4567:4567 -e 'private_key_override=...base64 signing_key...' -e use_https=self ...image_id...

Then hit https://localhost:4567/cfn_nag/v1/status

HTTPS

The docker image observes env var use_https to determine whether to enable SSL.

none means http self means https with a self-signed cert generated by the web container cert means a certificate of your own choosing that you must generate and map it. for example: -e use_https=cert -e cert_public_path=/certs/cert.pem -e cert_private_path=/certs/key.pem -v ~/certs:/certs

Testing - Under development

file=~/git/cfn_nag/spec/test_templates/json/elasticsearch/elasticsearch_domain_with_explicit_name.json
curl -d "{\"template_body\": \"`base64 $file`\"}" -H "Content-Type: application/json" -X POST https://ycabffgus6.execute-api.us-east-1.amazonaws.com/Prod/scan/