Skip to content

Add AWS CloudFormation misconfiguration rule pack#241

Open
seonghobae wants to merge 1 commit into
developfrom
cloudformation-rules
Open

Add AWS CloudFormation misconfiguration rule pack#241
seonghobae wants to merge 1 commit into
developfrom
cloudformation-rules

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

Adds scanner/rules/cloudformation.yml — six high-precision pattern-regex rules for raw AWS CloudFormation templates (.yaml/.yml/.json/.template). Terraform-AWS misconfigurations are already covered by external engines; raw CFN templates were a gap.

Rule Detects Severity
cfn-iam-policy-star-star Action: * with Resource: * in one IAM statement (full account admin) CRITICAL
cfn-s3-bucket-public-acl AWS::S3::Bucket with AccessControl: PublicRead(Write) HIGH
cfn-security-group-open-world Security group ingress open to 0.0.0.0/0 / ::/0 HIGH
cfn-rds-publicly-accessible PubliclyAccessible: true (CFN casing) HIGH
cfn-storage-unencrypted StorageEncrypted: false / EBS volume Encrypted: false HIGH
cfn-secret-parameter-default Secret-named Parameter shipping a literal Default value HIGH

Precision

  • Every pattern is anchored on CloudFormation-specific context (AWS:: resource type names, PascalCase property names) — the pack does not blanket-match all YAML.
  • Tempered windows block cross-statement IAM false positives and ingress/egress bleed-through; default-open egress does not fire.
  • {{resolve:secretsmanager:...}} / SSM dynamic references pass the secret-default rule; CDK camelCase (publiclyAccessible) and lowercase GitHub Actions default: keys do not match.
  • E2E-verified zero findings on Kubernetes manifests, docker-compose files, and GitHub Actions workflows (common YAML look-alikes).

Testing

  • tests/test_cloudformation_rules.py: 29 tests — positives/negatives per rule, severity checks, e2e scans (misconfigured template fires all six; secure template, k8s, compose, and workflow fixtures stay clean). Secret-shaped fixtures are assembled at runtime.
  • Full suite: 251 passed.
  • Repo self-scan: zero cfn-* findings; the new rule file and test file trigger no rules at all.

🤖 Generated with Claude Code

https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3

Six high-precision pattern-regex rules in scanner/rules/cloudformation.yml
covering raw CFN templates (YAML/JSON/.template), a gap next to the existing
Terraform-AWS coverage:

- cfn-iam-policy-star-star (CRITICAL): Action:* with Resource:* in one
  statement, with statement-boundary tempering to avoid cross-statement FPs
- cfn-s3-bucket-public-acl (HIGH): AccessControl PublicRead/PublicReadWrite
  windowed on Type: AWS::S3::Bucket
- cfn-security-group-open-world (HIGH): ingress open to 0.0.0.0/0 or ::/0;
  default open egress does not fire
- cfn-rds-publicly-accessible (HIGH): PubliclyAccessible: true (CFN casing)
- cfn-storage-unencrypted (HIGH): StorageEncrypted: false or EBS volume
  Encrypted: false
- cfn-secret-parameter-default (HIGH): secret-named Parameter with a literal
  Default; {{resolve:...}} dynamic references pass

Every pattern is anchored on CFN-specific context (AWS:: type names,
PascalCase property names), and tests assert zero findings on Kubernetes
manifests, docker-compose files, and GitHub Actions workflows. 29 new tests
(positives, negatives, severities, e2e scans); repo self-scan stays clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
@seonghobae seonghobae enabled auto-merge (squash) July 6, 2026 09:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant