https://github.com/stelligent/cfn-nag-service

Exposes cfn-nag as a service through a Lambda/APIGW or Docker image

## CfnNagService

This repository contains the automation code required to deploy https://github.com/stelligent/cfn_nag as either an API Gateway endpoint
or as a Docker container.

### Endpoints

Each request expects a CloudFormation template in either JSON or YAML.

#### /scan

This endpoint returns a response similar to what you would see if you ran `cfn_nag` from the command line.

Response example:

```
{
  "failure_count": 1,
  "violations": [
    {
      "id": "W35",
      "type": "WARN",
      "message": "S3 Bucket should have access logging configured",
      "logical_resource_ids": [
        "S3Bucket"
      ],
      "line_numbers": [
        5
      ]
    },
    {
      "id": "F14",
      "type": "FAIL",
      "message": "S3 Bucket should not have a public read-write acl",
      "logical_resource_ids": [
        "S3Bucket"
      ],
      "line_numbers": [
        5
      ]
    }
  ]
}
```

#### /signed_scan

This endpoint returns the scan results together with a digital signature, so that you can verify the authenticity of the results.

Response example:

```
{
  "results": {
    "failure_count": 1,
    "violations": [
      {
        "id": "W35",
        "type": "WARN",
        "message": "S3 Bucket should have access logging configured",
        "logical_resource_ids": [
          "S3Bucket"
        ],
        "line_numbers": [
          5
        ]
      },
      {
        "id": "F14",
        "type": "FAIL",
        "message": "S3 Bucket should not have a public read-write acl",
        "logical_resource_ids": [
          "S3Bucket"
        ],
        "line_numbers": [
          5
        ]
      }
    ]
  },
  "encoded_results": "FGSDFSDFW.....",
  "signature": "eKlzShFty5tCC/zXo3Cf7L0E0yCxdXejS7dAYauBc2s9eBoCfs9Lmd2AQcGR\nEwrSUzr43s+bUjqy/5Sum1JcCQ==\n"
}
```

The `encoded_results` field is the strict Base64 encoding of the original template body, the results/violations and the list of rules applied.
When verifying the payload, verify the signature over the `encoded_results` string exactly as received, i.e. as Base64 (do not decode `encoded_results`
before verifying).

#### /status

This endpoint just provides a 200 HTTP response and a simple message to let you know the endpoint is up.

#### Variations Between Lambda/Docker

The Docker container exposes the API under the `cfn_nag/v1/*` path prefix (for example `/cfn_nag/v1/status`).

### Verifying Signatures

When using the `/signed_scan` endpoint, you can verify the signatures with the libsodium library. An example Ruby implementation is provided in `scripts/verify_signature.rb`:

```
$ ./scripts/verify_signature.rb
Enter Base64 encoded signature:
2nW3Y/2U/HyLy7KZvyfBgtZfz3spYI6ppYHL4rt0+pu/C7DjC/nLcTrEGiROkoVsV3TBLctgwtruHg502uxuBQ==
Enter Base64 encoded verification key
...
Enter in Base64 encoded results
eyJmYWlsdXJlX2NvdW50IjoxLCJ2aW9sYXRpb25zIjpbeyJpZCI6IlczNSIsInR5cGUiOiJXQVJOIiwibWVzc2FnZSI6IlMzIEJ1Y2tldCBzaG91bGQgaGF2ZSBhY2Nlc3MgbG9nZ2luZyBjb25maWd1cmVkIiwibG9naWNhbF9yZXNvdXJjZV9pZHMiOlsiUzNCdWNrZXQiXSwibGluZV9udW1iZXJzIjpbNV19LHsiaWQiOiJGMTQiLCJ0eXBlIjoiRkFJTCIsIm1lc3NhZ2UiOiJTMyBCdWNrZXQgc2hvdWxkIG5vdCBoYXZlIGEgcHVibGljIHJlYWQtd3JpdGUgYWNsIiwibG9naWNhbF9yZXNvdXJjZV9pZHMiOlsiUzNCdWNrZXQiXSwibGluZV9udW1iZXJzIjpbNV19XX0=
Signature is valid!
```
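As an added example (not code from the repository), the same verification in Go with the standard library, following the rule from the `/signed_scan` section that the signature is checked over the Base64 text of `encoded_results` and the payload is decoded only afterwards. It assumes the service signs with libsodium's default `crypto_sign` algorithm, Ed25519, which the 64-byte signatures above are consistent with; `SignResults` is a constructed stand-in for the service so the example runs offline, and the verification key is assumed to be the 32-byte Ed25519 public key in Base64.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
)

type SignedScan struct { // the two /signed_scan fields needed for verification
	EncodedResults string `json:"encoded_results"`
	Signature      string `json:"signature"`
}

type Results struct{ FailureCount int `json:"failure_count"` } // only the field checked here

// SignResults stands in for the service (constructed for this example, not the project's code):
// it signs the strict-Base64 text of the results, not the raw JSON, as the README describes.
func SignResults(priv ed25519.PrivateKey, resultsJSON []byte) SignedScan {
	encoded := base64.StdEncoding.EncodeToString(resultsJSON)
	sig := ed25519.Sign(priv, []byte(encoded))
	sigB64 := base64.StdEncoding.EncodeToString(sig) + "\n" // the service's Ruby encoder appends "\n"
	return SignedScan{EncodedResults: encoded, Signature: sigB64}
}

// VerifySignedScan verifies the signature over encoded_results exactly as received, then decodes
// it. verifyKeyB64 must come from a trusted channel, never from the response being checked.
func VerifySignedScan(verifyKeyB64 string, s SignedScan) (*Results, error) {
	pub, err := base64.StdEncoding.DecodeString(verifyKeyB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("verification key is not a 32-byte Ed25519 public key")
	}
	sig, err := base64.StdEncoding.DecodeString(s.Signature) // Go's decoder skips the "\n"
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, errors.New("signature is not a 64-byte Ed25519 signature")
	}
	// Verify the Base64 text itself; decoding first would check different bytes and fail.
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(s.EncodedResults), sig) {
		return nil, errors.New("signature does not match encoded_results")
	}
	raw, err := base64.StdEncoding.Strict().DecodeString(s.EncodedResults)
	if err != nil {
		return nil, errors.New("encoded_results is not strict Base64")
	}
	var r Results
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, errors.New("decoded results are not valid JSON")
	}
	return &r, nil
}
```

A tampered `encoded_results`, a different verification key, or a signature computed over the decoded bytes all fail the `ed25519.Verify` step before any decoding happens.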

### Deployment

To deploy the Lambda, run `scripts/deploy_sam.sh` and consult the outputs for the endpoints.

To deploy the Docker container locally:

```
docker build .
docker run -p 4567:4567 -e 'private_key_override=...base64 signing_key...' -e use_https=self ...image_id...
```

Then hit https://localhost:4567/cfn_nag/v1/status

### HTTPS

The Docker image reads the environment variable `use_https` to decide whether to enable TLS:

- `none` means plain HTTP
- `self` means HTTPS with a self-signed certificate generated by the web container
- `cert` means a certificate of your own choosing, which you must generate and mount into the container, for example:

```
-e use_https=cert -e cert_public_path=/certs/cert.pem -e cert_private_path=/certs/key.pem -v ~/certs:/certs
```

### Testing - Under development

```
file=~/git/cfn_nag/spec/test_templates/json/elasticsearch/elasticsearch_domain_with_explicit_name.json
# tr strips the line wrapping that GNU base64 adds by default, which would otherwise break the JSON string
curl -d "{\"template_body\": \"$(base64 "$file" | tr -d '\n')\"}" -H "Content-Type: application/json" -X POST https://ycabffgus6.execute-api.us-east-1.amazonaws.com/Prod/scan/
```