Skyscanner / cfripper

Library and CLI tool for analysing CloudFormation templates and check them for security compliance.

Home Page: https://cfripper.readthedocs.io/


Tool fails to parse template with KMS Key Policies that have function based statement

CPMellows opened this issue · comments

If I have a template that contains a KeyPolicy with a function-based statement, I receive a set of AttributeErrors from the tool even though it is a valid CloudFormation template. I would expect this to be parsable.

Discovered while using version 1.0.7

Template:

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "The AWS CloudFormation template for this Serverless application",
  "Resources": {
    "CustomerMasterKey": {
      "Type": "AWS::KMS::Key",
      "Properties": {
        "Description": "customerKey",
        "Enabled": true,
        "EnableKeyRotation": true,
        "KeyPolicy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": "arn:aws:iam::0123456789:root"
              },
              "Action": "kms:*",
              "Resource": "*"
            },
            {
              "Fn::If": [
                "IsRightRole",
                {
                  "Sid": "Allow role to use key",
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": {
                      "Fn::ImportValue": "RoleArn"
                    }
                  },
                  "Action": [
                    "kms:Decrypt",
                    "kms:GenerateDataKey"
                  ],
                  "Resource": "*"
                },
                {
                  "Ref": "AWS::NoValue"
                }
              ]
            }
          ]
        },
        "KeyUsage": "ENCRYPT_DECRYPT",
        "PendingWindowInDays": 7,
        "Tags": []
      }
    }
  },
  "Conditions": {
    "IsRightRole": {
      "Fn::Or": [
        {
          "Fn::Equals": [
            "wrong",
            "right"
          ]
        },
        {
          "Fn::Equals": [
            "right",
            "right"
          ]
        }
      ]
    }
  }
}

cfripper output:

~cfripper ~/tmp/template.json
Analysing ~/tmp/template.json...
Not adding KMSKeyCrossAccountTrustRule failure in CustomerMasterKey because no AWS Account ID was found in the config.
KMSKeyCrossAccountTrustRule crashed with AttributeError for project - None, service - None, stack - None
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/cfripper/rule_processor.py", line 24, in process_cf_template
    result += rule.invoke(cfmodel, extras)
  File "/usr/local/lib/python3.9/site-packages/cfripper/rules/cross_account_trust.py", line 59, in invoke
    self._do_statement_check(result, logical_id, statement, filters_available_context)
  File "/usr/local/lib/python3.9/site-packages/cfripper/rules/cross_account_trust.py", line 65, in _do_statement_check
    if statement.Effect == "Allow":
AttributeError: 'FunctionDict' object has no attribute 'Effect'
KMSKeyWildcardPrincipalRule crashed with AttributeError for project - None, service - None, stack - None
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/cfripper/rule_processor.py", line 24, in process_cf_template
    result += rule.invoke(cfmodel, extras)
  File "/usr/local/lib/python3.9/site-packages/cfripper/rules/kms_key_wildcard_principal.py", line 41, in invoke
    if statement.Effect == "Allow" and statement.principals_with(self.CONTAINS_WILDCARD_PATTERN):
AttributeError: 'FunctionDict' object has no attribute 'Effect'
WildcardResourceRule crashed with AttributeError for project - None, service - None, stack - None
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/cfripper/rule_processor.py", line 24, in process_cf_template
    result += rule.invoke(cfmodel, extras)
  File "/usr/local/lib/python3.9/site-packages/cfripper/rules/base_rules.py", line 104, in invoke
    result += self.resource_invoke(resource=resource, logical_id=logical_id, extras=extras)
  File "/usr/local/lib/python3.9/site-packages/cfripper/rules/wildcard_resource_rule.py", line 58, in resource_invoke
    self._check_policy_document(result, logical_id, resource.Properties.KeyPolicy, None, extras)
  File "/usr/local/lib/python3.9/site-packages/cfripper/rules/wildcard_resource_rule.py", line 70, in _check_policy_document
    for statement in policy_document.statements_with(REGEX_IS_STAR):
  File "/usr/local/lib/python3.9/site-packages/pycfmodel/model/resources/properties/policy_document.py", line 42, in statements_with
    return [statement for statement in self._statement_as_list() if statement.resources_with(pattern)]
  File "/usr/local/lib/python3.9/site-packages/pycfmodel/model/resources/properties/policy_document.py", line 42, in <listcomp>
    return [statement for statement in self._statement_as_list() if statement.resources_with(pattern)]
AttributeError: 'FunctionDict' object has no attribute 'resources_with'

Hey @CPMellows , if you try and run the tool with the --resolve flag, the issue should resolve :)

cfripper ~/tmp/template.json --resolve

@ocrawford555 Thanks so much, appreciate the quick response.
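The two things the thread describes, the crash on the unresolved `Fn::If` statement and why `--resolve` fixes it, can be shown with a small stand-alone resolver. The block below is an added example and is not cfripper's or pycfmodel's own code: it embeds the KeyPolicy and Conditions from the issue's template as constructed input, evaluates the intrinsic functions the way the flag does before the rules run, and then applies a simplified cross-account/wildcard principal check of the kind `KMSKeyCrossAccountTrustRule` performs. The `UNRESOLVED_IMPORT:` placeholder for `Fn::ImportValue` and the `own_account` parameter (standing in for the account ID cfripper reads from its config) are assumptions of this example.

```python
"""Added example, not cfripper's or pycfmodel's code: a small resolver for the
intrinsic functions in the issue's template, showing why a rule that reads a
statement's Effect crashes on an unresolved Fn::If and what it sees once the
condition is evaluated (the effect of cfripper's --resolve flag)."""
import re

# Constructed input: the KeyPolicy and Conditions from the template in the issue.
TEMPLATE = {
    "Conditions": {"IsRightRole": {"Fn::Or": [
        {"Fn::Equals": ["wrong", "right"]}, {"Fn::Equals": ["right", "right"]}]}},
    "Resources": {"CustomerMasterKey": {"Type": "AWS::KMS::Key", "Properties": {
        "KeyPolicy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::0123456789:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Fn::If": ["IsRightRole",
                {"Sid": "Allow role to use key", "Effect": "Allow",
                 "Principal": {"AWS": {"Fn::ImportValue": "RoleArn"}},
                 "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
                {"Ref": "AWS::NoValue"}]},
        ]}}}},
}

NO_VALUE = object()  # sentinel for {"Ref": "AWS::NoValue"}: the element is dropped
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d+):root$")


def resolve(node, conditions):
    """Evaluate the intrinsics used above; anything unknown is returned unchanged."""
    if isinstance(node, dict) and len(node) == 1:
        key, arg = next(iter(node.items()))
        if key == "Fn::Equals":
            left, right = (resolve(x, conditions) for x in arg)
            return left == right
        if key == "Fn::Or":
            return any(resolve(x, conditions) for x in arg)
        if key == "Fn::And":
            return all(resolve(x, conditions) for x in arg)
        if key == "Fn::Not":
            return not resolve(arg[0], conditions)
        if key == "Fn::If":
            name, if_true, if_false = arg
            chosen = if_true if resolve(conditions[name], conditions) else if_false
            return resolve(chosen, conditions)
        if key == "Ref" and arg == "AWS::NoValue":
            return NO_VALUE
        if key == "Fn::ImportValue":
            # Assumption: exports of other stacks are unknown offline, so keep a
            # labelled placeholder instead of inventing a value.
            return f"UNRESOLVED_IMPORT:{arg}"
    if isinstance(node, dict):
        out = {k: resolve(v, conditions) for k, v in node.items()}
        return {k: v for k, v in out.items() if v is not NO_VALUE}
    if isinstance(node, list):
        return [v for v in (resolve(x, conditions) for x in node) if v is not NO_VALUE]
    return node


def resolve_template(template, conditions=None):
    """Return a resolved copy of the Resources section (conditions may be overridden)."""
    return resolve(template["Resources"], conditions or template["Conditions"])


def allow_statements(policy):
    """What a rule such as KMSKeyCrossAccountTrustRule does first: read Effect. On an
    unresolved Fn::If the key is absent (KeyError here, AttributeError on
    pycfmodel's FunctionDict in the issue's traceback)."""
    return [s for s in policy["Statement"] if s["Effect"] == "Allow"]


def principals(statement):
    p = statement.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]


def risky_principals(policy, own_account):
    """(Sid, principal) for Allow statements granting to a wildcard, another account
    or an unresolved import; the last is reported rather than silently skipped."""
    findings = []
    for s in allow_statements(policy):
        for p in principals(s):
            m = ACCOUNT_RE.match(p) if isinstance(p, str) else None
            other = m is not None and m.group(1) != own_account
            unresolved = isinstance(p, str) and p.startswith("UNRESOLVED_IMPORT:")
            if p == "*" or other or unresolved:
                findings.append((s.get("Sid"), p))
    return findings


def analyse(template, own_account):
    """Return (raw_policy_parsable, findings_after_resolve)."""
    policy = template["Resources"]["CustomerMasterKey"]["Properties"]["KeyPolicy"]
    try:
        allow_statements(policy)
        raw_ok = True
    except KeyError:
        raw_ok = False
    resolved = resolve_template(template)
    key_policy = resolved["CustomerMasterKey"]["Properties"]["KeyPolicy"]
    return raw_ok, risky_principals(key_policy, own_account)


if __name__ == "__main__":
    print(analyse(TEMPLATE, "0123456789"))
```

Run as-is, `analyse` reports that the raw policy cannot be walked statement by statement (the second element is the `Fn::If` dict, not a statement) and that after resolution the only open question is the imported role ARN, which the example surfaces as a finding instead of dropping. Overriding the condition to false removes the conditional statement entirely, mirroring `AWS::NoValue` semantics, so a check that runs only on resolved templates should be aware that the statement set it sees depends on the condition values in force.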