CfnNagService
This repository contains the automation code required to deploy https://github.com/stelligent/cfn_nag as either an API Gateway endpoint or as a Docker container.
Endpoints
Each request expects a CloudFormation template in either JSON or YAML.
/scan
This endpoint returns a similar response that you would see if you just ran cfn_nag from the command line.
Response example:
{
"failure_count": 1,
"violations": [
{
"id": "W35",
"type": "WARN",
"message": "S3 Bucket should have access logging configured",
"logical_resource_ids": [
"S3Bucket"
],
"line_numbers": [
5
]
},
{
"id": "F14",
"type": "FAIL",
"message": "S3 Bucket should not have a public read-write acl",
"logical_resource_ids": [
"S3Bucket"
],
"line_numbers": [
5
]
}
]
}
/signed_scan
This endpoint will provide a digital signature so you can verify the authenticity of the results.
Response example:
{
"results": {
"failure_count": 1,
"violations": [
{
"id": "W35",
"type": "WARN",
"message": "S3 Bucket should have access logging configured",
"logical_resource_ids": [
"S3Bucket"
],
"line_numbers": [
5
]
},
{
"id": "F14",
"type": "FAIL",
"message": "S3 Bucket should not have a public read-write acl",
"logical_resource_ids": [
"S3Bucket"
],
"line_numbers": [
5
]
}
]
},
"encoded_results": "FGSDFSDFW.....",
"signature": "eKlzShFty5tCC/zXo3Cf7L0E0yCxdXejS7dAYauBc2s9eBoCfs9Lmd2AQcGR\nEwrSUzr43s+bUjqy/5Sum1JcCQ==\n"
}
The encoded_results are strict Base64 encoded of the original template body, the results/violations and the list of rules applied. When verifying the payload, verify the signature of the encoded_results as Base64 (i.e. don't decode the encoded_results before verifying)
/status
This endpoint just provides a 200 HTTP response and a simple message to let you know the endpoint is up.
Variations Between Lambda/Docker
The API exposed by the Docker endpoint is cfn_nag/v1/*
Verifying Signatures
When using the /signed_scan endpoint you can use the libsodium library to verify the signatures. An example ruby implementation is provided.
$ ./scripts/verify_signature.rb
Enter Base64 encoded signature:
2nW3Y/2U/HyLy7KZvyfBgtZfz3spYI6ppYHL4rt0+pu/C7DjC/nLcTrEGiROkoVsV3TBLctgwtruHg502uxuBQ==
Enter Base64 encoded verification key
...
Enter in Base64 encoded results
eyJmYWlsdXJlX2NvdW50IjoxLCJ2aW9sYXRpb25zIjpbeyJpZCI6IlczNSIsInR5cGUiOiJXQVJOIiwibWVzc2FnZSI6IlMzIEJ1Y2tldCBzaG91bGQgaGF2ZSBhY2Nlc3MgbG9nZ2luZyBjb25maWd1cmVkIiwibG9naWNhbF9yZXNvdXJjZV9pZHMiOlsiUzNCdWNrZXQiXSwibGluZV9udW1iZXJzIjpbNV19LHsiaWQiOiJGMTQiLCJ0eXBlIjoiRkFJTCIsIm1lc3NhZ2UiOiJTMyBCdWNrZXQgc2hvdWxkIG5vdCBoYXZlIGEgcHVibGljIHJlYWQtd3JpdGUgYWNsIiwibG9naWNhbF9yZXNvdXJjZV9pZHMiOlsiUzNCdWNrZXQiXSwibGluZV9udW1iZXJzIjpbNV19XX0=
Signature is valid!
Deployment
To deploy the Lambda, run scripts/deploy_sam.sh and consult the outputs for the endpoints
To deploy the Docker container locally:
docker build . docker run -p 4567:4567 -e 'private_key_override=...base64 signing_key...' -e use_https=self ...image_id...
Then hit https://localhost:4567/cfn_nag/v1/status
HTTPS
The docker image observes env var use_https to determine whether to enable SSL.
none means http self means https with a self-signed cert generated by the web container cert means a certificate of your own choosing that you must generate and map it. for example: -e use_https=cert -e cert_public_path=/certs/cert.pem -e cert_private_path=/certs/key.pem -v ~/certs:/certs
Testing - Under development
file=~/git/cfn_nag/spec/test_templates/json/elasticsearch/elasticsearch_domain_with_explicit_name.json
curl -d "{\"template_body\": \"`base64 $file`\"}" -H "Content-Type: application/json" -X POST https://ycabffgus6.execute-api.us-east-1.amazonaws.com/Prod/scan/