🚧 WORK IN PROGRESS
Generates an IAM policy for the CloudFormation service role that adheres to least privilege.
pip3 install cfnlp
$ cfnlp -i test.yaml
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AccessAnalyzer-Create1-reg",
"Effect": "Allow",
"Action": [
"access-analyzer:TagResource",
"access-analyzer:CreateAnalyzer"
],
"Resource": "*"
},
{
"Sid": "AccessAnalyzer-Delete1-reg",
"Effect": "Allow",
"Action": "access-analyzer:DeleteAnalyzer",
"Resource": "*"
},
{
"Sid": "LambdaFunction-Create1",
"Effect": "Allow",
"Action": "lambda:CreateFunction",
"Resource": "arn:aws:lambda:us-east-1:123456789012:function:*"
},
{
"Sid": "LambdaFunction-Create2",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::123456789012:role/S3Access",
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
...
]
}
}
$ cfnlp --stack-name mystack
{
"PolicyName": "root",
"PolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "myresource-Create1-reg",
"Effect": "Allow",
"Action": "ec2:ImportKeyPair",
"Resource": "*"
}
...
]
}
}
The following command line arguments are available:
The filename of a local CloudFormation template file to analyze. You must specify either this option or --stack-name.
The stack name or stack ID of a deployed CloudFormation stack to analyze. You must specify either this option or -i, --input-filename.
When specified, actions relating to stack updates (that don't trigger a resource replacement) will be included in the output if a value for its property has been set. The default behaviour will not include the actions for stack updates.
When specified, the Sid fields will be removed and statements sharing the same attributes except Action will be combined.
Overrides the region to specify in policy outputs and when retrieving deployed templates. By default, the region will be retrieved using the default precedence for Boto3.
When specified, the specified named profile credentials will be used for all data gathering AWS actions. The AWS_PROFILE environmental variable would also be respected if this property is not set.
Policies will be created with data following the below preference:
- Per-type mappings created by incrementally increasing required permissions
- Permissions retrieved from the CloudFormation Registry
- No data available (a warning will be shown for missed types)
The generated policy will be as specific as possible when specifying actions, resources and conditions. Wildcard actions are never used and all conditions that are available will be populated unless:
- The condition would take no effect or there is not enough information to specify the condition, or
- The condition is a global condition, or
- The condition applies to an update statement and would prevent the field from being freely changed, or
- The condition relates to the tag keys/values
Resources may be fully or partially wildcarded however will be as specific as possible.
Update statements are disabled by default. If enabled with the --include-update-actions option, only properties that have a value specified in the template will have an associated update statement that allows that value to be changed. Permissions required to add new properties may not have the permissions included in the policy.
The generated policy will only include the actions specified in the resource type specification provided by the registry. All resources will be wildcarded and no conditions will apply.
The following resource types are supported with a per-type mapping:
- AWS::CloudWatch::Alarm
- AWS::EC2::Instance
- AWS::EC2::SecurityGroup
- AWS::EC2::Subnet
- AWS::EC2::VPC
- AWS::IAM::Role
- AWS::Lambda::Function
- AWS::Lambda::Version
- AWS::Route53::HostedZone
- AWS::S3::Bucket
- AWS::SNS::Topic
- AWS::SQS::Queue