Serverless autogenerated resources don't comply with safeguards rules
#8076 · Created on 12 August 2020
Description
Serverless auto-generated resources are not compliant with safeguards:

Warned - iamRoleStatement granting Resource='*'. Wildcard resources in iamRoleStatements are not permitted
Considering my iamRoleStatements have no wildcard, this seems to be linked to Serverless auto-generated resources. The warning is not raised when I remove the `app` field in serverless.yml (line 1).

Warned - Bucket "ServerlessDeploymentBucket" doesn't have a BucketPolicy forbidding unsecure HTTP access.
I don't get that one, since it seems to be linked to pull #6823. It could be an issue in the safeguards plugin rule forbid-s3-http-access.

Warned - Function "CustomDashresourceDashexistingDashcupLambdaFunction" has no description
I don't know why this function is created; please tell me at the same time if you can. It is auto-generated by Serverless and doesn't have a description, so it doesn't comply with the safeguards rule require-description.

Tell me if you need the code of specific resources, since it's in separate files.
serverless.yml:

```yaml
app: cognito-company
service: cognito-company

# Create an optimized package for our functions
package:
  individually: true
  exclude:
    - '/**'

plugins:
  - 'serverless-pseudo-parameters'
  - '@serverless/safeguards-plugin'

provider:
  name: aws
  runtime: python3.8
  stage: ${opt:stage, 'dev'}
  region: ${env:AWS_REGION, 'us-east-1'}
  stackName: ${self:provider.stage}-${self:service}
  profile: default
  stackTags:
    LinkedApp: 'api-company'
    CreationMode: 'auto'
  cfnRole: ${ssm:/CC/API/cfnRole~true}
  iamRoleStatements:
    # Lambda
    - Effect: 'Allow'
      Action:
        - lambda:InvokeFunction
      Resource:
        # NOTE: Lambda function ARNs have the form arn:aws:lambda:<region>:<account>:function:<name>;
        # a 'userpool/...' resource will never match the function, so this grant is ineffective.
        - 'arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:userpool/${self:provider.stackName}-pre-sign-up'
      Condition:
        ArnLike:
          AWS:SourceArn: !GetAtt CognitoUserPool.Arn
    # Cognito
    - Effect: 'Allow'
      Action:
        - cognito-idp:ListUsers
        - cognito-idp:ListUsersInGroup
        - cognito-idp:AdminLinkProviderForUser
        - cognito-idp:AdminUpdateUserAttributes
      Resource:
        - !GetAtt CognitoUserPool.Arn

custom:
  COGNITO_CALLBACK_URL: ${ssm:/CC/API/Cognito/Urls/${self:provider.stage}CallbackUrl~true}
  COGNITO_LOGOUT_URL: ${ssm:/CC/API/Cognito/Urls/${self:provider.stage}LogOutUrl~true}
  COGNITO_DOMAIN_URL: ${ssm:/CC/API/Cognito/Urls/${self:provider.stage}DomainUrl~true}
  COGNITO_DOMAIN_CERTIFICATE_URL: ${ssm:/CC/API/Cognito/Urls/${self:provider.stage}DomainCertificateArn~true}
  GOOGLE_CLIENT_ID: ${ssm:/CC/API/Cognito/IdentityProvider/Google/ClientId~true}
  GOOGLE_CLIENT_SECRET: ${ssm:/CC/API/Cognito/IdentityProvider/Google/ClientSecret~true}
  GOOGLE_AUTHORIZE_SCOPES: ${ssm:/CC/API/Cognito/IdentityProvider/Google/AuthorizeScopes~true}
  safeguards: ${file(configs/safeguards.yml):safeguards}

functions:
  pre-sign-up: ${file(resources/functions/pre-sign-up.yml):pre-sign-up}

resources:
  # Cognito User Pool Clients
  # Outputs: ${self:provider.stackName}-CognitoUserPoolClient[Id]
  - ${file(resources/cognito/user-pool-clients.yml)}
  # Cognito User Pool Domains
  # Outputs: ${self:provider.stackName}-CognitoUserPoolDomain[Id]
  - ${file(resources/cognito/user-pool-domains.yml)}
  # Cognito User Pool Groups
  # Outputs: ${self:provider.stackName}-[Delete|Minimal|Dev|Admin|SuperAdmin]CognitoUserPoolGroup[Id]
  - ${file(resources/cognito/user-pool-groups.yml)}
  # Cognito User Pool Identity Providers
  # Outputs: ${self:provider.stackName}-CognitoUserPoolIdentityProvider[Id]
  - ${file(resources/cognito/user-pool-identity-providers.yml)}
  # Cognito User Pool Resource Servers
  # Outputs: ${self:provider.stackName}-CognitoUserPoolResourceServer[Id]
  - ${file(resources/cognito/user-pool-resource-servers.yml)}
  # Cognito User Pool UI Customization attachment
  # Outputs: ${self:provider.stackName}-CognitoUserPoolUICustomizationAttachment[Id]
  - ${file(resources/cognito/user-pool-ui-customization-attachments.yml)}
  # Cognito User Pools
  # Outputs: ${self:provider.stackName}-CognitoUserPool[Id|Arn|Name|ProviderURL]
  - ${file(resources/cognito/user-pools.yml)}
```

resources/functions/pre-sign-up.yml (referenced from `functions.pre-sign-up` above):

```yaml
pre-sign-up:
  handler: lambdas/pre_sign_up.pre_sign_up
  name: ${self:provider.stackName}-pre-sign-up
  description: 'Cognito Pre SignUp Trigger to link Connect with Google account to existing Cognito User'
  environment:
    STAGE: ${self:provider.stage}
  tags:
    LinkedApp: api-company
    CreationMode: auto
    Stage: ${self:provider.stage}
  events:
    - cognitoUserPool:
        pool: ${self:provider.stackName}-user-pool
        trigger: PreSignUp
        existing: true
  package:
    include:
      - '/lambdas/pre_sign_up.py'
```
```text
Serverless: Safeguards Results:

   Summary --------------------------------------------------

   passed - Allowed plugins
   passed - No clear-text credentials in environment variables
   warned - No "*" in IAM Role statements
   warned - Forbid S3 HTTP Access
   passed - Framework Version
   passed - Require Cloudformation Deployment Role
   warned - Require Description
   passed - Required stack tags
   passed - Restrict regions
   passed - Allowed stages
   passed - Allowed Runtimes
   passed - Ensure Dead Letter Queues are attached to functions

   Details --------------------------------------------------

   1) Warned - iamRoleStatement granting Resource='*'. Wildcard resources in iamRoleStatements are not permitted.
      details: http://slss.io/sg-no-wild-iam-role
      This policy performs a simple check to prevent "*" permissions being used in AWS IAM Roles by checking for wildcards on Actions and Resources in grant statements.

   2) Warned - Bucket "ServerlessDeploymentBucket" doesn't have a BucketPolicy forbidding unsecure HTTP access.
      details: http://slss.io/sg-forbid-s3-http-access
      This policy requires that you have a BucketPolicy forbidding access over HTTP for each bucket.

   3) Warned - Function "CustomDashresourceDashexistingDashcupLambdaFunction" has no description
      details: http://slss.io/sg-require-desc
      This rule requires that all functions have a description of minimum or maximum length.

Serverless: Safeguards Summary: 10 passed, 2 warnings, 0 errors, 0 skipped
```
Installed version

```text
Framework Core: 1.78.1
Plugin: 3.7.0
SDK: 2.3.1
Components: 2.34.3
serverless-pseudo-parameters: 2.5.0
@serverless/safeguards-plugin: 1.0.1
```
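The three warnings above are all raised against resources the Framework injects into the compiled CloudFormation template rather than anything written in serverless.yml (the flagged function's logical ID is Serverless's `Dash` encoding of `custom-resource-existing-cup`, the helper deployed for the `existing: true` Cognito trigger). The script below, an added example that is not part of this issue or of the safeguards plugin, re-implements the three checks directly over that compiled template so the offending resource can be located by logical ID. It also carries the usual fix for finding 2, a BucketPolicy denying `aws:SecureTransport = false`, and shows the scan going clean for that bucket once the policy is attached. The function and constant names are hypothetical; `SAMPLE_TEMPLATE` is a constructed stand-in for `.serverless/cloudformation-template-update-stack.json`, the file `sls package` writes, and the action listed in its custom-resource role is made up.

```python
"""Re-check a compiled Serverless CloudFormation template for the three safeguards
findings in this issue. Added example, not the safeguards plugin's code; helper
names are hypothetical and SAMPLE_TEMPLATE is a constructed stand-in for
.serverless/cloudformation-template-update-stack.json (written by `sls package`)."""
import copy, json, sys

# Constructed sample reproducing the three warnings: a bucket with no BucketPolicy,
# a custom-resource function with no Description, and a custom-resource role
# granting Resource "*" (the action named here is made up).
SAMPLE_TEMPLATE = {"Resources": {
    "ServerlessDeploymentBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "PreDashsignDashupLambdaFunction": {"Type": "AWS::Lambda::Function", "Properties": {
        "Handler": "lambdas/pre_sign_up.pre_sign_up", "Description": "Cognito Pre SignUp Trigger"}},
    "CustomDashresourceDashexistingDashcupLambdaFunction": {
        "Type": "AWS::Lambda::Function", "Properties": {"Handler": "index.handler"}},
    "IamRoleCustomResourcesLambdaExecution": {"Type": "AWS::IAM::Role", "Properties": {
        "Policies": [{"PolicyName": "custom", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["cognito-idp:DescribeUserPool"], "Resource": "*"}]}}]}},
}}

# Constructed fix for finding 2: deny every request that did not arrive over TLS.
# In serverless.yml this resource goes under `resources: Resources:`.
DENY_HTTP_BUCKET_POLICY = {"Type": "AWS::S3::BucketPolicy", "Properties": {
    "Bucket": {"Ref": "ServerlessDeploymentBucket"},
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [{"Fn::Sub": "arn:aws:s3:::${ServerlessDeploymentBucket}"},
                     {"Fn::Sub": "arn:aws:s3:::${ServerlessDeploymentBucket}/*"}],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statements(policy_document):
    return _as_list(policy_document.get("Statement", []))

def wildcard_iam_statements(template):
    """(logical_id, statement) for each Allow statement whose Action or Resource is '*'."""
    findings = []
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") not in ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            continue
        props = res.get("Properties", {})
        docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        if "PolicyDocument" in props:            # AWS::IAM::Policy / ManagedPolicy shape
            docs.append(props["PolicyDocument"])
        for st in (s for doc in docs for s in _statements(doc)):
            if st.get("Effect") == "Allow" and ("*" in _as_list(st.get("Resource", []))
                                                or "*" in _as_list(st.get("Action", []))):
                findings.append((lid, st))
    return findings

def _denies_plain_http(statement):
    secure = statement.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
    return statement.get("Effect") == "Deny" and str(secure).lower() == "false"

def buckets_without_https_policy(template):
    """Logical IDs of buckets with no BucketPolicy denying aws:SecureTransport=false."""
    resources = template.get("Resources", {})
    buckets = {lid for lid, r in resources.items() if r.get("Type") == "AWS::S3::Bucket"}
    covered = set()
    for res in resources.values():
        props = res.get("Properties", {})
        ref = props.get("Bucket")                # {"Ref": <logical id>} or a literal name
        target = ref.get("Ref") if isinstance(ref, dict) else (ref if isinstance(ref, str) else None)
        if (res.get("Type") == "AWS::S3::BucketPolicy" and target in buckets
                and any(_denies_plain_http(s) for s in _statements(props.get("PolicyDocument", {})))):
            covered.add(target)
    return sorted(buckets - covered)

def functions_without_description(template):
    """Logical IDs of Lambda functions whose Description is missing or blank."""
    return sorted(lid for lid, r in template.get("Resources", {}).items()
                  if r.get("Type") == "AWS::Lambda::Function"
                  and not str(r.get("Properties", {}).get("Description", "")).strip())

def with_deny_http_policy(template):
    """Copy of the template with DENY_HTTP_BUCKET_POLICY added, i.e. finding 2 fixed."""
    fixed = copy.deepcopy(template)
    fixed["Resources"]["ServerlessDeploymentBucketPolicy"] = copy.deepcopy(DENY_HTTP_BUCKET_POLICY)
    return fixed

def scan(template):
    """Findings keyed by safeguard name, plus a warning count like the plugin's summary line."""
    findings = {
        "no-wild-iam-role": [lid for lid, _ in wildcard_iam_statements(template)],
        "forbid-s3-http-access": buckets_without_https_policy(template),
        "require-description": functions_without_description(template),
    }
    findings["warnings"] = sum(len(v) for v in findings.values())
    return findings

if __name__ == "__main__":
    # Usage: python check_safeguards.py [.serverless/cloudformation-template-update-stack.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    print(json.dumps(scan(template), indent=2))
```

Running it with no argument scans the constructed sample and reports one finding per rule; pointing it at the real compiled template after `sls package` lists the actual logical IDs behind the plugin's warnings, which is the quickest way to confirm whether a wildcard grant comes from your own `iamRoleStatements` or from an injected custom-resource role. The scanner treats the rules literally, so a BucketPolicy that already denies `aws:SecureTransport = false` is counted as compliant regardless of what the plugin reports.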