From 6ffe59637df3617de55907d95e2f64c55998c09b Mon Sep 17 00:00:00 2001 From: Ramon Date: Thu, 23 Nov 2023 16:09:26 +0100 Subject: [PATCH 01/14] Add Homebrew badge (#258) * add homebrew badge * update html for logo image * revert align --------- Co-authored-by: Ramon --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index f8658527..19cfc1ac 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,12 @@

- +cfripper logo

# CFRipper ![Build Status](https://github.com/Skyscanner/cfripper/workflows/PyPI%20release/badge.svg) [![PyPI version](https://badge.fury.io/py/cfripper.svg)](https://badge.fury.io/py/cfripper) +[![homebrew version](https://img.shields.io/homebrew/v/cfripper)](https://formulae.brew.sh/formula/cfripper) ![License](https://img.shields.io/github/license/skyscanner/cfripper) CFRipper is a Library and CLI security analyzer for AWS CloudFormation templates. You can use CFRipper to prevent deploying insecure AWS resources into your Cloud environment. You can write your own compliance checks by adding new custom plugins. From 5b50aa7801d17123697fa7280b63bce357db6a7a Mon Sep 17 00:00:00 2001 From: Jordi Soucheiron Date: Mon, 4 Dec 2023 14:22:04 +0100 Subject: [PATCH 02/14] Update stack_name_matches_regex.py (#261) * Update stack_name_matches_regex.py * Update changelog and version --- CHANGELOG.md | 8 ++++++++ cfripper/__version__.py | 2 +- cfripper/rules/stack_name_matches_regex.py | 4 ++-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c48614a7..4508c8e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,14 @@ All notable changes to this project will be documented in this file. ### Fixes - Fix documentation. +## [1.15.2] +### Fixes +- Fixes https://github.com/Skyscanner/cfripper/issues/260 + +## [1.15.1] +### Fixes +- Fix docs generation + ## [1.15.0] ### Additions - New rules: `PublicELBCheckerRule`, `StackNameMatchesRegexRule`, and `StorageEncryptedRule` diff --git a/cfripper/__version__.py b/cfripper/__version__.py index ed46a0fb..1afd7edb 100644 --- a/cfripper/__version__.py +++ b/cfripper/__version__.py @@ -1,3 +1,3 @@ -VERSION = (1, 15, 1) +VERSION = (1, 15, 2) __version__ = ".".join(map(str, VERSION)) diff --git a/cfripper/rules/stack_name_matches_regex.py b/cfripper/rules/stack_name_matches_regex.py index ca2c8e8f..9307082b 100644 --- a/cfripper/rules/stack_name_matches_regex.py 
+++ b/cfripper/rules/stack_name_matches_regex.py @@ -28,11 +28,11 @@ def _stack_name_matches_regex(self, stack_name: str) -> bool: def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result: result = Result() + if not extras: + extras = {} stack_name = self._config.stack_name or extras.get("stack_name", "") if not stack_name: return result - if not extras: - extras = {} if not self._stack_name_matches_regex(stack_name): self.add_failure_to_result( From da57d86786c019f7ce1803ff20b97576f1f30933 Mon Sep 17 00:00:00 2001 From: Ramon Pinuaga <129771135+rpinuaga-sky@users.noreply.github.com> Date: Thu, 14 Dec 2023 15:02:33 +0100 Subject: [PATCH 03/14] Update invalid_role_inline_policy_fn_if.json (#263) --- .../invalid_role_inline_policy_fn_if.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_inline_policy_fn_if.json b/tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_inline_policy_fn_if.json index c1e25866..644828c3 100644 --- a/tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_inline_policy_fn_if.json +++ b/tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_inline_policy_fn_if.json @@ -35,7 +35,7 @@ { "Action": "sts:AssumeRole", "Effect": "Allow", - "Resource": "arn:aws:iam::325714046698:role/sandbox-secrets-access" + "Resource": "arn:aws:iam::123456789012:role/test-role" } ], "Version": "2012-10-17" @@ -65,4 +65,4 @@ } } } -} \ No newline at end of file +} From 6a37acafa0117acb92ab458d04dc66ef761a8627 Mon Sep 17 00:00:00 2001 From: Ramon Date: Thu, 28 Dec 2023 13:02:27 +0100 Subject: [PATCH 04/14] remove duplicated section in changelog (#262) Co-authored-by: Ramon --- CHANGELOG.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4508c8e8..433e9844 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
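Review bot: No regression test covers the `extras=None` path that moving the `if not extras: extras = {}` guard above `extras.get("stack_name", "")` fixes; the diffstat touches only the rule, the changelog and the version file, so a test calling `rule.invoke(model)` without `extras` would pin the behaviour this 1.15.2 release exists for. The two-line guard could also collapse to `extras = extras or {}`, which reads as the single normalisation step it is. `invoke` continues past the end of the hunk, so the remainder of the failure-reporting path is not visible here.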
@@ -1,10 +1,6 @@ # Changelog All notable changes to this project will be documented in this file. -## [1.15.1] -### Fixes -- Fix documentation. - ## [1.15.2] ### Fixes - Fixes https://github.com/Skyscanner/cfripper/issues/260 From fc89834179279cea00113986b6aefe45f19fd510 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio Date: Tue, 16 Jan 2024 10:48:10 +0100 Subject: [PATCH 05/14] Improve logging for the exception when applying rule filters (#264) * Improve logging * Add data --------- Co-authored-by: Ignacio Bolonio <> --- cfripper/rules/base_rules.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/cfripper/rules/base_rules.py b/cfripper/rules/base_rules.py index 2c23f065..48de5148 100644 --- a/cfripper/rules/base_rules.py +++ b/cfripper/rules/base_rules.py @@ -66,7 +66,12 @@ def add_failure_to_result( if self._config.metrics_logger: self._config.metrics_logger(rule=self.__class__.__name__, filter_reason=rule_filter.reason) except Exception: - logger.exception(f"Exception raised while evaluating filter for `{rule_filter.reason}`", extra=context) + logger.exception( + f"Exception raised while evaluating rule {self.__class__.__name__} " + f"with filter for `{rule_filter.reason}`. " + f"Stack: {self._config.stack_name} Account: {self._config.aws_account_id}", + extra=context, + ) if rule_mode != RuleMode.ALLOWED: result.add_failure( From 30a93f06a8fc2c5ad79e7f604a096e8b75d19ce9 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Tue, 16 Jan 2024 11:06:51 +0100 Subject: [PATCH 06/14] Add release drafter template --- .github/workflows/release-drafter.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/workflows/release-drafter.yml diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml new file mode 100644 index 00000000..fb3da367 --- /dev/null +++ b/.github/workflows/release-drafter.yml 
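Review bot: The new `logger.exception(...)` call builds its message eagerly with f-strings, while the logging convention is lazy `%s` arguments so formatting only happens when the record is emitted; the same lines could read ``logger.exception("Exception raised while evaluating rule %s with filter for `%s`. Stack: %s Account: %s", type(self).__name__, rule_filter.reason, self._config.stack_name, self._config.aws_account_id, extra=context)``. If `context` already carries the config (other rules in this series pass `"config": self._config` in their context), the stack and account values are now emitted twice, which is reasonable for plain-text log search but worth a one-line comment such as `# stack/account repeated in the message so plain-text log search works without structured fields`. The enclosing `add_failure_to_result` starts before the hunk, and the broad `except Exception` that falls through to the `rule_mode` check is pre-existing context rather than part of this change.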
@@ -0,0 +1,17 @@ +name-template: 'v$RESOLVED_VERSION' +tag-template: 'v$RESOLVED_VERSION' +change-template: '- $TITLE @$AUTHOR (#$NUMBER)' +change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks. +version-resolver: + major: + labels: + - 'major' + minor: + labels: + - 'minor' + patch: + labels: + - 'patch' + default: patch +template: | + ## Changes \ No newline at end of file From 6f30b6942ad6bf55575f0bf4574923ee08efe71a Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Tue, 16 Jan 2024 11:10:05 +0100 Subject: [PATCH 07/14] Move template --- .github/{workflows => }/release-drafter.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{workflows => }/release-drafter.yml (100%) diff --git a/.github/workflows/release-drafter.yml b/.github/release-drafter.yml similarity index 100% rename from .github/workflows/release-drafter.yml rename to .github/release-drafter.yml From d78a46ec6d7763e4767aa2e0647bceddd8378cbf Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio Date: Tue, 16 Jan 2024 11:51:48 +0100 Subject: [PATCH 08/14] Add release drafter template (#265) * Add release drafter template * Move template --------- Co-authored-by: Ignacio Bolonio <> --- .github/release-drafter.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 .github/release-drafter.yml diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml new file mode 100644 index 00000000..fb3da367 --- /dev/null +++ b/.github/release-drafter.yml @@ -0,0 +1,17 @@ +name-template: 'v$RESOLVED_VERSION' +tag-template: 'v$RESOLVED_VERSION' +change-template: '- $TITLE @$AUTHOR (#$NUMBER)' +change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks. +version-resolver: + major: + labels: + - 'major' + minor: + labels: + - 'minor' + patch: + labels: + - 'patch' + default: patch +template: | + ## Changes \ No newline at end of file 
From 5596ec8f9f32e21d56fd9317bbab19874c1429f9 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Tue, 16 Jan 2024 11:52:53 +0100 Subject: [PATCH 09/14] Add release drafter workflow --- .github/workflows/release-drafter.yml | 32 +++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .github/workflows/release-drafter.yml diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml new file mode 100644 index 00000000..56eaca4b --- /dev/null +++ b/.github/workflows/release-drafter.yml @@ -0,0 +1,32 @@ +name: Release Drafter + +on: + push: + # branches to consider in the event; optional, defaults to all + branches: + - master + # pull_request event is required only for autolabeler + pull_request: + # Only following types are handled by the action, but one can default to all as well + types: [opened, reopened, synchronize] + # pull_request_target event is required for autolabeler to support PRs from forks + pull_request_target: + types: [opened, reopened, synchronize] + +permissions: + contents: read + +jobs: + update_release_draft: + permissions: + # write permission is required to create a github release + contents: write + # write permission is required for autolabeler + # otherwise, read permission is required at least + pull-requests: write + runs-on: ubuntu-latest + steps: + # Drafts your next Release notes as Pull Requests are merged into "master" + - uses: release-drafter/release-drafter@v5 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 9f2f78f5ffc9475d27755b8fd8931f729fca8e50 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Tue, 16 Jan 2024 12:15:54 +0100 Subject: [PATCH 10/14] HOTFIX Update version file --- cfripper/__version__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfripper/__version__.py b/cfripper/__version__.py index 1afd7edb..df6a2f7f 100644 --- a/cfripper/__version__.py +++ b/cfripper/__version__.py 
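Review bot: `release-drafter/release-drafter@v5` is pinned by a mutable major tag while the job runs with `contents: write` and `pull-requests: write` and is also triggered by `pull_request_target`, which gives the step a write-capable `GITHUB_TOKEN` in the base repository's context; pinning the step to a full commit SHA (keeping `# v5` as a trailing comment) means a moved tag cannot run unreviewed action code with that token. The job does not check out pull-request code, so the fork-PR exposure is limited to what the action itself does with the token, but that is exactly why the action's own provenance matters here. The `pull_request` and `pull_request_target` blocks already carry comments saying they exist for the autolabeler; a short comment above `update_release_draft` stating that the draft itself is only refreshed on `push` to `master` would make the intended trust boundary explicit for the next reader. The file also ends without a trailing newline.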
@@ -1,3 +1,3 @@ -VERSION = (1, 15, 2) +VERSION = (1, 15, 3) __version__ = ".".join(map(str, VERSION)) From 9f73c76b92d27e72e00366cc4b6dd0f52a09f999 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Tue, 16 Jan 2024 12:17:30 +0100 Subject: [PATCH 11/14] Update changelog --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 433e9844..11e63309 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,12 @@ # Changelog All notable changes to this project will be documented in this file. +## [1.15.3] +## Changes +- Update invalid_role_inline_policy_fn_if.json +- Improve logging for the exception when applying rule filters +- Add release drafter + ## [1.15.2] ### Fixes - Fixes https://github.com/Skyscanner/cfripper/issues/260 From e92938c3082af9bdebaca062fd1bff97584c9360 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Mon, 12 Feb 2024 12:48:35 +0100 Subject: [PATCH 12/14] Bump pycfmodel and fix rule --- cfripper/__version__.py | 2 +- cfripper/rules/kms_key_wildcard_principal.py | 45 ++++++------ requirements.txt | 2 +- setup.py | 2 +- tests/rules/test_CrossAccountTrustRule.py | 8 +++ tests/rules/test_KMSKeyWildcardPrincipal.py | 71 +++++++++++++------ tests/rules/test_WildcardResourceRule.py | 46 +++++++++++- .../kms_key_without_policy.yml | 9 +++ .../kms_key_with_wildcard_resource.json | 2 +- .../kms_key_without_policy.yml | 9 +++ 10 files changed, 147 insertions(+), 49 deletions(-) create mode 100644 tests/test_templates/rules/CrossAccountTrustRule/kms_key_without_policy.yml rename tests/test_templates/rules/{WildcardResourceRule => KMSKeyWildcardPrincipalRule}/kms_key_with_wildcard_resource.json (96%) create mode 100644 tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_without_policy.yml diff --git a/cfripper/__version__.py b/cfripper/__version__.py index df6a2f7f..ba2922a6 100644 --- a/cfripper/__version__.py +++ b/cfripper/__version__.py 
@@ -1,3 +1,3 @@ -VERSION = (1, 15, 3) +VERSION = (1, 15, 4) __version__ = ".".join(map(str, VERSION)) diff --git a/cfripper/rules/kms_key_wildcard_principal.py b/cfripper/rules/kms_key_wildcard_principal.py index 3934cadf..4f7cc2f9 100644 --- a/cfripper/rules/kms_key_wildcard_principal.py +++ b/cfripper/rules/kms_key_wildcard_principal.py @@ -37,26 +37,27 @@ def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result: result = Result() for logical_id, resource in cfmodel.Resources.items(): if isinstance(resource, KMSKey): - for statement in resource.Properties.KeyPolicy._statement_as_list(): - filtered_principals = statement.principals_with(self.CONTAINS_WILDCARD_PATTERN) - if statement.Effect == "Allow" and filtered_principals: - for principal in filtered_principals: - if statement.Condition and statement.Condition.dict(): - # Ignoring condition checks since they will get reviewed in other - # rules and future improvements - pass - else: - self.add_failure_to_result( - result, - self.REASON.format(logical_id), - resource_ids={logical_id}, - context={ - "config": self._config, - "extras": extras, - "logical_id": logical_id, - "resource": resource, - "statement": statement, - "principal": principal, - }, - ) + if resource.Properties.KeyPolicy: + for statement in resource.Properties.KeyPolicy._statement_as_list(): + filtered_principals = statement.principals_with(self.CONTAINS_WILDCARD_PATTERN) + if statement.Effect == "Allow" and filtered_principals: + for principal in filtered_principals: + if statement.Condition and statement.Condition.dict(): + # Ignoring condition checks since they will get reviewed in other + # rules and future improvements + pass + else: + self.add_failure_to_result( + result, + self.REASON.format(logical_id), + resource_ids={logical_id}, + context={ + "config": self._config, + "extras": extras, + "logical_id": logical_id, + "resource": resource, + "statement": statement, + "principal": principal, + }, + ) return result 
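Review bot: The added `if resource.Properties.KeyPolicy:` guard pushes the statement loop to six levels of nesting; inverting it with a guard clause, `if not isinstance(resource, KMSKey) or not resource.Properties.KeyPolicy: continue`, keeps the loop at its original depth and turns the re-indented block into a two-line change. The `if statement.Condition and statement.Condition.dict(): pass / else:` shape inside the principal loop could likewise become `if statement.Condition and statement.Condition.dict(): continue` with the existing "Ignoring condition checks" comment kept on it. A one-line comment on the new guard would record the intent, e.g. `# KeyPolicy appears optional in the model since the pycfmodel bump — a key without one has no statements to inspect here; confirm`, since the changelog for this release is the only place that reason is stated. `invoke` starts before the hunk; only its signature is visible, in the hunk header.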
diff --git a/requirements.txt b/requirements.txt index fa70e777..5639dc25 100644 --- a/requirements.txt +++ b/requirements.txt @@ -10,7 +10,7 @@ cfn-flip==1.3.0 click==8.1.2 jmespath==1.0.0 pluggy==0.13.1 -pycfmodel==0.20.0 +pycfmodel==0.22.0 pydantic==1.9.0 pydash==6.0.0 python-dateutil==2.8.2 diff --git a/setup.py b/setup.py index cf2c6a66..aa613d04 100644 --- a/setup.py +++ b/setup.py @@ -11,7 +11,7 @@ "cfn_flip>=1.2.0", "click>=8.0.0", "pluggy~=0.13.1", - "pycfmodel>=0.20.0", + "pycfmodel>=0.22.0", "pydash>=4.7.6", "PyYAML>=4.2b1", ] diff --git a/tests/rules/test_CrossAccountTrustRule.py b/tests/rules/test_CrossAccountTrustRule.py index a34fee61..bb7bb890 100644 --- a/tests/rules/test_CrossAccountTrustRule.py +++ b/tests/rules/test_CrossAccountTrustRule.py @@ -301,6 +301,14 @@ def test_kms_key_cross_account_sts(template, is_valid, failures): assert compare_lists_of_failures(result.failures, failures) +def test_kms_key__without_policy(): + rule = KMSKeyCrossAccountTrustRule(Config(aws_account_id="123456789", aws_principals=["999999999"])) + model = get_cfmodel_from("rules/CrossAccountTrustRule/kms_key_without_policy.yml") + result = rule.invoke(model) + assert result.valid + assert compare_lists_of_failures(result.failures, []) + + @pytest.mark.parametrize( "principal", [ diff --git a/tests/rules/test_KMSKeyWildcardPrincipal.py b/tests/rules/test_KMSKeyWildcardPrincipal.py index 72f81953..34d30cfa 100644 --- a/tests/rules/test_KMSKeyWildcardPrincipal.py +++ b/tests/rules/test_KMSKeyWildcardPrincipal.py 
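Review bot: The new test's name `test_kms_key__without_policy` has a doubled underscore; `def test_kms_key_without_policy():` matches the naming of the neighbouring tests and of the fixture it loads. The inline `Config(aws_account_id="123456789", aws_principals=["999999999"])` uses nine-digit values where AWS account IDs are twelve digits (the sanitised fixture earlier in this series uses `123456789012`); twelve-digit test values avoid a silent mismatch if account-ID handling ever becomes format-sensitive, though this is a style point rather than a failing case today. A one-line comment stating the expectation, e.g. `# a KMS key with no KeyPolicy has no statements to inspect and must not be flagged`, would tie the test to the fix it guards.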
@@ -1,22 +1,49 @@ -# import pytest -# -# from cfripper.rules.KMSKeyWildcardPrincipal import KMSKeyWildcardPrincipal -# from cfripper.model.result import Result -# from tests.utils import get_cfmodel_from - -# TODO Implement check if this is needed as GenericWildcardPrincipal rule seems to include this one -# @pytest.fixture() -# def abcdef(): -# return get_cfmodel_from("rules/KMSKeyWildcardPrincipal/abcdef.json").resolve() -# -# -# def test_abcdef(abcdef): -# result = Result() -# rule = KMSKeyWildcardPrincipal(None, result) -# rule.invoke(abcdef) -# -# assert not result.valid -# assert len(result.failed_rules) == 1 -# assert len(result.failed_monitored_rules) == 0 -# assert result.failed_rules[0].rule == "KMSKeyWildcardPrincipal" -# assert result.failed_rules[0].reason == "KMS Key policy {} should not allow wildcard principals" +import pytest + +from cfripper.model.result import Failure +from cfripper.rules import KMSKeyWildcardPrincipalRule +from tests.utils import compare_lists_of_failures, get_cfmodel_from + + +@pytest.fixture() +def kms_key_with_wildcard_policy(): + return get_cfmodel_from("rules/KMSKeyWildcardPrincipalRule/kms_key_with_wildcard_resource.json").resolve() + + +@pytest.fixture() +def kms_key_without_policy(): + return get_cfmodel_from("rules/KMSKeyWildcardPrincipalRule/kms_key_without_policy.yml").resolve() + + +def test_kms_key_with_wildcard_resource_not_allowed_is_flagged(kms_key_with_wildcard_policy): + rule = KMSKeyWildcardPrincipalRule(None) + rule._config.stack_name = "stack3" + rule.all_cf_actions = set() + result = rule.invoke(kms_key_with_wildcard_policy) + + assert result.valid is False + assert compare_lists_of_failures( + result.failures, + [ + Failure( + granularity="RESOURCE", + reason="KMS Key policy myKey should not allow wildcard principals", + risk_value="MEDIUM", + rule="KMSKeyWildcardPrincipalRule", + rule_mode="BLOCKING", + actions=None, + resource_ids={"myKey"}, + resource_types=None, + ) + ], + ) + + +def 
test_kms_key_without_policy_is_not_flagged(kms_key_without_policy): + rule = KMSKeyWildcardPrincipalRule(None) + rule._config.stack_name = "stack3" + rule.all_cf_actions = set() + result = rule.invoke(kms_key_without_policy) + + assert result.valid + assert compare_lists_of_failures(result.failures, []) diff --git a/tests/rules/test_WildcardResourceRule.py b/tests/rules/test_WildcardResourceRule.py index 14541df0..21c3fc42 100644 --- a/tests/rules/test_WildcardResourceRule.py +++ b/tests/rules/test_WildcardResourceRule.py @@ -17,7 +17,7 @@ def user_with_wildcard_resource(): @pytest.fixture() def kms_key_with_wildcard_policy(): - return get_cfmodel_from("rules/WildcardResourceRule/kms_key_with_wildcard_resource.json").resolve() + return get_cfmodel_from("rules/KMSKeyWildcardPrincipalRule/kms_key_with_wildcard_resource.json").resolve() @pytest.fixture() @@ -434,6 +434,28 @@ def test_multiple_resources_with_wildcard_resources_are_detected(user_and_policy resource_ids={"RolePolicy"}, resource_types={"AWS::IAM::Policy"}, ), + Failure( + granularity="ACTION", + reason='"RolePolicy" is using a wildcard resource in "TheExtremePolicy" for "dynamodb:GetResourcePolicy"', + risk_value="MEDIUM", + rule="WildcardResourceRule", + rule_mode="BLOCKING", + actions={ + "dynamodb:CreateTable", + "dynamodb:BatchGet*", + "dynamodb:Scan", + "dynamodb:Update*", + "dynamodb:Query", + "dynamodb:Delete*", + "dynamodb:PutItem", + "dynamodb:DescribeStream", + "dynamodb:DescribeTable", + "dynamodb:BatchWrite*", + "dynamodb:Get*", + }, + resource_ids={"RolePolicy"}, + resource_types={"AWS::IAM::Policy"}, + ), Failure( granularity="ACTION", reason='"RolePolicy" is using a wildcard resource in "TheExtremePolicy" for "dynamodb:GetShardIterator"', 
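Review bot: Both tests set `rule._config.stack_name = "stack3"` and `rule.all_cf_actions = set()`, and neither attribute is referenced by this rule's `invoke` as shown earlier in the series (`_config` only reaches the failure `context`); these lines look carried over from another rule's tests, and if they are not needed dropping them leaves `rule = KMSKeyWildcardPrincipalRule(None)` followed by `result = rule.invoke(fixture)` without poking private state — worth confirming against the rule's filter handling before removing. The positive-case fixture is named `kms_key_with_wildcard_resource.json` while the assertion is about a wildcard principal (this series changes its `"Principal"` to `"AWS": "*"`); a name such as `kms_key_with_wildcard_principal.json` would describe what the test asserts, noting that `test_WildcardResourceRule.py` loads the same file and would need the same rename. The deleted commented-out file carried a TODO explaining why the rule was not tested; a short module docstring stating what each test expects would replace that context rather than lose it.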
@@ -610,6 +632,28 @@ def test_multiple_resources_with_wildcard_resources_are_detected(user_and_policy resource_ids={"RolePolicy"}, resource_types={"AWS::IAM::Policy"}, ), + Failure( + granularity="ACTION", + reason='"RolePolicy" is using a wildcard resource in "TheExtremePolicy" for "dynamodb:UpdateGlobalTableVersion"', + risk_value="MEDIUM", + rule="WildcardResourceRule", + rule_mode="BLOCKING", + actions={ + "dynamodb:CreateTable", + "dynamodb:BatchGet*", + "dynamodb:Scan", + "dynamodb:Update*", + "dynamodb:Query", + "dynamodb:Delete*", + "dynamodb:PutItem", + "dynamodb:DescribeStream", + "dynamodb:DescribeTable", + "dynamodb:BatchWrite*", + "dynamodb:Get*", + }, + resource_ids={"RolePolicy"}, + resource_types={"AWS::IAM::Policy"}, + ), Failure( granularity="ACTION", reason='"RolePolicy" is using a wildcard resource in "TheExtremePolicy" for "dynamodb:UpdateItem"', diff --git a/tests/test_templates/rules/CrossAccountTrustRule/kms_key_without_policy.yml b/tests/test_templates/rules/CrossAccountTrustRule/kms_key_without_policy.yml new file mode 100644 index 00000000..b3400c53 --- /dev/null +++ b/tests/test_templates/rules/CrossAccountTrustRule/kms_key_without_policy.yml @@ -0,0 +1,9 @@ +--- +AWSTemplateFormatVersion: "2010-09-09" + +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + EnableKeyRotation: true + Enabled: true diff --git a/tests/test_templates/rules/WildcardResourceRule/kms_key_with_wildcard_resource.json b/tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_with_wildcard_resource.json similarity index 96% rename from tests/test_templates/rules/WildcardResourceRule/kms_key_with_wildcard_resource.json rename to tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_with_wildcard_resource.json index 45d5691a..1599b66b 100644 --- a/tests/test_templates/rules/WildcardResourceRule/kms_key_with_wildcard_resource.json +++ b/tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_with_wildcard_resource.json 
@@ -12,7 +12,7 @@ "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::111122223333:root" + "AWS": "*" }, "Action": "kms:*", "Resource": "*" diff --git a/tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_without_policy.yml b/tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_without_policy.yml new file mode 100644 index 00000000..b3400c53 --- /dev/null +++ b/tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_without_policy.yml @@ -0,0 +1,9 @@ +--- +AWSTemplateFormatVersion: "2010-09-09" + +Resources: + MyKey: + Type: "AWS::KMS::Key" + Properties: + EnableKeyRotation: true + Enabled: true From 1bd1de51ef365962bdd882c6b262ac829b62c934 Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Mon, 12 Feb 2024 12:50:38 +0100 Subject: [PATCH 13/14] Fix release drafter template --- .github/release-drafter.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml index fb3da367..1318f25c 100644 --- a/.github/release-drafter.yml +++ b/.github/release-drafter.yml @@ -14,4 +14,6 @@ version-resolver: - 'patch' default: patch template: | - ## Changes \ No newline at end of file + ## Changes + + $CHANGES \ No newline at end of file From 54e901114669917050273ce3997485b157da8c7d Mon Sep 17 00:00:00 2001 From: Ignacio Bolonio <> Date: Tue, 13 Feb 2024 09:55:18 +0100 Subject: [PATCH 14/14] Update changelog --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 11e63309..53477741 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,6 +1,13 @@ # Changelog All notable changes to this project will be documented in this file. +## [1.15.4] +## Fixes +- Fix `KMSKeyWildcardPrincipalRule` to work without a KMS policy +- Fix release drafter template to show PR titles +### Updates +- Bumped minimum `pycfmodel` version to `0.22.0` + ## [1.15.3] ## Changes - Update invalid_role_inline_policy_fn_if.json