#cloud-formation #lambda #rules #compliance #aws-lambda #ruleset #guard

app cfn-guard-rulegen-lambda

Lambda version of cfn-guard-rulegen. Takes a CloudFormation template and autogenerates a set of cfn-guard rules that match the properties of its resources. This is a useful way to get started rule-writing or just create ready-to-use rulesets from known-good templates.

1 stable release

1.0.0 Oct 1, 2020
0.0.0 Sep 18, 2020

#6 in #ruleset

Apache-2.0

20KB
162 lines

CloudFormation Guard Rulegen as a Lambda

Installation

Dependencies

  • AWS CLI configured with permissions to deploy and invoke Lambdas
  • An AWS Lambda Execution Role in IAM
  • A shell environment variable called CFN_GUARD_LAMBDA_ROLE_ARN set to the ARN of that role
  • Rust (See the installation instructions in the top-level README)
  • If building on a Mac, you'll need Homebrew.
  • If building on Ubuntu, you'll need to run sudo apt-get update; sudo apt install build-essential if you haven't already

Mac/Ubuntu

  1. Install and configure the dependencies.
  2. If you're on a Mac, add the following to ~/.cargo/config so that cargo links the x86_64-unknown-linux-musl target (the static Linux binary the Lambda runtime executes) with the musl cross-linker from Homebrew:
    [target.x86_64-unknown-linux-musl]
    linker = "x86_64-linux-musl-gcc"
    
  3. Ensure you're in the cfn-guard-rulegen-lambda directory
  4. Run make pre-reqs.
  5. Run make install.
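A pre-flight check for the steps above, added here as an example; it is not code from the cfn-guard-rulegen-lambda project. It checks only what the README lists as prerequisites: the tools on PATH, a CFN_GUARD_LAMBDA_ROLE_ARN that is actually an IAM role ARN, the x86_64-unknown-linux-musl target that the ~/.cargo/config snippet configures a linker for, and working AWS CLI credentials. The function names, the regex and the sample ARNs are this example's own. Run it before make install so a missing or mistyped role ARN fails here rather than partway through the deploy; if the musl target is reported missing, rustup target add x86_64-unknown-linux-musl installs it.

```python
"""Pre-flight check before `make install` for cfn-guard-rulegen-lambda.

Added example, not part of the cfn-guard-rulegen-lambda project. It checks
only what the README lists as prerequisites; the function names, the regex
and the messages are this example's own.
"""
import os
import re
import shutil
import subprocess
from typing import List, Mapping

# The cross-compile target the ~/.cargo/config snippet sets a linker for.
MUSL_TARGET = "x86_64-unknown-linux-musl"

# IAM *role* ARN: arn:<partition>:iam::<12-digit account>:role/<path-and-name>.
# Partitions seen in practice: aws, aws-cn, aws-us-gov.
ROLE_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def valid_role_arn(arn: str) -> bool:
    """True only for an IAM role ARN.

    A user ARN, a bare role name or an empty variable is rejected here,
    rather than being discovered when the Makefile passes it to the
    Lambda deploy step.
    """
    return bool(ROLE_ARN_RE.match(arn or ""))


def musl_target_missing(rustup_installed_output: str,
                        target: str = MUSL_TARGET) -> bool:
    """Given the text of `rustup target list --installed`, report whether
    the Linux musl target needed for the Lambda binary is absent."""
    return target not in rustup_installed_output.split()


def preflight(env: Mapping[str, str] = os.environ) -> List[str]:
    """Return the list of problems found; an empty list means go ahead."""
    problems: List[str] = []

    for tool in ("aws", "make", "cargo", "rustup"):
        if shutil.which(tool) is None:
            problems.append(f"{tool} not found on PATH")

    if not valid_role_arn(env.get("CFN_GUARD_LAMBDA_ROLE_ARN", "")):
        problems.append(
            "CFN_GUARD_LAMBDA_ROLE_ARN is unset or is not an IAM role ARN")

    if shutil.which("rustup") is not None:
        out = subprocess.run(["rustup", "target", "list", "--installed"],
                             capture_output=True, text=True, timeout=30).stdout
        if musl_target_missing(out):
            problems.append(f"rustup target {MUSL_TARGET} is not installed")

    if shutil.which("aws") is not None:
        # Proves the CLI has usable credentials; it does not prove they are
        # allowed to deploy or invoke Lambdas.
        try:
            who = subprocess.run(["aws", "sts", "get-caller-identity"],
                                 capture_output=True, text=True, timeout=30)
            if who.returncode != 0:
                problems.append("aws sts get-caller-identity failed: "
                                + who.stderr.strip())
        except subprocess.TimeoutExpired:
            problems.append("aws sts get-caller-identity timed out")

    return problems


if __name__ == "__main__":
    found = preflight()
    for line in found:
        print("FAIL:", line)
    raise SystemExit(1 if found else 0)
```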

To build and run post-install

To build, deploy and test the function after you edit its source code, run make test.

To merely invoke the already-deployed function without rebuilding it, run make invoke. The payload variables in the Makefile used to make the calls can be edited to send different templates.

This project is licensed under the Apache-2.0 License.


Calling the Lambda Function

Request Structure

Requests to cfn-guard-rulegen-lambda require the following field:

  • template - The YAML or JSON CloudFormation template as a single string (a JSON template is passed as an escaped string, not as a nested JSON object)

Example

There are example payloads in the Makefile. Here's one: a JSON template declaring two encrypted EC2 volumes, from which the function generates rules matching each resource's properties. The \n and \" sequences are JSON string escapes inside the template field; the pretty-printed template follows in the Makefile comment:

request_payload = '{ "template": "{\n    \"Resources\": {\n        \"NewVolume\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 100,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        },\n        \"NewVolume2\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n                \"Size\" : 99,\n                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        } }\n}"}'
 
 #======================================================================
 # Request Payload
 #======================================================================
 # Template
 # {
 #   "Resources": {
 #     "NewVolume" : {
 #       "Type" : "AWS::EC2::Volume",
 #       "Properties" : {
 #         "Size" : 100,
 #         "Encrypted": true,
 #         "AvailabilityZone" : "us-east-1b"
 #       }
 #     },
 #     "NewVolume2" : {
 #       "Type" : "AWS::EC2::Volume",
 #       "Properties" : {
 #         "Size" : 99,
 #         "Encrypted": true,
 #         "AvailabilityZone" : "us-east-1b"
 #       }
 #     }
 #   }
 # }
 #======================================================================
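The escaping in the Makefile payload above is the part that goes wrong when a request is written by hand, so here is an added example (not code from the cfn-guard-rulegen-lambda project) that builds the request envelope from a template file with json.dumps, decodes a payload back to the template it carries, and prints the aws lambda invoke command for it. It assumes only the request contract documented above, a JSON object with one "template" string field; the function names, the YAML sample in the test and the payload.json/out.json file names are this example's own. The Makefile payload is embedded verbatim as a raw string so that the round trip can be checked against the pretty-printed template in the comment.

```python
"""Build, decode and check cfn-guard-rulegen-lambda request payloads.

Added example, not part of the cfn-guard-rulegen-lambda project. It assumes
only the documented request contract: a JSON object whose single
"template" field holds the whole CloudFormation template as one string.
"""
import json
import shlex
import sys
from typing import Any, Dict, List


def build_payload(template_text: str) -> str:
    """Wrap a raw YAML or JSON template in the Lambda request envelope.

    json.dumps does the quoting that the hand-written Makefile payload
    spells out as backslash-quote and backslash-n, so quotes, backslashes,
    tabs and non-ASCII text inside the template all survive the round trip.
    """
    if not template_text.strip():
        raise ValueError("template must not be empty")
    return json.dumps({"template": template_text})


def decode_payload(payload_json: str) -> Dict[str, Any]:
    """Parse a request payload and return the template it carries.

    Result: {"template": <raw string>, "parsed": <dict or None>}.
    "parsed" is the template as a JSON object when it is JSON, or None
    when it is YAML (or not parseable as JSON) and has to be handed to
    cfn-guard-rulegen as-is.
    """
    request = json.loads(payload_json)
    if not isinstance(request, dict) or "template" not in request:
        raise ValueError('payload is missing the required "template" field')
    template = request["template"]
    if not isinstance(template, str):
        raise ValueError('"template" must be a string, not an embedded JSON object')
    try:
        parsed = json.loads(template)
    except json.JSONDecodeError:
        parsed = None
    return {"template": template, "parsed": parsed}


def invoke_command(function_name: str, payload_path: str,
                   out_path: str = "out.json") -> str:
    """AWS CLI v2 command line that sends the payload saved in payload_path.

    --cli-binary-format raw-in-base64-out is required with CLI v2, which
    otherwise expects --payload to be base64 encoded. The function name
    is whatever the Makefile deployed; the default here is an assumption.
    """
    argv: List[str] = [
        "aws", "lambda", "invoke",
        "--function-name", function_name,
        "--cli-binary-format", "raw-in-base64-out",
        "--payload", f"file://{payload_path}",
        out_path,
    ]
    return shlex.join(argv)


# The Makefile payload quoted above, exactly as the shell hands it to the
# AWS CLI (outer single quotes stripped; \n and \" are JSON escapes).
MAKEFILE_PAYLOAD = (
    r'{ "template": "{\n    \"Resources\": {\n        \"NewVolume\" : {\n'
    r'            \"Type\" : \"AWS::EC2::Volume\",\n            \"Properties\" : {\n'
    r'                \"Size\" : 100,\n                \"Encrypted\": true,\n'
    r'                \"AvailabilityZone\" : \"us-east-1b\"\n            }\n        },\n'
    r'        \"NewVolume2\" : {\n            \"Type\" : \"AWS::EC2::Volume\",\n'
    r'            \"Properties\" : {\n                \"Size\" : 99,\n'
    r'                \"Encrypted\": true,\n                \"AvailabilityZone\" : \"us-east-1b\"\n'
    r'            }\n        } }\n}"}'
)

# What the Makefile comment block says that payload stands for, as Python.
PRETTY_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "NewVolume": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 100, "Encrypted": True,
                           "AvailabilityZone": "us-east-1b"},
        },
        "NewVolume2": {
            "Type": "AWS::EC2::Volume",
            "Properties": {"Size": 99, "Encrypted": True,
                           "AvailabilityZone": "us-east-1b"},
        },
    }
}


def makefile_payload_matches_comment() -> bool:
    """True if the escaped Makefile string decodes to the pretty-printed template."""
    return decode_payload(MAKEFILE_PAYLOAD)["parsed"] == PRETTY_TEMPLATE


if __name__ == "__main__":
    # Usage: python payload.py template.yaml  -> writes payload.json and prints
    # the invoke command; with no argument it checks the README payload.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            payload = build_payload(fh.read())
        with open("payload.json", "w", encoding="utf-8") as fh:
            fh.write(payload)
        print(invoke_command("cfn-guard-rulegen-lambda", "payload.json"))
    else:
        print("README payload matches its comment:", makefile_payload_matches_comment())
```

decode_payload is also the quickest way to pull the template back out of a payload that made the function exit with an opaque error, so that the same template can be run through cfn-guard-rulegen locally as the FAQ below suggests.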

FAQ

  • Q: How do I troubleshoot a Lambda call that returns an opaque error message like:

     {"errorType": "Runtime.ExitError", "errorMessage": "RequestId: 1c0c0620-0f83-40bc-8eca-3cf2cf24820f Error: Runtime exited with error: exit status 101"}
    
  • A: Run the same template locally with cfn-guard-rulegen to get a better message. Exit status 101 is the exit code of a Rust binary that panicked, so the Lambda is reporting a panic whose text did not make it into the response; the local run prints it:

     thread 'main' panicked at 'Bad Rule Operator: REQUIRE', src/rule_proc.rs:344:2
    

    We will be working to improve the quality of the Lambda's error messages, but as a general rule, cfn-guard-rulegen-lambda is just a wrapper around the cfn-guard-rulegen code, and each can be used to test the other.

Dependencies

~14–21MB
~291K SLoC