.gitignore
.readthedocs.yaml
CHANGELOG.md
CLAUDE.md
CODEOWNERS
CODE_OF_CONDUCT.md
CONTRIBUTING.md
LICENSE.md
Makefile
README.md
mkdocs.yml
pyproject.toml
uv.lock
.github/dependabot.yml
.github/pull_request_template.md
.github/release-drafter.yml
.github/workflows/lint-and-test.yml
.github/workflows/pypi-release.yml
.github/workflows/release-drafter.yml
.github/workflows/test-docs.yml
.github/workflows/zizmor.yml
cfripper/__init__.py
cfripper/__main__.py
cfripper/boto3_client.py
cfripper/cli.py
cfripper/cloudformation_actions_only_accepts_wildcard.py
cfripper/exceptions.py
cfripper/rule_processor.py
cfripper.egg-info/PKG-INFO
cfripper.egg-info/SOURCES.txt
cfripper.egg-info/dependency_links.txt
cfripper.egg-info/entry_points.txt
cfripper.egg-info/requires.txt
cfripper.egg-info/top_level.txt
cfripper/config/__init__.py
cfripper/config/config.py
cfripper/config/constants.py
cfripper/config/filter.py
cfripper/config/logger.py
cfripper/config/regex.py
cfripper/config/rule_config.py
cfripper/config/pluggy/__init__.py
cfripper/config/pluggy/hookspec.py
cfripper/config/pluggy/utils.py
cfripper/config/rule_configs/__init__.py
cfripper/config/rule_configs/allow_http_ports_open_to_world.py
cfripper/config/rule_configs/example_rules_config_for_cli.py
cfripper/config/rule_configs/firehose_ips.py
cfripper/model/__init__.py
cfripper/model/enums.py
cfripper/model/result.py
cfripper/model/utils.py
cfripper/rules/__init__.py
cfripper/rules/base_rules.py
cfripper/rules/cloudformation_authentication.py
cfripper/rules/cross_account_trust.py
cfripper/rules/ebs_volume_has_sse.py
cfripper/rules/ec2_security_group.py
cfripper/rules/hardcoded_RDS_password.py
cfripper/rules/iam_roles.py
cfripper/rules/kms_key_rotation_enabled.py
cfripper/rules/kms_key_wildcard_principal.py
cfripper/rules/managed_policy_on_user.py
cfripper/rules/policy_on_user.py
cfripper/rules/privilege_escalation.py
cfripper/rules/public_elb_checker_rule.py
cfripper/rules/rds_security_group.py
cfripper/rules/s3_bucket_policy.py
cfripper/rules/s3_lifecycle_configuration.py
cfripper/rules/s3_object_versioning.py
cfripper/rules/s3_public_access.py
cfripper/rules/sns_topic_policy.py
cfripper/rules/sqs_queue_policy.py
cfripper/rules/stack_name_matches_regex.py
cfripper/rules/storage_encrypted_rule.py
cfripper/rules/wildcard_policies.py
cfripper/rules/wildcard_principals.py
cfripper/rules/wildcard_resource_rule.py
docs/__init__.py
docs/changelog.md
docs/cli.md
docs/code_of_conduct.md
docs/contributing.md
docs/examples.md
docs/index.md
docs/plugin.md
docs/rule_config_and_filters.md
docs/rules.md
docs/img/cfripper.png
docs/img/cfripper2.png
docs/img/favicon.ico
docs/img/logo.png
tests/__init__.py
tests/conftest.py
tests/test_boto3_client.py
tests/test_cli.py
tests/utils.py
tests/config/test_config.py
tests/config/test_filter.py
tests/config/test_pluggy.py
tests/config/test_regex.py
tests/model/test_principal_checking_rule.py
tests/model/test_result.py
tests/model/test_rule_processor.py
tests/model/test_utils.py
tests/rules/test_CloudFormationAuthenticationRule.py
tests/rules/test_CrossAccountTrustRule.py
tests/rules/test_EBSVolumeHasSSERule.py
tests/rules/test_EC2SecurityGroupIngressOpenToWorld.py
tests/rules/test_EC2SecurityGroupMissingEgressRule.py
tests/rules/test_EC2SecurityGroupOpenToWorldRule.py
tests/rules/test_FullWildcardPrincipal.py
tests/rules/test_GenericCrossAccountTrustRule.py
tests/rules/test_GenericResourceFullWildcardPrincipal.py
tests/rules/test_GenericResourcePartialWildcardPrincipal.py
tests/rules/test_GenericResourceWildcardPolicyRule.py
tests/rules/test_GenericResourceWildcardPrincipal.py
tests/rules/test_GenericWildcardPrincipal.py
tests/rules/test_HardcodedRDSPasswordRule.py
tests/rules/test_IAMRoleWildcardActionOnPolicyRule.py
tests/rules/test_IAMRolesOverprivilegedRule.py
tests/rules/test_KMSEnabledKeyRotationRule.py
tests/rules/test_KMSKeyWildcardPrincipal.py
tests/rules/test_ManagedPolicyOnUserRule.py
tests/rules/test_PartialWildcardPrincipal.py
tests/rules/test_PolicyOnUserRule.py
tests/rules/test_PrivilegeEscalationRule.py
tests/rules/test_PublicELBCheckerRule.py
tests/rules/test_RDSSecurityGroupIngressOpenToWorldRule.py
tests/rules/test_S3BucketPolicyPrincipalRule.py
tests/rules/test_S3BucketPublicReadAclAndListStatementRule.py
tests/rules/test_S3BucketPublicReadAclRule.py
tests/rules/test_S3BucketPublicReadWriteAclRule.py
tests/rules/test_S3CrossAccountTrustRule.py
tests/rules/test_S3LifecycleConfigurationRule.py
tests/rules/test_S3ObjectVersioningRule.py
tests/rules/test_SNSTopicDangerousPolicyActionsRule.py
tests/rules/test_SNSTopicPolicyNotPrincipalRule.py
tests/rules/test_SQSDangerousPolicyActionsRule.py
tests/rules/test_SQSQueuePolicyNotPrincipalRule.py
tests/rules/test_SQSQueuePolicyPublicRule.py
tests/rules/test_StackNameMatchesRegexRule.py
tests/rules/test_StorageEncryptedRule.py
tests/rules/test_WildcardPoliciesRule.py
tests/rules/test_WildcardResourceRule.py
tests/test_files/config/rules_config_CrossAccountTrustRule.py
tests/test_files/config/rules_config_invalid.py
tests/test_files/filters/test_filter_1.py
tests/test_files/invalid_filters/invalid_filters.py
tests/test_templates/config/cross_account_role_no_name.json
tests/test_templates/config/cross_account_role_with_name.json
tests/test_templates/config/security_group_firehose_ips.json
tests/test_templates/model/example.json
tests/test_templates/others/bad_cidr_in_parameter.yml
tests/test_templates/others/buckets_with_insecure_acl.json
tests/test_templates/others/cloudfront_distribution_without_logging.json
tests/test_templates/others/dangling_egress_rule.json
tests/test_templates/others/dangling_ingress_rule.json
tests/test_templates/others/ebs_volume_with_encryption.json
tests/test_templates/others/ebs_volume_without_encryption_string.json
tests/test_templates/others/ebs_volume_without_encryption_string_externalized.json
tests/test_templates/others/egress_with_port_range.json
tests/test_templates/others/iam_managed_policy_on_user.json
tests/test_templates/others/iam_managed_policy_with_not_action.json
tests/test_templates/others/iam_managed_policy_with_not_resource.json
tests/test_templates/others/iam_managed_policy_with_wildcard_action.json
tests/test_templates/others/iam_managed_policy_with_wildcard_resource.json
tests/test_templates/others/iam_policy_on_user.json
tests/test_templates/others/iam_policy_with_not_action.json
tests/test_templates/others/iam_policy_with_not_resource.json
tests/test_templates/others/iam_policy_with_wildcard_action.json
tests/test_templates/others/iam_policy_with_wildcard_resource.json
tests/test_templates/others/iam_role.json
tests/test_templates/others/iam_role_not_action.json
tests/test_templates/others/iam_role_not_action_on_trust.json
tests/test_templates/others/iam_role_not_principal_on_trust.json
tests/test_templates/others/iam_role_not_resource.json
tests/test_templates/others/iam_user_with_inline_policy.json
tests/test_templates/others/iam_user_with_no_group.json
tests/test_templates/others/iam_user_with_one_group.json
tests/test_templates/others/iam_user_with_two_groups_through_addition.json
tests/test_templates/others/ip6_security_group_egress_open_to_world.yml
tests/test_templates/others/ip6_security_groups_open_to_world.json
tests/test_templates/others/ip6_security_groups_open_to_world.yml
tests/test_templates/others/lambda_with_wildcard_principal_and_non_invoke_function_permission.json
tests/test_templates/others/multiple_inline_egress.json
tests/test_templates/others/non_32_cidr.json
tests/test_templates/others/non_32_cidr_standalone_ingress.json
tests/test_templates/others/non_32_cidr_with_ip6.json
tests/test_templates/others/rds_instance_literal_password.json
tests/test_templates/others/rds_instance_no_echo_password.json
tests/test_templates/others/rds_instance_no_echo_with_default_password.json
tests/test_templates/others/rds_instance_not_publicly_accessible.json
tests/test_templates/others/rds_instance_publicly_accessible.json
tests/test_templates/others/rds_instance_without_publicly_accessible.json
tests/test_templates/others/s3_bucket_policy_with_not_action.json
tests/test_templates/others/s3_bucket_policy_with_not_principal.json
tests/test_templates/others/security_group_open_to_world_on_egress.json
tests/test_templates/others/security_group_open_to_world_on_ingress.json
tests/test_templates/others/sg_with_mangled_metadata.yml
tests/test_templates/others/sg_with_suppression.yml
tests/test_templates/others/single_security_group_empty_ingress.json
tests/test_templates/others/single_security_group_single_egress.json
tests/test_templates/others/single_security_group_two_externalized_egress.json
tests/test_templates/others/sns_topic_with_not_action.json
tests/test_templates/others/sns_topic_with_not_principal.json
tests/test_templates/others/sns_topic_with_wildcard_principal.json
tests/test_templates/others/sqs_policy_with_not_action.json
tests/test_templates/others/sqs_policy_with_not_principal.json
tests/test_templates/others/standalone_egress_open_to_world.json
tests/test_templates/others/standalone_ingress_open_to_world.json
tests/test_templates/others/two_ebs_volumes_with_no_encryption.json
tests/test_templates/others/two_load_balancers_with_no_logging.json
tests/test_templates/others/two_security_group_two_cidr_ingress.json
tests/test_templates/others/two_security_group_two_externalized_cidr_ingress.json
tests/test_templates/others/two_security_groups_one_with_non_32_cidr.json
tests/test_templates/others/waf_webacl_with_default_allow.json
tests/test_templates/rules/CloudFormationAuthenticationRule/cfn_authentication_bad.json
tests/test_templates/rules/CloudFormationAuthenticationRule/cfn_authentication_good.json
tests/test_templates/rules/CloudFormationAuthenticationRule/cfn_authentication_neutral.yml
tests/test_templates/rules/CrossAccountTrustRule/es_domain_basic.yml
tests/test_templates/rules/CrossAccountTrustRule/es_domain_without_access_policies.yml
tests/test_templates/rules/CrossAccountTrustRule/generic_resource_no_policies.json
tests/test_templates/rules/CrossAccountTrustRule/generic_resource_with_cross_account_policy.json
tests/test_templates/rules/CrossAccountTrustRule/generic_resources_no_policies.json
tests/test_templates/rules/CrossAccountTrustRule/generic_resources_with_cross_account_policies.json
tests/test_templates/rules/CrossAccountTrustRule/generic_resources_with_mixed_cross_account_policy_and_no_policy.json
tests/test_templates/rules/CrossAccountTrustRule/iam_role_to_jump_to_another_account.yaml
tests/test_templates/rules/CrossAccountTrustRule/iam_root_role_cross_account.json
tests/test_templates/rules/CrossAccountTrustRule/iam_root_role_cross_account_two_roles.json
tests/test_templates/rules/CrossAccountTrustRule/invalid_generic_resource.json
tests/test_templates/rules/CrossAccountTrustRule/invalid_generic_resources.json
tests/test_templates/rules/CrossAccountTrustRule/invalid_with_sts.yml
tests/test_templates/rules/CrossAccountTrustRule/invalid_with_sts_es_domain.yml
tests/test_templates/rules/CrossAccountTrustRule/invalid_with_sts_opensearch_domain.yml
tests/test_templates/rules/CrossAccountTrustRule/kms_basic.yml
tests/test_templates/rules/CrossAccountTrustRule/kms_key_without_policy.yml
tests/test_templates/rules/CrossAccountTrustRule/mixed_invalid_generic_resources.json
tests/test_templates/rules/CrossAccountTrustRule/opensearch_domain_basic.yml
tests/test_templates/rules/CrossAccountTrustRule/opensearch_domain_without_access_policies.yml
tests/test_templates/rules/CrossAccountTrustRule/valid_with_canonical_id.json
tests/test_templates/rules/CrossAccountTrustRule/valid_with_service.json
tests/test_templates/rules/CrossAccountTrustRule/valid_with_sts.yml
tests/test_templates/rules/CrossAccountTrustRule/valid_with_sts_es_domain.yml
tests/test_templates/rules/CrossAccountTrustRule/valid_with_sts_opensearch_domain.yml
tests/test_templates/rules/EBSVolumeHasSSERule/bad_template.json
tests/test_templates/rules/EBSVolumeHasSSERule/bad_template.yaml
tests/test_templates/rules/EBSVolumeHasSSERule/good_template.json
tests/test_templates/rules/EC2SecurityGroupIngressOpenToWorld/bad_template.json
tests/test_templates/rules/EC2SecurityGroupIngressOpenToWorld/good_template.json
tests/test_templates/rules/EC2SecurityGroupMissingEgressRule/security_group_with_egress.json
tests/test_templates/rules/EC2SecurityGroupMissingEgressRule/single_security_group_one_cidr_ingress.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/invalid_security_group_cidripv6.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/invalid_security_group_multiple_statements.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/invalid_security_group_no_ports_defined.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/invalid_security_group_port78_81.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/invalid_security_group_range.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/security_group_type_slash0.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/valid_security_group_not_slash0.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/valid_security_group_port443.json
tests/test_templates/rules/EC2SecurityGroupOpenToWorldRule/valid_security_group_port80.json
tests/test_templates/rules/FullWildcardPrincipalRule/bad_template.json
tests/test_templates/rules/FullWildcardPrincipalRule/good_template.json
tests/test_templates/rules/GenericWildcardPrincipalRule/bad_template.json
tests/test_templates/rules/GenericWildcardPrincipalRule/good_template.json
tests/test_templates/rules/GenericWildcardPrincipalRule/kms_replica_key.yaml
tests/test_templates/rules/GenericWildcardPrincipalRule/wildcard_principal_rule_is_allowed_retrieved_correctly.json
tests/test_templates/rules/HardcodedRDSPasswordRule/bad_clusters_and_instances.json
tests/test_templates/rules/HardcodedRDSPasswordRule/bad_template.json
tests/test_templates/rules/HardcodedRDSPasswordRule/bad_template_cluster.json
tests/test_templates/rules/HardcodedRDSPasswordRule/rds_good_cluster_bad_instances.json
tests/test_templates/rules/HardcodedRDSPasswordRule/rds_good_cluster_good_instances.json
tests/test_templates/rules/IAMRoleWildcardActionOnPolicyRule/iam_managed_policy_with_wildcard_action.json
tests/test_templates/rules/IAMRoleWildcardActionOnPolicyRule/iam_role_valid.json
tests/test_templates/rules/IAMRoleWildcardActionOnPolicyRule/iam_role_with_wildcard_action.json
tests/test_templates/rules/IAMRoleWildcardActionOnPolicyRule/iam_role_with_wildcard_action_on_trust.json
tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_inline_policy.json
tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_inline_policy_fn_if.json
tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_inline_policy_resource_as_array.json
tests/test_templates/rules/IAMRolesOverprivilegedRule/invalid_role_managed_policy.json
tests/test_templates/rules/IAMRolesOverprivilegedRule/valid_role_inline_policy.json
tests/test_templates/rules/IAMRolesOverprivilegedRule/valid_role_managed_policy.json
tests/test_templates/rules/KMSEnabledKeyRotation/bad_template_symmetric_keyspec_property.yaml
tests/test_templates/rules/KMSEnabledKeyRotation/bad_template_symmetric_no_property.yaml
tests/test_templates/rules/KMSEnabledKeyRotation/bad_template_symmetric_property.yaml
tests/test_templates/rules/KMSEnabledKeyRotation/good_template.yaml
tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_with_wildcard_resource.json
tests/test_templates/rules/KMSKeyWildcardPrincipalRule/kms_key_without_policy.yml
tests/test_templates/rules/ManagedPolicyOnUserRule/bad_template.json
tests/test_templates/rules/ManagedPolicyOnUserRule/good_template.json
tests/test_templates/rules/PartialWildcardPrincipalRule/aws_elb_template.yml
tests/test_templates/rules/PartialWildcardPrincipalRule/bad_template.json
tests/test_templates/rules/PartialWildcardPrincipalRule/good_template.json
tests/test_templates/rules/PartialWildcardPrincipalRule/intra_account_root_access.yml
tests/test_templates/rules/PolicyOnUserRule/bad_template.json
tests/test_templates/rules/PolicyOnUserRule/good_template.json
tests/test_templates/rules/PrivilegeEscalationRule/privilege_escalation_role.yaml
tests/test_templates/rules/PrivilegeEscalationRule/privilege_escalation_s3_bucket_policy.yaml
tests/test_templates/rules/PrivilegeEscalationRule/valid_role_inline_policy.json
tests/test_templates/rules/PublicELBCheckerRule/private_elb_instance.yml
tests/test_templates/rules/PublicELBCheckerRule/private_elb_v2_instance.yml
tests/test_templates/rules/PublicELBCheckerRule/public_facing_elb_instance.yml
tests/test_templates/rules/PublicELBCheckerRule/public_facing_elb_v2_instance.yml
tests/test_templates/rules/RDSSecurityGroupIngressOpenToWorldRule/rds_sg.yaml
tests/test_templates/rules/RDSSecurityGroupIngressOpenToWorldRule/rds_sg_ingress.yaml
tests/test_templates/rules/S3BucketPolicyPrincipalRule/bad_template.json
tests/test_templates/rules/S3BucketPublicReadAclAndListStatementRule/s3_read_plus_list.json
tests/test_templates/rules/S3BucketPublicReadAclRule/bad_template.json
tests/test_templates/rules/S3BucketPublicReadWriteAclRule/bad_template.json
tests/test_templates/rules/S3CrossAccountTrustRule/s3_bucket_cross_account.json
tests/test_templates/rules/S3CrossAccountTrustRule/s3_bucket_cross_account_and_normal.json
tests/test_templates/rules/S3CrossAccountTrustRule/s3_bucket_cross_account_from_aws_service.json
tests/test_templates/rules/S3LifecycleConfiguration/bad_template_no_configurations.yaml
tests/test_templates/rules/S3LifecycleConfiguration/good_template.yaml
tests/test_templates/rules/S3ObjectVersioning/good_template.yaml
tests/test_templates/rules/S3ObjectVersioning/no_versioning_defined.yaml
tests/test_templates/rules/S3ObjectVersioning/status_suspended.yaml
tests/test_templates/rules/SNSTopicDangerousPolicyActionsRule/bad_template.yaml
tests/test_templates/rules/SNSTopicPolicyNotPrincipalRule/bad_template.json
tests/test_templates/rules/SQSDangerousPolicyActionsRule/sqs_policy.json
tests/test_templates/rules/SQSQueuePolicyNotPrincipalRule/bad_template.json
tests/test_templates/rules/SQSQueuePolicyPublicRule/sqs_policy_public.json
tests/test_templates/rules/StorageEncryptedRule/aurora_engine_used.yml
tests/test_templates/rules/StorageEncryptedRule/encrypted_db_resource.yml
tests/test_templates/rules/StorageEncryptedRule/missing_storage_encrypted_flag.yml
tests/test_templates/rules/StorageEncryptedRule/no_db_resource.yml
tests/test_templates/rules/StorageEncryptedRule/two_resources_not_encrypted.yml
tests/test_templates/rules/WildcardPoliciesRule/generic_with_wildcards.json
tests/test_templates/rules/WildcardPoliciesRule/s3_bucket_with_wildcards.json
tests/test_templates/rules/WildcardPoliciesRule/sns_topic_with_wildcards.json
tests/test_templates/rules/WildcardPoliciesRule/sqs_queue_with_wildcards.json
tests/test_templates/rules/WildcardResourceRule/iam_policy_with_wildcard_resource_and_wildcard_action.json
tests/test_templates/rules/WildcardResourceRule/iam_policy_with_wildcard_resource_and_wildcard_action_and_condition.json
tests/test_templates/rules/WildcardResourceRule/iam_policy_with_wildcard_resource_and_wildcard_action_without_policy_name.json
tests/test_templates/rules/WildcardResourceRule/iam_policy_with_wildcard_resource_without_policy_name.json
tests/test_templates/rules/WildcardResourceRule/iam_user_with_wildcard_resource.json
tests/test_templates/rules/WildcardResourceRule/multiple_resources_with_wildcard_resources.json
tests/test_templates/rules/WildcardResourceRule/policy_with_invalid_string_policy_document.json
tests/test_templates/rules/WildcardResourceRule/policy_with_s3_wildcard_and_all_buckets.json
tests/test_templates/rules/WildcardResourceRule/policy_with_string_policy_document.json