Serverless framework configuration scanning

Checkov supports the evaluation of policies on your Serverless framework files. When using checkov to scan a directory that contains a Serverless framework template it will validate if the file is compliant with AWS best practices such as having logging and auditing enabled, making sure S3 buckets are encrypted, HTTPS is being used, and more.

Full list of Serverless framework policies checks can be found here. The serverless scanning is utilizing checks that are part of the Cloudformation scanning implementation of checkov since Serverless resource definition extends the Cloudformation definition.

Example misconfigured Serverless framework

service: usersCrud
provider: aws

functions:
  myFunc:
    name: myFunc
    tags:
      RESOURCE: lambda
      PUBLIC: false
    iamRoleStatements:
      - Effect: Allow
        Action:
          - "lambda:InvokeFunction"
        Resource:
          - "arn:aws:lambda:#{AWS::Region}:#{AWS::AccountId}:function:invokedLambda"
    handler: Handler.handle
    timeout: 600
    memorySize: 320

resources: # CloudFormation template syntax
  Resources:
    S3BucketPublicRead:
      Type: AWS::S3::Bucket
      Properties:
        AccessControl: PublicRead
        BucketEncryption:
          ServerSideEncryptionConfiguration:
            - ServerSideEncryptionByDefault:
                SSEAlgorithm: AES256

Running in CLI

checkov -d . --framework serverless

Example output


       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By Prisma Cloud | version: x.x.x 


serverless scan results:

Passed checks: 5, Failed checks: 7, Skipped checks: 0

Check: CKV_AWS_19: "Ensure the S3 bucket has server-side-encryption enabled"
   PASSED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-14-data-encrypted-at-rest

Check: CKV_AWS_57: "Ensure the S3 bucket does not allow WRITE permissions to everyone"
   PASSED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-2-acl-write-permissions-everyone

Check: CKV_AWS_49: "Ensure no IAM policies documents allow "*" as a statement's actions"
   PASSED for resource: myFunc
   File:/serverless.yml:5-19
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc_aws_iam_43

Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider"
   PASSED for resource: myFunc
   File:/serverless.yml:5-19
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc_aws_secrets_5

Check: CKV_AWS_1: "Ensure IAM policies that allow full "*-*" administrative privileges are not created"
   PASSED for resource: myFunc
   File:/serverless.yml:5-19
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/iam_23

Check: CKV_AWS_20: "Ensure the S3 bucket does not allow READ permissions to everyone"
   FAILED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3_1-acl-read-permissions-everyone

      22 |     S3BucketPublicRead:
      23 |       Type: AWS::S3::Bucket
      24 |       Properties:
      25 |         AccessControl: PublicRead
      26 |         BucketEncryption:
      27 |           ServerSideEncryptionConfiguration:
      28 |             - ServerSideEncryptionByDefault:
      29 |                 SSEAlgorithm: AES256

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
   FAILED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3_13-enable-logging

      22 |     S3BucketPublicRead:
      23 |       Type: AWS::S3::Bucket
      24 |       Properties:
      25 |         AccessControl: PublicRead
      26 |         BucketEncryption:
      27 |           ServerSideEncryptionConfiguration:
      28 |             - ServerSideEncryptionByDefault:
      29 |                 SSEAlgorithm: AES256

Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLS enabled"
   FAILED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc_aws_s3_19

      22 |     S3BucketPublicRead:
      23 |       Type: AWS::S3::Bucket
      24 |       Properties:
      25 |         AccessControl: PublicRead
      26 |         BucketEncryption:
      27 |           ServerSideEncryptionConfiguration:
      28 |             - ServerSideEncryptionByDefault:
      29 |                 SSEAlgorithm: AES256

Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
   FAILED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc_aws_s3_20

      22 |     S3BucketPublicRead:
      23 |       Type: AWS::S3::Bucket
      24 |       Properties:
      25 |         AccessControl: PublicRead
      26 |         BucketEncryption:
      27 |           ServerSideEncryptionConfiguration:
      28 |             - ServerSideEncryptionByDefault:
      29 |                 SSEAlgorithm: AES256

Check: CKV_AWS_21: "Ensure the S3 bucket has versioning enabled"
   FAILED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3_16-enable-versioning

      22 |     S3BucketPublicRead:
      23 |       Type: AWS::S3::Bucket
      24 |       Properties:
      25 |         AccessControl: PublicRead
      26 |         BucketEncryption:
      27 |           ServerSideEncryptionConfiguration:
      28 |             - ServerSideEncryptionByDefault:
      29 |                 SSEAlgorithm: AES256

Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled"
   FAILED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc_aws_s3_21

      22 |     S3BucketPublicRead:
      23 |       Type: AWS::S3::Bucket
      24 |       Properties:
      25 |         AccessControl: PublicRead
      26 |         BucketEncryption:
      27 |           ServerSideEncryptionConfiguration:
      28 |             - ServerSideEncryptionByDefault:
      29 |                 SSEAlgorithm: AES256

Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
   FAILED for resource: AWS::S3::Bucket.S3BucketPublicRead
   File:/serverless.yml:22-29
   Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc_aws_s3_22

      22 |     S3BucketPublicRead:
      23 |       Type: AWS::S3::Bucket
      24 |       Properties:
      25 |         AccessControl: PublicRead
      26 |         BucketEncryption:
      27 |           ServerSideEncryptionConfiguration:
      28 |             - ServerSideEncryptionByDefault:
      29 |                 SSEAlgorithm: AES256