How to do a quality check on AWS cloud formation

Cloud formation is an infrastructure automation platform for AWS that deploys AWS resources in a repeatable, testable, and auditable manner.

This article will tackle how to validate, syntax lint, security vulnerabilities, best practice, and test cloud formation templates to improve the quality of overall infrastructure via an automated deployment pipeline.

This article assumes that readers have a basic understanding of AWS cloud formation, which is not recommended for beginners.

It is not feasible to manually check for issues, security risks, and invalid syntax in cloud formation which has multiple nested stacks.

CFN-lint:

CFN-lint was developed and maintained by Aws to validate cloud formation syntax . Linter is written in python.

To install: pip install cfn-lint, brew install cfn-lint

To scan templates :

Single template:

cfn-lint template.yaml

Multiple templates :

cfn-lint path/*.yaml cfn-lint path/**/*.yaml

It will return a non-zero error code when there is an issue in the template

GitHub : aws-cloudformation/cfn-lint: CloudFormation Linter

  • 0 is no issue was found
  • 2 is an error
  • 4 is a warning
  • 6 is an error and a warning
  • 8 is an informational
  • 10 is an error and informational
  • 12 is a warning and informational
  • 14 is an error and a warning and an informational
  • For cloud formation security and best practices :

CFN-nag:

The cfn-nag tool looks for patterns in CloudFormation templates that may indicate insecure infrastructure. Roughly speaking, it will look for:

  • IAM rules that are too permissive (wildcards)
  • Security group rules that are too permissive (wildcards)
  • Access logs that aren’t enabled
  • Encryption that isn’t enabled
  • Password literals
  • Cfn-nag is written in ruby.

To install:

gem install cfn-nag or brew install ruby brew-gem or brew gem install cfn-nag

To scan templates :

cfn_nag_scan — input-path <path to cloudformation json>
Docker image : stelligent/cfn_nag@master

Github link : stelligent/cfn_nag: Linting tool for CloudFormation templates

For more background on the tool, please see this post on Stelligent’s blog: Finding Security Problems Early in the Development Process of a CloudFormation Template with “cfn-nag”

For cloudformation testing:

Task Cat:

Task Cat is a tool that tests AWS CloudFormation templates.

It deploys your AWS CloudFormation template in multiple AWS Regions and generates a report with a pass/fail grade for each region.

You can specify the regions and number of Availability Zones you want to include in the test, and pass in parameter values from your AWS CloudFormation template.

Task Cat is implemented as a Python class that you import, instantiate, and run.

The aws-ia team developed TaskCat to test AWS CloudFormation templates that automatically deploy workloads on AWS.

AWS is pleased to make the tool available to all developers who want to validate their custom AWS CloudFormation templates across AWS Regions

GitHub Link

Docs Link

For more details read: aws.amazon.com/blogs/devops/building-a-ci-c..

#aws #cloudformation