The increasing preference for automation alongside the accelerating adoption of cloud computing and CI/CD practices has meant infrastructure is now designed, deployed and configured in an entirely new way. This advanced and efficient infrastructure deployment method, aka Infrastructure as Code (IaC), means critical changes on your AWS environments can be completed more quickly than ever — however, risky security and performance implications can also be introduced just as easily.
Cloud Conformity helps you to find and remediate violations of AWS best practice already present in your footprint today, but what if you could prevent these issues before they even roll into your cloud infrastructure?
With the goal to add proactive preventative controls and highlight the importance of security, performance, reliability and compliance during the deployment process, Cloud Conformity introduces the CloudFormation Template Scanner. The CFT Scanner is a static code analysis and validation tool to check your CloudFormation templates against Cloud Conformity rules, before deploying them live to your AWS infrastructure.
A CloudFormation template is a simple text file that describes a collection, or stack, of AWS resources to be deployed and configured together. This game-changing tool checks the quality of your AWS CloudFormation templates and flags improvements without the need to execute the code first. Sleepless nights be gone!
With Cloud Conformity’s CFT Scanner, each template resource is checked against hundreds of industry best practices, including the AWS Well-Architected Framework, Center for Internet Security (CIS) benchmarks, the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR). Here are some examples of easily and commonly missed misconfigurations that are checked:
- Opening too many TCP ports within EC2 security groups
- Granting permission without applying the principle of least privilege
- Granting permissions to wrong IAM users and roles
- Allowing public access to S3 buckets storing sensitive data
- Forgetting to encrypt RDS databases and EBS volumes
- Exposing APIs to the internet
Following the concept of “Preventative Security Controls”, the CFT Scanner predicts whether an incident will happen and then provides remediation during early development — resolving multiple security problems before they even occur. To ensure full confidence that these security vulnerabilities, AWS resource leaks and performance and reliability issues won’t make it into production, Cloud Conformity strongly recommends that you upload and scan each CloudFormation template before deployment. The CFT Scanner supports templates written in YAML or JSON format.
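To illustrate the kind of static check a template scanner performs, here is a small added Python example (not Cloud Conformity’s code or rule set) that parses a constructed JSON CloudFormation template and flags three of the misconfigurations listed above: a security group ingress open to the internet on a non-web port, an unencrypted EBS volume, and a publicly readable S3 bucket. The template, resource names and the “80/443 only” allowance are assumptions made for the example.

```python
import json

# Constructed sample template (JSON form), not from the original post.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web tier",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {
        "Size": 100, "AvailabilityZone": "us-east-1a"}},          # Encrypted omitted
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "AccessControl": "PublicRead"}},
    "AppDb": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "mysql", "DBInstanceClass": "db.t3.micro", "StorageEncrypted": True}},
}})

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}   # assumed acceptable to expose from a public-facing tier


def scan_template(template_text):
    """Return (logical_id, finding) pairs for a JSON CloudFormation template."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for name, res in resources.items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                public = rule.get("CidrIp") in PUBLIC_CIDRS or rule.get("CidrIpv6") in PUBLIC_CIDRS
                lo, hi = rule.get("FromPort"), rule.get("ToPort")
                # Flag any internet-reachable rule that is not a single standard web port
                if public and not (lo == hi and lo in WEB_PORTS):
                    findings.append((name, f"ingress {lo}-{hi}/{rule.get('IpProtocol')} open to the internet"))
        elif rtype == "AWS::EC2::Volume" and not props.get("Encrypted"):
            findings.append((name, "EBS volume is not encrypted"))
        elif rtype == "AWS::RDS::DBInstance" and not props.get("StorageEncrypted"):
            findings.append((name, "RDS storage is not encrypted"))
        elif rtype == "AWS::S3::Bucket" and props.get("AccessControl") in {"PublicRead", "PublicReadWrite"}:
            findings.append((name, "S3 bucket grants public access"))
    return findings


if __name__ == "__main__":
    for logical_id, finding in scan_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {finding}")
```

Running the block reports the SSH rule, the unencrypted volume and the public bucket, while the encrypted RDS instance and the HTTPS rule pass.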
So there you have it, the tool we could all have done with a few versions ago! Find out how to get started on our GitHub page.
** For open source projects hosted on GitHub, this product is free.