In our latest news, we introduced Cloud Conformity’s CloudFormation Template (CFT) Scanner, the service that will change AWS infrastructure deployment and security. The service identifies misconfigurations and invalid template code before your stack goes live, giving you peace of mind that everything going into your environment is meant to be there, exactly as you want it.

The tool itself is incredibly easy to use:

  1. Users upload the CloudFormation template via their Cloud Conformity account in either YAML or JSON format.
  2. The Cloud Conformity engine runs its 450-plus conformity rules, which use AWS Well-Architected Framework best practices to assess security risks, reliability and performance issues, and any areas where cost could be optimized.
  3. The scan results are returned, highlighting any violations against the rules, so that the necessary steps to modify or even redevelop the CloudFormation template can be taken before it is deployed into your AWS cloud.

Cloud Conformity allows you to upload your templates:

  • You can navigate to the scanning page within your Cloud Conformity account and upload the CloudFormation template using the Browse button, then the Upload and scan button: https://goo.gl/GK6e9b

Note: It is also possible to do this via our API; please see the associated documentation on our GitHub page.

Let’s see the service in action, taking the following AWS CloudFormation template as an example. You’ll see that the template fails to address in-transit and at-rest encryption for this Amazon S3 bucket, as well as bucket deletion prevention using Multi-Factor Authentication (MFA):

---
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation sample template named S3_Website_Bucket_With_Retain_On_Delete: sample template showing how to create a publicly accessible S3 bucket configured for website access with a deletion policy of retain on delete. **WARNING** This template creates an Amazon S3 bucket that will NOT be deleted when the stack is deleted. You will be billed for the AWS resources used if you create a CloudFormation stack from this template.'
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
      BucketEncryption:
        ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: AES256
      LifecycleConfiguration:
        Rules:
        - Id: DeleteEverythingInThreeMonths
          Prefix: ''
          Status: Enabled
          ExpirationInDays: '90'
      VersioningConfiguration:
        Status: Enabled
      Tags:
      - Key: tag1
        Value: tag1_Value
      LoggingConfiguration:
        DestinationBucketName: cc-logging-bucket
        LogFilePrefix: application-logs
    DeletionPolicy: Retain
  SampleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket:
        Ref: S3Bucket
      PolicyDocument:
        Statement:
        - Action:
          - s3:GetObject
          Effect: Allow
          Resource:
          - arn:aws:s3:::cc-website-bucket/*
          Principal: "*"
          Condition:
            StringLike:
              aws:Referer:
              - http://www.cloudconformity.com/*
              - http://cloudconformity.com/*
Outputs:
  WebsiteURL:
    Value:
      Fn::GetAtt:
      - S3Bucket
      - WebsiteURL
    Description: URL for a website/web application hosted on AWS S3.
  S3BucketSecureURL:
    Value:
      Fn::Join:
      - ''
      - - https://
        - Fn::GetAtt:
          - S3Bucket
          - DomainName
    Description: Name of the S3 bucket that holds the website content.
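To show what a rules engine does with the three gaps named above, here is an added Python example (not Cloud Conformity's engine, nor any of its rules) that runs three checks over a JSON rendering of the template above. The rule ids, the requirement for SSE-KMS rather than the template's AES256 default, and the use of a bucket-policy Deny on MFA-less requests as a stand-in for MFA Delete (which CloudFormation's VersioningConfiguration cannot switch on) are assumptions made for this example.

```python
import json
# Constructed JSON rendering of the page's S3 bucket template, trimmed to what the checks inspect.
PAGE_TEMPLATE = json.loads("""{
  "Resources": {
    "S3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
      "VersioningConfiguration": {"Status": "Enabled"}}},
    "SampleBucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
      "Bucket": {"Ref": "S3Bucket"},
      "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Principal": "*",
         "Resource": ["arn:aws:s3:::cc-website-bucket/*"]}]}}}}}""")

def _sse_algorithms(props):
    """Default SSE algorithms declared on the bucket (empty set if none)."""
    cfg = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    return {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in cfg}

def _denies_when_false(template, bucket_id, cond_key):
    """True if a policy attached to bucket_id has a Deny statement conditioned on cond_key being false."""
    for res in template["Resources"].values():
        props = res.get("Properties", {})
        if res.get("Type") != "AWS::S3::BucketPolicy" or props.get("Bucket") != {"Ref": bucket_id}:
            continue
        for stmt in props.get("PolicyDocument", {}).get("Statement", []):
            cond = stmt.get("Condition", {})
            flag = {**cond.get("Bool", {}), **cond.get("BoolIfExists", {})}.get(cond_key)
            if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
                return True
    return False

def scan(template):
    """Return (resource_id, rule_id) findings for every S3 bucket in the template."""
    findings = []
    for rid, res in template["Resources"].items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties", {})
        # Assumed rule: default encryption must use a KMS key, so SSE-S3 (AES256) is reported.
        if "aws:kms" not in _sse_algorithms(props):
            findings.append((rid, "S3-AtRestEncryption"))
        if not _denies_when_false(template, rid, "aws:SecureTransport"):
            findings.append((rid, "S3-InTransitEncryption"))
        # Assumed stand-in for MFA Delete (not settable from CloudFormation): versioning plus a Deny on MFA-less requests.
        if (props.get("VersioningConfiguration", {}).get("Status") != "Enabled"
                or not _denies_when_false(template, rid, "aws:MultiFactorAuthPresent")):
            findings.append((rid, "S3-MfaDelete"))
    return findings
```

Running scan(PAGE_TEMPLATE) reports all three rules against S3Bucket; a template with SSE-KMS default encryption, versioning, and Deny statements on aws:SecureTransport and aws:MultiFactorAuthPresent being false produces no findings.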

After being run in the rules engine, this template produced the scan results below:

Pretty straightforward, right?

Following the usual user-friendly Cloud Conformity format, the results are clearly marked against the conformity rule, service, category and risk level as defined by the Well-Architected Framework. On any check that has failed, a ‘Resolve’ button appears that takes you directly to the step-by-step remediation guide for that specific rule.

You can run the same template through the scanning tool as many times as you like to ensure you get the green light on all relevant rules; in fact, Cloud Conformity strongly recommends scanning each template before deployment for this very reason.

Today, the Cloud Conformity engine runs over 450 checks, and with new checks added on a fortnightly basis, you can be confident that your infrastructure is assessed against the newest security, reliability and optimization checks.

Get started today on our GitHub API Documentation page or with a 14-day trial.