
Cloud Conformity Custom Policy Version (Using CloudFormation)

Operational excellence

Risk level: High (not acceptable risk)

Ensure that your AWS account is using the latest version of Cloud Conformity custom access policy in order to get the latest Cloud Conformity features and best practices that might require further access to the security configuration metadata of your AWS infrastructure.

Cloud Conformity updates the custom access policy as new conformity rules, features and best practices are introduced. If the Cloud Conformity engine does not use the latest version of the policy to access your AWS security configuration metadata, it won’t be able to highlight the newest potential security risks, cost or reliability inefficiencies.

Audit

To determine if your AWS account is using the latest version of Cloud Conformity custom access policy (version 1.2), perform the following:

Using AWS CloudFormation Console

01 Sign in to the AWS account registered with Cloud Conformity.

02 Navigate to CloudFormation dashboard at https://console.aws.amazon.com/cloudformation/.

03 Select the CloudFormation stack used during the registration process to grant access to your Cloud Conformity account.

04 Select Outputs tab from the dashboard bottom panel to access the stack output parameters.

05 Check the value set for the Version output key, available in the Value column.

If the version number is lower than the latest policy version number (i.e. 1.2), the access policy in use is outdated, therefore your AWS account is not using the latest version of Cloud Conformity custom access policy.

06 Repeat steps no. 1 – 5 for each AWS account registered with Cloud Conformity, that you want to examine.

Using AWS CLI

01 Run list-stacks command (OSX/Linux/UNIX) to list the names of all CloudFormation stacks provisioned within the AWS account registered with Cloud Conformity:

aws cloudformation list-stacks \
	--region us-east-1 \
	--output table \
	--query 'StackSummaries[*].StackName'

02 The command output should return a table with the requested stack names:

-----------------------
|     ListStacks      |
+---------------------+
|  CloudConformity    |
|  ProductionWebApp   |
|  WebServerCFNStack  |
+---------------------+

03 Run describe-stacks command (OSX/Linux/UNIX) using custom query filters to get the version number of the access policy used by the CloudFormation stack, named "CloudConformity", provided by Cloud Conformity during the registration process:

aws cloudformation describe-stacks \
	--region us-east-1 \
	--stack-name CloudConformity \
	--query 'Stacks[*].Outputs[?(OutputKey==`Version`)].OutputValue[]'

04 The command output should return the version number for the custom access policy used:

[
    "1.0"
]

If the version number returned by the describe-stacks command output is lower than the latest policy version number (i.e. 1.2), the access policy utilized is outdated, therefore your AWS account is not using the latest version of Cloud Conformity custom access policy.

05 Repeat steps no. 1 – 4 for each AWS account registered with Cloud Conformity, that you want to examine.

Remediation / Resolution

To update the Cloud Conformity custom access policy for your AWS account, perform the following actions:

Using Cloud Conformity Console

01 Sign in to Cloud Conformity Dashboard, select your account >> Settings >> Access Settings >> Update access settings.

02 Click on Cloud Conformity stack edit page link.

03 Select Specify an Amazon S3 template URL.

04 Enter the following URL and click Next until you get to the Review page.
https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template

05 Check "I acknowledge that AWS CloudFormation might create IAM resources with custom names." and click Update

06 Repeat steps no. 1 – 5 to update the custom access policy for other AWS accounts registered with Cloud Conformity.

Using AWS CLI

01 Run describe-stacks command (OSX/Linux/UNIX) to list the outputs of the CloudFormation stack, named "CloudConformity", created during the Cloud Conformity registration process:

aws cloudformation describe-stacks \
	--region us-east-1 \
	--stack-name CloudConformity \
	--query 'Stacks[*].Outputs[]'

02 The command output should return the stack outputs (the current policy version and the ARN of the cross-account role assumed by Cloud Conformity), information that will be useful later when the CloudFormation stack is updated:

[
    {
        "OutputKey": "Version",
        "OutputValue": "1.0"
    },
    {
        "OutputKey": "CloudConformityRoleArn",
        "OutputValue": "arn:aws:iam::123456789012:role/CloudConformity"
    }
]

03 Run update-stack command (OSX/Linux/UNIX) to update the AWS CloudFormation stack used for Cloud Conformity registration, passing the same AccountId and ExternalId parameter values the stack already holds. The account ID is visible in the CloudConformityRoleArn output returned at the previous step; the ExternalId is the value supplied at registration and must stay unchanged, otherwise Cloud Conformity can no longer assume the role. If you do not want to retype them, pass ParameterKey=AccountId,UsePreviousValue=true and ParameterKey=ExternalId,UsePreviousValue=true instead of explicit values. Once the update process is complete, the Cloud Conformity custom access policy will be updated to the latest version (i.e. 1.2):

aws cloudformation update-stack \
	--region us-east-1 \
	--stack-name CloudConformity \
	--template-url https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template \
	--capabilities "CAPABILITY_NAMED_IAM" \
	--parameters ParameterKey="AccountId",ParameterValue="123456789012" ParameterKey="ExternalId",ParameterValue="AAABBBCCCDDD"

04 The command output should return the ID of the updated AWS CloudFormation stack:

{
   "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/CloudConformity/aaaabbbb-cccc-dddd-eeee-aaabbbcccddd"
}

05 Repeat steps no. 1 – 4 to update the custom access policy for other AWS accounts registered with Cloud Conformity.
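The audit and remediation steps above are repeated once per registered account. The script below is an added example (not Cloud Conformity's own tooling) that does both in one pass: it reads the Version output of the CloudConformity stack through a named AWS CLI profile for each account, compares it numerically against the latest policy version (1.2, as stated on this page), and with --fix rolls the stack forward to the published template while keeping the stored AccountId and ExternalId via UsePreviousValue, so the external ID the role trust relies on is never retyped or changed. It assumes one CLI profile per account (the profile names on the command line are the caller's), the stack name, region and template URL from this page (all overridable through environment variables), and that the stack exposes the Version output shown above. The version comparison handles the case where a lexical comparison would go wrong (1.10 versus 1.9) and the "No updates are to be performed" response CloudFormation returns when the template is already current.

```shell
#!/bin/sh
# cc_policy_version.sh: audit (and optionally update) the Cloud Conformity
# custom access policy version across accounts. Added example, not part of
# the original page. Usage: sh cc_policy_version.sh [--fix] PROFILE...

STACK_NAME=${STACK_NAME:-CloudConformity}     # stack name from the registration step
REGION=${REGION:-us-east-1}                   # region used on this page
LATEST_VERSION=${LATEST_VERSION:-1.2}         # latest policy version per this page; bump when a newer template ships
TEMPLATE_URL=${TEMPLATE_URL:-https://s3-us-west-2.amazonaws.com/cloudconformity/CloudConformity.template}

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# Compares component by component, so 1.10 is newer than 1.9; a missing
# component counts as 0, so 1.2 equals 1.2.0.
version_lt() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    ai=${ai:-0}; bi=${bi:-0}
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1
}

# current_policy_version PROFILE: print the stack's Version output ("" or
# "None" when the output does not exist).
current_policy_version() {
  aws cloudformation describe-stacks \
    --profile "$1" --region "$REGION" --stack-name "$STACK_NAME" \
    --query 'Stacks[0].Outputs[?OutputKey==`Version`].OutputValue' \
    --output text
}

# update_policy PROFILE: update the stack to the published template, keeping
# the AccountId and ExternalId values already stored in the stack so the
# role's external ID does not change. Treats "nothing to update" as success.
update_policy() {
  if ! out=$(aws cloudformation update-stack \
      --profile "$1" --region "$REGION" --stack-name "$STACK_NAME" \
      --template-url "$TEMPLATE_URL" \
      --capabilities CAPABILITY_NAMED_IAM \
      --parameters ParameterKey=AccountId,UsePreviousValue=true \
                   ParameterKey=ExternalId,UsePreviousValue=true 2>&1); then
    case $out in
      *"No updates are to be performed"*) echo "$1: template already current"; return 0 ;;
      *) echo "$1: update-stack failed: $out" >&2; return 1 ;;
    esac
  fi
  aws cloudformation wait stack-update-complete \
    --profile "$1" --region "$REGION" --stack-name "$STACK_NAME"
}

# audit_account PROFILE MODE: report the policy version; with MODE=fix, remediate.
# Returns 1 for an outdated (unfixed) account, 2 when the version cannot be read.
audit_account() {
  profile=$1; mode=$2
  v=$(current_policy_version "$profile" 2>/dev/null) || v=
  case $v in
    ""|None) echo "$profile: cannot read Version output of stack $STACK_NAME" >&2; return 2 ;;
  esac
  if version_lt "$v" "$LATEST_VERSION"; then
    echo "$profile: OUTDATED policy version $v (latest $LATEST_VERSION)"
    [ "$mode" = fix ] || return 1
    update_policy "$profile" || return 1
    echo "$profile: now at version $(current_policy_version "$profile")"
  else
    echo "$profile: policy version $v is current"
  fi
}

main() {
  mode=check
  [ "${1:-}" = --fix ] && { mode=fix; shift; }
  rc=0
  for p in "$@"; do audit_account "$p" "$mode" || rc=1; done
  return "$rc"
}

if [ "$#" -eq 0 ]; then
  echo "usage: $0 [--fix] PROFILE..." >&2
else
  main "$@"
fi
```

Run it first without --fix from a CI job or a read-only session to get a per-account report (non-zero exit means at least one account is outdated or unreadable), then rerun with --fix from credentials allowed to update the stack. Because the update only requires CAPABILITY_NAMED_IAM and reuses the stored parameters, the operator never needs to handle the external ID.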


Publication date Nov 21, 2017