Here at globaldatanet we especially enjoy building as much as automation possible for us and our clients' deployments.
Today we are going to quickly cover an important security validation topic that you're probably aware of by now, to make sure all CloudFormation code follows the best practices and it's secure when deploying new or existing infrastructure.
We use the cfn-nag tool to verify all the CloudFormation templates that we ship to production, this means that as part of our Codepipeline we have a build step in-place (could be an AWS Lambda or a Codebuild) which will run the security validation.
We like some efficiency 😎
Taking into consideration all the requirements we decided to use a Codebuild for it, giving us more flexibility, easiness to implement and visualization if something happens.
Note: As an alternative, the cfn-nag is also available from the AWS Lambda public serverless app repository, you can integrate easily the cfn-nag-pipeline function into your Codepipeline.
We use Codecommit as our Codepipeline source, but our Bash script also supports any git-like repo, as long as you choose to pass the .git files to Codebuild. By getting the list of the CF files from the last commit we can then run cfn-nag agaist thiose files only.
In a nutshell:
We are globaldatanet are big fans of opensource and code sharing, so here it goes, the bash script, the buildspec file for the Codebuild and some examples for a simple Codepipeline.
version: 0.2 phases: install: runtime-versions: ruby: 2.6 commands: - pip3 install awscli --upgrade --quiet - pip3 install cfn-lint --quiet - aws --version - yum install jq git -y -q - gem install cfn-nag - cfn_nag_rules # Show all cfn_nag_rules that will be used in the scan build: commands: - scriptToExecute=`find $(pwd)/ \( -name "CfnTemplateValidation.sh" \) ` - chmod +x "$scriptToExecute" - bash "$scriptToExecute" --full_scan no --codecommit-repository_name NAME-OF-YOUR-CODECOMMIT-REPO --codebuild_project_name NAME-OF-CODEBUILD-PROJECT artifacts: files: '**/*'
Download the template validation script here: CfnTemplateValidation.sh
Keep in touch! We would love to hear from you and/or help you build the next amazing automation on AWS 😎