Announcing CloudFormation Support in Checkov

Checkov by Bridgecrew

It has been just over a month since we introduced Checkov for static code analysis of Terraform templates. Checkov allows you to detect security misconfiguration during build time which helps prevent deployment of insecure infrastructure. From a security perspective, this also means you avoid the wasted hours of tracking down resource owners and working through run time remediation. We are amazed at the excitement this has generated and the overall interest in the community.

Since its release, Checkov received 500 stars on GitHub and the team received several requests to scan other infrastructure as code tools including CloudFormation, ARM templates, Kubernetes manifests, and Helm charts.

Today we’re taking the first step and are announcing CloudFormation support in Checkov!

Now you can scan CloudFormation templates in the same manner as Terraform. Where possible the same checks exist for both. Here is an example EC2 instance template to get started:

cat << EOF > ec2-instance.yaml
AWSTemplateFormatVersion: '2010-09-09'
Metadata:
  License: Apache-2.0
Description: Sample EC2 Instance with EBS Volume and Security Group
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t2.micro
    AllowedValues: [t2.micro, t2.small, t2.medium, t2.large, t3.micro, t3.small, t3.medium, t3.large, m5.large, m5.xlarge]
    ConstraintDescription: must be a valid EC2 instance type.
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
  LatestAmiId:
    Type: 'AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>'
    Default: '/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2'
  VPC:
    Type: AWS::EC2::VPC::Id
  PublicSubnet:
    Type: AWS::EC2::Subnet::Id
Resources:
  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref 'InstanceType'
      KeyName: !Ref 'KeyName'
      ImageId: !Ref 'LatestAmiId'
      BlockDeviceMappings:
        - DeviceName: "/dev/sdm"
          Ebs:
            VolumeType: "gp2"
            DeleteOnTermination: "true"
            VolumeSize: "10"
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: "InstanceSecurityGroup"
          SubnetId:
            Ref: "PublicSubnet"
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref 'SSHLocation'
      VpcId: !Ref 'VPC'
Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: !Ref 'EC2Instance'
  AZ:
    Description: Availability Zone of the newly created EC2 instance
    Value: !GetAtt [EC2Instance, AvailabilityZone]
  PublicDNS:
    Description: Public DNSName of the newly created EC2 instance
    Value: !GetAtt [EC2Instance, PublicDnsName]
  PublicIP:
    Description: Public IP address of the newly created EC2 instance
    Value: !GetAtt [EC2Instance, PublicIp]
EOF

The above example is a YAML template, but you can also use JSON if you prefer.

With Checkov we can scan this code before deploying to highlight any issues:

checkov -f ec2-instance.yaml

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
version: 1.0.167 

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
    FAILED for resource: InstanceSecurityGroup
    File: ec2-instance.yaml:52-60

        52 |     Type: AWS::EC2::SecurityGroup
        53 |     Properties:
        54 |       GroupDescription: Enable SSH access via port 22
        55 |       SecurityGroupIngress:
        56 |         - IpProtocol: tcp
        57 |           FromPort: 22
        58 |           ToPort: 22
        59 |           CidrIp: !Ref 'SSHLocation'
        60 |       VpcId: !Ref 'VPC'


Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    FAILED for resource: InstanceSecurityGroup
    File: ec2-instance.yaml:52-60

        52 |     Type: AWS::EC2::SecurityGroup
        53 |     Properties:
        54 |       GroupDescription: Enable SSH access via port 22
        55 |       SecurityGroupIngress:
        56 |         - IpProtocol: tcp
        57 |           FromPort: 22
        58 |           ToPort: 22
        59 |           CidrIp: !Ref 'SSHLocation'
        60 |       VpcId: !Ref 'VPC'

Here we have 2 failed checks. The first check failed for allowing port 22 open to 0.0.0.0/0 (The default value of the parameter in the template). The second check failed due to the security group ingress rule not having a description line explaining the purpose of the port.

Checkov works well at development time to ensure you are creating secure resources. However, it also works great as part of a pipeline such as Jenkins or as a pre-commit check. Check out our existing integrations and getting started information in our documentation here: https://www.checkov.io/documentation

Thanks to Barak Schoster and Naor David for their help making this happen. We hope you find this useful for securing your CloudFormation templates. Please reach out to us on Slack (https://codified-security.herokuapp.com/) with any feedback.


Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.

If you need direct support you can contact us at info@bridgecrew.io