CloudFormation security scanning on every commit

For AWS users, CloudFormation provides a common language to provision AWS resources in your cloud environment. It also enables you to shift AWS cloud security left.

Bridgecrew CloudFormation Scanning

Basics

CloudFormation security and compliance

Computer with warning icon

CloudFormation security risks

Infrastructure as code (IaC) frameworks such as CloudFormation have a lot of benefits when it comes to scaling and streamlining cloud infrastructure. But they can also introduce additional complexities and risks if security configuration is missing or incorrect. For organizations in regulated industries, it’s also crucial to keep infrastructure in compliance with regulatory policies. AWS CloudFormation is an increasingly popular way to manage security and compliance, but you never rid yourself of the risks involved in cloud computing. That’s where Bridgecrew comes in.

Codified cloud icon

CloudFormation security opportunity

Using simple code templates, CloudFormation enables you to automate cloud deployments across all accounts with a single source of truth. CloudFormation enables you to automate security earlier in the infrastructure development process. By shifting cloud security earlier, you can spend less time monitoring security and compliance issues in production.

Common AWS CloudFormation policies

To identify AWS CloudFormation misconfigurations, Bridgecrew comes pre-built with hundreds of policies for cloud resources and the code that provisions them. By automating these security checks and guardrails within your codified infrastructure, you’re getting meaningful visibility into all functions of your cloud ecosystem. Plus, you’re able to pinpoint and address issues in real time as the CloudFormation controls identify security lapses ranging from weaknesses to full-blown cloud risk.

General CloudFormation policies

General IAM and resource policies catch overly permissive security controls in resources like S3 Buckets and SQS.

Security Group ingress and egress rules

These policies look for CloudFormation Security Group rules that are overly permissive, for example allowing ingress to 0.0.0.0/0.

Logging and recovery

These policies enforce adequate access logs and backups for relevant resource types like Elastic Load Balancers and CloudFront Distributions.

Secrets and encryption

These policies check to make sure server-side encryption is enabled or enforced for applicable resources like AWS EBS volumes or for PutObject calls on an S3 bucket.

How it works

CloudFormation security platform

Bridgecrew is designed to enforce policies as part of every code review and fix CloudFormation misconfigurations as early as possible.

Complete coverage

Bridgecrew includes hundreds of built-in policies to scan your CloudFormation templates for provisioning AWS and third-party resources. By automating this process of scanning CloudFormation variables, you can allow Bridgecrew to work through security scans so your team doesn’t have to.

Seamless VCS integrations

Integrate directly with your CloudFormation repositories to instantly start scanning for security issues. No AWS account access needed. With easy integrations, you can enjoy the added protections fast and save yourself from issues impacting your AWS compliance and security.

CI/CD integrations

Keep your CloudFormation templates compliant with continuous scanning as part of your CI/CD pipelines. We know that product improvement and scalability is continuous. This way, each change you make to your code pipeline CloudFormation is checked for errors that occur during post-development editing. 

Bridgecrew policy infrastructure as code demonstration

Security where code happens

Get started with Bridgecrew for free

CloudFormation and AWS security resources

Bridgecrew for AWS

In addition to providing CloudFormation scanning, Bridgecrew enables teams to address security errors in deployed AWS resources.

CloudFormation security training tool

To help engineers learn how to spot CloudFormation misconfigurations, we built CfnGoat, a vulnerable-by-design security training tool.

Bridgecrew for AWS CDK Tutorial

Learn how to scan your AWS CDK-generated CloudFormation templates as part of a continuous build pipeline.