CloudFormation scanning on every commit
For AWS users, CloudFormation provides a common language to provision AWS resources in your cloud environment. It also enables you to shift AWS cloud security left.

Basics
CloudFormation security and compliance

CloudFormation security risks
Infrastructure as code (IaC) frameworks such as CloudFormation have a lot of benefits when it comes to scaling and streamlining cloud infrastructure. But they can also introduce additional complexities and risks if security configuration is missing or incorrect. For organizations in regulated industries, it’s also crucial to keep infrastructure in compliance with regulatory policies.

CloudFormation security opportunity
Using simple code templates, CloudFormation lets you automate cloud deployments across all of your accounts from a single source of truth, and it lets you enforce security earlier in the infrastructure development process. By shifting cloud security left, you spend less time chasing security and compliance issues in production.

Common AWS CloudFormation policies
To identify AWS CloudFormation misconfigurations, Bridgecrew comes pre-built with hundreds of policies for cloud resources and the code that provisions them.

General CloudFormation policies
General IAM and resource policies catch overly permissive access controls on resources such as S3 buckets and SQS queues.

Security Group ingress and egress rules
These policies flag CloudFormation Security Group rules that are overly permissive, for example rules allowing ingress from 0.0.0.0/0.

Logging and recovery
These policies enforce adequate access logging and backups for relevant resource types such as Elastic Load Balancers and CloudFront distributions.

Secrets and encryption
These policies check that server-side encryption is enabled or enforced for applicable resources, such as EBS volumes, or required for PutObject calls on an S3 bucket.

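To make concrete what the Security Group and encryption policies above look for, here is a small added example of two such checks run against a constructed CloudFormation template. This is illustration code, not Bridgecrew's own policy engine; the template, logical ids and placeholder values are all made up.

```python
# Constructed template: one SG with a world-open SSH rule and a scoped HTTPS rule,
# one standalone IPv6 world-open ingress resource, one unencrypted and one
# encrypted S3 bucket. All ids and values are placeholders for illustration.
TEMPLATE = {
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "DbIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": "sg-placeholder", "IpProtocol": "tcp",
                           "FromPort": 5432, "ToPort": 5432, "CidrIpv6": "::/0"},
        },
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DataBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        },
    }
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # IPv4 and IPv6 "anywhere"

def resources_of(template, type_name):
    """Yield (logical_id, properties) for every resource of the given type."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == type_name:
            yield logical_id, res.get("Properties", {})

def world_open_ingress(template):
    """Return (logical_id, from_port, to_port) for ingress rules reachable from any
    address, covering inline SecurityGroupIngress lists and standalone ingress resources."""
    rules = [(sg_id, r) for sg_id, props in resources_of(template, "AWS::EC2::SecurityGroup")
             for r in props.get("SecurityGroupIngress", [])]
    rules += list(resources_of(template, "AWS::EC2::SecurityGroupIngress"))
    return [(rid, r.get("FromPort"), r.get("ToPort")) for rid, r in rules
            if WORLD_CIDRS & {r.get("CidrIp"), r.get("CidrIpv6")}]

def unencrypted_buckets(template):
    """Return logical ids of S3 buckets with no default server-side encryption rule."""
    return [bid for bid, props in resources_of(template, "AWS::S3::Bucket")
            if not any("ServerSideEncryptionByDefault" in rule for rule in
                       props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", []))]
```

Running both checks over `TEMPLATE` reports the SSH rule on `WebSg`, the `DbIngress` resource, and `LogsBucket`; the scoped HTTPS rule and the KMS-encrypted bucket pass.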
How it works
CloudFormation security platform
Bridgecrew is designed to enforce policies as part of every code review and fix CloudFormation misconfigurations as early as possible.

Complete coverage
Bridgecrew includes hundreds of built-in policies that scan the CloudFormation templates provisioning your AWS and third-party resources.

Seamless VCS integrations
Integrate directly with your CloudFormation repositories to instantly start scanning for security issues. No AWS account access needed.

CI/CD integrations
Keep your CloudFormation templates compliant with continuous scanning as part of your CI/CD pipelines.

CloudFormation and AWS security resources
Bridgecrew for AWS
In addition to providing CloudFormation scanning, Bridgecrew enables teams to address security errors in deployed AWS resources.

CloudFormation security training tool
To help engineers learn how to spot CloudFormation misconfigurations, we built CfnGoat, a vulnerable-by-design security training tool.

Bridgecrew for AWS CDK Tutorial
Learn how to scan your AWS CDK-generated CloudFormation templates as part of a continuous build pipeline.