CloudFormation scanning on every commit

For AWS users, CloudFormation provides a common language to provision AWS resources in your cloud environment. It also enables you to shift AWS cloud security left.

CloudFormation security and compliance

CloudFormation security risks

Infrastructure as code (IaC) frameworks such as CloudFormation have a lot of benefits when it comes to scaling and streamlining cloud infrastructure. But they can also introduce additional complexities and risks if security configuration is missing or incorrect. For organizations in regulated industries, it’s also crucial to keep infrastructure in compliance with regulatory policies.

CloudFormation security opportunity

Using simple code templates, CloudFormation lets you automate cloud deployments across all your accounts from a single source of truth. Because the configuration lives in code, security checks can run earlier in the infrastructure development process, before anything is deployed. By shifting cloud security earlier, you spend less time chasing security and compliance issues in production.

Common AWS CloudFormation policies

To identify AWS CloudFormation misconfigurations, Bridgecrew comes pre-built with hundreds of policies for cloud resources and the code that provisions them.

General CloudFormation policies

General IAM and resource policies catch overly permissive access controls on resources such as S3 buckets and SQS queues.

Security Group ingress and egress rules

These policies look for CloudFormation Security Group rules that are overly permissive, for example allowing ingress to

Logging and recovery

These policies enforce adequate access logs and backups for relevant resource types like Elastic Load Balancers and CloudFront Distributions.

Secrets and encryption

These policies check to make sure server-side encryption is enabled or enforced for applicable resources like AWS EBS volumes or for PutObject calls on an S3 bucket.
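To show what two of the policy families above check for in practice, here is a small scanner that reads a CloudFormation JSON template and reports Security Group ingress rules open to the whole internet and EBS volumes without encryption. This is added example code, not Bridgecrew's implementation; the template, the check ids and the findings format are constructed for illustration.

```python
"""Minimal CloudFormation checks: open Security Group ingress and unencrypted
EBS volumes. Example code, not Bridgecrew's; the template is a constructed sample."""
import json

# Constructed sample template: one SG with an open SSH rule, one SG open on all
# ports over IPv6, one unencrypted volume and one encrypted volume.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "web", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    "AdminSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "admin", "SecurityGroupIngress": [
            {"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
    "DataVolume": {"Type": "AWS::EC2::Volume",
                   "Properties": {"Size": 100, "AvailabilityZone": "us-east-1a"}},
    "LogVolume": {"Type": "AWS::EC2::Volume",
                  "Properties": {"Size": 20, "AvailabilityZone": "us-east-1a", "Encrypted": True}},
}})

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "anywhere" in IPv4 and IPv6

def resources_of_type(template: dict, type_name: str):
    """Yield (logical_id, properties) for every resource of the given CloudFormation type."""
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == type_name:
            yield name, res.get("Properties", {})

def open_ingress_findings(template: dict):
    """Inline ingress rules reachable from any address: (SG id, protocol, from port, to port)."""
    findings = []
    for name, props in resources_of_type(template, "AWS::EC2::SecurityGroup"):
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") in OPEN_CIDRS or rule.get("CidrIpv6") in OPEN_CIDRS:
                findings.append((name, rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")))
    return findings

def unencrypted_volume_findings(template: dict):
    """EBS volumes whose Encrypted property is missing or not true (the default is unencrypted)."""
    return [name for name, props in resources_of_type(template, "AWS::EC2::Volume")
            if props.get("Encrypted") is not True]

def scan(template_text: str) -> dict:
    """Run every check over a JSON template; the check ids are made up for this example."""
    template = json.loads(template_text)
    return {"OPEN_SG_INGRESS": open_ingress_findings(template),
            "EBS_UNENCRYPTED": unencrypted_volume_findings(template)}

if __name__ == "__main__":
    for check, hits in scan(SAMPLE_TEMPLATE).items():
        print(check, hits)
```

A real policy engine would also resolve intrinsic functions and standalone `AWS::EC2::SecurityGroupIngress` resources; this block only inspects literal inline rules.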

How it works

CloudFormation security platform

Bridgecrew is designed to enforce policies as part of every code review and fix CloudFormation misconfigurations as early as possible.

Complete coverage

Bridgecrew includes hundreds of built-in policies that scan your CloudFormation templates, whether they provision AWS resources or third-party resources.

Seamless VCS integrations

Integrate directly with your CloudFormation repositories to instantly start scanning for security issues. No AWS account access needed.

CI/CD integrations

Keep your CloudFormation templates compliant with continuous scanning as part of your CI/CD pipelines.

CloudFormation and AWS security resources

Bridgecrew for AWS

In addition to providing CloudFormation scanning, Bridgecrew enables teams to address security errors in deployed AWS resources.

CloudFormation security training tool

To help engineers learn how to spot CloudFormation misconfigurations, we built CfnGoat, a vulnerable-by-design security training tool.

Bridgecrew for AWS CDK Tutorial

Learn how to scan your AWS CDK-generated CloudFormation templates as part of a continuous build pipeline.