Static Analysis and Policy Enforcement for CloudFormation

cfn-lint provides comprehensive linting for CloudFormation templates. Its built-in rules (E for errors, W for warnings, I for informational findings) validate a template against the CloudFormation resource schemas: property types, required properties, allowed values, intrinsic function usage, and a few operational checks such as deletion policies on stateful resources. It is not a security scanner out of the box. Organization-specific security requirements, for example mandatory encryption at rest, no literal secrets in properties, or restricted IAM actions, are enforced by writing custom rules in Python and loading them with append_rules; they run on the same engine, get the same rule IDs and severities, and fail the same CI job as the built-in checks.

# Example cfn-lint configuration
# .cfnlintrc (YAML)
templates:
  - templates/**/*.yaml
  - templates/**/*.json

ignore_templates:
  - tests/fixtures/*

# Error (E) and warning (W) rules are on by default; informational (I)
# rules must be enabled explicitly.
include_checks:
  - I

# Per-rule settings. E3012 (property value checks) has a strict mode that
# also rejects values of the wrong type that CloudFormation would coerce.
configure_rules:
  E3012:
    strict: true

# Directories of Python rule files loaded alongside the built-in rules.
append_rules:
  - rules/

# Custom rule example: rules/RequireEncryption.py
"""Custom cfn-lint rule requiring encryption at rest for data resources."""
from cfnlint.rules import CloudFormationLintRule, RuleMatch


class RequireEncryption(CloudFormationLintRule):
    """E9xxx is the conventional ID range for organization-specific rules."""
    id = 'E9001'
    shortdesc = 'Require encryption for data resources'
    description = 'Ensures S3 buckets, RDS instances and RDS clusters declare encryption at rest'
    tags = ['resources', 's3', 'rds', 'security']

    @staticmethod
    def _is_true(value):
        # CloudFormation accepts both the boolean true and the string "true".
        # An intrinsic function (Ref, Fn::If, ...) is deliberately not accepted:
        # the rule reports it so a reviewer confirms the resolved value.
        return value is True or (isinstance(value, str) and value.lower() == 'true')

    def match(self, cfn):
        matches = []

        # S3: since January 2023 the service applies SSE-S3 when BucketEncryption
        # is absent, so this check enforces an explicit configuration that the
        # template owner (and the KMS key policy behind it) is accountable for.
        for name, resource in cfn.get_resources(['AWS::S3::Bucket']).items():
            properties = resource.get('Properties') or {}
            if 'BucketEncryption' not in properties:
                matches.append(RuleMatch(
                    ['Resources', name, 'Properties'],
                    'S3 bucket must declare BucketEncryption'))

        # RDS: StorageEncrypted lives on AWS::RDS::DBInstance for stand-alone
        # engines but on AWS::RDS::DBCluster for Aurora. Aurora member instances
        # carry DBClusterIdentifier and no StorageEncrypted of their own, so they
        # are skipped here and the cluster resource is checked instead.
        for rds_type in ('AWS::RDS::DBInstance', 'AWS::RDS::DBCluster'):
            for name, resource in cfn.get_resources([rds_type]).items():
                properties = resource.get('Properties') or {}
                if rds_type == 'AWS::RDS::DBInstance' and 'DBClusterIdentifier' in properties:
                    continue  # encryption is enforced on the referenced cluster
                if not self._is_true(properties.get('StorageEncrypted')):
                    matches.append(RuleMatch(
                        ['Resources', name, 'Properties'],
                        f'{rds_type} must set StorageEncrypted: true'))

        return matches

CloudFormation Guard (cfn-guard) enables policy-as-code validation using a domain-specific language designed for rules over structured data. Rules live in .guard files and each evaluates a template to PASS, FAIL or SKIP. Because Guard treats the template as plain JSON or YAML rather than checking it against resource schemas, it can express requirements cfn-lint's built-in rules cannot: filtering resources by any combination of properties, constraining a value on one resource by what another declares, and conditional rules keyed on parameter defaults, mappings or other template values.
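The following Guard rules file is an added example, not code from the original page or from the cfn-guard project. It mirrors the encryption policy of the custom cfn-lint rule above and adds two checks a schema-based linter cannot express: rejecting plaintext master passwords on RDS resources, and a production-only hardening rule conditioned on a template parameter. The file name, the Environment parameter and the 'prod' value are assumptions for illustration.

```guard
# Added example (not from the original page): rules/data-encryption.guard.
# The Environment parameter and the value 'prod' are assumed for illustration.

let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

# Stand-alone RDS instances carry StorageEncrypted themselves; Aurora member
# instances carry DBClusterIdentifier instead and inherit it from the cluster.
let standalone_dbs = Resources.*[ Type == 'AWS::RDS::DBInstance'
                                  Properties.DBClusterIdentifier not exists ]
let db_clusters = Resources.*[ Type == 'AWS::RDS::DBCluster' ]
let databases = Resources.*[ Type in ['AWS::RDS::DBInstance', 'AWS::RDS::DBCluster'] ]

rule s3_buckets_use_kms when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption exists
    <<
        Violation: every S3 bucket must declare BucketEncryption
    >>
    %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm == 'aws:kms'
    <<
        Violation: buckets must use SSE-KMS; the SSE-S3 service default is not accepted
    >>
}

rule rds_instances_encrypted when %standalone_dbs !empty {
    %standalone_dbs.Properties.StorageEncrypted == true
    <<
        Violation: stand-alone DB instances must set StorageEncrypted: true
    >>
}

rule rds_clusters_encrypted when %db_clusters !empty {
    %db_clusters.Properties.StorageEncrypted == true
    <<
        Violation: Aurora clusters must set StorageEncrypted: true
    >>
}

# A master password is acceptable only if RDS manages it in Secrets Manager,
# if it is an intrinsic function (Ref to a NoEcho parameter, Fn::Sub, ...),
# or if it is a Secrets Manager / SSM SecureString dynamic reference.
# Any other string is a literal credential committed to the template.
rule no_plaintext_master_password when %databases !empty {
    %databases.Properties {
        ManageMasterUserPassword == true or
        MasterUserPassword is_struct or
        MasterUserPassword == /^\{\{resolve:(secretsmanager|ssm-secure):/
    }
}

# Conditional on a parameter. Guard evaluates the template as data, so this
# reads Parameters.Environment.Default, not the value supplied at deploy time;
# templates without that parameter SKIP the rule rather than fail it.
rule prod_database_hardening when Parameters.Environment.Default == 'prod' {
    when %standalone_dbs !empty {
        %standalone_dbs.Properties.MultiAZ == true
        %standalone_dbs.Properties.DeletionProtection == true
    }
    when %db_clusters !empty {
        %db_clusters.Properties.DeletionProtection == true
    }
}
```

Run it with `cfn-guard validate --data templates/ --rules rules/data-encryption.guard`; a non-zero exit status on any FAIL is what a CI gate keys on. The `when %var !empty` guards matter: a template with no bucket or no database should SKIP the corresponding rule, not fail it because the query resolved to nothing. Because the parameter rule only sees the template default, a deploy that overrides Environment at stack-creation time is not covered by it; treat it as a check on the template's declared intent and enforce the runtime value elsewhere. cfn-guard also ships a `test` subcommand that runs a rules file against sample inputs with expected PASS/FAIL/SKIP outcomes, which is the right place to pin down edge cases such as the Aurora member instance or a Ref-based password before the rules gate real deployments.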