Announcing AWS CloudFormation Support

Cloudrail is pleased to announce our newly released support for AWS CloudFormation templates. Whether you’re using Terraform or AWS CloudFormation to manage your infrastructure as code, ensure your resources are free from security misconfigurations with Cloudrail.

Why CloudFormation?

With a number of users choosing AWS CloudFormation templates as their primary infrastructure management tool for AWS workloads, we felt it was necessary to bring the same infrastructure security expertise provided to our customers using Terraform to those using AWS CloudFormation. Whether a team chooses CloudFormation for its bundled state management or simply because it’s an AWS service, Indeni Cloudrail is there to help keep things secure.

What is Cloudrail?

Cloudrail is a tool designed to help automate the security review of your cloud infrastructure and infrastructure as code. It can be used to perform static security assessments on Terraform and CloudFormation templates before they’re deployed, and also in the broader context of your cloud environment to ensure everything is configured as it should be.

Cloudrail uses an advanced context engine to determine if a cloud resource vulnerability is truly a vulnerability, and what other services it can potentially affect.

What is AWS CloudFormation?

AWS CloudFormation is an infrastructure provisioning tool designed for deploying AWS workloads in a repeatable and scalable way. Similar to Terraform, it uses a declarative approach: a user specifies the resources they would like deployed, along with the parameters for a particular template, and lets the service provision the resources as necessary.

An example of a CloudFormation template is as follows:

{
  "AWSTemplateFormatVersion": "2010-09-09",

  "Description": "AWS CloudFormation Sample Template EC2InstanceWithSecurityGroupSample: Create an Amazon EC2 instance running the Amazon Linux AMI. The AMI is chosen based on the region in which the stack is run. This example creates an EC2 security group for the instance to give you SSH access. **WARNING** This template creates an Amazon EC2 instance. You will be billed for the AWS resources used if you create a stack from this template.",

  "Parameters": {
    "KeyName": {
      "Description": "Name of an existing EC2 KeyPair to enable SSH access to the instance",
      "Type": "AWS::EC2::KeyPair::KeyName",
      "ConstraintDescription": "must be the name of an existing EC2 KeyPair."
    },

    "InstanceType": {
      "Description": "WebServer EC2 instance type",
      "Type": "String",
      "Default": "t1.micro",
      "AllowedValues": ["t1.micro"],
      "ConstraintDescription": "must be a valid EC2 instance type."
    },

    "SSHLocation": {
      "Description": "The IP address range that can be used to SSH to the EC2 instances",
      "Type": "String",
      "MinLength": "9",
      "MaxLength": "18",
      "Default": "0.0.0.0/0",
      "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
      "ConstraintDescription": "must be a valid IP CIDR range of the form x.x.x.x/x."
    }
  },

  "Mappings": {
    "AWSInstanceType2Arch": {
      "t1.micro": {
        "Arch": "HVM64"
      }
    },

    "AWSInstanceType2NATArch": {
      "t1.micro": {
        "Arch": "NATHVM64"
      }
    },
    "AWSRegionArch2AMI": {
      "us-east-1": {
        "HVM64": "ami-032930428bf1abbff",
        "HVMG2": "ami-0aeb704d503081ea6"
      }
    }

  },

  "Resources": {
    "EC2Instance": {
      "Type": "AWS::EC2::Instance",
      "Properties": {
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "SecurityGroups": [{
          "Ref": "InstanceSecurityGroup"
        }],
        "KeyName": {
          "Ref": "KeyName"
        },
        "ImageId": {
          "Fn::FindInMap": ["AWSRegionArch2AMI", {
              "Ref": "AWS::Region"
            },
            {
              "Fn::FindInMap": ["AWSInstanceType2Arch", {
                "Ref": "InstanceType"
              }, "Arch"]
            }
          ]
        }
      }
    },

    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [{
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": {
            "Ref": "SSHLocation"
          }
        }]
      }
    }
  },

  "Outputs": {
    "InstanceId": {
      "Description": "InstanceId of the newly created EC2 instance",
      "Value": {
        "Ref": "EC2Instance"
      }
    },
    "AZ": {
      "Description": "Availability Zone of the newly created EC2 instance",
      "Value": {
        "Fn::GetAtt": ["EC2Instance", "AvailabilityZone"]
      }
    },
    "PublicDNS": {
      "Description": "Public DNSName of the newly created EC2 instance",
      "Value": {
        "Fn::GetAtt": ["EC2Instance", "PublicDnsName"]
      }
    },
    "PublicIP": {
      "Description": "Public IP address of the newly created EC2 instance",
      "Value": {
        "Fn::GetAtt": ["EC2Instance", "PublicIp"]
      }
    }
  }
}

The above template deploys an EC2 instance together with a security group that allows SSH (TCP port 22) from the SSHLocation CIDR range, using the provided key pair.
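As an added example (not code from the original post, and not Cloudrail's own engine), the following Python script shows the kind of static check a pre-deployment review runs over a template like this one: it loads the JSON, resolves each security group's `CidrIp` and port fields through `Ref` to the parameter defaults, and reports any rule that exposes an administrative port to the whole internet. The embedded template is a constructed reduction of the post's example to its `Parameters` and `Resources` sections, the `overrides` dictionary stands in for the values a parameters file would supply, and the `SENSITIVE_PORTS` list is this example's own choice.

```python
import ipaddress
import json

# Constructed: the post's SSH-access template, reduced to the sections the
# security-group check needs. The SSHLocation default of 0.0.0.0/0 is what
# makes the template risky when deployed without a parameters file.
TEMPLATE_JSON = r'''
{
  "Parameters": {
    "SSHLocation": {"Type": "String", "Default": "0.0.0.0/0"}
  },
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable SSH access via port 22",
        "SecurityGroupIngress": [{
          "IpProtocol": "tcp",
          "FromPort": "22",
          "ToPort": "22",
          "CidrIp": {"Ref": "SSHLocation"}
        }]
      }
    }
  }
}
'''

# Ports this example treats as administrative (assumption, not a CloudFormation concept).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp"}


def resolve(value, params):
    """Resolve a {"Ref": name} intrinsic to its parameter value; literals pass through."""
    if isinstance(value, dict) and "Ref" in value:
        return params.get(value["Ref"])
    return value


def effective_parameters(template, overrides=None):
    """Parameter values as the stack would see them: template Defaults,
    then caller-supplied overrides (the role a parameters file plays)."""
    values = {name: spec.get("Default")
              for name, spec in template.get("Parameters", {}).items()}
    values.update(overrides or {})
    return values


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0; anything unparsable is treated as not open."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except (ValueError, TypeError):
        return False


def find_open_ingress(template, overrides=None):
    """Return one finding string per sensitive port reachable from a world-open CIDR."""
    params = effective_parameters(template, overrides)
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            cidr = resolve(rule.get("CidrIp"), params)
            if not is_world_open(cidr):
                continue
            proto = resolve(rule.get("IpProtocol"), params)
            if proto == "-1":  # "all traffic": every port on every protocol
                from_port, to_port = 0, 65535
            else:
                from_port = int(resolve(rule.get("FromPort"), params) or 0)
                to_port = int(resolve(rule.get("ToPort"), params) or 0)
            for port, label in SENSITIVE_PORTS.items():
                if proto in ("tcp", "-1") and from_port <= port <= to_port:
                    findings.append(f"{name}: {label} ({port}/tcp) open to {cidr}")
    return findings


def scan(template_text, overrides=None):
    """Parse a JSON template and run the ingress check against it."""
    return find_open_ingress(json.loads(template_text), overrides)


if __name__ == "__main__":
    # With template defaults: SSH is open to the world.
    for finding in scan(TEMPLATE_JSON):
        print("FINDING:", finding)
    # With a parameter override narrowing SSHLocation: no findings.
    print("with override:", scan(TEMPLATE_JSON, {"SSHLocation": "10.0.0.0/8"}))
```

The point of resolving `Ref` against the defaults is that the template's resource definitions alone look harmless; the exposure only becomes visible once the parameter value that `CidrIp` receives is taken into account, which is why a parameters file changes the result of a review.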

How To Run Cloudrail on CloudFormation Templates

To perform a review of your CloudFormation templates with Cloudrail, first make sure you have a Cloudrail account with your AWS account connected, and the command line tool installed on your local system.

Next, grab the AWS account ID by running the following command:

cloudrail cloud-account list-cloud-accounts

With the account ID, run the following command on your template:

cloudrail run \
    -c {{your_cloudformation_template.json}} \
    --cloud-account-id {{your_cloud_account_id}} \
    --auto-approve

If a parameters file is required, you can add it with the following flag:

--cfn-params-file sample.params.json \

Get Started Today

For help getting started with Cloudrail, check out our documentation, or feel free to reach out.

Looking to build secure infrastructure?

Get started with Cloudrail