AWS CloudFormation Validation Pipeline

Appendix A: Template Linting with cfn-nag

The Lint_Template AWS Lambda Function runs cfn-nag, a third-party linting tool designed to identify patterns in AWS CloudFormation templates that are likely to result in insecure infrastructure. If you enable this test, the solution deploys an AWS CodeBuild project that runs the default set of cfn-nag rules, which check for the following issues:

  • AWS Identity and Access Management and resource policies that are too permissive (wildcards)

  • Security group rules that are too permissive (wildcards)

  • Access logs that are not enabled for applicable resources

  • Encryption that is not enabled for applicable resources
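
To make the four rule families above concrete, the following Python script is an added illustration (not cfn-nag's own code, and not part of this solution) of the checks they represent: it walks a CloudFormation template and flags wildcard IAM Allow statements, security group ingress open to the whole internet, an S3 bucket without access logging, and S3/RDS resources without encryption at rest. The two embedded templates, the resource names in them, and the rule labels (IAM_WILDCARD_ACTION and so on) are constructed for this example; they are not cfn-nag's numbered rule IDs. Real runs should use cfn-nag itself (the AWS CodeBuild project in this solution does that), but the script shows what the tool is looking at and why the hardened template passes.

```python
import json
from typing import Any, Dict, List, Tuple

# A finding is (logical resource id, rule label, message). The rule labels are
# invented for this illustration; they are not cfn-nag's numbered rule ids.
Finding = Tuple[str, str, str]

# Constructed template that trips all four rule families (example data, not from the guide).
WEAK_TEMPLATE = json.dumps({"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "everything", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "OpenSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "wide open",
        "SecurityGroupIngress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres"}},
}})

# The same resources with the wildcards and the logging/encryption gaps removed.
HARDENED_TEMPLATE = json.dumps({"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "read-one-bucket", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::example-data-bucket/*"}]}}]}},
    "HttpsSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "HTTPS from the internal range only",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                  "CidrIp": "10.0.0.0/8"}]}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "LoggingConfiguration": {"DestinationBucketName": "example-access-logs"},
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"Engine": "postgres",
                                                          "StorageEncrypted": True}},
}})


def _as_list(value: Any) -> List[Any]:
    """CloudFormation lets Statement/Action/Resource be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _check_iam(name: str, props: Dict[str, Any], out: List[Finding]) -> None:
    # Permission policies only: the trust policy (AssumeRolePolicyDocument) has no
    # Resource element and is not what the "wildcard" rules are about.
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []
    docs += [p["PolicyDocument"] for p in props.get("Policies", []) if "PolicyDocument" in p]
    for doc in docs:
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            actions = [str(a) for a in _as_list(stmt.get("Action", []))]
            if any(a == "*" or a.endswith(":*") for a in actions):
                out.append((name, "IAM_WILDCARD_ACTION", f"Allow statement grants {actions}"))
            if "*" in _as_list(stmt.get("Resource", [])):
                out.append((name, "IAM_WILDCARD_RESOURCE", "Allow statement applies to Resource '*'"))


def _check_ingress(name: str, rule: Dict[str, Any], out: List[Finding]) -> None:
    # Flag any ingress rule whose source is the entire IPv4 or IPv6 internet.
    if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
        proto = rule.get("IpProtocol")
        ports = "all ports" if proto == "-1" else f"{rule.get('FromPort')}-{rule.get('ToPort')}/{proto}"
        out.append((name, "SG_OPEN_INGRESS", f"ingress from the whole internet on {ports}"))


def lint_template(template_json: str) -> List[Finding]:
    """Walk every resource and apply the rule family that matches its type."""
    findings: List[Finding] = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype in ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy",
                     "AWS::IAM::User", "AWS::IAM::Group"):
            _check_iam(name, props, findings)
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                _check_ingress(name, rule, findings)
        elif rtype == "AWS::EC2::SecurityGroupIngress":
            _check_ingress(name, props, findings)
        elif rtype == "AWS::S3::Bucket":
            if "LoggingConfiguration" not in props:
                findings.append((name, "S3_NO_ACCESS_LOGS", "bucket has no LoggingConfiguration"))
            if "BucketEncryption" not in props:
                findings.append((name, "S3_NO_ENCRYPTION", "bucket has no BucketEncryption"))
        elif rtype == "AWS::RDS::DBInstance":
            if props.get("StorageEncrypted") not in (True, "true"):
                findings.append((name, "RDS_NOT_ENCRYPTED", "StorageEncrypted is not true"))
    return findings


def rule_labels(template_json: str) -> List[str]:
    """Sorted, de-duplicated rule labels; a non-empty list is what a build stage would fail on."""
    return sorted({rule for _, rule, _ in lint_template(template_json)})


if __name__ == "__main__":
    for label, tpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(f"{label}: {lint_template(tpl) or 'no findings'}")
```

The weak template produces six findings (two IAM, one security group, two S3, one RDS) and the hardened one produces none. Note that the checks are deliberately structural: they look at the template, not at the deployed account, which is exactly why this kind of lint can run in a pipeline before anything is created.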

AWS CodeBuild records the cfn-nag output in its build logs. To troubleshoot linting failures, search Amazon CloudWatch Logs for the log group of this solution's AWS CodeBuild project (the project name is listed in the Resources of the Central Microservices AWS CloudFormation stack): /aws/codebuild/<name of AWS CodeBuild project>

For more information on cfn-nag, see the Stelligent article Finding Security Problems Early in the Development Process of a CloudFormation Template with "cfn-nag" and the cfn-nag GitHub repository.