AWS CloudFormation enables you to safely and predictably create, change, and improve infrastructure. The easy_infra project includes and secures CloudFormation as a component due to its popularity and versatility in provisioning and updating environments as Infrastructure as Code (IaC). easy_infra uses security tools, such as Checkov, to transparently assess the provided IaC against the defined security policy.
If you use software version control (such as git) to manage your CloudFormation IaC, consider executing `aws cloudformation validate-template` with easy_infra as a pipeline action on commit or pull request:

```bash
docker run -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation validate-template --template-body file://./example.yml
```
You can also use easy_infra to deploy your infrastructure using `aws cloudformation deploy`:

```bash
docker run -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation deploy --template-file file://./example.yml --stack-name example
```
> **Note**
> In order to run `aws cloudformation validate-template`, AWS requires that you have an active session with AWS.
Checkov can be configured through the following environment variables, which easy_infra translates into the corresponding Checkov command-line options:

| Environment Variable | Result | Example |
|---|---|---|
| `CHECKOV_BASELINE` | Passes the value to `--baseline` | `/iac/.checkov.baseline` |
| `CHECKOV_EXTERNAL_CHECKS_DIR` | Passes the value to `--external-checks-dir` | `/iac/checkov_rules/` |
| `CHECKOV_SKIP_CHECK` | Passes the value to `--skip-check` | `CKV_AWS_46` |

For example, exporting the variables and forwarding every `CHECKOV_*` variable into the container:

```bash
export CHECKOV_BASELINE=/iac/.checkov.baseline
export CHECKOV_EXTERNAL_CHECKS_DIR=/iac/checkov_rules/
export CHECKOV_SKIP_CHECK=CKV_AWS_46
docker run --env-file <(env | grep ^CHECKOV_) -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation validate-template --template-body file://./example.yml
```
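The following script is an added example and is not part of easy_infra or its documentation. It ties together the pipeline-action idea from the start of this page with the `CHECKOV_*` variables above: every CloudFormation template under a directory is validated through the easy_infra image, and any `CHECKOV_*` variable present in the CI environment is forwarded into the container as a docker `-e NAME` flag (an alternative to the `--env-file` process substitution shown above that also works in a POSIX `sh`). The default template directory `./templates`, the `EASY_INFRA_IMAGE` and `DRY_RUN` variables, and the script name `validate_templates.sh` are assumptions made here, not conventions of the project.

```shell
#!/usr/bin/env sh
# Added example, not part of easy_infra: a CI step that validates every
# CloudFormation template under a directory through the easy_infra image, so
# Checkov runs transparently before each `aws cloudformation validate-template`.
#
# Assumptions (not stated on the page): templates live under ./templates by
# default, AWS credentials reach the pipeline as AWS_* variables, the image can
# be overridden with EASY_INFRA_IMAGE, and DRY_RUN=1 prints commands only.

IMAGE="${EASY_INFRA_IMAGE:-seiso/easy_infra:latest-cloudformation}"

# Emit one `-e NAME` docker flag per CHECKOV_* variable in the environment.
# Passing only the name makes docker copy the host value into the container,
# where easy_infra maps it onto the matching Checkov flag (CHECKOV_SKIP_CHECK
# to --skip-check, and so on); the values never appear on the command line.
checkov_env_flags() {
  env | sed -n 's/^\(CHECKOV_[A-Z0-9_]*\)=.*/-e \1/p' | tr '\n' ' '
}

# Credentials are forwarded the same way; names that are unset on the host are
# simply skipped by docker.
AWS_ENV_FLAGS="-e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_DEFAULT_REGION"

# Print the exact command for one template (used for dry runs and code review).
build_validate_cmd() {
  printf 'docker run --rm %s%s -v %s:/iac %s aws cloudformation validate-template --template-body file://./%s\n' \
    "$(checkov_env_flags)" "$AWS_ENV_FLAGS" "$PWD" "$IMAGE" "$1"
}

# Validate one template; the exit status is the container's, so it is non-zero
# when Checkov rejects the template or validate-template fails.
validate_one() {
  # shellcheck disable=SC2046  # splitting the flag lists into words is intended
  docker run --rm $(checkov_env_flags) $AWS_ENV_FLAGS -v "$PWD:/iac" "$IMAGE" \
    aws cloudformation validate-template --template-body "file://./$1"
}

# Walk a directory of templates, report each result, and fail the pipeline
# step if any template failed.
validate_all() {
  dir="${1:-templates}"
  failed=0
  for t in "$dir"/*.yml "$dir"/*.yaml "$dir"/*.json; do
    [ -f "$t" ] || continue
    if [ "${DRY_RUN:-0}" = "1" ]; then
      build_validate_cmd "$t"
    elif validate_one "$t"; then
      echo "PASS $t"
    else
      echo "FAIL $t"
      failed=$((failed + 1))
    fi
  done
  echo "$failed template(s) failed"
  [ "$failed" -eq 0 ]
}

# Run only when executed directly as validate_templates.sh (not when sourced).
case "${0##*/}" in
  validate_templates.sh) validate_all "$@" ;;
esac
```

Run it from the repository root as `CHECKOV_SKIP_CHECK=CKV_AWS_46 sh validate_templates.sh templates` in the pipeline; `DRY_RUN=1` shows the exact `docker run` invocations without touching AWS, which is useful when reviewing what the step will execute.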
The injected security tooling can be disabled entirely or individually, using easy_infra-specific command-line arguments or environment variables.
| Environment variable | Default | Result |
|---|---|---|
| `DISABLE_SECURITY` | `false` | Disables all security tooling (not just CloudFormation-related) when set to `true` |
| `SKIP_CHECKOV` | `false` | Disables Checkov when set to `true` |
| Parameter | Result | Example |
|---|---|---|
| `--disable-security` | Disable all security tooling | `aws cloudformation validate-template --disable-security --template-body file://./example.yml` |
| `--skip-checkov` | Disable Checkov | `aws cloudformation --skip-checkov validate-template --template-body file://./example.yml` |
> **Note**
> All command-line arguments in the above table are processed by easy_infra and removed prior to passing parameters to `aws cloudformation` commands.
Checkov allows numerous methods for creating custom policies, such as writing them in Python or using the Checkov-specific DSL in YAML files. These options are described in more detail here.