A collection of AWS security controls for AWS CloudFormation. Controls include AWS Config rules for monitoring compliance, IAM policies, CloudWatch Alarms and CloudFormation Guard rule templates. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform formats.
A configuration package to automatically monitor CloudFormation stack drift (resources deployed through CloudFormation that are later changed manually, outside of CloudFormation) and optionally alert on these events.
This template creates a nested stack using the `AWS::CloudFormation::Stack` resource. It specifies a template URL and parameters for the nested stack.
This template creates a default version of a resource in CloudFormation. It specifies a new resource version and sets it as the default version. The `ResourceVersion` resource is created with the `TypeName` property set to `My::Sample::Resource` and the `SchemaHandlerPackage` property set to `s3://my-sample-resourceversion-bucket/my-sample-resource.zip`. The `ResourceDefaultVersion` resource is then created with the `TypeVersionArn` property set to the `Ref` value of the `ResourceVersion` resource.
This template registers a module version with the CloudFormation service. It specifies the module name and the location of the module package in an S3 bucket.
This template registers two versions of a module and sets the second version as the default version for CloudFormation to use. The `DependsOn` attribute is used to ensure that CloudFormation provisions version one before version two.
This template creates a new hook version for the AWS CloudFormation registry and sets it as the default version. It specifies the type name and the schema handler package for the hook version, and uses the `Ref` return value to set the version as the default for the hook.
This template creates a default version of a hook. The default version of the hook is used in CloudFormation operations for this AWS account and AWS Region.
This template creates a new hook configuration, identifying the hook by its TypeName. The hook configuration specifies the target stacks, failure mode and properties for the hook.
This template creates a new hook configuration, identifying the hook by its TypeArn. The hook configuration specifies the target stacks, failure mode and properties for the hook.
This template creates a stack set with managed execution activated. With managed execution, StackSets performs non-conflicting operations concurrently and queues conflicting operations.
This template sets up an IAM role for AWS CloudFormation StackSet administration and defines a CloudFormation StackSet for deploying a VPC across multiple accounts or regions.
Creates and manages a specific version of a CloudFormation Type, setting up logging and lifecycle policies.
A config rule that checks whether your CloudFormation stacks are sending event notifications to an SNS topic. Optionally checks whether specified SNS topics are used.
A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.
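Turning the drift monitoring package and the drift Config rule above into an actual alert takes two steps: run drift detection and wait for it to finish, then decide which drifted resources are worth paging on. The script below is an added example rather than code from this control collection; `detect_and_wait`, `triage`, the `SENSITIVE_PATHS` list and the sample drift records are its own assumptions, while the record fields are those of the DescribeStackResourceDrifts response. The triage part runs offline on the constructed records.

```python
"""Drift triage for a CloudFormation stack.

Added example, not code from the control collection on this page.
detect_and_wait, triage, SENSITIVE_PATHS and the sample records are this
example's own assumptions; the record fields are those returned by the
DescribeStackResourceDrifts API.
"""
from typing import Dict, List

# Property paths whose drift should page someone rather than land in a digest
# (assumption for this example; tune to your own security boundaries).
SENSITIVE_PATHS = ("/SecurityGroupIngress", "/SecurityGroupEgress",
                   "/AssumeRolePolicyDocument", "/Policies",
                   "/PublicAccessBlockConfiguration")

# Constructed sample: a security group opened to the world, log retention cut,
# an IAM role deleted, and one resource still in sync.
SAMPLE_DRIFTS: List[Dict] = [
    {"LogicalResourceId": "WebSecurityGroup", "ResourceType": "AWS::EC2::SecurityGroup",
     "PhysicalResourceId": "sg-0123456789abcdef0", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/SecurityGroupIngress/0/CidrIp",
                              "ExpectedValue": "10.0.0.0/8", "ActualValue": "0.0.0.0/0",
                              "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "AppLogGroup", "ResourceType": "AWS::Logs::LogGroup",
     "PhysicalResourceId": "/app/web", "StackResourceDriftStatus": "MODIFIED",
     "PropertyDifferences": [{"PropertyPath": "/RetentionInDays", "ExpectedValue": "90",
                              "ActualValue": "7", "DifferenceType": "NOT_EQUAL"}]},
    {"LogicalResourceId": "FlowLogRole", "ResourceType": "AWS::IAM::Role",
     "PhysicalResourceId": "prod-flowlog-role", "StackResourceDriftStatus": "DELETED",
     "PropertyDifferences": []},
    {"LogicalResourceId": "DataBucket", "ResourceType": "AWS::S3::Bucket",
     "PhysicalResourceId": "prod-data-bucket", "StackResourceDriftStatus": "IN_SYNC",
     "PropertyDifferences": []},
]


def triage(drifts: List[Dict]) -> Dict:
    """Summarize resource drift records into an alert-ready report.

    The stack counts as DRIFTED when any resource is MODIFIED or DELETED, which is
    the status the Config rule above turns into NON_COMPLIANT.
    """
    report = {"stack_drift_status": "IN_SYNC", "modified": [], "deleted": [],
              "urgent": [], "lines": []}
    for d in drifts:
        lid, status = d["LogicalResourceId"], d["StackResourceDriftStatus"]
        label = f"{lid} ({d['ResourceType']} {d['PhysicalResourceId']})"
        if status == "DELETED":
            # A control that no longer exists is always worth an immediate look.
            report["deleted"].append(lid)
            report["urgent"].append(lid)
            report["lines"].append(f"DELETED  {label}")
        elif status == "MODIFIED":
            report["modified"].append(lid)
            for diff in d["PropertyDifferences"]:
                path = diff["PropertyPath"]
                if path.startswith(SENSITIVE_PATHS) and lid not in report["urgent"]:
                    report["urgent"].append(lid)
                report["lines"].append(
                    f"MODIFIED {label} {path}: expected {diff['ExpectedValue']!r}, "
                    f"actual {diff['ActualValue']!r}")
    if report["modified"] or report["deleted"]:
        report["stack_drift_status"] = "DRIFTED"
    return report


def detect_and_wait(stack_name: str, region: str = "us-east-1", poll_seconds: int = 5):
    """Start drift detection, wait for it, and return (stack drift status, drifted records).

    Needs boto3 and AWS credentials; the offline demo below does not call it.
    """
    import time
    import boto3  # imported here so triage() has no AWS dependency

    cfn = boto3.client("cloudformation", region_name=region)
    detection_id = cfn.detect_stack_drift(StackName=stack_name)["StackDriftDetectionId"]
    while True:
        status = cfn.describe_stack_drift_detection_status(StackDriftDetectionId=detection_id)
        if status["DetectionStatus"] != "DETECTION_IN_PROGRESS":
            break
        time.sleep(poll_seconds)
    if status["DetectionStatus"] == "DETECTION_FAILED":
        raise RuntimeError(status.get("DetectionStatusReason", "drift detection failed"))
    drifts, token = [], None
    while True:  # results are paged
        kwargs = {"StackName": stack_name,
                  "StackResourceDriftStatusFilters": ["MODIFIED", "DELETED"]}
        if token:
            kwargs["NextToken"] = token
        page = cfn.describe_stack_resource_drifts(**kwargs)
        drifts.extend(page["StackResourceDrifts"])
        token = page.get("NextToken")
        if not token:
            return status["StackDriftStatus"], drifts


if __name__ == "__main__":
    result = triage(SAMPLE_DRIFTS)
    print(result["stack_drift_status"], "urgent:", result["urgent"])
    print("\n".join(result["lines"]))
```

On a real stack, `status, drifts = detect_and_wait("prod-network")` followed by `triage(drifts)` gives the report; the `urgent` list is what should go to an SNS topic, the rest can wait for the daily drift digest. Drift detection is not event-driven, so this has to be scheduled (for example from a periodic Lambda) to match the monitoring package above.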
A CloudWatch Alarm that triggers when a new CloudFormation stack is created
A CloudWatch Alarm that triggers when an existing CloudFormation stack is updated
A CloudWatch Alarm that triggers when an existing CloudFormation stack is deleted
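The three alarms above only fire if something turns CloudTrail's CloudFormation events into a metric: a trail delivering to a CloudWatch Logs group plus a metric filter on that group. As an added example (not code from this collection), the script below states the filter pattern such a setup would use (assumed form), applies the same predicate to constructed CloudTrail log lines, emulates the alarm's per-period Sum, and pulls out the actor, stack and template for triage. A denied DeleteStack is kept on purpose: an AccessDenied against a protected stack is itself a signal.

```python
"""CloudFormation stack create/update/delete detection over CloudTrail events.

Added example, not code from the control collection on this page. The metric
filter pattern (assumed form), the 5-minute window, the threshold and the sample
log lines are this example's assumptions; the field names are CloudTrail's.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Metric filter the three alarms would be built on. It only produces data points if a
# CloudTrail trail delivers to a CloudWatch Logs group.
METRIC_FILTER_PATTERN = (
    '{ ($.eventSource = "cloudformation.amazonaws.com") && '
    '(($.eventName = "CreateStack") || ($.eventName = "UpdateStack") || '
    '($.eventName = "DeleteStack")) }'
)
WATCHED_EVENTS = ("CreateStack", "UpdateStack", "DeleteStack")

# Constructed sample log lines: two legitimate changes, a denied delete of a
# production stack, and two events the filter must ignore.
SAMPLE_LOG_LINES = [
    '{"eventTime": "2024-05-01T12:00:10Z", "eventSource": "cloudformation.amazonaws.com", '
    '"eventName": "CreateStack", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevDeploy/alice"}, '
    '"requestParameters": {"stackName": "dev-api", "templateURL": "https://s3.amazonaws.com/approved-templates/api.yaml"}, '
    '"responseElements": {"stackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/dev-api/7c1d"}}',
    '{"eventTime": "2024-05-01T12:03:40Z", "eventSource": "cloudformation.amazonaws.com", '
    '"eventName": "UpdateStack", "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevDeploy/alice"}, '
    '"requestParameters": {"stackName": "dev-api", "templateURL": "https://s3.amazonaws.com/approved-templates/api.yaml"}, '
    '"responseElements": {"stackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/dev-api/7c1d"}}',
    '{"eventTime": "2024-05-01T12:31:05Z", "eventSource": "cloudformation.amazonaws.com", '
    '"eventName": "DeleteStack", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, '
    '"requestParameters": {"stackName": "prod-network"}, "responseElements": null, '
    '"errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: cloudformation:DeleteStack"}',
    '{"eventTime": "2024-05-01T12:31:10Z", "eventSource": "cloudformation.amazonaws.com", '
    '"eventName": "DescribeStacks", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, '
    '"requestParameters": {"stackName": "prod-network"}, "responseElements": null}',
    '{"eventTime": "2024-05-01T12:32:00Z", "eventSource": "ec2.amazonaws.com", '
    '"eventName": "DescribeInstances", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, '
    '"requestParameters": null, "responseElements": null}',
]


def matches_filter(event: Dict) -> bool:
    """The same predicate METRIC_FILTER_PATTERN expresses, applied to a parsed event."""
    return (event.get("eventSource") == "cloudformation.amazonaws.com"
            and event.get("eventName") in WATCHED_EVENTS)


def _event_time(event: Dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(log_lines: List[str]) -> List[Dict]:
    """One triage row per matching event: who, which stack, from which template, and
    whether the call failed. Failed calls are kept: an AccessDenied DeleteStack on a
    protected stack is a signal in its own right."""
    rows = []
    for line in log_lines:
        ev = json.loads(line)
        if not matches_filter(ev):
            continue
        params = ev.get("requestParameters") or {}
        rows.append({
            "time": ev["eventTime"],
            "actor": (ev.get("userIdentity") or {}).get("arn", "unknown"),
            "action": ev["eventName"],
            "stack": params.get("stackName"),
            "template_url": params.get("templateURL"),
            "error": ev.get("errorCode"),
        })
    return rows


def alarm_windows(log_lines: List[str], period_seconds: int = 300,
                  threshold: int = 1) -> List[Tuple[str, int]]:
    """Emulate the alarm: Sum of the metric per period, alarm when Sum >= threshold.
    Returns (period start, count) for every period that would have alarmed."""
    counts: Counter = Counter()
    for line in log_lines:
        ev = json.loads(line)
        if matches_filter(ev):
            ts = int(_event_time(ev).timestamp())
            counts[ts - ts % period_seconds] += 1
    return [(datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), n)
            for start, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG_LINES):
        print(row)
    print(alarm_windows(SAMPLE_LOG_LINES))
```

The `template_url` column is what lets an analyst tell an approved pipeline deploy from a stack created out of someone's personal bucket; when a trail is not wired into CloudWatch Logs, the same `summarize` logic can be run over CloudTrail's S3 JSON files instead.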
An IAM policy that allows access to all CloudFormation APIs, but denies UpdateStack and DeleteStack on a specific stack (e.g. a production stack). This policy also provides the permissions necessary to complete this action in the console.
An IAM policy that allows users to create new or update existing CloudFormation stacks only when the template URL used is on the allowed list. This policy also provides the permissions necessary to complete this action in the console.
An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types (the template uses IAM resource types as the default example). This policy also provides the permissions necessary to complete this action in the console.
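The three policies above lean on CloudFormation-specific condition keys, and how they behave on a request that does not carry the key is the part that is easy to get wrong. The script below is an added example, not code from this collection and not IAM itself: a deliberately small evaluator (explicit deny wins, `*`/`?` wildcards, the String* operators with and without `ForAnyValue`, and `Null`) run against constructed versions of the three policy patterns. The policy documents, ARNs, bucket names and request contexts are this example's assumptions, and so is the extra `Null` statement in the third pattern, which denies create/update when the `cloudformation:ResourceTypes` key is absent on the assumption that the key is only populated from the request's ResourceTypes parameter.

```python
"""Simplified evaluation of the three CloudFormation IAM policy patterns above.

Added example: not code from the control collection and not IAM itself. It models
explicit-deny-wins, '*'/'?' wildcards, the String* operators with and without
ForAnyValue/ForAllValues, and the Null check, nothing more. Policies, ARNs, bucket
names and request contexts are constructed for illustration.
"""
import re
from typing import Any, Dict, List, Optional

SUPPORTED = {"StringEquals", "StringNotEquals", "StringLike", "StringNotLike"}


def _as_list(v: Any) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _wild(pattern: str, value: str) -> bool:
    """IAM-style match: '*' any run of characters, '?' one character, case-sensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _condition_holds(operator: str, key: str, patterns: Any, ctx: Dict) -> bool:
    pats = _as_list(patterns)
    present = key in ctx
    if operator == "Null":  # "true" means: holds when the key is absent from the request
        return (pats[0].lower() == "true") == (not present)
    set_op, _, base = operator.rpartition(":")
    if base not in SUPPORTED:
        raise ValueError(f"operator {operator} not modelled here")
    negate = base.startswith("StringNot")
    match = _wild if base.endswith("Like") else (lambda p, v: p == v)
    values = _as_list(ctx.get(key, []))
    if set_op == "ForAnyValue":   # multi-valued key; an absent key has no value to match
        return any(match(p, v) for v in values for p in pats)
    if set_op == "ForAllValues":  # vacuously true when the key is absent
        return all(any(match(p, v) for p in pats) for v in values)
    if not present:
        # A positive operator fails on a missing key, a negated one succeeds: that is
        # why a Deny written with StringNotLike also catches requests that omit the key.
        return negate
    return any(match(p, v) for p in pats for v in values) != negate


def _applies(stmt: Dict, action: str, resource: str, ctx: Dict) -> bool:
    if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
        return False
    if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return all(_condition_holds(op, key, pats, ctx)
               for op, keys in stmt.get("Condition", {}).items()
               for key, pats in keys.items())


def evaluate(policy: Dict, action: str, resource: str, ctx: Optional[Dict] = None) -> str:
    """Explicit Deny beats Allow; with no matching Allow the result is an implicit deny."""
    ctx = ctx or {}
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "ImplicitDeny"


CREATE_UPDATE = ["cloudformation:CreateStack", "cloudformation:UpdateStack"]

# Pattern 1: all of CloudFormation, except updating or deleting one production stack.
PROTECT_PROD_STACK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudformation:UpdateStack", "cloudformation:DeleteStack"],
     "Resource": "arn:aws:cloudformation:us-east-1:111122223333:stack/prod-network/*"},
]}

# Pattern 2: create/update only from an approved bucket. A request that passes an inline
# TemplateBody carries no cloudformation:TemplateUrl key, so it never meets the Allow.
APPROVED_TEMPLATES_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": CREATE_UPDATE, "Resource": "*",
     "Condition": {"StringLike": {
         "cloudformation:TemplateUrl": "https://s3.amazonaws.com/approved-templates/*"}}},
]}

# Pattern 3: refuse templates containing IAM resources. The key is multi-valued, hence
# ForAnyValue. The Null statement is this example's own guard, on the assumption that
# the key is only populated from the request's ResourceTypes parameter.
NO_IAM_RESOURCES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Effect": "Deny", "Action": CREATE_UPDATE, "Resource": "*",
     "Condition": {"ForAnyValue:StringLike": {"cloudformation:ResourceTypes": ["AWS::IAM::*"]}}},
    {"Effect": "Deny", "Action": CREATE_UPDATE, "Resource": "*",
     "Condition": {"Null": {"cloudformation:ResourceTypes": "true"}}},
]}


if __name__ == "__main__":
    prod = "arn:aws:cloudformation:us-east-1:111122223333:stack/prod-network/1a2b3c"
    print(evaluate(PROTECT_PROD_STACK, "cloudformation:DeleteStack", prod))
    print(evaluate(APPROVED_TEMPLATES_ONLY, "cloudformation:CreateStack", "*"))
    print(evaluate(NO_IAM_RESOURCES, "cloudformation:CreateStack", "*",
                   {"cloudformation:ResourceTypes": ["AWS::IAM::Role"]}))
```

The evaluator is for reasoning about the patterns, not for sign-off: before deploying one of these policies, run the real document through `aws iam simulate-custom-policy` with the same context keys, and remember that this model ignores SCPs, permission boundaries, resource policies and every operator it does not list.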
CloudFormation guard rules template for IAM resources
CloudFormation guard rules template for EC2 resources
CloudFormation guard rules template for S3 resources
CloudFormation guard rules template for Security Groups
CloudFormation guard rules template for AWS Lambda resources
CloudFormation guard rules template for AWS OpenSearch resources
CloudFormation guard rules template for Amazon VPC resources
CloudFormation guard rules template for Amazon SageMaker resources
CloudFormation guard rules template for DynamoDB and DynamoDB Accelerator (DAX) resources
CloudFormation guard rules template for AWS Certificate Manager (ACM) resources
CloudFormation guard rules template for AWS Budget resources
CloudFormation guard rules template for AWS CloudFront resources
CloudFormation guard rules template for CloudWatch Log groups
CloudFormation guard rules template for CodeBuild resources
CloudFormation guard rules template for AWS Config
CloudFormation guard rules template for AWS DMS
CloudFormation guard rules template for AWS DocumentDB resources
CloudFormation guard rules template for EFS resources
CloudFormation guard rules template for ElastiCache resources
CloudFormation guard rules template for KMS resources
CloudFormation guard rules template for Network Firewall resources
CloudFormation guard rules template for SNS resources
CloudFormation guard rules template for SQS resources
CloudFormation guard rules template for WAF resources
CloudFormation guard rules template for API Gateway resources
CloudFormation guard rules template for AWS Backup resources
CloudFormation guard rules template for AWS CloudTrail resources
CloudFormation guard rules template for AWS CloudWatch Alarms
CloudFormation guard rules template for Amazon ECR resources
CloudFormation guard rules template for Amazon EKS resources
CloudFormation guard rules template for AWS Load Balancer resources
CloudFormation guard rules template for EMR resources
CloudFormation guard rules template for Amazon FSx resources
CloudFormation guard rules template for AWS Secrets Manager resources
CloudFormation guard rules template for Amazon Redshift resources
CloudFormation guard rules template for Amazon Route53 resources
CloudFormation guard rules template for Amazon MSK (Managed Apache Kafka) resources
CloudFormation guard rules template for Amazon Neptune resources
CloudFormation guard rules template for Auto Scaling Group resources