A configuration package to automatically monitor CloudFormation stack drift (when resources deployed through CloudFormation are manually changed afterwards), and optionally alert on these events.
A collection of AWS Security controls for AWS CloudFormation. Controls include AWS Config rules for monitoring compliance, IAM policies, and CloudWatch Alarms. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.
A config rule that checks whether your CloudFormation stacks are sending event notifications to an SNS topic. Optionally checks whether specified SNS topics are used.
A config rule that checks whether an AWS CloudFormation stack's actual configuration differs, or has drifted, from its expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected configuration. The rule and the stack are COMPLIANT when the stack drift status is IN_SYNC. The rule and the stack are NON_COMPLIANT when the stack drift status is DRIFTED.
A CloudWatch Alarm that triggers when a new CloudFormation stack is created
A CloudWatch Alarm that triggers when an existing CloudFormation stack is updated
A CloudWatch Alarm that triggers when an existing CloudFormation stack is deleted
An IAM policy that allows access to all CloudFormation APIs, but denies access to the UpdateStack and DeleteStack APIs on a specific stack (e.g. a production stack). This policy also provides the permissions necessary to complete this action on the console.
An IAM policy that allows users to create new or update existing CloudFormation stacks, as long as the template URL used is allowed. This policy also provides the permissions necessary to complete this action on the console.
An IAM policy that prevents creating or updating CloudFormation stacks that contain specific resource types (this policy uses IAM resources as the default example). This policy also provides the permissions necessary to complete this action on the console.
This SCP restricts IAM principals in accounts from making changes to specific CloudFormation stacks, with the exception of a specific IAM role (this could be a common administrative IAM role created in all accounts in your organization).
A configuration package to create a custom CloudFormation Guard rules template. The package includes 150+ rules across most AWS services including EC2, S3, IAM, and many more.
CloudFormation guard rules template for IAM resources
CloudFormation guard rules template for EC2 resources
CloudFormation guard rules template for S3 resources
CloudFormation guard rules template for Security Groups
CloudFormation guard rules template for AWS Lambda resources
CloudFormation guard rules template for AWS OpenSearch resources
CloudFormation guard rules template for Amazon VPC resources
CloudFormation guard rules template for Amazon SageMaker resources
CloudFormation guard rules template for DynamoDB and DynamoDB Accelerator (DAX) resources
CloudFormation guard rules template for AWS Certificate Manager (ACM) resources
CloudFormation guard rules template for AWS Budget resources
CloudFormation guard rules template for AWS CloudFront resources
CloudFormation guard rules template for CloudWatch Log groups
CloudFormation guard rules template for CodeBuild resources
CloudFormation guard rules template for AWS Config
CloudFormation guard rules template for AWS DMS
CloudFormation guard rules template for AWS DocumentDB resources
CloudFormation guard rules template for EFS resources
CloudFormation guard rules template for ElastiCache resources
CloudFormation guard rules template for KMS resources
CloudFormation guard rules template for Network Firewall resources
CloudFormation guard rules template for SNS resources
CloudFormation guard rules template for SQS resources
CloudFormation guard rules template for WAF resources
CloudFormation guard rules template for API Gateway resources
CloudFormation guard rules template for AWS Backup resources
CloudFormation guard rules template for AWS CloudTrail resources
CloudFormation guard rules template for AWS CloudWatch Alarms
CloudFormation guard rules template for Amazon ECR resources
CloudFormation guard rules template for Amazon EKS resources
CloudFormation guard rules template for AWS Load Balancer resources
CloudFormation guard rules template for EMR resources
CloudFormation guard rules template for Amazon FSx resources
CloudFormation guard rules template for AWS Secrets Manager resources
CloudFormation guard rules template for Amazon Redshift resources
CloudFormation guard rules template for Amazon Route53 resources
CloudFormation guard rules template for Amazon MSK (Managed Apache Kafka) resources
CloudFormation guard rules template for Amazon Neptune resources
CloudFormation guard rules template for Auto Scaling Group resources