
CloudFormation CI/CD with Security Scanning



Configuration


AWS Account

Select the AWS account and region in which the CodeCommit repository, CodeBuild project and CodePipeline pipeline will be created. On each commit, the pipeline takes CloudFormation templates from the repository and deploys them, with or without security checks.


CFN Guard Pipeline

# CI/CD pipeline for CloudFormation templates:
#   CodeCommit source -> CodeBuild (cfn-guard validation) -> CloudFormation deploy.
# Resource names, bucket name and stack name are hard-coded below; the
# template declares no parameters (see the empty Parameters block at the end).
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  # Source repository. The CodeBuild buildspec reads both the template
  # (cfn_template.yaml) and the guard ruleset (cfn_guard_ruleset) from the
  # checkout of this repository, so write access to it controls both what
  # is deployed and what it is checked against.
  CodeCommitRepository:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: 'cfn-templates'
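  # Execution role for the cfn-guard CodeBuild project. Each statement is
  # scoped to resources defined in this template: the project's own log
  # group and report groups, the pipeline artifact bucket and the source
  # repository.
  CodeBuildProjectServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: codebuild-cfn-guard-service-role
      Description: Service Role for CFN Guard CodeBuild Project
      Path: /service-role/
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: codebuild-cfn-guard-service-role-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Log-group ARNs are regional and account-scoped; an ARN with
              # those fields left empty does not match the group CodeBuild
              # writes to, so the pseudo-parameters fill them in.
              - Effect: Allow
                Resource:
                  - 'Fn::Sub': 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/cfn-guard-validation'
                  - 'Fn::Sub': 'arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/cfn-guard-validation:*'
                Action:
                  - 'logs:CreateLogGroup'
                  - 'logs:CreateLogStream'
                  - 'logs:PutLogEvents'
              # Artifact bucket: bucket-level actions need the bucket ARN,
              # object-level actions need the object ARN pattern.
              - Effect: Allow
                Resource:
                  - 'Fn::GetAtt': [CodePipelineArtifactS3Bucket, Arn]
                  - 'Fn::Sub': '${CodePipelineArtifactS3Bucket.Arn}/*'
                Action:
                  - 's3:PutObject'
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketAcl'
                  - 's3:GetBucketLocation'
              # The repository ARN is taken from the resource above so it
              # cannot drift from RepositoryName.
              - Effect: Allow
                Resource:
                  - 'Fn::GetAtt': [CodeCommitRepository, Arn]
                Action:
                  - 'codecommit:GitPull'
              # Test/coverage report groups created by this project.
              - Effect: Allow
                Action:
                  - 'codebuild:CreateReportGroup'
                  - 'codebuild:CreateReport'
                  - 'codebuild:UpdateReport'
                  - 'codebuild:BatchPutTestCases'
                  - 'codebuild:BatchPutCodeCoverages'
                Resource:
                  - 'Fn::Sub': 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/cfn-guard-validation-*'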
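  # Validation build: downloads a pinned cfn-guard release and runs it
  # against the template and ruleset present in the source checkout.
  CodeBuildProject:
    Type: 'AWS::CodeBuild::Project'
    Properties:
      Name: cfn-guard-validation
      Description: Build Project to check cfn templates with CFN Guard
      ServiceRole:
        'Fn::GetAtt':
          - CodeBuildProjectServiceRole
          - Arn
      # NO_ARTIFACTS applies to stand-alone builds; when started from the
      # pipeline's Build action the artifacts declared in the buildspec are
      # handed to CodePipeline as BuildArtifact.
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        Type: LINUX_CONTAINER
        Image: 'aws/codebuild/standard:5.0'
        ComputeType: BUILD_GENERAL1_SMALL
      Source:
        Type: CODECOMMIT
        # A CODECOMMIT source takes the HTTPS clone URL, not the bare
        # repository name.
        Location:
          'Fn::GetAtt':
            - CodeCommitRepository
            - CloneUrlHttp
        # Inline buildspec as a single block scalar (content unchanged).
        # NOTE(review): the cfn-guard tarball is fetched over HTTPS from
        # GitHub releases with a pinned release tag but without a checksum
        # or signature check, and the ruleset comes from the same commit as
        # the template being validated. The validate command runs in
        # post_build; a non-zero exit fails the build, which stops the
        # pipeline before the Deploy stage.
        BuildSpec: |
          version: 0.2
          env:
            variables:
              CFN_GUARD_VERSION: "2.0.4"
              CFN_GUARD_MAJOR_VER: "v2"
              OS_TYPE: "ubuntu"
              CFN_GUARD_FILENAME: "cfn-guard"
              CF_TEMPLATE: "cfn_template.yaml"
              CF_ORG_RULESET:  "cfn_guard_ruleset"
          phases:
            install:
              commands:
                - apt-get update
                - apt-get install git -y
            pre_build:
              commands:
                - echo "Setting up the environment for AWS CloudFormation Guard"
                - echo "More info https://github.com/aws-cloudformation/cloudformation-guard"
            build:
              commands:
                - echo "Pull from github"
                - echo "More info https://github.com/aws-cloudformation/cloudformation-guard/releases"
                - wget -O $CFN_GUARD_FILENAME.tar.gz https://github.com/aws-cloudformation/cloudformation-guard/releases/download/$CFN_GUARD_VERSION/cfn-guard-$CFN_GUARD_MAJOR_VER-$OS_TYPE-latest.tar.gz
                - echo "Extract cfn-guard"
                - tar xvf $CFN_GUARD_FILENAME.tar.gz ./cfn-guard-v2-ubuntu-latest/cfn-guard
            post_build:
              commands:
                - echo "Validate CloudFormation template with cfn-guard tool"
                - echo "More information https://github.com/aws-cloudformation/cloudformation-guard/blob/master/cfn-guard/README.md"
                - cfn-guard-v2-ubuntu-latest/cfn-guard validate --data $CF_TEMPLATE --rules $CF_ORG_RULESET --output-format json --show-summary none
          artifacts:
            files:
              - $CF_TEMPLATE
            name: guard_templates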
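  # Role assumed by the pipeline itself. Permissions are limited to what
  # the three stages below use: the source repository, the build project,
  # the artifact bucket, the deployed stack (cfn-stack) and passing the
  # CloudFormation deploy role. Unused grants (codedeploy, codestar-connections,
  # ec2:*, s3:* and cloudformation:* on '*') are not included.
  CodePipelinePipelineServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: codepipeline-cfn-guard-service-role
      Description: Service Role for CFN Guard Code Pipeline
      Path: /service-role/
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codepipeline.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: codepipeline-cfn-guard-service-role-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Source stage: read the repository.
              - Effect: Allow
                Action:
                  - 'codecommit:UploadArchive'
                  - 'codecommit:CancelUploadArchive'
                  - 'codecommit:GetCommit'
                  - 'codecommit:GetUploadArchiveStatus'
                  - 'codecommit:GetBranch'
                Resource:
                  - 'Fn::GetAtt': [CodeCommitRepository, Arn]
              # Build stage: start and poll the validation project.
              - Effect: Allow
                Action:
                  - 'codebuild:BatchGetBuilds'
                  - 'codebuild:StartBuild'
                Resource:
                  - 'Fn::GetAtt': [CodeBuildProject, Arn]
              # Artifact store: read and write pipeline artifacts.
              - Effect: Allow
                Action:
                  - 's3:GetObject'
                  - 's3:GetObjectVersion'
                  - 's3:GetBucketVersioning'
                  - 's3:GetBucketLocation'
                  - 's3:ListBucket'
                  - 's3:PutObject'
                  - 's3:PutObjectAcl'
                Resource:
                  - 'Fn::GetAtt': [CodePipelineArtifactS3Bucket, Arn]
                  - 'Fn::Sub': '${CodePipelineArtifactS3Bucket.Arn}/*'
              # Deploy stage (CREATE_UPDATE): stack-scoped CloudFormation
              # actions on the stack named in the Deploy action.
              - Effect: Allow
                Action:
                  - 'cloudformation:CreateStack'
                  - 'cloudformation:UpdateStack'
                  - 'cloudformation:DeleteStack'
                  - 'cloudformation:DescribeStacks'
                  - 'cloudformation:CreateChangeSet'
                  - 'cloudformation:DeleteChangeSet'
                  - 'cloudformation:DescribeChangeSet'
                  - 'cloudformation:ExecuteChangeSet'
                  - 'cloudformation:SetStackPolicy'
                Resource:
                  - 'Fn::Sub': 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/cfn-stack/*'
              # ValidateTemplate has no resource-level scope.
              - Effect: Allow
                Action: 'cloudformation:ValidateTemplate'
                Resource: '*'
              # Only the deploy role defined in this template may be passed,
              # and only to CloudFormation.
              - Effect: Allow
                Action: 'iam:PassRole'
                Resource:
                  - 'Fn::GetAtt': [CodePipelineClouformationServiceRole, Arn]
                Condition:
                  StringEqualsIfExists:
                    'iam:PassedToService':
                      - cloudformation.amazonaws.com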
  # Role CloudFormation assumes to deploy whatever template arrives from the
  # Build stage. The second policy statement allows every action on every
  # resource when the call is made via CloudFormation, i.e. administrative
  # power over the account. Together with CAPABILITY_NAMED_IAM on the Deploy
  # action, anyone who can push to the pipeline's branch — and edit the
  # cfn_guard_ruleset that the buildspec reads from the same commit — can
  # deploy arbitrary resources. Treat write access to the repository and
  # review of the ruleset as controls of the same weight as this role.
  # NOTE(review): the logical name has a typo (Clouformation); the pipeline's
  # Deploy action references it, so rename both together.
  CodePipelineClouformationServiceRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: codepipeline-cfn-guard-cloudformation-service-role
      Description: Service Role for CFN Guard Code Pipeline
      Path: /service-role/
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - cloudformation.amazonaws.com
            Condition: {}
            Action:
              - 'sts:AssumeRole'
      Policies:
        - PolicyName: codepipeline-cfn-guard-cloudformation-service-role-policy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # StringEquals is an exact match (only StringLike expands '*'),
              # so this statement matches only a literal service name of '*';
              # in practice CreateServiceLinkedRole is granted by the '*'
              # statement below.
              - Effect: Allow
                Action: 'iam:CreateServiceLinkedRole'
                Resource: '*'
                Condition:
                  StringEquals:
                    'iam:AWSServiceName':
                      - '*'
              # Unrestricted, limited only to calls made through CloudFormation.
              - Effect: Allow
                Action: '*'
                Resource: '*'
                Condition:
                  'ForAnyValue:StringEquals':
                    'aws:CalledVia':
                      - cloudformation.amazonaws.com
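  # Artifact store shared by the Build and Deploy stages. Public access is
  # fully blocked and objects are encrypted at rest with SSE-KMS.
  CodePipelineArtifactS3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      # Bucket names are global; creation fails if this name is already
      # taken in another account.
      BucketName: cfn-guard-codepipeline-artifact-store
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - BucketKeyEnabled: false
            # With aws:kms and no KMSMasterKeyID, S3 uses the AWS managed
            # key (aws/s3). A key must otherwise be given as a key ID, key
            # ARN or 'alias/...' name; the bare value 'aws/s3' is none of
            # those forms, so it is omitted rather than guessed.
            ServerSideEncryptionByDefault:
              SSEAlgorithm: 'aws:kms'
      # Versioning is not enabled; enable it if artifact history is wanted.
      VersioningConfiguration:
        Status: Suspended
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true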
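  # Three-stage pipeline: CodeCommit source -> cfn-guard build ->
  # CloudFormation deploy of the validated template.
  CodePipeline:
    Type: 'AWS::CodePipeline::Pipeline'
    Properties:
      Name: cfn-deploy-pipeline
      RoleArn:
        'Fn::GetAtt':
          - CodePipelinePipelineServiceRole
          - Arn
      # Single-region pipeline: ArtifactStore (singular) replaces the
      # ArtifactStores list, whose entries require a non-empty Region.
      ArtifactStore:
        Type: S3
        Location:
          Ref: CodePipelineArtifactS3Bucket
      Stages:
        - Name: Source
          Actions:
            - Name: Source
              ActionTypeId:
                Category: Source
                Provider: CodeCommit
                Version: '1'
                Owner: AWS
              OutputArtifacts:
                - Name: SourceArtifact
              Configuration:
                RepositoryName:
                  'Fn::GetAtt':
                    - CodeCommitRepository
                    - Name
                BranchName: main
                # Polling is off and this template defines no event rule for
                # the repository, so runs must be started manually or by a
                # rule created outside this template.
                PollForSourceChanges: 'false'
                OutputArtifactFormat: CODE_ZIP
        - Name: Build
          Actions:
            - Name: Build
              ActionTypeId:
                Category: Build
                Provider: CodeBuild
                Version: '1'
                Owner: AWS
              InputArtifacts:
                - Name: SourceArtifact
              # BuildArtifact carries the file listed under artifacts.files
              # in the buildspec.
              OutputArtifacts:
                - Name: BuildArtifact
              Configuration:
                ProjectName:
                  Ref: CodeBuildProject
                BatchEnabled: 'false'
        - Name: Deploy
          Actions:
            - Name: Deploy
              ActionTypeId:
                Category: Deploy
                Provider: CloudFormation
                Version: '1'
                Owner: AWS
              InputArtifacts:
                - Name: BuildArtifact
              Configuration:
                ActionMode: CREATE_UPDATE
                StackName: cfn-stack
                # CAPABILITY_NAMED_IAM lets the deployed template create
                # IAM principals with fixed names, and the deploy role
                # (CodePipelineClouformationServiceRole) allows '*', so the
                # guard ruleset is the only control on what gets deployed.
                Capabilities: CAPABILITY_NAMED_IAM
                RoleArn:
                  'Fn::GetAtt':
                    - CodePipelineClouformationServiceRole
                    - Arn
                # Must match the file named by CF_TEMPLATE in the buildspec.
                TemplatePath: 'BuildArtifact::cfn_template.yaml'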
# No parameters, metadata or conditions are declared; names, the bucket
# name and the stack name are hard-coded in Resources above.
Parameters: {}
Metadata: {}
Conditions: {}