Best practice rules for AWS CloudFormation
AWS CloudFormation gives you the ability to easily manage a collection of AWS resources by automating the creation and termination of your infrastructure, services, and applications.
CloudFormation is broken down into two parts: templates and stacks. A template is a file that defines what resources are required to run your application. For example, the template may dictate that your application requires 3 Elastic Compute Cloud (EC2) servers and a specific Identity and Access Management (IAM) policy. Once the template is uploaded, CloudFormation automatically launches the required resources and builds a running instance (stack) that matches the template.
Trend Micro Cloud One™ – Conformity monitors AWS CloudFormation with the following rules:
- AWS CloudFormation Deletion Policy in Use
Ensure a deletion policy is used for your Amazon CloudFormation stacks.
- AWS CloudFormation Drift Detection
Ensure that Amazon CloudFormation stacks have not drifted from their templates.
- AWS CloudFormation In Use
Ensure the CloudFormation service is in use for defining your cloud architectures on Amazon Web Services.
- AWS CloudFormation Stack Failed Status
Ensure AWS CloudFormation stacks are not in a Failed state for more than 6 hours.
- AWS CloudFormation Stack Policy
Ensure CloudFormation stack policies are set to prevent accidental updates to stack resources.
- CloudFormation Stack with IAM Role
Ensure that the IAM role associated with your AWS CloudFormation stack grants least privilege.
- Enable AWS CloudFormation Stack Notifications
Ensure your AWS CloudFormation stacks are integrated with Simple Notification Service (SNS).
- Enable AWS CloudFormation Stack Termination Protection
Ensure the Termination Protection feature is enabled for your AWS CloudFormation stacks.