Integrating AWS CloudFormation Security Tests with AWS Security Hub and AWS CodeBuild Reports

Chanci Turner, Amazon IXD – VGT2 learning manager

The principle of infrastructure as code, utilizing pipelines for continuous integration and delivery, is crucial for developing cloud infrastructure. Incorporating code quality checks and vulnerability scans into these pipelines is vital for ensuring the security of this infrastructure as code. In a previous blog post, “How to Build a CI/CD Pipeline for Container Vulnerability Scanning with Trivy and AWS Security Hub,” you learned how to efficiently scan containers to identify Common Vulnerabilities and Exposures (CVEs) and collaborate with developers to mitigate them.

In this article, we will expand on that topic and introduce a method for integrating open-source tools that detect potentially insecure patterns in your AWS CloudFormation templates with AWS Security Hub and AWS CodeBuild reports. We will utilize Stelligent’s open-source tool, CFN-Nag, and also explore how to extend this solution using AWS CloudFormation Guard, which is currently in preview.

One of the key advantages of this integration is that it provides both security and development teams with visibility into potential security risks, as well as resources that may not comply with your company’s policies, before deployment occurs.

Benefits and Deliverables of the Solution

This solution includes a ready-to-use template for scanning your AWS CloudFormation templates using CFN-Nag. This tool features over 140 predefined patterns, including overly permissive AWS Identity and Access Management (IAM) rules, security group rules, and checks for disabled access logs or encryption. You can also define custom rules to align with your company’s policies, as explained later in this post, using custom profiles and exceptions to manage false positives.

Our solution allows you to:

  • Integrate CFN-Nag into a CodeBuild project to scan infrastructure code for over 140 potential insecure patterns, categorizing them as warnings or failures.
  • Learn to incorporate AWS CloudFormation Guard (CFN-Guard), requiring the definition of your scanning rules.
  • Generate CodeBuild reports that help developers easily identify failed security tests. In our example, the build process fails if any critical findings are detected.
  • Import aggregated findings into Security Hub per code branch, enabling security professionals to quickly identify vulnerable code in repositories and branches. Each branch will have one aggregated finding imported.
  • Store the original scan report in an Amazon Simple Storage Service (Amazon S3) bucket for auditing purposes.

Architecture Overview

The architecture of this solution is represented in Figure 1. The main steps include:

  1. Your pipeline is triggered when new code is pushed to CodeCommit (which is not included in the template) to initiate a new build.
  2. The build process scans the AWS CloudFormation templates using the cfn_nag_scan or cfn-guard command as specified in the build job.
  3. A Lambda function is activated, and the scan report is sent to it.
  4. The scan report is published in an S3 bucket through the Lambda function.
  5. The Lambda function aggregates the findings report per repository and git branch and imports the report into Security Hub. It also suppresses any previous findings for the current repo and branch, calculating severity based on the number of findings and their classification as warnings or critical.
  6. Finally, the Lambda function generates the CodeBuild test report in JUnit format and returns it to CodeBuild. This report only includes details about failed tests.
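The Lambda side of steps 3 to 6, as an added illustration that is not the project's own code: it flattens a scan report, computes an aggregated severity from the two weight coefficients, builds the single ASFF finding per repository and branch, and emits the JUnit report of failed tests. The sample report is constructed and modelled on cfn_nag_scan's JSON output (an assumption, as is the weighted-count scoring); the S3 upload and the BatchImportFindings call are left out.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample, assumed to follow the layout of `cfn_nag_scan --output-format json`.
SAMPLE_REPORT = json.dumps([{"filename": "templates/app.yaml", "file_results": {"violations": [
    {"id": "F3", "type": "FAIL", "message": "IAM policy allows action *",
     "logical_resource_ids": ["AdminRole"], "line_numbers": [12]},
    {"id": "W35", "type": "WARN", "message": "S3 bucket access logging disabled",
     "logical_resource_ids": ["LogBucket"], "line_numbers": [40]}]}}])

def aggregate(report_json):
    """Flatten every violation in the report into (prefix, id, file, resource, message) rows."""
    rows = []
    for entry in json.loads(report_json):
        for v in entry["file_results"]["violations"]:
            prefix = "F" if v["type"] == "FAIL" else "W"   # F = failure, W = warning
            for res in v["logical_resource_ids"]:
                rows.append((prefix, v["id"], entry["filename"], res, v["message"]))
    return rows

def severity(rows, fail_weight, warn_weight):
    """Assumed scoring: weighted count of failures and warnings, clamped to ASFF's 0-100 range."""
    fails = sum(1 for r in rows if r[0] == "F")
    return min(100, fail_weight * fails + warn_weight * (len(rows) - fails))

def asff_finding(rows, repo, branch, account, region, fail_weight, warn_weight):
    """One aggregated Security Hub finding per repo and branch, in ASFF, for BatchImportFindings."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"cfn-scan/{repo}/{branch}",          # stable Id: a re-import updates, not duplicates
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": "cfn_nag", "AwsAccountId": account,
        "CreatedAt": now, "UpdatedAt": now,
        "Title": f"CFN scan {repo}:{branch}",
        "Description": "\n".join(f"{p} {i} {f}:{r} {m}" for p, i, f, r, m in rows) or "no findings",
        "Severity": {"Normalized": severity(rows, fail_weight, warn_weight)},
        "Resources": [{"Type": "Other", "Id": f"{repo}:{branch}"}],
    }

def junit_report(rows):
    """JUnit XML for CodeBuild reports: only failed tests, each named with its W or F prefix."""
    suite = ET.Element("testsuite", name="SecurityReports", tests=str(len(rows)), failures=str(len(rows)))
    for prefix, vid, fname, res, msg in rows:
        case = ET.SubElement(suite, "testcase", name=f"{prefix} {vid} {res}", classname=fname)
        ET.SubElement(case, "failure", message=msg)
    return ET.tostring(suite, encoding="unicode")
```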

Walkthrough for Setup

To begin, you will need to set up the sample solution that scans one of your repositories utilizing CFN-Nag or CFN-Guard.

  1. Log in to your AWS account if you haven’t already. Choose Launch Stack to open the AWS CloudFormation console with the preconfigured demo template, then choose Next. The latest code is also available on GitHub.
  2. Complete the stack parameters as shown in Figure 2:
    • CodeCommitBranch: The branch name to monitor, e.g., refs/heads/master.
    • CodeCommitUrl: The clone URL of the CodeCommit repository to monitor, which must be in the same region as the launched stack.
    • TemplateFolder: The directory in your repo containing the AWS CloudFormation templates.
    • Weight coefficient for failing: The weight coefficient for a failing violation in the template.
    • Weight coefficient for warning: The weight coefficient for a warning in the template.
    • Security tool: The static analysis tool for analyzing templates (CFN-Nag or CFN-Guard).
    • Fail build: Specify whether to fail the build when security findings arise.
    • S3 bucket with sources: This bucket holds all sources, such as the Lambda function and templates. You may leave the default text if sources are not customized.
    • Prefix for S3 bucket with sources: The prefix for all objects can also remain as default if not customizing.

Viewing Scan Results

After executing the CodeBuild project, you can view the results in three different ways depending on your preferences: CodeBuild report, Security Hub findings, or the original CFN-Nag or CFN-Guard report.

  1. CodeBuild Report: In the AWS Management Console, navigate to CodeBuild and select Report Groups. The report of interest is found under SecurityReports; both failures and warnings appear as failed tests, prefixed with W (warning) or F (failure).
  2. Security Hub Findings: In the AWS Management Console, go to Security Hub and select the Findings view. The aggregated finding for each branch is titled CFN scan repo:name:branch (the repo name and branch are placeholders for your repository and branch), with Company set to Personal and Product set to Default. By default only the latest finding is displayed.
  3. Original Scan Report: Finally, the original scan report is stored in the S3 bucket, where it remains available for auditing.
