{"id":20853792,"url":"https://github.com/wolfeidau/secure-cloudformation-resources","last_synced_at":"2026-04-29T03:30:57.152Z","repository":{"id":38289277,"uuid":"303811706","full_name":"wolfeidau/secure-cloudformation-resources","owner":"wolfeidau","description":"A group of cloudformation resources which implement a security baseline","archived":false,"fork":false,"pushed_at":"2023-01-09T23:01:57.000Z","size":45,"stargazers_count":1,"open_issues_count":4,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-12-31T21:12:38.879Z","etag":null,"topics":["aws","cloudformation","go","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wolfeidau.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-10-13T19:43:08.000Z","updated_at":"2020-10-23T20:55:58.000Z","dependencies_parsed_at":"2023-02-08T15:45:24.696Z","dependency_job_id":null,"html_url":"https://github.com/wolfeidau/secure-cloudformation-resources","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/wolfeidau/secure-cloudformation-resources","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fsecure-cloudformation-resources","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fsecure-cloudformation-resources/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fsecure-cloudformation-resources/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fsecure-cloudformation-resources/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wolfeidau","download_url":"https://codeload.github.com/wolfeidau/secure-cloudformation-resources/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wolfeidau%2Fsecure-cloudformation-resources/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32409077,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T02:37:21.628Z","status":"ssl_error","status_checked_at":"2026-04-29T02:36:50.947Z","response_time":110,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloudformation","go","security"],"created_at":"2024-11-18T03:23:12.654Z","updated_at":"2026-04-29T03:30:57.128Z","avatar_url":"https://github.com/wolfeidau.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# secure-cloudformation-resources\n\nThis is an effort to create a group of cloudformation resources which implement a security baseline as a parameter to their creation, which influences their default configuration to help keep up with the latest recommendations.\n\nFor more background on this problem take a look at my blog post [Why isn't my s3 bucket secure?](https://www.wolfe.id.au/2020/10/08/why-isnt-my-s3-bucket-secure/).\n\n# Example\n\nKeeping things simple for developers this is all that is required to create an S3 bucket with the baseline selected at creation.\n\n```yaml\nAWSTemplateFormatVersion: \"2010-09-09\"\n\nTransform:\n  - \"YOUR_ACCOUNT_ID::SecurityTransform\"\nResources:\n  MyDataBucket:\n    Type: Secure::S3::Bucket\n    Properties: \n      Baseline: standards/aws-foundational-security-best-practices/v/1.0.0\n```\n\nAfter the magic of translation this becomes.\n\n```json\n{\n  \"AWSTemplateFormatVersion\": \"2010-09-09\",\n  \"Resources\": {\n    \"MyDataBucket\": {\n      \"Type\": \"AWS::S3::Bucket\",\n      \"Properties\": {\n        \"BucketEncryption\": {\n          \"ServerSideEncryptionConfiguration\": [\n            {\n              \"ServerSideEncryptionByDefault\": {\n                \"SSEAlgorithm\": \"AES256\"\n              }\n            }\n          ]\n        },\n        \"PublicAccessBlockConfiguration\": {\n          \"BlockPublicAcls\": true,\n          \"BlockPublicPolicy\": true,\n          \"IgnorePublicAcls\": true,\n          \"RestrictPublicBuckets\": true\n        }\n      }\n    }\n  }\n}\n```\n\nSo without any effort at all a developer has satisfied most of the security controls in [AWS Foundational Security Best Practices controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) for creating s3 bucket resources.\n\n[S3.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-1) S3 Block Public Access setting should be enabled\n[S3.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2) S3 buckets should prohibit public read access\n[S3.3](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-3) S3 buckets should prohibit public write access\n[S3.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-4) S3 buckets should have server-side encryption enabled\n\n# AWS Links and Security Standards\n\n* [AWS Security Hub User Guide](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)\n* [AWS Foundational Security Best Practices controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html)\n* [CIS Amazon Web Services Foundations 1.2.0 (PDF)](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)\n\n# License\n\nThis code is released under Apache 2.0 license and is copyright [Mark Wolfe](https://www.wolfe.id.au).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwolfeidau%2Fsecure-cloudformation-resources","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwolfeidau%2Fsecure-cloudformation-resources","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwolfeidau%2Fsecure-cloudformation-resources/lists"}