https://github.com/wolfeidau/secure-cloudformation-resources
A group of cloudformation resources which implement a security baseline
https://github.com/wolfeidau/secure-cloudformation-resources
aws cloudformation go security
Last synced: 2 months ago
JSON representation
A group of cloudformation resources which implement a security baseline
- Host: GitHub
- URL: https://github.com/wolfeidau/secure-cloudformation-resources
- Owner: wolfeidau
- License: apache-2.0
- Created: 2020-10-13T19:43:08.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2023-01-09T23:01:57.000Z (over 3 years ago)
- Last Synced: 2025-12-31T21:12:38.879Z (6 months ago)
- Topics: aws, cloudformation, go, security
- Language: Go
- Homepage:
- Size: 43.9 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# secure-cloudformation-resources
This is an effort to create a group of cloudformation resources which implement a security baseline as a parameter to their creation, which influences their default configuration to help keep up with the latest recommendations.
For more background on this problem take a look at my blog post [Why isn't my s3 bucket secure?](https://www.wolfe.id.au/2020/10/08/why-isnt-my-s3-bucket-secure/).
# Example
Keeping things simple for developers this is all that is required to create an S3 bucket with the baseline selected at creation.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform:
- "YOUR_ACCOUNT_ID::SecurityTransform"
Resources:
MyDataBucket:
Type: Secure::S3::Bucket
Properties:
Baseline: standards/aws-foundational-security-best-practices/v/1.0.0
```
After the magic of translation this becomes.
```json
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"MyDataBucket": {
"Type": "AWS::S3::Bucket",
"Properties": {
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"PublicAccessBlockConfiguration": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
}
}
}
}
}
```
So without any effort at all a developer has satisfied most of the security controls in [AWS Foundational Security Best Practices controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html) for creating s3 bucket resources.
[S3.1](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-1) S3 Block Public Access setting should be enabled
[S3.2](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2) S3 buckets should prohibit public read access
[S3.3](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-3) S3 buckets should prohibit public write access
[S3.4](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-4) S3 buckets should have server-side encryption enabled
# AWS Links and Security Standards
* [AWS Security Hub User Guide](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)
* [AWS Foundational Security Best Practices controls](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html)
* [CIS Amazon Web Services Foundations 1.2.0 (PDF)](https://d1.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
# License
This code is released under Apache 2.0 license and is copyright [Mark Wolfe](https://www.wolfe.id.au).