
Scan for AWS CloudFormation misconfigurations with Snyk IaC

Written by:
Ilianna Papastefanou

June 17, 2021


We’re excited to announce the launch of support for AWS CloudFormation in Snyk Infrastructure as Code. In our recent Infrastructure as Code Security Insights report, we found that 36% of survey participants were using AWS CloudFormation (CF) as their primary infrastructure as code tool of choice. Using Snyk Infrastructure as Code, you can now scan your CF YAML or JSON templates against our comprehensive set of AWS security rules.

With these new capabilities, you have the power to treat your CloudFormation files like any other code and shift security left, early in your development process, making security an integral part of your infrastructure development and deployment pipelines.

Integrate where it matters

This functionality is available both by importing a repository or via our CLI, meaning you can integrate anywhere from local development through to source control and your CI/CD pipelines.

Using this example repository, which contains insecure CloudFormation template files, we integrated the repository from GitHub with Snyk and detected a range of issues across the CF files.


You can expand the repository in Snyk to view the list of scanned configuration files, and in the screen below we’ve selected the db.yml file. Here you can see the configuration issues that were found, each linked to the relevant line in the original CF template:


Alternatively, you can get the same feedback using the Snyk CLI, which processes the files locally, meaning no data is sent to Snyk.

$ snyk iac test db.yml

Testing db.yml...

Infrastructure as code issues:
  ✗ Non-encrypted RDS instance at rest [Medium Severity] [SNYK-CC-TF-201] in RDS
    introduced by Resources[Database] > Properties > StorageEncrypted

  ✗ RDS IAM authentication is disabled [Medium Severity] [SNYK-CC-AWS-414] in RDS
    introduced by Resources[Database] > Properties > EnableIAMDatabaseAuthentication

  ✗ Non-Encrypted SNS Topic [Medium Severity] [SNYK-CC-TF-55] in SNS
    introduced by Resources > DatabaseAlarmTopic > Properties > KmsMasterKeyId

  ✗ SNS topic is not encrypted with customer managed key [Low Severity] [SNYK-CC-AWS-422] in SNS
    introduced by Resources[DatabaseAlarmTopic] > Properties > KmsMasterKeyId

Organization:      mycompany.test
Type:              CloudFormation
Target file:       db.yml
Project name:      cloudformation-example
Open source:       no
Project path:      /Users/iliana/workspace/snyk-iac-cloudformation

Tested db.yml for known issues, found 4 issues
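Each "introduced by" path in the output names the template property to change. As an added illustration (not taken from the example repository or from Snyk), the fragment below sets the properties named in the four findings. Only the logical IDs Database and DatabaseAlarmTopic come from the scan output; the parameters, engine, instance class and key are assumptions.

```yaml
# Constructed example. Database and DatabaseAlarmTopic are the logical IDs
# from the scan output; all other names and values are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  DBPassword:
    Type: String
    NoEcho: true            # keep the password out of console and API output
  KmsKeyArn:
    Type: String            # ARN of a customer managed KMS key (assumed to exist)
Resources:
  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.small
      AllocatedStorage: "20"
      MasterUsername: dbadmin
      MasterUserPassword: !Ref DBPassword
      # SNYK-CC-TF-201 points at Properties > StorageEncrypted:
      # omitted or false leaves the storage unencrypted at rest.
      StorageEncrypted: true
      KmsKeyId: !Ref KmsKeyArn
      # SNYK-CC-AWS-414 points at Properties > EnableIAMDatabaseAuthentication:
      # omitted or false leaves password authentication as the only option.
      EnableIAMDatabaseAuthentication: true
  DatabaseAlarmTopic:
    Type: AWS::SNS::Topic
    Properties:
      # SNYK-CC-TF-55 and SNYK-CC-AWS-422 both point at KmsMasterKeyId.
      # Referencing a customer managed key sets the property and avoids
      # relying on an AWS managed key.
      KmsMasterKeyId: !Ref KmsKeyArn
```

Changing StorageEncrypted on an existing instance makes CloudFormation replace it, so plan a snapshot-based migration first. The key policy must also allow whichever service publishes to the topic to use the key.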

Using AWS Cloud Development Kit

The AWS Cloud Development Kit (AWS CDK) is an open source software development framework to define your cloud application resources using familiar programming languages. Using the AWS CDK, you can define your infrastructure in a programming language you are more familiar with, such as TypeScript or Python, instead of writing YAML. This approach can offer more flexibility and accessibility: you can work in a language and IDE that you’re already comfortable with, and you can use programming constructs to avoid the need for templating your YAML files.

You can also scan your AWS CDK files using the iac test functionality in the Snyk CLI by first converting them to a JSON file using the AWS CDK’s built-in synth subcommand.

Using another example, which uses TypeScript to define some infrastructure, you can run the following commands to test the configurations in your pipelines using the Snyk CLI:

# install your dependencies
npm install
# convert your typescript to a CloudFormation json file
cdk synth

# scan the rendered json file using the Snyk IaC CLI
snyk iac test cdk.out/VpcStackWithIssues.template.json

Testing VpcStackWithIssues.template.json...

Infrastructure as code issues:
  ✗ Security Group allows open ingress [Medium Severity] [SNYK-CC-TF-1] in VPC
    introduced by Resources > SSHSG26D56496 > Properties > SecurityGroupIngress[0]

  ✗ AWS Security Group allows open egress [Low Severity] [SNYK-CC-TF-73] in VPC
    introduced by Resources[SSHSG26D56496] > Properties > SecurityGroupEgress[0] > CidrIp

  ✗ Rule allows open egress [Low Severity] [SNYK-CC-TF-72] in VPC
    introduced by Resources[SSHSG26D56496] > Properties > SecurityGroupEgress[0]

Organization:      mycompany.test
Type:              CloudFormation
Target file:       cdk.out/VpcStackWithIssues.template.json
Project name:      cdk.out
Open source:       no
Project path:      cdk.out/VpcStackWithIssues.template.json

Tested VpcStackWithIssues.template.json for known issues, found 3 issues

This workflow would be perfect for a build pipeline where it can be fully automated on each pull request. As of the publication date, AWS CDK files can only be scanned using a CLI-driven workflow.
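One way to wire the synth-then-scan steps into a pull request check, shown as an added example that is not from the original post or from Snyk. It assumes GitHub Actions as the CI system, a repository secret named SNYK_TOKEN, and Node.js 20; the workflow and job names are made up.

```yaml
# Constructed example: workflow name, job name, Node version and secret name
# are assumptions. The commands mirror the ones shown in the post.
name: iac-scan
on: pull_request
jobs:
  cdk-iac-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install project dependencies, the AWS CDK CLI and the Snyk CLI
        run: |
          npm install
          npm install --global aws-cdk snyk
      - name: Render the CDK app to CloudFormation JSON
        run: cdk synth
      - name: Scan every synthesized template
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          status=0
          # Scan only the rendered templates, not the other files in cdk.out
          for template in cdk.out/*.template.json; do
            # Snyk exits 1 when issues are found and 2 when the scan fails;
            # keep going so every template is reported, then fail the job.
            snyk iac test "$template" --severity-threshold=medium || status=$?
          done
          exit "$status"
```

With the medium threshold, the open ingress finding in the output above fails the check, while the two low severity egress findings are not reported.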

Comprehensive configuration security rules

The depth and range of security rules is important for ensuring you get comprehensive security feedback. Snyk has a dedicated Security Engineering team that researches, validates and continually adds new rules into the product — with over 100 for AWS (and growing).

When adding rules, we ensure proper coverage by combining known best practices with our own first party security research. Best practices are derived from both cloud provider and community standards, for example CIS benchmarks, as well as Kubernetes and AWS best practices. Our own security research uses techniques like threat modelling exercises on key usage patterns. For instance, we examine settings in managed Kubernetes offerings to determine where weaknesses might be avoided through proper IaC hardening.

You can view and modify the severity of the Snyk IaC rules by navigating to your Snyk organization's Settings and selecting Infrastructure as Code on the left hand menu. If you want to narrow the view to just AWS CloudFormation, you can then choose AWS from the tabs under Severity settings and select CloudFormation (or Terraform, if you prefer). We endeavor to write rules that are format agnostic, so most rules you see will appear no matter which toggles you select.


You can also view a full list of our AWS CloudFormation security rules publicly on the Security Rules section of our site.


Get started with Snyk IaC for free

These new features are available to everyone to try, including users on a free plan. Getting started is simple:

  • If you don’t already have a Snyk account, sign up for free.

  • Install the Snyk CLI. If you already have the Snyk CLI installed, verify you have CLI 1.629.0 or newer to get these features.

  • Scan your CloudFormation files. The main command for scanning IaC with the new features is: snyk iac test <path-to-file-or-folder>

You can learn more about the various scanning options we support through Snyk’s docs or via the CLI docs by running: snyk iac --help

We’d love to hear your feedback! If you’re already a Snyk customer, your customer success team is a great route for product feedback, but we welcome comments in our Snyk Community forum from all.
