CloudFormation Scanning

CloudFormation scanning identifies insecure configurations inside AWS CloudFormation templates before they deploy into your cloud environment. CloudFormation defines critical resources such as IAM roles, S3 buckets, EC2 instances, VPCs, security groups, KMS keys, RDS databases, and Lambda functions. If these templates contain misconfigurations, AWS will instantiate insecure cloud infrastructure. Scanning CloudFormation ensures security is enforced at the IaC stage, preventing production-level vulnerabilities.

Why CloudFormation Security Matters

CloudFormation templates often define sensitive AWS components. Small mistakes, such as open ports, public storage, or unencrypted services, can lead to full compromise. Typical risks include:

• Public S3 buckets
• Open security groups (0.0.0.0/0)
• Unencrypted EBS, RDS, S3, SNS, SQS
• Overly permissive IAM roles
• Disabled CloudTrail logging
• Unrestricted Lambda permissions
• Missing VPC Flow Logs
• Public-facing EC2 instances
• Missing multi-factor or password policies

Scanning templates stops these issues before deployment.

Tools for CloudFormation Scanning

Checkov

Deep CloudFormation scanning with hundreds of AWS policies.

cfn-nag

Specialized CloudFormation scanner detecting IAM, networking, and encryption issues.

AWS CloudFormation Guard (cfn-guard)

Policy-as-code engine to validate CloudFormation against compliance rules.

KICS

Multi-IaC scanner including CloudFormation.

Terrascan

OPA-based scanning for CloudFormation templates.

These tools collectively catch misconfigurations across AWS services.


How CloudFormation Scanners Work

Parse Template

Read resources defined in JSON or YAML files.

Identify Resource Types

Recognize AWS resources such as:

• AWS::IAM::Role
• AWS::S3::Bucket
• AWS::EC2::SecurityGroup
• AWS::RDS::DBInstance
• AWS::Lambda::Function

Apply Security Policies

Policies evaluate configurations for:

• encryption
• network exposure
• least privilege
• logging
• IAM permissions
• unsafe defaults

Produce Security Findings

Findings include:

• severity
• resource name
• file path
• remediation guidance

This provides actionable insights before deployment.


Installing CloudFormation Scanners

Checkov

pip install checkov

cfn-nag

gem install cfn-nag

cfn-guard

curl -Ls https://github.com/aws-cloudformation/cloudformation-guard/releases/latest/download/cfn-guard-linux.tar.gz | tar xz

Terrascan

curl -L https://runterrascan.io/install.sh | bash

Scanning CloudFormation With Checkov

Scan directory:

checkov -d .

Scan file:

checkov -f template.yml

Checkov detects encryption gaps, IAM misconfigurations, public buckets, open security groups, and similar issues.


Scanning With cfn-nag

cfn_nag_scan -i template.yml

cfn-nag specifically detects:

• wildcard IAM permissions
• insecure SecurityGroups
• missing encryption
• open S3 buckets


Scanning With cfn-guard

Validate template against rules:

cfn-guard validate \
  -r rules.guard \
  -d template.yml

Rules define compliance for all CloudFormation stacks.


Common CloudFormation Misconfigurations

Public S3 Bucket

AccessControl: PublicRead

This misconfiguration exposes the bucket's contents to anyone on the internet.

Open Security Group

CidrIp: 0.0.0.0/0

Allows inbound access to the resource from any IPv4 address.

Missing Encryption

Resources that omit encryption, i.e. lack:

Encrypted: true

This check applies to:

• EBS
• RDS
• S3
• SNS
• SQS
• EFS
• Redshift

Overly Broad IAM Role

Action: "*"
Resource: "*"

Rated critical severity because it enables privilege escalation.

Missing Logging

CloudTrail, ELB access logging, or WAF logging is disabled.

Public Load Balancers Exposed

The load balancer is internet-facing without access restrictions.

Secrets in Environment Variables

Templates that embed plaintext credentials.

Scanners detect all of these issues.
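As an added illustration of the pipeline described under How CloudFormation Scanners Work and of the misconfigurations listed above, the following Python (written for this page, not the code of Checkov, cfn-nag or any other scanner) runs the parse, identify, apply-policy and produce-findings steps over a constructed JSON template. The resource names, the severity labels, the SECRET_HINTS list and the remediation strings are assumptions chosen for the example.

```python
import json
# Constructed sample template in CloudFormation's JSON form (not from the page), one misconfiguration per resource.
TEMPLATE = """{"Resources": {
  "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
  "OpenSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
  "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 10, "AvailabilityZone": "us-east-1a"}},
  "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {}, "Policies": [
    {"PolicyName": "all", "PolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
  "ApiFunction": {"Type": "AWS::Lambda::Function", "Properties": {"Runtime": "python3.12",
    "Environment": {"Variables": {"DB_PASS": "pass123", "TABLE": "orders"}}}}}}"""
as_list = lambda v: v if isinstance(v, list) else [v]  # IAM Action/Resource: one string or a list

def check_s3(p):
    if p.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        yield "HIGH", "public canned ACL", "drop AccessControl and add a PublicAccessBlockConfiguration"

def check_sg(p):
    for rule in p.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
            yield "HIGH", f"ingress from anywhere on port {rule.get('FromPort')}", "restrict the source CIDR"

def check_volume(p):  # an absent Encrypted means unencrypted, so missing is treated like false
    if p.get("Encrypted") is not True:
        yield "MEDIUM", "EBS volume not encrypted", "set Encrypted: true and a KmsKeyId"

def check_iam(p):
    for pol in p.get("Policies", []):
        for st in pol.get("PolicyDocument", {}).get("Statement", []):
            if st.get("Effect") == "Allow" and "*" in as_list(st.get("Action")) and "*" in as_list(st.get("Resource")):
                yield "CRITICAL", "Allow with wildcard Action and Resource", "scope to least-privilege actions"

SECRET_HINTS = ("PASS", "SECRET", "TOKEN", "KEY")  # assumed name patterns for credential-like variables
def check_lambda(p):  # only literal strings count; {"Ref": ...} and Fn:: lookups are dicts and pass
    for name, val in p.get("Environment", {}).get("Variables", {}).items():
        if isinstance(val, str) and any(h in name.upper() for h in SECRET_HINTS):
            yield "HIGH", f"plaintext secret in env var {name}", "reference Secrets Manager or SSM instead"

POLICIES = {"AWS::S3::Bucket": check_s3, "AWS::EC2::SecurityGroup": check_sg, "AWS::EC2::Volume": check_volume,
            "AWS::IAM::Role": check_iam, "AWS::Lambda::Function": check_lambda}

def scan(template_text, path="template.json"):
    """Parse -> identify resource types -> apply policies -> findings (severity, resource, file, fix)."""
    findings = []
    for name, res in json.loads(template_text).get("Resources", {}).items():
        for sev, issue, fix in POLICIES.get(res.get("Type"), lambda p: ())(res.get("Properties", {})):
            findings.append({"severity": sev, "resource": f"{res['Type']}.{name}", "file": path,
                             "issue": issue, "remediation": fix})
    return findings
```

Running scan(TEMPLATE) yields five findings, one per resource; a volume with Encrypted: true or a Lambda variable that references a secret store produces none.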


Best Practices for CloudFormation Security

• Scan templates before commit
• Run scanners in CI/CD
• Use IAM least privilege
• Enforce encryption by default
• Avoid public IP assignment
• Never include secrets in templates
• Require logging on all resources
• Validate VPC, subnet, and SG configurations
• Use KMS keys for sensitive data
• Store templates in version control with scanning hooks


Full-Length Practical Section

Deep hands-on exercises to master CloudFormation scanning.


Practical 1: Scan Template With Checkov

Create insecure template:

Resources:
  PublicBucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: PublicRead

Scan:

checkov -f template.yml

Fix by removing the PublicRead ACL and enabling the bucket's public access block.


Practical 2: Detect Open Security Groups

Add:

CidrIp: 0.0.0.0/0

Scan with:

checkov -d .

or:

cfn_nag_scan -i template.yml

Fix by narrowing the CIDR to the required source range.


Practical 3: Detect Unencrypted EBS Volume

Encrypted: false

Scan with Checkov.
Fix by enabling encryption.


Practical 4: Detect Over-Permissive IAM Roles

IAM policy:

Action: "*"
Resource: "*"

Scan with:

cfn_nag_scan -i template.yml

Fix using least-privilege actions.


Practical 5: Validate Template With cfn-guard

Define guard rule:

AWS::S3::Bucket {
  Properties.BucketEncryption.ServerSideEncryptionConfiguration exists
}

Run:

cfn-guard validate -r rules.guard -d template.yml

Practical 6: Scan Secrets in Template

Add secret:

Environment:
  Variables:
    DB_PASS: "pass123"

Scan with:

checkov -d .

Identify and remove plaintext credential.


Practical 7: Detect Publicly Accessible RDS

PubliclyAccessible: true

The scanner flags this as a critical exposure.


Practical 8: Enforce Encryption on SQS and SNS

Scan resources missing:

KmsMasterKeyId

Fix by setting KmsMasterKeyId to a KMS key.


Practical 9: Validate VPC Security

Scan for:

• missing Flow Logs
• wide-open SGs
• public subnets without controls
• missing NACLs

Use:

checkov -d .

Practical 10: Identify Missing CloudTrail Logging

If audit logging is disabled, the scanner flags it.
Fix by enabling CloudTrail.


Practical 11: Detect Dangerous hostPath Mounts in EKS YAML

Scan:

checkov -d eks/

Fix insecure pod specs inside CloudFormation EKS cluster blocks.


Practical 12: Audit CloudFormation with KICS

kics scan -p .

Review S3, IAM, EC2, VPC issues.


Practical 13: Create Custom Governance Rules

Using cfn-guard, enforce:

• no public buckets
• must use encryption
• no wildcard IAM

Run validation on every CI commit.


Practical 14: Pre-Commit Hook for CloudFormation Scans

Add:

pre-commit install

Hook:

checkov -d .

Blocks insecure templates before commit.


Practical 15: GitHub Actions Pipeline

Workflow step (added to the job's steps after checkout):

- name: Checkov CloudFormation Scan
  uses: bridgecrewio/checkov-action@master
  with:
    directory: .

Blocks insecure PRs.


Practical 16: GitLab CI CloudFormation Scan

cloudformation_scan:
  image: python:3.12
  before_script:
    - pip install checkov   # the scanner must be present in the job image
  script:
    - checkov -d .

Fails merge requests with critical findings.


Practical 17: Detect Missing KMS Encryption on Logs

Scan CloudWatch log groups for missing KMS encryption.


Practical 18: Prevent EC2 Public IP Assignments

Scanners detect:

AssociatePublicIpAddress: true

Fix by placing EC2 in private subnet.


Practical 19: Multi-File Stack Scanning

Scan nested stacks:

checkov -d cfn/

Fix issues at every layer of the nested stacks.


Practical 20: Build Full CloudFormation Security Architecture

Include:

• Checkov for deep scanning
• cfn-nag for IAM + networking
• cfn-guard for policy-as-code
• Terrascan for OPA-based checks
• CI pipeline scanning
• Pre-commit hooks
• Baseline validation
• Central policy library
• Secret scanning in YAML
• Automated remediation checks

This creates robust CloudFormation security governance across all AWS infrastructure code.


Intel Dump

• CloudFormation scanning prevents insecure AWS deployments
• Tools: Checkov, cfn-nag, cfn-guard, Terrascan, KICS
• Detect risks: public buckets, open SGs, over-permissive IAM, missing encryption, disabled logs
• Must scan before commit, in CI/CD, and before stack deploy
• Practicals include scanning buckets, SGs, IAM roles, encryption, VPC configs, CloudTrail, cfn-guard policy enforcement, and full CloudFormation security architecture
