AWS AWSCloudFormation high security documentation change
Summary
Expanded best practices with new security recommendations including IAM controls, credential management, CloudTrail logging, policy-as-code, and sensitive parameter handling. Added sections for modern CloudFormation features like StackSets, drift detection, and Infrastructure Composer.
Security assessment
Added explicit security guidance including: 1) Prohibition of embedded credentials with dynamic references recommendation 2) IAM least privilege principles 3) CloudTrail logging for audit trails 4) Secure parameter handling with Secrets Manager/Parameter Store 5) Policy-as-code enforcement with CloudFormation Guard. These changes directly address security vulnerabilities like credential exposure, insufficient auditing, and excessive permissions.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/best-practices.md b/AWSCloudFormation/latest/UserGuide/best-practices.md index 56cd00ca6..5922c6663 100644 --- a//AWSCloudFormation/latest/UserGuide/best-practices.md +++ b//AWSCloudFormation/latest/UserGuide/best-practices.md @@ -5 +5 @@ -Shorten the feedback loop to improve delivery velocityOrganize your stacks by lifecycle and ownershipUse cross-stack references to export shared resourcesVerify quotas for all resource typesReuse templates to replicate stacks in multiple environmentsUse modules to reuse resource configurationsUse AWS-specific parameter typesUse parameter constraintsUse pseudo parameters to promote portabilityUse AWS::CloudFormation::Init to deploy software applications on Amazon EC2 instancesUse the latest helper scriptsValidate templates before using themManage all stack resources through CloudFormationCreate change sets before updating your stacksUse stack policiesUse code reviews and revision controls to manage your templatesUpdate your Amazon EC2 instances regularly +Shorten the feedback loop to improve development velocityOrganize your stacks by lifecycle and ownershipUse cross-stack references to return the value of an output exported by another stackUse AWS CloudFormation StackSets for multi-account and multi-region deploymentsVerify quotas for all resource typesReuse templates to replicate stacks in multiple environmentsUse modules to reuse resource configurationsAdopt infrastructure as code practicesDon't embed credentials in your templatesUse AWS-specific parameter typesUse parameter constraintsUse pseudo parameters to promote portabilityUse AWS::CloudFormation::Init to deploy software applications on Amazon EC2 instancesUse the latest helper scriptsValidate templates before using themUsing YAML or JSON for template authoringImplement a comprehensive tagging strategyLeverage template macros for advanced transformationsManage all stack resources through CloudFormationCreate change sets before updating your stacksUse stack policies to protect resourcesUse AWS CloudTrail to log CloudFormation callsUse code reviews and revision controls to manage your templatesUpdate your Amazon EC2 instances regularlyUse drift detection regularlyConfigure rollback triggers for automatic recoveryImplement effective stack refactoring strategiesUse CloudFormation Hooks for lifecycle managementUse IaC Generator to create templates from existing resourcesUse AWS Infrastructure Composer for visual template designConsider using AWS Cloud Development Kit (AWS CDK) for complex infrastructureUse IAM to control accessApply the principle of least privilegeSecure sensitive parametersImplement policy as code with AWS CloudFormation Guard @@ -9 +9 @@ Shorten the feedback loop to improve delivery velocityOrganize your stacks by li -Best practices are recommendations that can help you use CloudFormation more effectively and securely throughout its entire workflow. Learn how to plan and organize your stacks, create templates that describe your resources and the software applications that run on them, and manage your stacks and their resources. The following best practices are based on real-world experience from current CloudFormation customers. +Best practices are recommendations that can help you use CloudFormation more effectively and adopt safe practices throughout its entire workflow. Learn how to plan and organize your stacks, create templates that describe your resources and the software applications that run on them, and manage your stacks and their resources. The following best practices are based on real-world experience from current CloudFormation customers. @@ -14 +14 @@ Best practices are recommendations that can help you use CloudFormation more eff - * Shorten the feedback loop to improve delivery velocity + * Shorten the feedback loop to improve development velocity @@ -18 +18 @@ Best practices are recommendations that can help you use CloudFormation more eff - * Use cross-stack references to export shared resources + * Use cross-stack references to return the value of an output exported by another stack @@ -20 +20 @@ Best practices are recommendations that can help you use CloudFormation more eff - * [Use IAM to control access](./security-best-practices.html#use-iam-to-control-access) + * Use AWS CloudFormation StackSets for multi-account and multi-region deployments @@ -27,0 +28,2 @@ Best practices are recommendations that can help you use CloudFormation more eff + * Adopt infrastructure as code practices + @@ -34 +36 @@ Best practices are recommendations that can help you use CloudFormation more eff - * [Do not embed credentials in your templates](./security-best-practices.html#creds) + * Don't embed credentials in your templates @@ -47,0 +50,6 @@ Best practices are recommendations that can help you use CloudFormation more eff + * Using YAML or JSON for template authoring + + * Implement a comprehensive tagging strategy + + * Leverage template macros for advanced transformations + @@ -58 +66 @@ Best practices are recommendations that can help you use CloudFormation more eff - * Use stack policies + * Use stack policies to protect resources @@ -60 +68 @@ Best practices are recommendations that can help you use CloudFormation more eff - * [Use AWS CloudTrail to log CloudFormation calls](./security-best-practices.html#cloudtrail) + * Use AWS CloudTrail to log CloudFormation calls @@ -65,0 +74,22 @@ Best practices are recommendations that can help you use CloudFormation more eff + * Use drift detection regularly + + * Configure rollback triggers for automatic recovery + + * Implement effective stack refactoring strategies + + * Use CloudFormation Hooks for lifecycle management + + + + +**Authoring tools** + + + * Use IaC Generator to create templates from existing resources + + * Use AWS Infrastructure Composer for visual template design + + * Consider using AWS Cloud Development Kit (AWS CDK) for complex infrastructure + + + @@ -66,0 +97 @@ Best practices are recommendations that can help you use CloudFormation more eff +**Security and compliance** @@ -69 +100,12 @@ Best practices are recommendations that can help you use CloudFormation more eff -## Shorten the feedback loop to improve delivery velocity + * Use IAM to control access + + * Apply the principle of least privilege + + * Secure sensitive parameters + + * Implement policy as code with AWS CloudFormation Guard + + + + +## Shorten the feedback loop to improve development velocity @@ -89 +131 @@ With a service-oriented architecture, you can organize big business problems int -## Use cross-stack references to export shared resources +## Use cross-stack references to return the value of an output exported by another stack @@ -91 +133 @@ With a service-oriented architecture, you can organize big business problems int -When you organize your AWS resources based on lifecycle and ownership, you might want to build a stack that uses resources that are in another stack. You can hardcode values or use input parameters to pass resource names and IDs. However, these methods can make templates difficult to reuse or can increase the overhead to get a stack running. Instead, use cross-stack references to export resources from a stack so that other stacks can use them. Stacks can use the exported resources by calling them using the `Fn::ImportValue` function. +When you organize your AWS resources based on lifecycle and ownership, you might want to build a stack that uses resources that are in another stack. You can hardcode values or use input parameters to pass resource names and IDs. However, these methods can make templates difficult to reuse or can increase the overhead to get a stack running. Instead, use cross-stack references to return the value of an output exported by another stack so that other stacks can use them. Stacks can use the exported resources by calling them using the `Fn::ImportValue` function. @@ -94,0 +137,8 @@ For example, you might have a network stack that includes a VPC, a security grou +## Use AWS CloudFormation StackSets for multi-account and multi-region deployments + +AWS CloudFormation StackSets extend the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. Use StackSets for deploying common infrastructure components, compliance controls, or shared services across your organization. + +When using StackSets, implement service-managed permissions with AWS Organizations for simplified permission management. This approach allows you to deploy StackSets to accounts within your organization without the need to manually configure IAM roles in each account. + +For more information on StackSets see [StackSets concepts](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html). + @@ -108,0 +159,20 @@ These building blocks can be for a single resource, like best practices for defi +## Adopt infrastructure as code practices + +Treat your CloudFormation templates as code by implementing infrastructure as code (IaC) practices. Store your templates in version control systems, implement code reviews, and use automated testing to validate changes. This approach ensures consistency, improves collaboration, and provides an audit trail for infrastructure changes. + +Consider implementing CI/CD pipelines for your infrastructure code to automate the testing and deployment of your CloudFormation templates. Tools like AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy can be used to create automated workflows for your infrastructure deployments. + +For more information on implementing IaC best practices, see [Using AWS CloudFormation as an IaC tool](https://docs.aws.amazon.com/prescriptive-guidance/latest/choose-iac-tool/cloudformation.html). + +For more information on using continuous delivery with CloudFormation, see [Continuous delivery with CodePipeline](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/continuous-delivery-codepipeline.html). + +## Don't embed credentials in your templates + +Rather than embedding sensitive information in your CloudFormation templates, we recommend you use _dynamic references_ in your stack template. + +Dynamic references provide a compact, powerful way for you to reference external values that are stored and managed in other services, such as the AWS Systems Manager Parameter Store or AWS Secrets Manager. When you use a dynamic reference, CloudFormation retrieves the value of the specified reference when necessary during stack and change set operations, and passes the value to the appropriate resource. However, CloudFormation never stores the actual reference value. For more information, see [Using dynamic references to specify template values](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html). + +[AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) helps you to securely encrypt, store, and retrieve credentials for your databases and other services. The [AWS Systems Manager Parameter Store](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html) provides secure, hierarchical storage for configuration data management. + +For more information on defining template parameters, see [CloudFormation template Parameters syntax](./parameters-section-structure.html). + @@ -157,0 +228,46 @@ For more information, see the [cfn-guard](https://github.com/aws-cloudformation/ +## Using YAML or JSON for template authoring + +CloudFormation supports both YAML and JSON formats for templates. Each has its advantages, and the choice depends on your specific needs: + +Use YAML when + + * You prioritize human readability and maintainability + + * You want to include comments to document your template + + * You're working on complex templates with nested structures + + * You want to use YAML-specific features like anchors and aliases to reduce repetition + + + + +Use JSON when: + + * You need to integrate with tools or systems that prefer JSON + + * You're working with programmatic template generation or manipulation + + * You require strict data validation + + + + +YAML is generally recommended for manual template authoring due to its readability and comment support. It's particularly useful for complex templates where the indentation-based structure helps visualize resource hierarchies. JSON can be advantageous in automated workflows or when working with APIs that expect JSON input. It's also beneficial when you need to ensure strict adherence to a specific structure. Regardless of the format you choose, focus on creating well-structured, documented, and maintainable templates. If using YAML, leverage its features like anchors and aliases to reduce repetition and improve maintainability. + +## Implement a comprehensive tagging strategy + +Implement a consistent tagging strategy for all resources created by your CloudFormation templates. Tags help with resource organization, cost allocation, access control, and automation. Consider including tags for environment, owner, cost center, application, and purpose. + +Use the `AWS::CloudFormation::Stack` resource's `Tags` property to apply tags to all supported resources in a stack. You can also use the `TagSpecifications` property available on many resource types to apply tags during resource creation. + +For more information on tagging, see [Resource tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-resource-tags.html). + +## Leverage template macros for advanced transformations + +CloudFormation macros enable you to perform custom processing on templates, from simple actions like find-and-replace operations to complex transformations that generate additional resources. Use macros to extend the capabilities of CloudFormation templates and implement reusable patterns across your organization. + +The AWS Serverless Application Model is an example of a macro that simplifies the development of serverless applications. Consider creating custom macros for organization-specific patterns and requirements. + +For more information on using macros in your templates, see [Overview of CloudFormation macros](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-macros-overview.html). + @@ -172 +288 @@ Use change sets to check how your changes might impact your running resources, e -## Use stack policies +## Use stack policies to protect resources @@ -177,0 +294,6 @@ During a stack update, you must explicitly specify the protected resources that +## Use AWS CloudTrail to log CloudFormation calls + +AWS CloudTrail tracks anyone making CloudFormation API calls in your AWS account. API calls are logged whenever anyone uses the CloudFormation API, the CloudFormation console, a back-end console, or CloudFormation AWS CLI commands. Enable logging and specify an Amazon S3 bucket to store the logs. That way, if you ever need to, you can audit who made what CloudFormation call in your account. + +For more information, see [Logging AWS CloudFormation API calls with AWS CloudTrail](./cfn-api-logging-cloudtrail.html). + @@ -185,0 +308,132 @@ On all your Amazon EC2 Windows instances and Amazon EC2 Linux instances created +## Use drift detection regularly + +Regularly use the CloudFormation drift detection feature to identify resources that have been modified outside of CloudFormation management. Detecting and resolving drift helps maintain the integrity of your infrastructure as code approach and ensures that your templates accurately reflect the state of your deployed resources. + +Consider implementing automated drift detection as part of your operational procedures. You can use AWS Lambda functions triggered by Amazon EventBridge rules to periodically check for drift and notify your team when discrepancies are detected. + +For more information on drift, see [Detect unmanaged configuration changes to stacks and resources with drift detection](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html). + +## Configure rollback triggers for automatic recovery + +Use rollback triggers to specify Amazon CloudWatch alarms that CloudFormation should monitor during stack creation and update operations. If any of the specified alarms go into the `ALARM` state, CloudFormation automatically rolls back the entire stack operation, helping to ensure that your infrastructure remains in a stable state. + +Configure rollback triggers for critical metrics such as application error rates, system resource utilization, or custom business metrics that indicate the health of your application and infrastructure. + +For more information on rollback triggers, see [Roll back your stack on alarm breach](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-rollback-triggers.html). + +## Implement effective stack refactoring strategies + +As your infrastructure evolves, you may need to refactor your CloudFormation stacks to improve maintainability, reduce complexity, or adapt to changing requirements. Stack refactoring involves restructuring your templates and resources while preserving their external behavior and functionality. Stack refactoring is beneficial to use with CloudFormation in the following ways: + + * _Splitting monolithic stacks_ : Breaking down large, complex stacks into smaller, more manageable stacks organized by lifecycle or ownership + + * _Consolidating related resources_ : Combining related resources from multiple stacks into a single, cohesive stack to simplify management + + * _Extracting reusable components_ : Moving common patterns into modules or nested stacks to promote reuse and consistency + + * _Improving resource organization_ : Restructuring resources within a stack to better reflect their relationships and dependencies + +