This package has been deprecated

Author message:

Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

aws-cf-checker

1.0.0 • Public • Published


AWS CloudFormation Checker

aws-cf-checker runs a set of checks against your CloudFormation templates to enforce security, reliability and conformity rules before a stack is deployed. A set of default checks is provided that you can use as-is to validate your templates.

CLI usage

Install the module globally:

npm install aws-cf-checker -g

Read a template from a file:

cf-checker --templateFile ./path/to/template.json

cf-checker --templateFile ./path/to/template.json --checksFile ./path/to/checks.json

Read a template from stdin:

cat ./path/to/template.json | cf-checker

cat ./path/to/template.json | cf-checker --checksFile ./path/to/checks.json

As long as the exit code is 0, your template is fine; a non-zero exit code means at least one check produced a finding.

Programmatic usage

Install the module locally:

npm install aws-cf-checker

Read a template from a file:

var checker = require("aws-cf-checker")
 
checker.checkFile("./path/to/template.json", {"logicalID": {}}, function(err, findings) {
  if (err) {
    throw err;
  } else {
    if (findings.length > 0) {
      console.error("findings", findings);
    } else {
      console.log("no findings");
    }
  }
});

Use a template object:

var checker = require("aws-cf-checker")
 
var template = {
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "minimal template"
};
checker.checkTemplate(template, {"logicalID": {}}, function(err, findings) {
  if (err) {
    throw err;
  } else {
    if (findings.length > 0) {
      console.error("findings", findings);
    } else {
      console.log("no findings");
    }
  }
});

As long as the findings array is empty, your template is fine.

Checks

Checks are configured with a JSON file. Have a look at our default checks.

logicalID

Checks logical ids of your template.

Options: (Object)

  • case: (Enum["pascal", "camel"], default: "pascal")

resourceType

Checks if the resource types are allowed in the template. Wildcard * is supported.

By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

Options: (Object)

  • allow: (Array[String]) List of allowed resource types (whitelist, wildcard * can be used)
  • deny: (Array[String]) List of denied resource types (blacklist, wildcard * can be used)

securityGroupInbound

Checks that only security groups attached to:

  • AWS::ElasticLoadBalancing::LoadBalancer (external)

allow traffic from public IP addresses.

Security groups attached to:

  • AWS::ElasticLoadBalancing::LoadBalancer (internal)
  • AWS::AutoScaling::LaunchConfiguration
  • AWS::EC2::NetworkInterface
  • AWS::EC2::Instance
  • AWS::EC2::SpotFleet
  • AWS::RDS::DBInstance
  • AWS::RDS::DBCluster
  • AWS::Redshift::Cluster
  • AWS::ElastiCache::CacheCluster
  • AWS::ElastiCache::ReplicationGroup
  • AWS::EFS::MountTarget
  • AWS::OpsWorks::Layer

should only allow inbound traffic from other security groups or private IP addresses.

Assumes that your account only supports the EC2-VPC platform.

Options: (Object)

none
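The following is an added example, not code from the aws-cf-checker project, showing a simplified version of the logic the securityGroupInbound check describes: a security group may accept traffic from public IP ranges only if every resource that attaches it is an external classic ELB; any other group with a public CidrIp ingress rule is reported. The function names (checkSecurityGroupInbound, isPrivateCidr, attachedGroups), the sample TEMPLATE and the assumption that attachments appear as {"Ref": ...} entries in SecurityGroups, SecurityGroupIds or VpcSecurityGroupIds are mine; only IPv4 CidrIp rules are examined.

```javascript
// Added example, not code from the aws-cf-checker project: a simplified
// securityGroupInbound check. Assumptions: attachments appear as
// {"Ref": "<sgLogicalId>"} in SecurityGroups / SecurityGroupIds /
// VpcSecurityGroupIds, and only IPv4 CidrIp ingress rules are examined.

var PRIVATE_RANGES = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return (acc << 8) + parseInt(octet, 10);
  }, 0) >>> 0;
}

// True when every address of cidr lies inside rangeIp/rangeBits.
function cidrInRange(cidr, rangeIp, rangeBits) {
  var parts = cidr.split("/");
  var bits = parseInt(parts[1], 10);
  if (bits < rangeBits) return false; // cidr is broader than the private block
  var mask = (~0 << (32 - rangeBits)) >>> 0;
  return ((ipToInt(parts[0]) & mask) >>> 0) === ((ipToInt(rangeIp) & mask) >>> 0);
}

function isPrivateCidr(cidr) {
  return PRIVATE_RANGES.some(function (r) { return cidrInRange(cidr, r[0], r[1]); });
}

// Logical ids of the security groups a resource attaches via Ref.
function attachedGroups(props) {
  var ids = [];
  [props.SecurityGroups, props.SecurityGroupIds, props.VpcSecurityGroupIds].forEach(function (list) {
    (list || []).forEach(function (item) {
      if (item && typeof item.Ref === "string") ids.push(item.Ref);
    });
  });
  return ids;
}

function isExternalElb(resource) {
  return resource.Type === "AWS::ElasticLoadBalancing::LoadBalancer" &&
    (resource.Properties || {}).Scheme !== "internal";
}

function checkSecurityGroupInbound(template) {
  var resources = template.Resources || {};
  var attachers = {}; // sg logical id -> logical ids of resources attaching it
  Object.keys(resources).forEach(function (id) {
    attachedGroups(resources[id].Properties || {}).forEach(function (sg) {
      (attachers[sg] = attachers[sg] || []).push(id);
    });
  });
  var findings = [];
  Object.keys(resources).forEach(function (id) {
    var r = resources[id];
    if (r.Type !== "AWS::EC2::SecurityGroup") return;
    var users = attachers[id] || [];
    var onlyExternalElb = users.length > 0 &&
      users.every(function (u) { return isExternalElb(resources[u]); });
    if (onlyExternalElb) return; // public ingress is acceptable for this group
    ((r.Properties || {}).SecurityGroupIngress || []).forEach(function (rule) {
      if (typeof rule.CidrIp === "string" && !isPrivateCidr(rule.CidrIp)) {
        findings.push({ logicalID: id, port: rule.FromPort, cidr: rule.CidrIp, attachedTo: users });
      }
    });
  });
  return findings;
}

// Constructed sample template: the ELB group may be public, the instance group must not.
var TEMPLATE = {
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "ElbSg": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "elb",
      "SecurityGroupIngress": [{ "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0" }] } },
    "Elb": { "Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
      "Listeners": [], "SecurityGroups": [{ "Ref": "ElbSg" }] } },
    "AppSg": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "GroupDescription": "app",
      "SecurityGroupIngress": [
        { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0" },
        { "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "10.0.0.0/16" }] } },
    "App": { "Type": "AWS::EC2::Instance", "Properties": {
      "ImageId": "ami-00000000", "SecurityGroupIds": [{ "Ref": "AppSg" }] } }
  }
};

console.log(checkSecurityGroupInbound(TEMPLATE)); // one finding: AppSg port 22 from 0.0.0.0/0
```

A group that nothing attaches is treated like an instance group, so a public ingress rule on it is still reported; that is the conservative reading of the check, since an unattached group can be attached later without the template changing.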

iamInlinePolicy

Checks IAM Users, Groups and Roles for inline policies.

Options: (Boolean)

  • true := inline policies are allowed
  • false := inline policies are denied

iamPolicy

Checks allowed actions and resources of IAM policy statements. Wildcard * is supported.

A statement with NotAction is a finding. A statement with Effect != Allow is skipped.

By default, nothing is allowed (implicit deny). If you deny something it overrides what you allowed (explicit deny).

Options: (Object)

  • allow: (Array[Object]) List of allowed actions & resources (whitelist)
      • action: (String | Array[String]) IAM action (wildcard * can be used)
      • resource: (String | Array[String]) IAM resource (wildcard * can be used)
  • deny: (Array[Object]) List of denied actions & resources (blacklist)
      • action: (String | Array[String]) IAM action (wildcard * can be used)
      • resource: (String | Array[String]) IAM resource (wildcard * can be used)
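The following is an added example, not code from the aws-cf-checker project, demonstrating the allow/deny resolution that both the resourceType and the iamPolicy sections describe: nothing is allowed unless an allow entry matches (implicit deny), a matching deny entry always wins (explicit deny), and * is the only wildcard. The CHECKS object follows the option shapes given above (check name mapped to its options), but the function names (checkResourceType, checkIamPolicy, decide, wildcardToRegExp), the sample TEMPLATE and the exact matching behaviour are my assumptions, not the tool's own implementation.

```javascript
// Added example, not code from the aws-cf-checker project: allow/deny
// resolution for resourceType and iamPolicy as the README describes it.
// CHECKS uses the option shapes from the README; everything else is assumed.

var CHECKS = {
  "resourceType": {
    "allow": ["AWS::EC2::*", "AWS::IAM::Role"],
    "deny": ["AWS::EC2::VPNGateway"]
  },
  "iamPolicy": {
    "allow": [
      { "action": ["s3:GetObject", "s3:ListBucket"], "resource": "arn:aws:s3:::app-*" },
      { "action": "logs:*", "resource": "*" }
    ],
    "deny": [{ "action": "s3:*", "resource": "arn:aws:s3:::app-secrets*" }]
  }
};

// Turns a pattern such as "AWS::EC2::*" into an anchored RegExp; only "*" is special.
function wildcardToRegExp(pattern) {
  var escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

function matchesAny(patterns, value) {
  return [].concat(patterns || []).some(function (p) { return wildcardToRegExp(p).test(value); });
}

// Deny list first (explicit deny), then allow list, otherwise implicit deny.
function decide(value, allow, deny) {
  if (matchesAny(deny, value)) return "deny";
  if (matchesAny(allow, value)) return "allow";
  return "deny";
}

function checkResourceType(template, opts) {
  var resources = template.Resources || {};
  return Object.keys(resources).filter(function (id) {
    return decide(resources[id].Type, opts.allow, opts.deny) === "deny";
  }).map(function (id) { return { check: "resourceType", logicalID: id, type: resources[id].Type }; });
}

// An (action, resource) pair hits an entry when both of the entry's patterns match.
function decideStatement(action, resource, opts) {
  var hit = function (e) { return matchesAny(e.action, action) && matchesAny(e.resource, resource); };
  if ((opts.deny || []).some(hit)) return "deny";
  if ((opts.allow || []).some(hit)) return "allow";
  return "deny";
}

// Evaluates the inline Policies of IAM roles, users and groups in the template.
function checkIamPolicy(template, opts) {
  var resources = template.Resources || {};
  var findings = [];
  Object.keys(resources).forEach(function (id) {
    ((resources[id].Properties || {}).Policies || []).forEach(function (policy) {
      [].concat(policy.PolicyDocument.Statement).forEach(function (stmt) {
        if (stmt.Effect !== "Allow") return;           // README: only Allow statements are checked
        if (stmt.NotAction !== undefined) {             // README: NotAction is always a finding
          findings.push({ check: "iamPolicy", logicalID: id, reason: "NotAction" });
          return;
        }
        [].concat(stmt.Action).forEach(function (action) {
          [].concat(stmt.Resource).forEach(function (resource) {
            if (decideStatement(action, resource, opts) === "deny") {
              findings.push({ check: "iamPolicy", logicalID: id, action: action, resource: resource });
            }
          });
        });
      });
    });
  });
  return findings;
}

// Constructed sample template; the comments give the expected outcome per entry.
var TEMPLATE = {
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Instance": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "ami-00000000" } }, // allowed
    "Vpn": { "Type": "AWS::EC2::VPNGateway", "Properties": { "Type": "ipsec.1" } },             // explicit deny
    "Queue": { "Type": "AWS::SQS::Queue" },                                                     // implicit deny
    "AppRole": { "Type": "AWS::IAM::Role", "Properties": { "AssumeRolePolicyDocument": {},
      "Policies": [{ "PolicyName": "app", "PolicyDocument": { "Statement": [
        { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*" },    // allowed
        { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-secrets/*" }, // explicit deny
        { "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*" },                // implicit deny
        { "Effect": "Deny", "Action": "*", "Resource": "*" },                                     // skipped
        { "Effect": "Allow", "NotAction": "iam:*", "Resource": "*" },                             // finding
        { "Effect": "Allow", "Action": "logs:PutLogEvents", "Resource": "*" }                     // allowed
      ] } }] } }
  }
};

console.log(checkResourceType(TEMPLATE, CHECKS.resourceType).concat(checkIamPolicy(TEMPLATE, CHECKS.iamPolicy)));
```

Note that a statement listing several actions and resources is expanded to every action/resource pair, so one broad Resource entry such as "*" can turn an otherwise allowed action into a finding; that is the intended effect of whitelisting resources as well as actions.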

iamManagedPolicy

Checks IAM Users, Groups and Roles for managed policy attachments. Wildcard * is supported.

Options: (Object)

  • allow: (Array[String]) List of allowed ARNs (whitelist, wildcard * can be used)
  • deny: (Array[String]) List of denied ARNs (blacklist, wildcard * can be used)

License

MIT

Collaborators

  • andreaswittig
  • hellomichibye