The idea of infrastructure as code, through the use of pipelines for continuous delivery and integration, is fundamental for the advancement of cloud infrastructure. Including program code vulnerability and high quality scans in the offing is vital for the security of the infrastructure as code. In another of our previous blogposts, How to create a CI/CD pipeline for container vulnerability scanning with Trivy and AWS Security Hub, you learned how exactly to scan containers to efficiently identify Typical Vulnerabilities and Exposures (CVEs) and use your developers to handle them.

In this article, we’ll keep on with this topic, and in addition introduce a way for integrating open up source tools that discover potentially insecure styles in your AWS CloudFormation templates with both AWS Security Hub and AWS CodeBuild reports. We’ll be making use of Stelligent’s open source device CFN-Nag. We also demonstrate ways to extend the option to utilize AWS CloudFormation Guard (currently in preview).

One reason to utilize this integration is that it offers both security and growth teams visibility into possible security risks, and assets which are insecure or non-compliant to your organization policy, before they’re deployed.

< h2>Solution deliverables and benefit

In this solution, we offer you with a ready-to-use template for performing scanning of one’s AWS CloudFormation templates through the use of CFN-Nag. This tool has a lot more than 140 predefined designs, such as for example AWS Identity and Access Management (IAM) rules which are as well permissive (wildcards), security team rules that are as well permissive (wildcards), accessibility logs that aren’t allowed, or even encryption that isn’t allowed. It is possible to additionally define your personal rules to fit your company plan as referred to in the area later in this article, through the use of custom made exceptions and profiles, and suppressing fake positives.

Our solution allows you to do the next:

• Integrate CFN-Nag in a CodeBuild task, scanning the infrastructure program code for a lot more than 140 achievable insecure styles, and classifying them since warnings or perhaps a failing test.
• Learn how exactly to integrate AWS CloudFormation Guard (CFN-Guard). You should define your scanning guidelines in this full case.
• Generate CodeBuild reports, in order that developers may identify failed security lab tests easily. Inside our sample, the construct procedure fails if any important results are identified.
• Import to Security Hub the aggregated finding per program code branch, in order that security professionals can place vulnerable program code in repositories and branches very easily. For each branch, we import one aggregated acquiring.
• Store the initial scan report within an Amazon Simple Storage Service (Amazon S3) bucket for auditing purposes.

Note: inside this solution, the AWS CloudFormation scanning equipment won’t scan the application code that’s running at AWS Lambda functions, Amazon Elastic Container Service (Amazon ECS), or Amazon Elastic Compute Cloud (Amazon EC2) instances.

Architecture

Figure 1 exhibits the architecture of the perfect solution is. The primary steps are the following:

1. Your pipeline is triggered when brand-new program code is pushed to CodeCommit (which isn’t area of the template) to start a fresh build.
2. The build process scans the AWS CloudFormation templates utilizing the cfn_nag_scan or cfn-guard command as defined by the build job.
3. A Lambda functionality is invoked, and the scan record is delivered to it.
4. The scan report is published within an S3 bucket via the Lambda function.
5. The Lambda functionality aggregates the findings review per repository and git imports and branch the are accountable to Security Hub. The Lambda function also suppresses any previous findings linked to this current branch and repo. The severe nature of the finding will be calculated by the amount of results and a pounds coefficient that depends upon if the finding is specified as warning or vital.
6. Lastly, the Lambda function generates the CodeBuild test report within JUnit format and returns it to CodeBuild. This survey only includes information regarding any failed assessments.
7. CodeBuild creates a fresh test document from the brand new findings beneath the SecurityReports check group.

Number 1: Solution architecture

Walkthrough

To get began, you need to setup the sample solution that scans among your repositories through the use of CFN-Nag or CFN-Guard.

To create the sample alternative

1. Log directly into your AWS account in the event that you haven’t done so currently. Choose Start Stack to start the AWS CloudFormation gaming console with the prepopulated AWS CloudFormation demo template. Choose Next.
   Additionally, you will discover the most recent code on GitHub.
2. Fill inside the stack parameters like shown in Figure 2:
   • CodeCommitBranch: The title of the branch to end up being monitored, for instance refs/heads/learn.
   • CodeCommitUrl: The clone URL of the CodeCommit repo you want to monitor. It should be in exactly the same Region because the stack being released.
   • TemplateFolder: The folder within your repo which has the AWS CloudFormation templates.
   • Bodyweight coefficient for failing: The bodyweight coefficient for the failing violation within the template.
   • Bodyweight coefficient for warning: The bodyweight coefficient for a caution within the template.
   • Security device: The static evaluation tool that’s used to investigate the templates (CFN-Nag or even CFN-Guard).
   • Fail build: Whether to fail the develop when security findings are usually detected.
   • S3 bucket with sources: This bucket contains all sources, like the Lambda templates and function. The default could be kept by you text if you’re not customizing the sources.
   • Prefix for S3 bucket with resources: The prefix for several objects. The default could be kept by you if you’re not customizing the sources.

Look at the scan outcomes

After you carry out the CodeBuild task, you can view the outcomes in three various ways depending on your requirements: CodeBuild report, Security Hub, or the initial CFN-Guard or CFN-Nag statement.

CodeBuild report

In the AWS Management Console, head to CodeBuild and choose Report Groups. You will find the record you are looking at under SecurityReports. Both failures and warnings are usually represented as failed checks and so are prefixed with W(Caution) or F(Failing), respectively, as demonstrated in Body 3. Successful testing aren’t area of the report since they aren’t supplied by CFN-Nag reports.

In the CodeBuild routing menus, under Report groups, you can view an aggregated view of most scans. There you can observe a historical look at of the pass price of your exams, as shown in Determine 4.

Security Hub results

In the AWS Management Console, head to Security Hub and choose the Findings view. The aggregated selecting per branch gets the title CFN scan repo:name:branch with Company Personal and Item Default. The name and branch are usually placeholders for the repo and branch title. There’s one active finding per branch and repo. All previous reports because of this branch and repo are usually suppressed, so that automagically you see just the final ones. If essential, you can view the previous reviews by removing the choice filter in the Protection Hub finding console. Physique 5 shows a good example of the Security Hub results.

Authentic scan report

Lastly, you can get the initial scan report within the S3 bucket aws-sec-build-reviews-hash. There are also a mention of this item in the associated Safety Hub finding supply URL. The S3 item key is constructed the following.

cfn-nag-review/repo:source_repository/branch:branch_brief/cfn-nag-createdAt.json

where source_repository may be the name of the repository, branch_brief may be the name of the branch, and createdAt may be the report date.

The next screen capture shows an example view of this content.

Number 6: CFN_NAG survey sample

Security Hub intensity and weight coefficients

The Lambda function aggregates CFN-Nag findings to 1 Protection Hub finding per repo and branch. We consider that in this manner you get the very best presence without shedding orientation in way too many findings for those who have a big code base.

The Safety Hub finding severity is calculated the following:

• CFN-Nag critical findings are usually weighted (multiplied) by 20 and the warnings by 1.
• The amount of all CFN-Nag findings multiplied by their weighted coefficient outcomes in the severe nature of the Security Hub finding.

The severe nature label or normalized severity (from 0 to 100) (see AWS Security Finding Format (ASFF) for more information) is calculated from the summed severity. We applied the following convention:

• If the severe nature is a lot more than 100 factors, the label is defined as CRITICAL (100).
• If the severity is leaner than 100, the normalized severity and label are usually mapped as described in AWS Security Finding Format (ASFF).

Your company could have a different solution to calculate the severity. If you need to adjust the bodyweight coefficients, alter the stack parameter. In order to modify the mapping of the CFN-Nag results to Security hub intensity, then you’ll have to adjust the Lambda’s calculateSeverity Python perform.

Using customized exceptions and profiles, and suppressing fake positives

It is possible to customize CFN-Nag to employ a certain rule set by like the specific set of rules to use (called a profile) within the repository. Customizing principle sets pays to because developers or programs may have different security factors or danger profiles in specific apps. And also the operator may would rather exclude rules which are susceptible to introducing false positives.

To include a custom profile, it is possible to modify the cfn_nag_scan command specified within the CodeBuild buildspec.yml file. Utilize the -profile-path command argument to indicate the file which has the set of rules to utilize, as proven in the next code sample.

cfn_nag_scan --fail-on-warnings -profile-path .cfn_nag.profile  --input-path  $TemplateFolder -o json > ./report/cfn_nag.out.json

Where .cfn_nag.profile file contains one rule identifier per line:

F2
F3
F5
W11

You can find the entire set of available rules using cfn_nag_rules command.

It is possible to choose instead to employ a global deny set of rules also, or directly suppress findings per resource through the use of Metadata tags in each AWS CloudFormation resource. To find out more, start to see the CFN-Nag GitHub repository.

Integrating with AWS CloudFormation Guard

The integration with AWS CloudFormation Guard (CFN-Guard) follows exactly the same architecture pattern as CFN-Nag. The ImportToSecurityHub Lambda function can process both CFN-Nag and CFN-Guard leads to import to Security Hub and generate a CodeBuild report.

To deploy the CFN-Guard tool

1. In the AWS Management Console, head to CloudFormation, and choose Update the prior stack deployed.
2. Choose Next, and change the SecurityTool parameter to cfn-guard then.
3. Continue to navigate through the deploy and console the stack.

This creates a fresh buildspec.yml file that uses the cfn-guard command line interface (CLI) to scan all AWS CloudFormation templates in the foundation repository. A good example can be used by the scans rule set within the CFN-Guard repository.

You can elect to generate the rule set for the AWS CloudFormation templates which are required by the scanning engine and add the rule set to your repository as described on the GitHub page for AWS CloudFormation Guard. The rule set must reflect your organization security policy. This is one set for several templates, or influenced by the security profile of the application form.

You can use your personal rule set by modifying the cfn-guard -rule_path parameter to indicate a file from inside your repository, as follows.

cfn-guard --rule_set .cfn_guard.ruleset --template  "$template" > ./report/template_report

Troubleshooting

If the build report fails, the CloudBuild are available by you run logs in the CodeBuild Build history. The build shall fail if critical security findings are detected in the templates.

Additionally, the Lambda function execution logs are available in the CloudWatch Log group aws/lambda/ImportToSecurityHub.

Summary

In this article, you learned how exactly to scan the AWS CloudFormation templates for resources which are potentially insecure or not compliant to your organization policy in a CodeBuild project, import the findings to Security Hub, and generate CodeBuild test reports. Integrating this treatment for your pipelines might help multiple teams inside your organization detect potential security risks in your infrastructure code before its deployed to your AWS environments. If you want to extend the answer and need support further, contact AWS professional services or an Amazon Partner Network (APN) Partner. When you have technical questions, please utilize the AWS Security Hub or AWS CodeBuild forums.

When you have feedback concerning this post, submit comments in the Comments section below.

Want more AWS Security how-to content, news, and show announcements? Follow us on Twitter.