AWS Cloud Operations Blog

AWS CloudFormation Update: AWS Guard Duty, Amazon Inspector, and Service Discovery, plus 40 resource updates

AWS CloudFormation recently added support for these recently released AWS services:

  • AWS Guard Duty is an automated threat-detection service that can be quickly enabled, does not require agents to be installed, and monitors unusual account usage using sources like AWS CloudTrail logs, DNS logs, and other sources. With the new AWS CloudFormation resource support, you can create detectors, whitelisted IP sets, and identify known malicious IP addresses via ThreatIntelSets.
  • Amazon Inspector is a low-impact, low-cost, agent-based vulnerability scanner.Use it, for example, to automate vulnerability assessments and make them part of your deployment process. With the new AWS CloudFormation resource support, you can take tagged resources and build a resource group, then use the resource group to create an assessment target. Finally, you can create an assessment template, which is similar to a policy document and determines which rules the service uses to analyze the target hosts, as well as a duration for the assessment run.
  • Amazon Route 53 Auto Naming for Service Discovery and the new AWS::ServiceDiscovery resources in CloudFormation make it easy to consume the recently released Route 53 Auto Naming API calls.It can be used, for example, if you’re creating microservices in Amazon ECS and you want to leverage Route 53 to register new service instances and aid in the management and discovery of service names. This is important for Amazon ECS deployments, and it helps enable blue/green deployment patterns. With the new AWS CloudFormation resources, you can create either public or private DNS namespaces, then create named services and service instances for your microservices. If you’re interested in using these new resources, I recommend checking out this deck from a session at the AWS re:Invent 2017 conference.

Beyond supporting these new services, 40 of the 248 existing supported resources have been updated recently, adding 50 new property types for these resources. The following list summarizes these recent changes, ordered by service name:

Amazon API Gateway

  • For AWS::ApiGateway::Deployment, a StageName property has been deprecated on the StageDescription property type
  • For AWS::ApiGateway::Method, an OpeationName property was added to assign a friendly name to an API Gateway method; a RequestValidatorId property was added to associate a request validator with a method; a ContentHandling property was added for Integration and IntegrationResponse property types to specify how to handle request payload content type conversions
  • For AWS::ApiGateway::ApiKey, a CustomerID property was added to specify an AWS Marketplace customer identifier; a GenerateDistinctID property was added to indicate whether the key identifier is different from the created API key value
  • For AWS::ApiGateway::Authorizer, an AuthType property was added to specify a customer-defined field that is used in Swagger imports and exports without functional impact
  • For AWS::ApiGateway::DomainName, an EndpointConfiguration property was added to specify the endpoint types of an API Gateway domain name; a RegionalCertificateArn property was added to reference a certificate for use by the regional endpoint for a domain name
  • For AWS::ApiGateway::RestApi, an EndpointConfiguration property was added to specify the endpoint types of a REST API

AWS Auto Scaling

AWS Cloud9

AWS CodeBuild

  • For AWS::CodeBuild::Project, a BadgeEnabled property was added to generate a publicly accessible URL for a project’s build badge; a Cache property was added to configure cache settings for build dependencies; a VpcConfig property was added to enable AWS CodeBuild to access resources in an Amazon VPC; a Type property was added in the EnvironmentVariable property type to specify the type of environment variable

AWS CodeDeploy

  • For AWS::CodeDeploy::Application, a ComputePlatform property was added to specify an AWS Lambda compute platform for AWS CodeDeploy to deploy an application to
  • For AWS::CodeDeploy::DeploymentGroup, a TargetGroupInfoList property was added to the LoadBalancerInfo property type to specify information about a target group in Elastic Load Balancing to use in a deployment; a DeploymentType property was added to the DeploymentStyle property type to specify a blue/green deployment on a Lambda compute platform

Amazon CloudFront

  • For AWS::CloudFront::Distribution, a Tags property was added to specify an arbitrary set of tags (key-value pairs) to associate with an Amazon CloudFront distribution; OriginKeepAliveTimeout and OriginReadTimeout properties were added to the CustomOriginConfig property type to specify a custom keep-alive timeout and a custom origin read timeout respectively; an IPV6Enabled property was added to the DistributionConfig property type to specify whether Amazon CloudFront responds to IPv6 DNS requests an IPv6 address for your distribution
  • Use the AWS::CloudFront::CloudFrontOriginAccessIdentity resource to specify the origin access identity to associate with the origin of an Amazon CloudFront distribution
  • Use the AWS::CloudFront::StreamingDistribution resource to specify an Adobe Real-Time Messaging protocol (RTMP) streaming distribution for Amazon CloudFront

Amazon EC2

Amazon Elastic Container Registry

  • For AWS::ECR::Repository, a LifecyclePolicy property was added to specify a lifecycle policy for an Amazon ECR repository

Amazon Elastic Container Service

  • For AWS::ECS::TaskDefinition, a LinuxParameters property was added to the ContainerDefinition property type to specify Linux-specific options for an Amazon ECS container; a Cpu property was added to specify the number of CPU units needed for the task; an ExecutionRoleArn property was added to specify the Amazon Resource Name (ARN) of the execution role; Memory property was added to specify the amount of memory in MiB needed for the task; and a RequiresCompatibilities property was added to specify the launch type the task requires
  • For AWS::ECS::Service, a LaunchType property was added to specify the launch type on which to run the service; a NetworkConfiguration property was added to specify the network configuration for the service; a PlatformVersion property was added to specify the platform version on which to run your service

AWS Elastic Beanstalk

Amazon ElastiCache

  • For AWS::ElastiCache::ReplicationGroup, an AtRestEncryptionEnabled property was added to enable encryption at rest; an AuthToken property was added to specify a password that is used to access a password-protected server; and a TransitEncryptionEnabled property was added to enable in-transit encryption

Elastic Load Balancing

Amazon ElasticSearch Service

Amazon EMR

  • For AWS::EMR::Cluster, a CustomAmiId property was added to specify a custom Amazon Linux AMI for a cluster; an EbsRootVolumeSize property was added to specify the size of the EBS root volume for an Amazon EMR cluster

Amazon Kinesis

AWS Key Management Service

  • For AWS::KMS::Key, a Tags property was added to specify an arbitrary set of tags (key-value pairs) to associate with a custom master key

AWS Lambda

  • For AWS::Lambda::Alias, use the CodeDeployLambdaAliasUpdate update policy to perform an AWS CodeDeploy deployment when the version changes on a resource; you can also use the RoutingConfig property to specify two different versions of an AWS Lambda function, allowing you to dictate what percentage of traffic will invoke each version

AWS OpsWorks

Amazon RDS

  • For AWS::RDS::OptionGroup, an OptionVersion property was added to the OptionConfiguration property type to specify a version for the option
  • For AWS::RDS::DBInstance, SourceRegion and KmsKeyId properties were added to create an encrypted read replica from a cross-region source database instance

Amazon Route53

  • For AWS::Route53::HostedZone, a QueryLoggingConfig property was added to specify a configuration for DNS query logging

Amazon S3

  • For AWS::S3::Bucket, an AnalyticsConfigurations property was added to configure an analysis filter for an Amazon S3 bucket

AWS Systems Manager

  • For AWS::SSM::Parameter, an AllowedPattern property was added to specify a regular expression used to validate the parameter value

AWS Step Functions

  • For AWS::StepFunctions::StateMachine, you can specify a StateMachineName when creating a state machine, and both DefinitionString and RoleArn can be updated without replacing the state machine.

 

Visit the CloudFormation details page and CloudFormation documentation for more information, as well as the full list of supported resources.

About the Author

 

Luis Colon is a Senior Developer Advocate for the AWS CloudFormation team. He works with customers and internal development teams to focus on and improve the developer experience for CloudFormation users. In his spare time, he mixes progressive trance music.