AWS Security Blog

Tag: AWS CloudFormation

Validate IAM policies in CloudFormation templates using IAM Access Analyzer

In this blog post, I introduce IAM Policy Validator for AWS CloudFormation (cfn-policy-validator), an open source tool that extracts AWS Identity and Access Management (IAM) policies from an AWS CloudFormation template, and allows you to run existing IAM Access Analyzer policy validation APIs against the template. I also show you how to run the tool […]

Read More

Creating a notification workflow from sensitive data discover with Amazon Macie, Amazon EventBridge, AWS Lambda, and Slack

Following the example of the EU in implementing the General Data Protection Regulation (GDPR), many countries are implementing similar data protection laws. In response, many companies are forming teams that are responsible for data protection. Considering the volume of information that companies maintain, it’s essential that these teams are alerted when sensitive data is at […]

Read More

How to implement the principle of least privilege with CloudFormation StackSets

March 24, 2021: We’ve corrected errors in the policy statements in steps 2 and 3 of the section “To create the IAM policy document.” AWS CloudFormation is a service that lets you create a collection of related Amazon Web Services and third-party resources and provision them in an orderly and predictable fashion. A typical access […]

Read More

How to set up a recurring Security Hub summary email

AWS Security Hub provides a comprehensive view of your security posture in Amazon Web Services (AWS) and helps you check your environment against security standards and best practices. In this post, we’ll show you how to set up weekly email notifications using Security Hub to provide account owners with a summary of the existing security […]

Read More

How to deploy public ACM certificates across multiple AWS accounts and Regions using AWS CloudFormation StackSets

In this post, I take you through the steps to deploy a public AWS Certificate Manager (ACM) certificate across multiple accounts and AWS Regions by using the functionality of AWS CloudFormation StackSets and AWS Lambda. ACM is a service offered by Amazon Web Services (AWS) that you can use to obtain x509 v3 SSL/TLS certificates. […]

Read More

Integrating AWS CloudFormation security tests with AWS Security Hub and AWS CodeBuild reports

The concept of infrastructure as code, by using pipelines for continuous integration and delivery, is fundamental for the development of cloud infrastructure. Including code quality and vulnerability scans in the pipeline is essential for the security of this infrastructure as code. In one of our previous posts, How to build a CI/CD pipeline for container […]

Read More

How to use AWS Certificate Manager with AWS CloudFormation

Last month, Amazon Web Services (AWS) introduced the ability to automate issuing and validating public and private certificates using AWS CloudFormation. To make this easier, AWS has introduced three new features that let you: Automate the steps to validate your domain with DNS validation and issue your public certificate. Use AWS CloudFormation templates to issue […]

Read More

How to create SAML providers with AWS CloudFormation

June 24, 2020: We updated the first 3 paragraphs of this post to provide, and link to, more information. As organizations grow, they often experience an inflection point where it becomes impractical to manually manage separate user accounts in disparate systems. Managing multiple AWS accounts is no exception. Many large organizations have dozens or even […]

Read More

How to define least-privileged permissions for actions called by AWS services

August 31, 2021: AWS KMS is replacing the term customer master key (CMK) with AWS KMS key and KMS key. The concept has not changed. To prevent breaking changes, AWS KMS is keeping some variations of this term. More info. February 21, 2020: We fixed a missing comma in a policy example. March 3, 2020: […]

Read More

How to create and retrieve secrets managed in AWS Secrets Manager using AWS CloudFormation templates

Updated November 15, 2018: We added information to make variables more clear in the sample template. AWS Secrets Manager now integrates with AWS CloudFormation so you can create and retrieve secrets securely using CloudFormation. This integration makes it easier to automate provisioning your AWS infrastructure. For example, without any code changes, you can generate unique […]

Read More