AWS CloudFormation provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don't represent a complete security solution in AWS CloudFormation. I will explore all the AWS CloudFormation security features in detail. Follow and share this blog while I cover the other security features going forward.
Topics
- Use IAM to control access
- Do not embed credentials in your templates
- Use AWS CloudTrail to log AWS CloudFormation calls
Use IAM to control access
IAM is an AWS service that you can use to manage users and their permissions in AWS. You can use IAM with AWS CloudFormation to specify which AWS CloudFormation actions users can perform, such as viewing stack templates, creating stacks, or deleting stacks. Anyone managing AWS CloudFormation stacks also needs permissions on the resources within those stacks. For example, if users want to use AWS CloudFormation to launch, update, or terminate Amazon EC2 instances, they must have permission to call the relevant Amazon EC2 actions.
In most cases, users require full access to manage all of the resources in a template, because AWS CloudFormation makes the calls to create, modify, and delete those resources on their behalf. To separate the permissions a user holds from those the AWS CloudFormation service uses, use a service role: AWS CloudFormation then makes its calls with the service role's policy instead of the user's policy, so the user only needs permission to run CloudFormation and to pass that role.
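The following template is an added example, not code from the original post or from AWS documentation. It shows the separation just described: a service role that only the CloudFormation service principal can assume, holding the permissions the stack resources need, and a managed policy for the people who operate the stacks, which grants CloudFormation actions plus `iam:PassRole` on that one role and nothing else. The role name, policy name, stack-name prefix and S3 bucket prefix are hypothetical.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: a CloudFormation service role plus a separate operator
  policy. Names and the S3 bucket prefix are hypothetical.

Resources:
  # Role CloudFormation assumes while creating, updating or deleting stack
  # resources. Only the CloudFormation service principal may assume it.
  CfnServiceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-static-site-service-role     # hypothetical
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: StackResourceAccess
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Only what the managed resources need, scoped to the
              # bucket names this template family is allowed to create.
              - Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:GetBucketPolicy
                  - s3:PutBucketPolicy
                  - s3:DeleteBucketPolicy
                  - s3:PutBucketTagging
                  - s3:PutBucketPublicAccessBlock
                Resource: arn:aws:s3:::example-static-site-*   # hypothetical prefix

  # Policy for the operators (people or a CI role). They can drive
  # CloudFormation and hand it the service role, but hold no S3 rights.
  StackOperatorPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: cfn-stack-operator      # hypothetical
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - cloudformation:CreateStack
              - cloudformation:UpdateStack
              - cloudformation:DeleteStack
              - cloudformation:DescribeStacks
              - cloudformation:DescribeStackEvents
              - cloudformation:GetTemplate
            Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/static-site-*/*
          # PassRole is limited to this one role, and only when the
          # receiving service is CloudFormation.
          - Effect: Allow
            Action: iam:PassRole
            Resource: !GetAtt CfnServiceRole.Arn
            Condition:
              StringEquals:
                iam:PassedToService: cloudformation.amazonaws.com

Outputs:
  ServiceRoleArn:
    Value: !GetAtt CfnServiceRole.Arn
```

This bootstrap template itself creates IAM resources, so an administrator deploys it once with `CAPABILITY_NAMED_IAM`. Afterwards an operator launches application stacks with `aws cloudformation create-stack ... --role-arn <ServiceRoleArn>`; CloudFormation records the role ARN on the stack and reuses it for later updates and deletes, and any attempt to create a resource the role's policy does not cover fails in the stack events rather than succeeding through the operator's own permissions.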
Do not embed credentials in your templates
Rather than embedding sensitive information in your AWS CloudFormation templates, use dynamic references in your stack template.
Dynamic references provide a compact, powerful way for you to reference external values that are stored and managed in other services, such as the AWS Systems Manager Parameter Store or AWS Secrets Manager. When you use a dynamic reference, CloudFormation retrieves the value of the specified reference when necessary during stack and change set operations, and passes the value to the appropriate resource. CloudFormation never stores the actual reference value.
AWS Secrets Manager helps you securely encrypt, store, and retrieve credentials for your databases and other services. The AWS Systems Manager Parameter Store also provides secure, hierarchical storage for configuration data and secrets management.
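The template below is an added example, not code from the original post. It demonstrates the pattern this section recommends: the database password is generated inside Secrets Manager and reaches the RDS instance only through a `{{resolve:secretsmanager:...}}` dynamic reference, so the plaintext appears neither in the template, nor in the stack parameters, nor in the stack event log. The secret name, the subnet group parameter and the instance settings are hypothetical.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: database credentials delivered through dynamic references
  instead of template literals. Names and sizes are hypothetical.

Parameters:
  DbSubnetGroupName:
    Type: String
    Description: Name of an existing DB subnet group (hypothetical input)

Resources:
  # The password is generated by Secrets Manager; nobody types it and it is
  # never written into the template.
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: /app/db/master                     # hypothetical secret name
      GenerateSecretString:
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'

  Database:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot
    Properties:
      Engine: postgres
      DBInstanceClass: db.t3.micro
      AllocatedStorage: '20'
      DBSubnetGroupName: !Ref DbSubnetGroupName
      StorageEncrypted: true
      # The anti-pattern this section warns against would read:
      #   MasterUserPassword: Sup3rS3cret!
      # With dynamic references CloudFormation resolves the secret at deploy
      # time and passes the value straight to RDS. !Ref on the secret
      # returns its ARN, which is a valid secret-id in the reference.
      MasterUsername: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:${DbSecret}:SecretString:password}}'

  # Ties the secret to the instance so that rotation knows which database
  # to update and adds host/port to the secret JSON.
  SecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance
```

The Parameter Store equivalent for a `SecureString` parameter is `'{{resolve:ssm-secure:/app/db/master-password:1}}'`; note that `ssm-secure` references are accepted only on the specific resource properties AWS lists as supported (`MasterUserPassword` on `AWS::RDS::DBInstance` is one of them), while `secretsmanager` references can be used in any resource property. In both cases the value shows up as the literal reference string in `DescribeStacks` and `GetTemplate` output, which is exactly what you want an auditor to see.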
Use AWS CloudTrail to log AWS CloudFormation calls
AWS CloudTrail records every AWS CloudFormation API call made in your AWS account, together with the identity that made it. API calls are logged whenever anyone uses the AWS CloudFormation API, the AWS CloudFormation console, a back-end console, or AWS CloudFormation AWS CLI commands. Enable logging and specify an Amazon S3 bucket to store the logs. That way, if you ever need to, you can audit who made which AWS CloudFormation call in your account.