CFT Assessment

    Overview

    You can use the Dome9 Compliance Engine to evaluate AWS CloudFormation Templates (CFTs).

    By evaluating the CFT for a proposed cloud environment or extension, you can deal with security issues in the environment before the deployment and ensure that your design meets both your business goals and security needs.

    Note: CFT Assessments can be used with AWS CFTs only.

    Value to customers

    • evaluate security compliance before actual cloud provisioning

    • security considerations are assessed and addressed earlier in the DevOps process

    • supports Infrastructure as Code (IaC) approach to planning cloud environments

    Use-cases

    • assess designs for cloud-elements (templates)

    • assess a template-based extension to a live cloud environment

    • test compliance to security guidelines within the CI/CD pipeline, before push to production (devsecops)


    Supported AWS Resources/Entities

    Dome9 supports these AWS objects in CFT assessments:

    SecurityGroup: 'AWS::EC2::SecurityGroup'

    SecurityGroupIngress: 'AWS::EC2::SecurityGroupIngress'

    SecurityGroupEgress: 'AWS::EC2::SecurityGroupEgress'

    Instance: 'AWS::EC2::Instance'

    Subnet: 'AWS::EC2::Subnet'

    SubnetCidrBlock: 'AWS::EC2::SubnetCidrBlock'

    NetworkInterface: 'AWS::EC2::NetworkInterface'

    NetworkInterfaceAttachment: 'AWS::EC2::NetworkInterfaceAttachment'

    EipAssociation: 'AWS::EC2::EIPAssociation'

    Eip: 'AWS::EC2::EIP'

    Vpc: 'AWS::EC2::VPC'

    VpcCidrBlock: 'AWS::EC2::VPCCidrBlock'

    Stack: 'AWS::CloudFormation::Stack'

    LoadBalancerV2: 'AWS::ElasticLoadBalancingV2::LoadBalancer'

    LoadBalancerV2Listener: 'AWS::ElasticLoadBalancingV2::Listener'
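    The following script is an added illustration of what a pre-deployment assessment of a CFT looks like in practice; it is not the Dome9 Compliance Engine and does not reproduce its rule set. It parses a JSON template offline, walks both inline ingress rules on an AWS::EC2::SecurityGroup and standalone AWS::EC2::SecurityGroupIngress resources (two of the supported entity types listed above), resolves a {"Ref": ...} back to the target group's logical ID, and reports any rule that exposes an administrative port to the whole Internet. The sample template, the set of "administrative" ports, and the single rule evaluated are all constructed for this example. The non-zero exit status at the end is what lets a CI/CD stage fail the build before a push to production, as in the devsecops use-case above.

```python
"""Minimal offline compliance check for an AWS CloudFormation template (CFT).

Added example only: this is NOT the Dome9 Compliance Engine. It evaluates one
hypothetical rule ("no administrative port reachable from 0.0.0.0/0 or ::/0")
against the security-group resources in a JSON template.
"""
import ipaddress
import json

# Ports treated as administrative by this hypothetical rule (an assumption).
ADMIN_PORTS = {22, 3389}

# Constructed sample template; not taken from the original page.
SAMPLE_CFT = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    # HTTPS from anywhere: not an admin port, so compliant here.
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                    # SSH from the corporate range only: compliant.
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "BastionSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": "bastion"},
        },
        # Standalone ingress resource attached to BastionSg via Ref: SSH from the world.
        "BastionSshIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": {"Ref": "BastionSg"}, "IpProtocol": "tcp",
                           "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        },
        # IpProtocol -1 means all protocols and ports; ::/0 is the IPv6 world.
        "AnyProtoIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {"GroupId": {"Ref": "BastionSg"}, "IpProtocol": "-1",
                           "CidrIpv6": "::/0"},
        },
    },
})


def _cidr_is_world(cidr):
    """True for a /0 prefix in either address family (i.e. 'any source')."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed or non-literal CIDR: leave it to another check


def _rule_covers_admin_port(rule):
    """True if the rule's protocol/port range includes any ADMIN_PORTS entry."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto == "-1":
        return True  # all protocols, all ports
    if proto not in ("tcp", "6"):
        return False  # admin ports of interest here are TCP services
    # A missing port bound is treated conservatively as the full range.
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _ref_name(value):
    """Resolve a literal GroupId/GroupName or a {"Ref": ...} to a logical ID."""
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return str(value) if value is not None else "<unknown>"


def iter_ingress_rules(template):
    """Yield (target_group, defining_resource, rule) for inline and standalone ingress."""
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties") or {}
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress") or []:
                yield logical_id, logical_id, rule
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            yield _ref_name(props.get("GroupId", props.get("GroupName"))), logical_id, props


def assess_cft(template_text):
    """Return a list of findings for admin ports reachable from any source."""
    findings = []
    for group, source, rule in iter_ingress_rules(json.loads(template_text)):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr is None:
            continue  # source is another group or a prefix list, not a CIDR
        if _cidr_is_world(cidr) and _rule_covers_admin_port(rule):
            findings.append({"group": group, "resource": source, "cidr": cidr,
                             "protocol": str(rule.get("IpProtocol")),
                             "from_port": rule.get("FromPort"), "to_port": rule.get("ToPort")})
    return findings


if __name__ == "__main__":
    results = assess_cft(SAMPLE_CFT)
    for f in results:
        print(f"FAIL {f['resource']}: {f['group']} allows {f['protocol']} "
              f"{f['from_port']}-{f['to_port']} from {f['cidr']}")
    # Non-zero exit lets a CI/CD stage block the push to production.
    raise SystemExit(1 if results else 0)
```

    Run it as `python check_cft.py` against the embedded sample; it reports two findings, both on BastionSg (the standalone SSH rule and the all-protocols IPv6 rule), and exits 1. The web tier's HTTPS rule and its SSH rule restricted to 10.0.0.0/8 pass. Real templates are more often YAML than JSON and use intrinsic functions beyond Ref, so a production checker would need a CloudFormation-aware YAML loader and parameter resolution, which is the gap the Dome9 CFT Simulator and Compliance Engine fill.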

    Dome9 CFT Simulator

    Dome9 has prepared a CFT Simulator, with which you can run an offline simulation of your CFT (without executing the stack in the AWS environment), according to various input parameters. This helps you prepare your CFT. Then, use the Dome9 Compliance Engine to evaluate your template for security issues.

    Actions

    Assess a CFT

    Run a policy assessment on a CFT.

    1. Navigate to the Compliance Engine main page.

    2. Click on the policy (bundle) to be run (in the list on the left).

    3. Click .

    4. Select the CFT tab.

    5. Select the Cloud account and region.

    6. Drag the CFT file to the Template file box, and then click RUN. The assessment takes from a few seconds to a few minutes, depending on the complexity of the policy and the number of rules. When it completes, the results are displayed.