CFT Assessment

In this topic:


    You can use the CloudGuard Dome9 Compliance Engine to evaluate AWS CloudFormation Templates (CFTs).

    By evaluating the CFT for a proposed cloud environment or extension, you can deal with security issues in the environment before the deployment and ensure that your design meets both your business goals and security needs.

    Note: CFT Assessments can be used with AWS CFTs only.


    Value to customers

    • evaluate security compliance before actual cloud provisioning

    • security considerations are assessed and addressed earlier in the DevOps process

    • supports Infrastructure as Code (IaC) approach to planning cloud environments


    • assess designs for cloud-elements (templates)

    • assess a template-based extension to a live cloud environment

    • test compliance to security guidelines within the CI/CD pipeline, before push to production (devsecops)


    Supported AWS Resources/Entities

    Dome9 supports these AWS objects in CFT assessments:

    SecurityGroup: 'AWS::EC2::SecurityGroup'

    SecurityGroupIngress: 'AWS::EC2::SecurityGroupIngress'

    SecurityGroupEgress: 'AWS::EC2::SecurityGroupEgress'

    Instance: 'AWS::EC2::Instance'

    Subnet: 'AWS::EC2::Subnet'

    SubnetCidrBlock: 'AWS::EC2::SubnetCidrBlock'

    NetworkInterface: 'AWS::EC2::NetworkInterface'

    NetworkInterfaceAttachment: 'AWS::EC2::NetworkInterfaceAttachment'

    EipAssociation: 'AWS::EC2::EIPAssociation'

    Eip: 'AWS::EC2::EIP'

    Vpc: 'AWS::EC2::VPC'

    VpcCidrBlock: 'AWS::EC2::VPCCidrBlock'

    Stack: 'AWS::CloudFormation::Stack'

    LoadBalancerV2: 'AWS::ElasticLoadBalancingV2::LoadBalancer'

    LoadBalancerV2Listener: 'AWS::ElasticLoadBalancingV2::Listener',


    Dome9 CFT Simulator

    Dome9 has prepared a CFT Simulator, with which you can run an offline (that is, not executing the stack in AWS environment) simulation of the your CFT, according to various input parameters. This will help you prepare our CFT. Then, use the Dome9 Compliance Engine to evaluate your template for any security issues.



    Assess a CFT

    Run a policy assessment on a CFT.

    1. Navigate to the Rulesets tab in the Compliance & Governance menu.

    2. Click on the ruleset to be run.

    3. Click .

    4. Select the CFT tab.

    5. Select the Cloud account and region.

    6. Drag the CFT file to the Template file box, and then click RUN. The assessment will take from a few seconds to a few minutes (depending on the complexity of the ruleset and the number of rules). When completed, the results will be displayed