Example of AWS Cloudformation template scanning.
Example template
AWSTemplateFormatVersion: "2010-09-09"
Resources:
dynamodb003S1:
Type: AWS::DynamoDB::Table
Properties:
PointInTimeRecoverySpecification:
PointInTimeRecoveryEnabled: true
AttributeDefinitions:
- AttributeName: Album
AttributeType: S
- AttributeName: Artist
AttributeType: S
- AttributeName: Sales
AttributeType: N
- AttributeName: NumberOfSongs
AttributeType: N
KeySchema:
- AttributeName: Album
KeyType: HASH
- AttributeName: Artist
KeyType: RANGE
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
SSESpecification:
SSEEnabled: true
TableName: myTableName
GlobalSecondaryIndexes:
- IndexName: myGSI
KeySchema:
- AttributeName: Sales
KeyType: HASH
- AttributeName: Artist
KeyType: RANGE
Projection:
NonKeyAttributes:
- Album
- NumberOfSongs
ProjectionType: INCLUDE
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
- IndexName: myGSI2
KeySchema:
- AttributeName: NumberOfSongs
KeyType: HASH
- AttributeName: Sales
KeyType: RANGE
Projection:
NonKeyAttributes:
- Album
- Artist
ProjectionType: INCLUDE
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
LocalSecondaryIndexes:
- IndexName: myLSI
KeySchema:
- AttributeName: Album
KeyType: HASH
- AttributeName: Sales
KeyType: RANGE
Projection:
NonKeyAttributes:
- Artist
- NumberOfSongs
ProjectionType: INCLUDE
Example scan command
#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
api_key="Your Trend Vision One API Key"
api_base_url="https://api.xdr.trendmicro.com"
file_path="Path to template"
content=$(cat ${file_path} | jq '.' -MRs)
payload="{\"type\":\"cloudformation-template\",\"content\":${content}}"
echo Request:
echo ${payload} | jq '.' -M
echo Response:
curl -s -X POST \
-H "Authorization: Bearer ${api_key}" \
-H "Content-Type: application/json" \
${api_base_url}/beta/cloudPosture/scanTemplate \
--data-binary "${payload}" | jq '.' -M
Example Template Scanner API Output
{
"scanResults": [
{
"id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:dynamodb003s1-otfs8ljoe0sp",
"accountId": "",
"ruleId": "RG-001",
"provider": "aws",
"ruleTitle": "Tags",
"riskLevel": "LOW",
"status": "FAILURE",
"service": "ResourceGroup",
"description": "dynamodb-table dynamodb003s1-otfs8ljoe0sp has [Environment, Role, Owner, Name] tags missing",
"resource": "dynamodb003s1-otfs8ljoe0sp",
"resourceType": "dynamodb-table",
"ignored": false,
"categories": [
"security",
"reliability",
"performance-efficiency",
"cost-optimisation",
"operational-excellence",
"sustainability"
],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HITRUST",
"ASAE-3150",
"PCI-V4",
"FEDRAMP",
"MAS",
"CSA"
],
"region": "us-east-1",
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html"
},
{
"id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:dynamodb003s1-otfs8ljoe0sp",
"accountId": "",
"ruleId": "DynamoDB-003",
"provider": "aws",
"ruleTitle": "DynamoDB Continuous Backups",
"riskLevel": "HIGH",
"status": "SUCCESS",
"service": "DynamoDB",
"description": "Continuous Backups are enabled for [dynamodb003s1-otfs8ljoe0sp]",
"resource": "dynamodb003s1-otfs8ljoe0sp",
"resourceType": "dynamodb-table",
"resourceId": "dynamodb003s1-otfs8ljoe0sp",
"ignored": false,
"categories": ["reliability"],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9"
],
"region": "us-east-1",
"tags": [],
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html"
},
{
"id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003s1-otfs8ljoe0sp",
"accountId": "",
"ruleId": "DynamoDB-004",
"provider": "aws",
"ruleTitle": "Enable Encryption at Rest with Amazon KMS Keys",
"riskLevel": "HIGH",
"status": "SUCCESS",
"service": "DynamoDB",
"description": "Table [dynamodb003s1-otfs8ljoe0sp] is encrypted at rest using the AWS managed key or Customer managed key",
"resource": "dynamodb003s1-otfs8ljoe0sp",
"resourceType": "dynamodb-table",
"resourceId": "dynamodb003s1-otfs8ljoe0sp",
"ignored": false,
"categories": ["security"],
"compliances": [
"GDPR",
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9",
"LGPD"
],
"region": "us-east-1",
"tags": [],
"notScored": false,
"resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html"
}
],
"missingParameters": [],
"skippedRules": []
}