
Scan for AWS CloudFormation misconfigurations with Snyk IaC

source link: https://snyk.io/blog/scan-aws-cloudformation-misconfigurations-snyk-iac/

Ilianna Papastefanou

June 17, 2021

We’re excited to announce the launch of support for AWS CloudFormation in Snyk Infrastructure as Code. In our recent Infrastructure as Code Security Insights report, we found that 36% of survey participants were using AWS CloudFormation (CF) as their primary infrastructure as code tool. Using Snyk Infrastructure as Code, you can now scan your CF YAML or JSON templates against our comprehensive set of AWS security rules.

With these new capabilities, you have the power to treat your CloudFormation files like any other code and shift security left, early in your development process, making security an integral part of your infrastructure development and deployment pipelines.

Integrate where it matters

This functionality is available both by importing a repository or via our CLI, meaning you can integrate anywhere from local development through to source control and your CI/CD pipelines.

Using this example repository, which contains insecure CloudFormation template files, we integrated the repository from GitHub with Snyk and detected a range of issues across the CF files.

You can expand the repository in Snyk to view the list of scanned configuration files; in the screen below we’ve selected the db.yml file. Here you can see the configuration issues that were found, each linked to the relevant line in the original CF template:

AWS CloudFormations misconfiguration scanning powered by Snyk

Alternatively, you can get the same feedback using the Snyk CLI, which processes the files locally, meaning no data is sent to Snyk:

$ snyk iac test db.yml

Testing db.yml...


Infrastructure as code issues:
  ✗ Non-encrypted RDS instance at rest [Medium Severity] [SNYK-CC-TF-201] in RDS
    introduced by Resources[Database] > Properties > StorageEncrypted

  ✗ RDS IAM authentication is disabled [Medium Severity] [SNYK-CC-AWS-414] in RDS
    introduced by Resources[Database] > Properties > EnableIAMDatabaseAuthentication

  ✗ Non-Encrypted SNS Topic [Medium Severity] [SNYK-CC-TF-55] in SNS
    introduced by Resources > DatabaseAlarmTopic > Properties > KmsMasterKeyId

  ✗ SNS topic is not encrypted with customer managed key [Low Severity] [SNYK-CC-AWS-422] in SNS
    introduced by Resources[DatabaseAlarmTopic] > Properties > KmsMasterKeyId


Organization:      mycompany.test
Type:              CloudFormation
Target file:       db.yml
Project name:      cloudformation-example
Open source:       no
Project path:      /Users/iliana/workspace/snyk-iac-cloudformation

Tested db.yml for known issues, found 4 issues

Using AWS Cloud Development Kit

The AWS Cloud Development Kit (AWS CDK) is an open source software development framework for defining your cloud application resources using familiar programming languages. With the AWS CDK, you can define your infrastructure in a language you already know, such as TypeScript or Python, instead of writing YAML. This approach offers more flexibility and accessibility: you can use a language and IDE you’re already comfortable with, and you can use ordinary programming constructs instead of templating your YAML files.

You can also scan your AWS CDK files using the iac test functionality in the Snyk CLI by first converting them to a JSON file using the AWS CDK’s built-in synth subcommand. 

Using another example, which uses TypeScript to define some infrastructure, you can run the following commands to test the configurations in your pipelines using the Snyk CLI:

# install your dependencies
npm install
# convert your typescript to a CloudFormation json file
cdk synth

# scan the rendered json file using the Snyk IaC CLI
snyk iac test cdk.out/VpcStackWithIssues.template.json

Testing VpcStackWithIssues.template.json...


Infrastructure as code issues:
  ✗ Security Group allows open ingress [Medium Severity] [SNYK-CC-TF-1] in VPC
    introduced by Resources > SSHSG26D56496 > Properties > SecurityGroupIngress[0]

  ✗ AWS Security Group allows open egress [Low Severity] [SNYK-CC-TF-73] in VPC
    introduced by Resources[SSHSG26D56496] > Properties > SecurityGroupEgress[0] > CidrIp

  ✗ Rule allows open egress [Low Severity] [SNYK-CC-TF-72] in VPC
    introduced by Resources[SSHSG26D56496] > Properties > SecurityGroupEgress[0]


Organization:      mycompany.test
Type:              CloudFormation
Target file:       cdk.out/VpcStackWithIssues.template.json
Project name:      cdk.out
Open source:       no
Project path:      cdk.out/VpcStackWithIssues.template.json

Tested VpcStackWithIssues.template.json for known issues, found 3 issues

This workflow is well suited to a build pipeline, where it can be fully automated on each pull request. As of the publication date, AWS CDK files can only be scanned using a CLI-driven workflow.
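To make the findings in the two CLI listings above concrete, here is a small checker, added for this article and not Snyk’s code, that applies the same classes of rule to a parsed CloudFormation template: unencrypted RDS storage, RDS IAM authentication left off, an SNS topic with no KMS key, and a security group open to 0.0.0.0/0. It works on the JSON form of a template (what cdk synth emits; a YAML template can be loaded with PyYAML first) and prints findings in the same "Resources[Name] > Properties > Key" path style. The rule titles reuse the article’s wording; the matching logic, the insecure template and the hardened template beside it are all constructed for this example. Properties set through intrinsic functions such as Ref are deliberately not flagged, since their value is only known at deploy time.

```python
"""Toy CloudFormation misconfiguration checker (added example, not Snyk's code)."""
import json


def _falsy(value):
    # CloudFormation booleans may arrive as bool, as a string, or be absent;
    # absent means the AWS default, which is "off" for the properties checked here.
    return value is None or value is False or str(value).lower() == "false"


def _missing(value):
    return value is None


# (resource type, property, predicate meaning "misconfigured", title, severity)
PROPERTY_RULES = [
    ("AWS::RDS::DBInstance", "StorageEncrypted", _falsy,
     "Non-encrypted RDS instance at rest", "Medium"),
    ("AWS::RDS::DBInstance", "EnableIAMDatabaseAuthentication", _falsy,
     "RDS IAM authentication is disabled", "Medium"),
    ("AWS::SNS::Topic", "KmsMasterKeyId", _missing,
     "Non-Encrypted SNS Topic", "Medium"),
]


def _open_to_world(rule):
    return rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"


def check_template(template):
    """Return a list of (title, severity, path) findings for one parsed template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype = res.get("Type")
        props = res.get("Properties", {})
        for req_type, key, is_bad, title, severity in PROPERTY_RULES:
            if rtype == req_type and is_bad(props.get(key)):
                findings.append((title, severity, f"Resources[{name}] > Properties > {key}"))
        if rtype == "AWS::EC2::SecurityGroup":
            for direction, title, severity in (
                ("SecurityGroupIngress", "Security Group allows open ingress", "Medium"),
                ("SecurityGroupEgress", "Rule allows open egress", "Low"),
            ):
                for i, rule in enumerate(props.get(direction, [])):
                    if _open_to_world(rule):
                        findings.append((title, severity,
                                         f"Resources[{name}] > Properties > {direction}[{i}]"))
    return findings


def format_findings(findings):
    """Render findings in the shape of the article's CLI listing."""
    lines = [f"  \u2717 {t} [{s} Severity]\n    introduced by {p}" for t, s, p in findings]
    return "\n\n".join(lines) if lines else "  No issues found"


# Constructed insecure template with the same weak spots as the db.yml and
# VpcStackWithIssues listings: plaintext RDS storage, IAM auth left at its
# default (off), an SNS topic without a key, and SSH open to the world.
INSECURE_TEMPLATE = json.loads("""
{
  "Resources": {
    "Database": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                     "AllocatedStorage": "20", "StorageEncrypted": false}
    },
    "DatabaseAlarmTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {"TopicName": "db-alarms"}
    },
    "SSHSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "ssh",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}],
        "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]
      }
    }
  }
}
""")

# The same resources with each weak setting corrected (also constructed).
HARDENED_TEMPLATE = json.loads("""
{
  "Resources": {
    "TopicKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "CMK for SNS"}},
    "Database": {
      "Type": "AWS::RDS::DBInstance",
      "Properties": {"Engine": "postgres", "DBInstanceClass": "db.t3.micro",
                     "AllocatedStorage": "20", "StorageEncrypted": true,
                     "EnableIAMDatabaseAuthentication": true}
    },
    "DatabaseAlarmTopic": {
      "Type": "AWS::SNS::Topic",
      "Properties": {"TopicName": "db-alarms", "KmsMasterKeyId": {"Ref": "TopicKey"}}
    },
    "SSHSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "ssh from the bastion subnet only",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.1.0/24"}],
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/16"}]
      }
    }
  }
}
""")

if __name__ == "__main__":
    for label, tpl in (("insecure", INSECURE_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        found = check_template(tpl)
        print(f"Testing {label} template... found {len(found)} issues")
        print(format_findings(found))
```

Run as a script it reports five issues for the insecure template and none for the hardened one. The point it illustrates beyond the listings above is the default-off trap: EnableIAMDatabaseAuthentication is flagged even though the insecure template never mentions it, because an absent property means the AWS default, which is exactly why a scanner has to reason about missing keys and not only about keys set to an unsafe value.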

Comprehensive configuration security rules

The depth and range of security rules is important for ensuring you get comprehensive security feedback. Snyk has a dedicated Security Engineering team that researches, validates and continually adds new rules into the product — with over 100 for AWS (and growing). 

When adding rules, we ensure proper coverage by combining known best practices with our own first-party security research. Best practices are derived from both cloud provider and community standards, for example CIS benchmarks as well as Kubernetes and AWS best practices. Our own security research uses techniques such as threat modelling exercises on key usage patterns. For instance, we examine settings in managed Kubernetes offerings to determine where weaknesses can be avoided through proper IaC hardening.

You can view and modify the severity of the Snyk IaC rules by navigating to your Snyk organization’s Settings and selecting Infrastructure as Code in the left-hand menu. If you want to narrow the view to just AWS CloudFormation, choose AWS from the tabs under Severity settings and select CloudFormation (or Terraform, if you prefer). We endeavor to write rules that are format agnostic, so most rules will appear no matter which toggles you select.


You can also view a full list of our AWS CloudFormation security rules publicly on the Security Rules section of our site.


Get started with the Snyk IaC for free

These new features are available to everyone to try, including users on a free plan. Getting started is simple:

  • If you don’t already have a Snyk account, sign up for free.
  • Install the Snyk CLI. If you already have the Snyk CLI installed, verify you have CLI 1.629.0 or newer to get these features.
  • Scan your CloudFormation files. The main command for scanning IaC with the new features is: snyk iac test <path-to-file-or-folder>

You can learn more about the various scanning options we support through Snyk’s docs or via the CLI docs by running: snyk iac --help

We’d love to hear your feedback! If you’re already a Snyk customer your customer success team is a great route for product feedback, but we welcome comments in our Snyk Community forum from all.

Book a demo of Snyk IaC

See AWS CloudFormation misconfiguration scanning in action.

