
Example of AWS CloudFormation template scanning.

Example template

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Single DynamoDB table used as the scan input. The scanner derives its
  # "resource" name from this logical ID (see the example output below).
  dynamodb003S1:
    Type: AWS::DynamoDB::Table
    Properties:
      # Continuous backups (point-in-time recovery) are on; the scanner reports
      # this as rule DynamoDB-003 with status SUCCESS.
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      # Every attribute referenced by a key schema below must be declared here.
      AttributeDefinitions:
        - AttributeName: Album
          AttributeType: S
        - AttributeName: Artist
          AttributeType: S
        - AttributeName: Sales
          AttributeType: N
        - AttributeName: NumberOfSongs
          AttributeType: N
      # Table primary key: Album (partition) + Artist (sort).
      KeySchema:
        - AttributeName: Album
          KeyType: HASH
        - AttributeName: Artist
          KeyType: RANGE
      # Capacity units are written as quoted strings so the YAML parser does
      # not retype them; CloudFormation coerces them for this integer property.
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      # Encryption at rest is enabled. No KMSMasterKeyId/SSEType is given, so a
      # customer-managed key is not configured here; the scanner's DynamoDB-004
      # check still passes ("AWS managed key or Customer managed key").
      SSESpecification:
        SSEEnabled: true
      # Fixed table name. No Tags property is present, which the scanner
      # reports as rule RG-001 ("Tags") with status FAILURE at LOW risk.
      TableName: myTableName
      # Two global secondary indexes, each with its own provisioned capacity.
      GlobalSecondaryIndexes:
        - IndexName: myGSI
          KeySchema:
            - AttributeName: Sales
              KeyType: HASH
            - AttributeName: Artist
              KeyType: RANGE
          # Only the listed non-key attributes are copied into the index.
          Projection:
            NonKeyAttributes:
              - Album
              - NumberOfSongs
            ProjectionType: INCLUDE
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
        - IndexName: myGSI2
          KeySchema:
            - AttributeName: NumberOfSongs
              KeyType: HASH
            - AttributeName: Sales
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Album
              - Artist
            ProjectionType: INCLUDE
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
      # Local secondary index: shares the table's partition key (Album) and
      # uses Sales as an alternate sort key; it shares the table's throughput.
      LocalSecondaryIndexes:
        - IndexName: myLSI
          KeySchema:
            - AttributeName: Album
              KeyType: HASH
            - AttributeName: Sales
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Artist
              - NumberOfSongs
            ProjectionType: INCLUDE

Example scan command

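#!/usr/bin/env bash
# Scans a CloudFormation template file with the Template Scanner API and
# pretty-prints both the request payload and the API response.
# Requires "jq" (https://stedolan.github.io/jq/) and "curl" to be installed.
#
# Fill in the three variables below before running. The API key is a bearer
# credential: keep it out of shell history and version control (for example,
# read it from an environment variable or a secrets manager instead of
# editing it into this file).

# Abort on the first failing command, on unset variables, and on failures
# anywhere in a pipeline (otherwise a failed jq/curl would go unnoticed).
set -euo pipefail

api_key="Your Trend Vision One API Key"
api_base_url="https://api.xdr.trendmicro.com"
file_path="Path to template"

# Fail early with a clear message instead of letting jq report a cryptic
# "Could not open" error on a mistyped path.
if [[ ! -r "${file_path}" ]]; then
  echo "Template file is not readable: ${file_path}" >&2
  exit 1
fi

# Let jq build the JSON body from the raw file contents (-R: raw input,
# -s: slurp the whole file into one string, -c: compact output), so the
# template text is escaped correctly whatever quotes or newlines it contains.
payload=$(jq -c -R -s '{type: "cloudformation-template", content: .}' "${file_path}")

echo "Request:"
echo "${payload}" | jq '.' -M

echo "Response:"
# -s silences the progress meter; -S still reports transport errors on stderr.
curl -sS -X POST \
     -H "Authorization: Bearer ${api_key}" \
     -H "Content-Type: application/json" \
     "${api_base_url}/beta/cloudPosture/scanTemplate" \
     --data-binary "${payload}" | jq '.' -M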

Example Template Scanner API Output

{
  "scanResults": [
    {
      "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:dynamodb003s1-otfs8ljoe0sp",
      "accountId": "",
      "ruleId": "RG-001",
      "provider": "aws",
      "ruleTitle": "Tags",
      "riskLevel": "LOW",
      "status": "FAILURE",
      "service": "ResourceGroup",
      "description": "dynamodb-table dynamodb003s1-otfs8ljoe0sp has [Environment, Role, Owner, Name] tags missing",
      "resource": "dynamodb003s1-otfs8ljoe0sp",
      "resourceType": "dynamodb-table",
      "ignored": false,
      "categories": [
        "security",
        "reliability",
        "performance-efficiency",
        "cost-optimisation",
        "operational-excellence",
        "sustainability"
      ],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HITRUST",
        "ASAE-3150",
        "PCI-V4",
        "FEDRAMP",
        "MAS",
        "CSA"
      ],
      "region": "us-east-1",
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html"
    },
    {
      "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:dynamodb003s1-otfs8ljoe0sp",
      "accountId": "",
      "ruleId": "DynamoDB-003",
      "provider": "aws",
      "ruleTitle": "DynamoDB Continuous Backups",
      "riskLevel": "HIGH",
      "status": "SUCCESS",
      "service": "DynamoDB",
      "description": "Continuous Backups are enabled for [dynamodb003s1-otfs8ljoe0sp]",
      "resource": "dynamodb003s1-otfs8ljoe0sp",
      "resourceType": "dynamodb-table",
      "resourceId": "dynamodb003s1-otfs8ljoe0sp",
      "ignored": false,
      "categories": ["reliability"],
      "compliances": [
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "ASAE-3150",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "CSA",
        "ENISA",
        "FISC-V9"
      ],
      "region": "us-east-1",
      "tags": [],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html"
    },
    {
      "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003s1-otfs8ljoe0sp",
      "accountId": "",
      "ruleId": "DynamoDB-004",
      "provider": "aws",
      "ruleTitle": "Enable Encryption at Rest with Amazon KMS Keys",
      "riskLevel": "HIGH",
      "status": "SUCCESS",
      "service": "DynamoDB",
      "description": "Table [dynamodb003s1-otfs8ljoe0sp] is encrypted at rest using the AWS managed key or Customer managed key",
      "resource": "dynamodb003s1-otfs8ljoe0sp",
      "resourceType": "dynamodb-table",
      "resourceId": "dynamodb003s1-otfs8ljoe0sp",
      "ignored": false,
      "categories": ["security"],
      "compliances": [
        "GDPR",
        "AWAF",
        "CIS-V8",
        "NIST4",
        "NIST5",
        "SOC2",
        "NIST-CSF",
        "ISO27001",
        "ISO27001-2022",
        "AGISM",
        "HIPAA",
        "HITRUST",
        "ASAE-3150",
        "PCI",
        "PCI-V4",
        "APRA",
        "FEDRAMP",
        "MAS",
        "CSA",
        "ENISA",
        "FISC-V9",
        "LGPD"
      ],
      "region": "us-east-1",
      "tags": [],
      "notScored": false,
      "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html"
    }
  ],
  "missingParameters": [],
  "skippedRules": []
}