Example of AWS CloudFormation template scanning with the Trend Vision One Cloud Posture template scanner API (`POST /beta/cloudPosture/scanTemplate`): a template is submitted as the `content` of a JSON request and the response lists every rule evaluated against the resources it declares.
Example template (CloudFormation, YAML) — a single DynamoDB table with point-in-time recovery and server-side encryption enabled, but no `Tags`.
# Example CloudFormation template submitted to the template scanner.
# One DynamoDB table with two global secondary indexes and one local
# secondary index. The scanner output further down maps onto it as follows:
#   - PointInTimeRecoveryEnabled: true  -> DynamoDB-003 "Continuous Backups" SUCCESS
#   - SSEEnabled: true                   -> DynamoDB-004 "Encryption at Rest" SUCCESS
#   - no Tags property                   -> RG-001 "Tags" FAILURE (Environment, Role,
#                                          Owner, Name reported missing)
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Logical ID. The scan output names the resource "dynamodb003s1-otfs8ljoe0sp",
  # apparently derived from this logical ID rather than from TableName below.
  dynamodb003S1:
    Type: AWS::DynamoDB::Table
    Properties:
      # Continuous backups; reported as passing DynamoDB-003 in the output below.
      PointInTimeRecoverySpecification:
        PointInTimeRecoveryEnabled: true
      AttributeDefinitions:
        - AttributeName: Album
          AttributeType: S
        - AttributeName: Artist
          AttributeType: S
        - AttributeName: Sales
          AttributeType: N
        - AttributeName: NumberOfSongs
          AttributeType: N
      # Table primary key: Album (partition) + Artist (sort).
      KeySchema:
        - AttributeName: Album
          KeyType: HASH
        - AttributeName: Artist
          KeyType: RANGE
      # NOTE(review): capacity units are given as quoted strings here; presumably
      # CloudFormation coerces them, but plain integers are the unambiguous form.
      ProvisionedThroughput:
        ReadCapacityUnits: "5"
        WriteCapacityUnits: "5"
      # Encryption at rest; reported as passing DynamoDB-004 ("AWS managed key or
      # Customer managed key"). No KMSMasterKeyId is set, so this template does not
      # pin a customer-managed key -- presumably the AWS managed key is used; confirm
      # if a CMK is a requirement in your environment.
      SSESpecification:
        SSEEnabled: true
      TableName: myTableName
      # No Tags property is declared, which is what RG-001 flags in the output below.
      GlobalSecondaryIndexes:
        - IndexName: myGSI
          KeySchema:
            - AttributeName: Sales
              KeyType: HASH
            - AttributeName: Artist
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Album
              - NumberOfSongs
            ProjectionType: INCLUDE
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
        - IndexName: myGSI2
          KeySchema:
            - AttributeName: NumberOfSongs
              KeyType: HASH
            - AttributeName: Sales
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Album
              - Artist
            ProjectionType: INCLUDE
          ProvisionedThroughput:
            ReadCapacityUnits: "5"
            WriteCapacityUnits: "5"
      # The LSI shares the table's partition key (Album) and sorts on Sales.
      LocalSecondaryIndexes:
        - IndexName: myLSI
          KeySchema:
            - AttributeName: Album
              KeyType: HASH
            - AttributeName: Sales
              KeyType: RANGE
          Projection:
            NonKeyAttributes:
              - Artist
              - NumberOfSongs
            ProjectionType: INCLUDE
Example scan script (bash; requires `jq` and `curl`). It wraps the template file in the JSON request body, prints the request, POSTs it with a bearer token, and pretty-prints the response.
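#!/usr/bin/env bash
# Scans a CloudFormation template with the Trend Vision One Cloud Posture
# template scanner and pretty-prints the request and the response.
#
# Usage:
#   TREND_API_KEY=<your Trend Vision One API key> ./scan-template.sh <path-to-template>
#
# Optional:
#   TREND_API_BASE_URL  overrides the API base URL (default https://api.xdr.trendmicro.com)
#
# Requires "jq" >= 1.6 (https://stedolan.github.io/jq/) for --rawfile, and curl.

# Abort on the first failed command, unset variable or failed pipeline stage,
# so a missing file or a non-JSON error page cannot be silently pretty-printed
# as an empty result.
set -euo pipefail

# The API key is read from the environment rather than pasted into the script,
# so it does not end up in version control or in a shared copy of this file.
api_key="${TREND_API_KEY:?set TREND_API_KEY to your Trend Vision One API key}"
api_base_url="${TREND_API_BASE_URL:-https://api.xdr.trendmicro.com}"
file_path="${1:?usage: $0 <path-to-template>}"

if [[ ! -r "${file_path}" ]]; then
  echo "error: cannot read template file '${file_path}'" >&2
  exit 1
fi

# Build the request body with jq instead of string concatenation, so the
# template text is escaped correctly whatever characters it contains.
# --rawfile loads the file verbatim (including trailing newlines) as a string.
payload=$(jq -cn \
  --rawfile content "${file_path}" \
  '{type: "cloudformation-template", content: $content}')

echo "Request:"
jq -M '.' <<<"${payload}"

echo "Response:"
# The body is sent on stdin (--data-binary @-) rather than as an argument so
# large templates do not hit the kernel's per-argument length limit.
# -sS: no progress meter, but transport errors are still reported on stderr.
# NOTE(review): the bearer token on the curl command line is visible to other
# local users via `ps`; on a shared host pass the header through a file
# (`-H @file`) or a curl config file (`-K`) instead of an inline -H argument.
printf '%s' "${payload}" | curl -sS -X POST \
  -H "Authorization: Bearer ${api_key}" \
  -H "Content-Type: application/json" \
  --data-binary @- \
  "${api_base_url}/beta/cloudPosture/scanTemplate" | jq -M '.'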
Example Template Scanner API output for the template above. Each entry in `scanResults` is one rule evaluated against the table, with a `ruleId`, `riskLevel`, `status` (`SUCCESS` or `FAILURE`), the compliance frameworks it maps to and a `resolutionPageUrl`; here the only failing rule is RG-001 (missing tags), while continuous backups (DynamoDB-003) and encryption at rest (DynamoDB-004) pass. `missingParameters` and `skippedRules` are empty for this template.
{ "scanResults": [ { "id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:dynamodb003s1-otfs8ljoe0sp", "accountId": "", "ruleId": "RG-001", "provider": "aws", "ruleTitle": "Tags", "riskLevel": "LOW", "status": "FAILURE", "service": "ResourceGroup", "description": "dynamodb-table dynamodb003s1-otfs8ljoe0sp has [Environment, Role, Owner, Name] tags missing", "resource": "dynamodb003s1-otfs8ljoe0sp", "resourceType": "dynamodb-table", "ignored": false, "categories": [ "security", "reliability", "performance-efficiency", "cost-optimisation", "operational-excellence", "sustainability" ], "compliances": [ "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HITRUST", "ASAE-3150", "PCI-V4", "FEDRAMP", "MAS", "CSA" ], "region": "us-east-1", "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html" }, { "id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:dynamodb003s1-otfs8ljoe0sp", "accountId": "", "ruleId": "DynamoDB-003", "provider": "aws", "ruleTitle": "DynamoDB Continuous Backups", "riskLevel": "HIGH", "status": "SUCCESS", "service": "DynamoDB", "description": "Continuous Backups are enabled for [dynamodb003s1-otfs8ljoe0sp]", "resource": "dynamodb003s1-otfs8ljoe0sp", "resourceType": "dynamodb-table", "resourceId": "dynamodb003s1-otfs8ljoe0sp", "ignored": false, "categories": ["reliability"], "compliances": [ "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "ASAE-3150", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "CSA", "ENISA", "FISC-V9" ], "region": "us-east-1", "tags": [], "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html" }, { "id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003s1-otfs8ljoe0sp", "accountId": "", "ruleId": "DynamoDB-004", "provider": "aws", "ruleTitle": "Enable Encryption at 
Rest with Amazon KMS Keys", "riskLevel": "HIGH", "status": "SUCCESS", "service": "DynamoDB", "description": "Table [dynamodb003s1-otfs8ljoe0sp] is encrypted at rest using the AWS managed key or Customer managed key", "resource": "dynamodb003s1-otfs8ljoe0sp", "resourceType": "dynamodb-table", "resourceId": "dynamodb003s1-otfs8ljoe0sp", "ignored": false, "categories": ["security"], "compliances": [ "GDPR", "AWAF", "CIS-V8", "NIST4", "NIST5", "SOC2", "NIST-CSF", "ISO27001", "ISO27001-2022", "AGISM", "HIPAA", "HITRUST", "ASAE-3150", "PCI", "PCI-V4", "APRA", "FEDRAMP", "MAS", "CSA", "ENISA", "FISC-V9", "LGPD" ], "region": "us-east-1", "tags": [], "notScored": false, "resolutionPageUrl": "https://wstaging.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html" } ], "missingParameters": [], "skippedRules": [] }