As discussed in a prior Secplicity blog post, automation can help improve security by reducing the potential for human error. Security automation includes programmatic deployments of infrastructure and applications. But how do you automate cloud deployments? If you are using AWS, CloudFormation is one of your options. CloudFormation has some features that help secure the AWS resource deployment process.
What is CloudFormation?
CloudFormation is an AWS service that allows you to deploy things like virtual machines, networks, databases, storage, users, permissions, custom applications, and security appliances on the AWS cloud platform by writing a template instead of clicking buttons. A “CloudFormation Template” is a text file written in a specific format (JSON or YAML) that defines the AWS resources you want to create. The AWS tool of your choice (the console, the AWS CLI, or an SDK) can then execute commands to automatically deploy the resources in your template as a “stack”. For more details, refer to the CloudFormation documentation and the list of CloudFormation resources.
How Can CloudFormation Help Secure Systems?
AWS users can log into the AWS Console, choose some options, and push buttons to easily create and change resources on AWS. Problems with this approach arise when someone clicks the wrong buttons or types the wrong information (by accident or on purpose). As already explained, human error contributes to many security problems. When changes come from ad hoc, uncontrolled processes, it is harder to prevent changes that violate security policy and harder to revert them afterwards. Deploying the same resource manually multiple times or in many places will likely result in mistakes due to variations in the steps taken. To track down and fix errors, you must dig through logs and piece together information. Hopefully, you have the logs and have secured them. Manually fixing the problem could result in even more human error.
Alternatively, CloudFormation templates allow development, ops, and security teams to write code that deploys AWS resources. A team can test the template in a non-production account or region in advance to ensure it works correctly. Taking these steps minimizes the chance for human error during deployments to production systems. The same template can perform the first deployment and later re-deployments, and CloudFormation rolls a failed stack creation or update back to the previous state by default. If a change causes a problem, older versions of the template stored in a source control system can restore systems to a prior state. With proper planning, you can design deployment scripts to rerun gracefully even in the event of an unexpected error, such as a service outage, so they pick up where they left off and complete their tasks despite the original failure.
Managing CloudFormation Permissions
AWS Identity and Access Management (IAM) is a service which allows creation of very fine-grained policies defining who can take what actions in your account. CloudFormation exposes a defined set of API actions (CreateStack, UpdateStack, DeleteStack, and so on), and IAM policies can restrict which users or systems may call them, and on which stacks. Note that CloudFormation creates the resources in a template using the permissions of the principal that runs it (or of a service role passed to it with iam:PassRole), so that principal also needs permissions for the resources the template creates. Explaining all the details of IAM roles, policies, users and groups is beyond the scope of this blog post, but here is an example of an IAM policy that allows a user or role to create AWS resources using the CloudFormation CreateStack action.
CloudFormation Audit Logs
The CloudFormation console shows a stack's events as they happen during a deployment and keeps them afterwards, so they serve as an audit log of what the deployment did and when. For example, this event log shows the time and events that occurred during an automated deployment of a Firebox Cloud.
The template tab in the CloudFormation console shows the template that created the stack. If you restrict changes to the account to CloudFormation only, you can use this information to verify what exists in your account; the template only describes what CloudFormation created, so any change made outside CloudFormation (through the console or a direct API call) will not be reflected in it.
The CloudFormation resources tab lists the resources created by the CloudFormation template.
Clicking on a link in the Physical ID column displays details about a resource.
CloudFormation Stack Policies
CloudFormation stack policies can prevent unauthorized updates to CloudFormation stack resources. The following is an example of a stack policy from the AWS stack policy documentation that allows updates to all resources in the stack except a database.
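Neither policy document survives on this page, so here is an added example (not the policy from the post or from the AWS documentation) covering both the CreateStack IAM policy described under Managing CloudFormation Permissions and the stack policy just mentioned. The account ID, role name and stack names are made up, and evaluate() is a small offline evaluator that implements only wildcard matching, explicit Deny overriding Allow, default deny, and the ResourceType condition; it is not the AWS authorization engine.

```python
"""Offline evaluation of a CloudFormation-scoped IAM policy and a stack policy.

Added example for this post: both policy documents are constructed, and
evaluate() implements only the subset of AWS semantics they need (wildcards,
explicit Deny beats Allow, default deny, StringEquals on ResourceType).
"""
from fnmatch import fnmatchcase

ACCOUNT = "123456789012"   # hypothetical account id
REGION = "us-east-1"

# IAM policy for a deployment principal: it may create or update stacks whose
# names start with "prod-" and may pass one service role to CloudFormation.
# Stack deletion is explicitly denied regardless of any other Allow.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack"],
            "Resource": f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/prod-*/*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/cfn-deploy-role",  # hypothetical role
        },
        {"Effect": "Deny", "Action": "cloudformation:DeleteStack", "Resource": "*"},
    ],
}

# Stack policy: every resource may be updated except the production database,
# and no RDS instance anywhere in the stack may be replaced or deleted.
STACK_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "Update:*", "Principal": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "Update:*",
            "Principal": "*",
            "Resource": "LogicalResourceId/ProductionDatabase",
        },
        {
            "Effect": "Deny",
            "Action": ["Update:Replace", "Update:Delete"],
            "Principal": "*",
            "Resource": "*",
            "Condition": {"StringEquals": {"ResourceType": ["AWS::RDS::DBInstance"]}},
        },
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, resource_type):
    # Action names are case-insensitive; ARNs and logical IDs are not.
    action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
    wanted_types = stmt.get("Condition", {}).get("StringEquals", {}).get("ResourceType")
    type_ok = wanted_types is None or resource_type in _as_list(wanted_types)
    return action_ok and resource_ok and type_ok


def evaluate(policy, action, resource, resource_type=None):
    """Return 'allow' or 'deny' for one request against one policy document."""
    decision = "deny"                       # nothing is permitted unless a statement allows it
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, resource_type):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"                   # an explicit Deny cannot be overridden
        decision = "allow"
    return decision


def stack_arn(name, stack_id="1a2b3c4d-0000-0000-0000-000000000000"):
    """ARN shape CloudFormation uses: .../stack/<name>/<id>, so 'stack/prod-*/*' scopes by name."""
    return f"arn:aws:cloudformation:{REGION}:{ACCOUNT}:stack/{name}/{stack_id}"


if __name__ == "__main__":
    print(evaluate(IAM_POLICY, "cloudformation:CreateStack", stack_arn("prod-firebox")))    # allow
    print(evaluate(IAM_POLICY, "cloudformation:CreateStack", stack_arn("dev-firebox")))     # deny
    print(evaluate(IAM_POLICY, "cloudformation:DeleteStack", stack_arn("prod-firebox")))    # deny
    print(evaluate(STACK_POLICY, "Update:Modify", "LogicalResourceId/WebServer"))           # allow
    print(evaluate(STACK_POLICY, "Update:Modify", "LogicalResourceId/ProductionDatabase"))  # deny
    print(evaluate(STACK_POLICY, "Update:Replace", "LogicalResourceId/ReportingDb",
                   "AWS::RDS::DBInstance"))                                                 # deny
```

Two caveats the evaluator makes visible: a stack policy governs only updates made through CloudFormation, so it does not stop a direct RDS API call or a DeleteStack of the whole stack (hence the Deny on DeleteStack in the IAM policy), and the IAM policy only lets the principal start and update stacks; the resources those stacks create are authorized against the principal's own permissions or the passed service role.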
CloudTrail Logs
CloudTrail records the API calls made in your AWS account, including CloudFormation actions such as CreateStack, UpdateStack and DeleteStack, along with who made each call, when, and from which IP address.
Clicking on a specific event shows even more information.
Clicking on the “View event” button shows even more details. Ultimately every action taken by an AWS service in your account is the result of an API call, or in other words, a programmatic request to take an action on a software system. Even when you click a button, the AWS console makes an API call to carry out the action you requested. These API calls are web requests in a specific format understood by the AWS cloud platform. The event detail shows the JSON record CloudTrail kept for the logged call: the caller's identity, source IP address, user agent, and the request parameters, such as the stack name passed to CreateStack.
Using a third-party platform with built-in logging and fine-grained access control makes it easier for companies to secure logs. Correctly established permissions can help companies who wish to implement segregation of duties. For example, a company may want to prevent the people or systems taking actions in their account from altering or deleting the logs that track those actions. This may be important if a legal issue requires chain of custody to prove what happened. AWS IAM allows companies to create the permissions structure to enforce these types of security policies, for instance by denying cloudtrail:StopLogging and cloudtrail:DeleteTrail to the deployment principals and restricting write access to the log bucket. A scalable and secure logging platform will store logs as long and in as much detail as needed.
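As an added example (not from the post), the script below reads constructed CloudTrail records of the kind described above and answers the questions a reviewer would ask: who changed which stacks, which attempts IAM refused, and whether any principal both deploys stacks and alters the trail that records those deployments, the segregation-of-duties case just discussed. The account ID, user names, stack names and addresses are invented, and the records carry only a subset of the fields a real event has.

```python
"""Find CloudFormation activity in CloudTrail and check one segregation-of-duties rule.

Added example for this post. SAMPLE_LOG is a constructed CloudTrail delivery
file (real files are gzipped JSON with the same top-level "Records" list and
more fields per record); the account id, user names and addresses are made up.
"""
import json
from collections import defaultdict

CFN = "cloudformation.amazonaws.com"
TRAIL = "cloudtrail.amazonaws.com"
STACK_CHANGES = {"CreateStack", "UpdateStack", "DeleteStack"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _record(time, source, name, user, params=None, error=None):
    """Build one constructed CloudTrail record with the fields the checks below use."""
    rec = {
        "eventVersion": "1.05", "eventTime": time, "eventSource": source, "eventName": name,
        "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "arn": f"arn:aws:iam::123456789012:user/{user}"},
        "requestParameters": params or {},
    }
    if error:
        rec["errorCode"] = error            # present only when the call was refused or failed
    return rec


SAMPLE_LOG = json.dumps({"Records": [
    _record("2017-08-01T10:00:00Z", CFN, "CreateStack", "deploy-bot",
            {"stackName": "prod-firebox", "templateURL": "https://example.com/firebox.yaml"}),
    _record("2017-08-01T10:05:00Z", CFN, "DescribeStacks", "deploy-bot", {"stackName": "prod-firebox"}),
    _record("2017-08-01T11:00:00Z", CFN, "CreateStack", "bob", {"stackName": "dev-test"}, error="AccessDenied"),
    _record("2017-08-01T12:00:00Z", CFN, "UpdateStack", "alice", {"stackName": "prod-firebox"}),
    _record("2017-08-01T12:01:00Z", TRAIL, "StopLogging", "alice", {"name": "audit-trail"}),
]})


def load_records(text):
    return json.loads(text)["Records"]


def stack_changes(records):
    """Who changed which stack and whether it succeeded: {caller arn: [(time, action, stack, ok)]}."""
    changes = defaultdict(list)
    for r in records:
        if r["eventSource"] == CFN and r["eventName"] in STACK_CHANGES:
            stack = r.get("requestParameters", {}).get("stackName", "?")
            changes[r["userIdentity"]["arn"]].append(
                (r["eventTime"], r["eventName"], stack, "errorCode" not in r))
    return dict(changes)


def denied_attempts(records):
    """CloudFormation calls IAM rejected: evidence of a control working, or of someone probing."""
    return [(r["userIdentity"]["arn"], r["eventName"], r["requestParameters"].get("stackName"))
            for r in records if r["eventSource"] == CFN and r.get("errorCode") == "AccessDenied"]


def segregation_violations(records):
    """Principals that both change stacks and tamper with the trail that records those changes."""
    deployers = {r["userIdentity"]["arn"] for r in records
                 if r["eventSource"] == CFN and r["eventName"] in STACK_CHANGES}
    tamperers = {r["userIdentity"]["arn"] for r in records
                 if r["eventSource"] == TRAIL and r["eventName"] in TRAIL_TAMPERING}
    return sorted(deployers & tamperers)


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    for arn, events in stack_changes(records).items():
        print(arn, events)
    print("denied:", denied_attempts(records))
    print("segregation of duties violated by:", segregation_violations(records))
```

In practice the same functions run over the records CloudTrail delivers to the log bucket; the segregation check is the one to alert on, because a principal that can both deploy and stop logging can erase the evidence of its own deployments.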
Disaster Recovery and Failover
Any form of software used to re-deploy systems and networks in the event of disaster recovery or failover is beneficial, as explained in a previous post about security automation. One of the benefits of using CloudFormation specifically is tight integration with the AWS platform. CloudFormation works out the dependencies between the resources in a template (from Ref, Fn::GetAtt and DependsOn) and creates them in the correct order, in parallel where dependencies allow. Parameters allow execution of the same templates in different environments by separating the configuration values that change in each environment from the template code. Pseudo parameters such as AWS::Region, AWS::AccountId and AWS::StackName generically reference AWS environment information in order to create templates that work in any AWS account or region.
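To make the parameter and pseudo-parameter point concrete, here is an added example (not a template from the post): a constructed template whose only environment-specific values come from Parameters and pseudo parameters, plus a small resolver that applies defaults, enforces AllowedValues, and substitutes Ref and Fn::Sub the way CloudFormation would for a given account, region and stack name. The resolver covers only those two functions and the ${!Literal} escape; it is not CloudFormation's own engine, and the account ID and stack name are made up.

```python
"""Resolve Parameters and pseudo parameters in a CloudFormation template offline.

Added example for this post: TEMPLATE is constructed, and render() implements
only Ref and Fn::Sub, enough to show how one template yields per-environment
values without editing the template itself.
"""
import re

TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {
        "Environment": {"Type": "String", "AllowedValues": ["dev", "prod"], "Default": "dev"},
        "LogRetentionDays": {"Type": "Number", "Default": 30},
    },
    "Resources": {
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                # S3 bucket names are global, so account and region keep them unique per deployment.
                "BucketName": {"Fn::Sub": "${AWS::StackName}-logs-${Environment}-${AWS::AccountId}-${AWS::Region}"},
            },
        },
        "LogGroup": {
            "Type": "AWS::Logs::LogGroup",
            "Properties": {
                "LogGroupName": {"Fn::Sub": "/${Environment}/${AWS::StackName}"},
                "RetentionInDays": {"Ref": "LogRetentionDays"},
            },
        },
    },
}


def resolve_parameters(template, supplied):
    """Apply defaults and reject bad input, as CloudFormation does before touching any resource."""
    values = {}
    for name, spec in template.get("Parameters", {}).items():
        if name in supplied:
            value = supplied[name]
        elif "Default" in spec:
            value = spec["Default"]
        else:
            raise ValueError(f"parameter {name} has no value and no default")
        if "AllowedValues" in spec and value not in spec["AllowedValues"]:
            raise ValueError(f"parameter {name}={value!r} is not one of {spec['AllowedValues']}")
        values[name] = value
    unknown = set(supplied) - set(values)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    return values


def parameter_error(template, supplied):
    """The validation message for a parameter set, or None if it would be accepted."""
    try:
        resolve_parameters(template, supplied)
    except ValueError as exc:
        return str(exc)
    return None


def render(template, account_id, region, stack_name, supplied=None):
    """Return the Resources section with Ref and Fn::Sub resolved for one account/region/stack."""
    env = resolve_parameters(template, supplied or {})
    env.update({"AWS::AccountId": account_id, "AWS::Region": region,
                "AWS::StackName": stack_name, "AWS::Partition": "aws"})

    def sub_value(name):
        if name.startswith("!"):            # ${!Literal} is the escape for a literal ${Literal}
            return "${" + name[1:] + "}"
        if name not in env:                 # references to other resources resolve only at deploy time
            raise ValueError(f"{name} is not a parameter or pseudo parameter")
        return str(env[name])

    def walk(node):
        if isinstance(node, dict) and list(node) == ["Ref"]:
            if node["Ref"] not in env:
                raise ValueError(f"{node['Ref']} is not a parameter or pseudo parameter")
            return env[node["Ref"]]         # keeps the Number type for numeric parameters
        if isinstance(node, dict) and list(node) == ["Fn::Sub"]:
            return re.sub(r"\$\{([^}]+)\}", lambda m: sub_value(m.group(1)), node["Fn::Sub"])
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        return node

    return walk(template["Resources"])


if __name__ == "__main__":
    print(render(TEMPLATE, "123456789012", "us-east-1", "firebox"))
    print(render(TEMPLATE, "123456789012", "eu-west-1", "firebox",
                 {"Environment": "prod", "LogRetentionDays": 365}))
    print(parameter_error(TEMPLATE, {"Environment": "staging"}))
```

The security value of the AllowedValues check is that a typo in a parameter fails the deployment before anything is created, instead of producing a stack that is subtly different from the one that was tested.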
Embedding Security Checks into Deployment Processes
One of the real benefits of AWS in general is the ability to take actions based on specific events, and that includes CloudFormation events. When CloudTrail records a CloudFormation API call such as CreateStack or UpdateStack, a CloudWatch Events rule can trigger a check, for example a Lambda function that inspects the new stack's template and resources. AWS Config Rules evaluate the resources the stack created against your policies, and Amazon Inspector can assess the instances it launched for vulnerabilities. These tools detect changes that do not meet security policies; paired with automation that rolls back the stack or corrects the resource, they can revert such changes automatically as well.
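Here is an added example (not code from the post or from AWS) of the pattern just described: a CloudWatch Events rule pattern that fires on CloudTrail-recorded CreateStack and UpdateStack calls, and the check a Lambda function behind it could run over the stack's template, flagging the kinds of settings a security policy typically forbids. The templates and event are constructed, the list of checks is illustrative, and matches() reimplements only the part of event-pattern matching needed to test the rule offline; a real function would fetch the template with the GetTemplate API, which is stubbed here by an injected callable.

```python
"""Security checks that run when CloudFormation creates or updates a stack.

Added example for this post: EVENT_PATTERN is a CloudWatch Events pattern,
matches() is a minimal offline matcher for it, and check_template() is the
policy check a triggered function would run; templates and event are constructed.
"""

EVENT_PATTERN = {
    "source": ["aws.cloudformation"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["cloudformation.amazonaws.com"],
               "eventName": ["CreateStack", "UpdateStack"]},
}
ADMIN_PORTS = {22, 3389}


def matches(pattern, event):
    """Pattern semantics: every pattern key must exist; a list means 'one of these values'."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _world_reachable_admin_port(rule):
    if not (rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"):
        return False
    if str(rule.get("IpProtocol")) == "-1":          # all protocols and ports
        return True
    lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _allows_everything(policy_doc):
    return any(stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
               and "*" in _as_list(stmt.get("Resource", []))
               for stmt in _as_list(policy_doc.get("Statement", [])))


def check_template(template):
    """Return (logical_id, problem) for every resource that fails one of the checks."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type"), res.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroup":
            if any(_world_reachable_admin_port(r) for r in props.get("SecurityGroupIngress", [])):
                findings.append((logical_id, "admin port reachable from 0.0.0.0/0"))
        elif rtype == "AWS::S3::Bucket":
            if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
                findings.append((logical_id, "bucket is publicly readable"))
        elif rtype == "AWS::RDS::DBInstance":
            if str(props.get("PubliclyAccessible", False)).lower() == "true":
                findings.append((logical_id, "database is publicly accessible"))
            if str(props.get("StorageEncrypted", False)).lower() != "true":
                findings.append((logical_id, "database storage is not encrypted"))
        elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
            if _allows_everything(props.get("PolicyDocument", {})):
                findings.append((logical_id, "policy allows * on *"))
    return findings


def handle_stack_event(event, fetch_template):
    """Lambda-style handler; fetch_template(stack_name) is injected (GetTemplate in production)."""
    if not matches(EVENT_PATTERN, event):
        return None
    stack_name = event["detail"]["requestParameters"]["stackName"]
    findings = check_template(fetch_template(stack_name))
    return {"stack": stack_name, "compliant": not findings, "findings": findings}


# Constructed inputs: a template that violates every check and one that passes.
BAD_TEMPLATE = {"Resources": {
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "x",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "PublicBucket": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
    "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {"PubliclyAccessible": True, "StorageEncrypted": False}},
    "GodPolicy": {"Type": "AWS::IAM::Policy", "Properties": {"PolicyName": "all", "PolicyDocument": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}},
}}
GOOD_TEMPLATE = {"Resources": {
    "MgmtSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "x",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
}}
SAMPLE_EVENT = {"source": "aws.cloudformation", "detail-type": "AWS API Call via CloudTrail",
                "detail": {"eventSource": "cloudformation.amazonaws.com", "eventName": "UpdateStack",
                           "requestParameters": {"stackName": "prod-firebox"}}}

if __name__ == "__main__":
    print(handle_stack_event(SAMPLE_EVENT, lambda name: BAD_TEMPLATE))
```

What the handler does with a non-compliant result is the policy decision the paragraph leaves open: notify, or go further and call UpdateStack with the last known-good template, or delete a freshly created stack.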
Up Front Investment for Future Security
Initially, it might take some time for you to learn the CloudFormation template syntax. It will also take time to set up proper security controls in your account, such as IAM policies to limit permissions. However, this upfront investment will pay time and security dividends in future deployments. CloudFormation is a very powerful and flexible tool that can help prevent errors, improve logging, and add security to cloud deployments.