Cloud Conformity's Template Scanner is a preventative control: it detects risks in infrastructure template files before they are launched into AWS, so your AWS infrastructure stays compliant.
This API endpoint is suitable for CI/CD pipelines and automation.
This endpoint scans a template file. Currently, only CloudFormation templates are supported.
POST /v1/template-scanner/scan
Request payload is a JSON:API 1.0 compatible structure consisting of the following data attributes:
- type: Type of the infrastructure template file.
  - Type: string
  - Values: cloudformation-template
- contents: Contents of the infrastructure template file.
  - Type: string
  - Value: JSON or YAML string
Example:
- Request:

```json
{
  "data": {
    "attributes": {
      "type": "cloudformation-template",
      "contents": "---\nAWSTemplateFormatVersion: '2010-09-09'\nResources:\n  S3Bucket:\n    Type: AWS::S3::Bucket\n    Properties:\n      AccessControl: PublicRead"
    }
  }
}
```

- Response:

```json
{
  "data": [
    {
      "type": "checks",
      "id": "ccc:AccountId:S3-001:S3:us-east-1:S3Bucket",
      "attributes": {
        "region": "us-east-1",
        "status": "FAILURE",
        "risk-level": "VERY_HIGH",
        "pretty-risk-level": "Very High",
        "message": "Bucket S3Bucket allows public 'READ' access.",
        "resource": "S3Bucket",
        "descriptorType": "s3-bucket",
        "categories": [ "security" ],
        "last-updated-date": null,
        "tags": [],
        "cost": 0,
        "waste": 0,
        "not-scored": false,
        "ignored": false,
        "rule-title": "S3 Bucket Public 'READ' Access"
      },
      "relationships": {
        //...
      }
    },
    //...
  ]
}
```
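The way a pipeline step would use this endpoint, as an added example rather than code from Cloud Conformity: build the JSON:API request, post it, and fail the build when any non-ignored check reports FAILURE at or above a chosen risk level. The base URL, the `Authorization: ApiKey` header, the JSON:API media type and the risk-level ordering beyond VERY_HIGH are assumptions; the sample response is constructed from the page's example.

```python
import json
import urllib.request

# Severity ordering is an assumption; the page's example only shows VERY_HIGH.
RISK_ORDER = ["LOW", "MEDIUM", "HIGH", "VERY_HIGH", "EXTREME"]

def build_scan_request(template_text):
    """Wrap a CloudFormation template in the JSON:API payload the endpoint expects."""
    return {"data": {"attributes": {"type": "cloudformation-template",
                                    "contents": template_text}}}

def failing_checks(response, min_risk="HIGH"):
    """Return (resource, risk-level, rule-title) for FAILURE checks at or above min_risk.
    Suppressed checks (ignored=true) are skipped; an unknown risk level is ranked above
    every known one so an unexpected value fails the build instead of slipping through."""
    threshold = RISK_ORDER.index(min_risk)
    failures = []
    for check in response.get("data", []):
        attrs = check.get("attributes", {})
        if attrs.get("status") != "FAILURE" or attrs.get("ignored"):
            continue
        level = attrs.get("risk-level", "")
        rank = RISK_ORDER.index(level) if level in RISK_ORDER else len(RISK_ORDER)
        if rank >= threshold:
            failures.append((attrs.get("resource"), level, attrs.get("rule-title")))
    return failures

def scan_template(template_text, base_url, api_key):
    """POST the template to /v1/template-scanner/scan and return the parsed body.
    Header format and media type are assumptions, not taken from this page."""
    req = urllib.request.Request(
        base_url + "/v1/template-scanner/scan",
        data=json.dumps(build_scan_request(template_text)).encode("utf-8"),
        headers={"Content-Type": "application/vnd.api+json",
                 "Authorization": "ApiKey " + api_key},
        method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)

# Constructed sample response: the page's check plus one made-up medium-risk finding.
SAMPLE_RESPONSE = {"data": [
    {"type": "checks", "id": "ccc:AccountId:S3-001:S3:us-east-1:S3Bucket",
     "attributes": {"status": "FAILURE", "risk-level": "VERY_HIGH", "resource": "S3Bucket",
                    "ignored": False, "rule-title": "S3 Bucket Public 'READ' Access"}},
    {"type": "checks", "id": "constructed-check-id",
     "attributes": {"status": "FAILURE", "risk-level": "MEDIUM", "resource": "S3Bucket",
                    "ignored": False, "rule-title": "constructed medium-risk finding"}}]}

if __name__ == "__main__":
    for resource, level, title in failing_checks(SAMPLE_RESPONSE):
        print(f"FAIL [{level}] {resource}: {title}")
```

In a real pipeline, call `scan_template()` on the template file and exit non-zero when `failing_checks()` returns anything.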
Supported resource types (service, then resource):
- APIGateway
  - RestApi
- CloudFormation
  - Stack
- CloudTrail
  - Trail
- DynamoDB
  - Table
- EC2
  - Instance
  - NatGateway
  - NetworkAcl
  - RouteTable
  - SecurityGroup
  - Subnet
  - VPCEndpoint
- EFS
  - FileSystem
- ELB
  - LoadBalancer
- ELBv2
  - LoadBalancer
- IAM
  - Group
  - ManagedPolicy
  - Role
- Kinesis
  - Stream
- KMS
  - Key
- Lambda
  - Function
- RDS
  - DBCluster
  - DBInstance
- S3Bucket
  - S3Bucket
- SNS
  - Topic
- WorkSpaces
  - WorkSpace

All resource-level rules are supported. Refer to the Cloud Conformity rule catalogue for the list of rules.