cfn_nag VS cfn-python-lint

.pre-commit-config.yaml – contains the cfn-lint and cfn_nag pre-commit hooks.

For generic CloudFormation templates, check CFN-NAG.

If you use CDK, you should implement CDK nag; otherwise, use cfn-nag.

cfn_nag

CodeBuild will run a linting check against the CloudFormation Template using cfn-lint and will then run cfn-nag to check for patterns that indicate insecure resources within the CloudFormation template.

Security checks for the Cloudformation stack using cfn-nag

cdk-nag contains several Aspects to check your applications for best practices. It is especially useful if you need to be HIPAA-compliant or have other compliance requirements. It is inspired by cfn_nag which is a a tool checking for patterns in your CloudFormation templates.

cfn-lint and cfn_nag or other tools of that nature to check as you write so you don't need to continually try to deploy only to find that you've done something dumb.

There is another tool called cfn_nag that can check your code for potentially any insecure infrastructure. When you read the documentation around this tool, the author says it can check for things such as:

I recently wanted to use the cfn-nag tool on some templates I was writing but couldn't find any instructions to install on Windows, but I have found a way to do it.

Now the first 3 options are pretty straight forward. The template itself is a bit more complicated. In my example I used an inline template, I did this for the sake of this blog. But you can also reference an existing object on S3. This way you can use linting tools like cfn-lint on your conformance pack. This will reduce errors during deployment as you can catch them before you commit and push your code.

Automate testing and validation: Before deploying your templates, it's important to test and validate them to ensure that they will work as expected. Use tools like AWS CloudFormation Linter and Azure Resource Manager Template Tester to automate this process.

Honestly I've had good luck writing clean Cloud Formation. It's AWS only. But Nested Stacks can help keep things pretty clean and tools like cfn-lint do a pretty good job of preventing you from going too crazy with spaghetti code. Additionally, as it's all json/yaml, you can parse it to look for common problems your organization wants to enforce. So you can ensure things like specific tags your roles/vpc etc..., or usage of an "approved" set of AMI, requiring an EKS/RDS cluster to be split across availability zones; they're all just a test in your CI pipeline away.

CodeBuild will run a linting check against the CloudFormation Template using cfn-lint and will then run cfn-nag to check for patterns that indicate insecure resources within the CloudFormation template.

A linter for our AWSCloudformation stack called cfn-lint

cfn-lint and cfn_nag or other tools of that nature to check as you write so you don't need to continually try to deploy only to find that you've done something dumb.

https://github.com/aws-cloudformation/cfn-lint as mentioned will do what you've explicitly called-out.

cfn-lint can do basic validation and rule-based linting. Highly recommend using it even if it doesn't solve your problem.

To help validate your AWS CloudFormation templates you can use a tool called cfn-lint.