Assess AWS CloudFormation Template Security with cnspec

Scan AWS CloudFormation templates for security misconfigurations using cnspec.

Use cnspec to scan AWS CloudFormation templates for security misconfigurations and policy violations before deploying them. cnspec parses both YAML and JSON CloudFormation templates and exposes resources, parameters, outputs, and other template sections as queryable MQL resources.

Scan a CloudFormation template

Scan a single template file:

cnspec scan cloudformation template.yaml

cnspec automatically detects whether the template is YAML or JSON.

Scan options

Option                Description
--discover            Enable discovery of nested assets (all, auto)
--asset-name          Override the asset name
--annotation          Add an annotation to the asset (key=value)
--incognito           Run in incognito mode (do not report results to Mondoo Platform)
-o, --output          Set the output format (compact, full, json, junit, summary, yaml)
-f, --policy-bundle   Path to a policy file (local path, s3:// URI, or http(s):// URL)
--policy              Specify policies to execute (requires --policy-bundle)
--risk-threshold      Exit with status 1 if any risk meets or exceeds this value (0-100)
-j, --json            Return the results as JSON

Example checks

Run cnspec shell cloudformation template.yaml to open the interactive shell. From there you can run queries and checks against the template, like the examples below.

List all resources in a template

cloudformation.template.resources { name type }

Ensure EC2 instances don't use a hardcoded AMI

cloudformation.template.resources.where(type == "AWS::EC2::Instance").all(
  properties["ImageId"] != /^ami-/
)

List each security group's ingress rules so you can check for unrestricted SSH (port 22 reachable from 0.0.0.0/0 or ::/0)

cloudformation.template.resources.where(type == "AWS::EC2::SecurityGroup") {
  name
  properties["SecurityGroupIngress"]
}

List all template outputs

cloudformation.template.outputs { name properties }

Inspect template parameters

cloudformation.template.parameters
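The hardcoded-AMI check and the security-group listing above are what the MQL queries evaluate inside cnspec. The Python below is an added example, not cnspec or Mondoo code: it parses a constructed template and applies the same two checks, including cases the listing query leaves to the reader, namely an IPv6 ::/0 range, IpProtocol -1, a standalone AWS::EC2::SecurityGroupIngress resource, and a port range that comes from a parameter and cannot be resolved statically. The template, resource names, and function names are constructed for this example; PyYAML is assumed only for the YAML path, because YAML short-form intrinsics such as !Ref are tags that a stock SafeLoader rejects.

```python
"""Added example: Python stand-in for the hardcoded-AMI and open-SSH checks.
Not cnspec/MQL code; it shows what those checks have to evaluate."""
import json
import re

try:
    import yaml  # PyYAML (assumption); only needed for YAML templates
except ImportError:
    yaml = None

YAML_SUPPORTED = yaml is not None

# Constructed sample template (JSON form). One instance hardcodes an AMI and
# one takes it from a parameter; three resources open port 22 to the world in
# different ways and one restricts it to a private range.
SAMPLE_TEMPLATE = json.dumps({
    "Parameters": {"AmiId": {"Type": "AWS::EC2::Image::Id"},
                   "SshPort": {"Type": "Number", "Default": 22}},
    "Resources": {
        "GoodInstance": {"Type": "AWS::EC2::Instance",
                         "Properties": {"ImageId": {"Ref": "AmiId"}}},
        "BadInstance": {"Type": "AWS::EC2::Instance",
                        "Properties": {"ImageId": "ami-0123456789abcdef0"}},
        "OpenSsh": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "ssh from anywhere", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "OpenAll": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "everything over IPv6", "SecurityGroupIngress": [
                {"IpProtocol": "-1", "CidrIpv6": "::/0"}]}},
        "RestrictedSsh": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "ssh from corp", "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"}]}},
        # Standalone ingress resource whose ports only resolve at deploy time.
        "ParamPortRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "GroupId": {"Ref": "RestrictedSsh"}, "IpProtocol": "tcp",
            "FromPort": {"Ref": "SshPort"}, "ToPort": {"Ref": "SshPort"},
            "CidrIp": "0.0.0.0/0"}},
    },
})

# Constructed YAML sample using short-form intrinsics (tags SafeLoader rejects).
SAMPLE_TEMPLATE_YAML = """\
Resources:
  Web:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref AmiId
      SubnetId: !GetAtt Net.PublicSubnetId
"""


def _cfn_loader():
    """SafeLoader subclass that turns short-form intrinsics into their long
    form, so `!Ref AmiId` loads as {"Ref": "AmiId"} just as it appears in JSON."""
    class Loader(yaml.SafeLoader):
        pass

    def construct(loader, suffix, node):
        key = "Ref" if suffix == "Ref" else "Fn::" + suffix
        if isinstance(node, yaml.ScalarNode):
            value = loader.construct_scalar(node)
            if suffix == "GetAtt":  # !GetAtt Res.Attr -> ["Res", "Attr"]
                value = value.split(".", 1)
        elif isinstance(node, yaml.SequenceNode):
            value = loader.construct_sequence(node, deep=True)
        else:
            value = loader.construct_mapping(node, deep=True)
        return {key: value}

    Loader.add_multi_constructor("!", construct)
    return Loader


def load_template(text):
    """Parse a JSON or YAML CloudFormation template into a dict."""
    body = text.lstrip()
    if body.startswith("{"):
        return json.loads(body)
    if yaml is None:
        raise RuntimeError("PyYAML is needed to parse YAML templates")
    return yaml.load(body, Loader=_cfn_loader())


def resources_of_type(template, rtype):
    return {name: res for name, res in template.get("Resources", {}).items()
            if res.get("Type") == rtype}


def hardcoded_ami_instances(template):
    """Instances whose ImageId is a literal ami- ID. A Ref or FindInMap value
    is a dict, not a string, so it passes, like `properties["ImageId"] != /^ami-/`."""
    return sorted(name for name, res in resources_of_type(template, "AWS::EC2::Instance").items()
                  if isinstance((res.get("Properties") or {}).get("ImageId"), str)
                  and re.match(r"^ami-", res["Properties"]["ImageId"]))


WORLD = {"CidrIp": "0.0.0.0/0", "CidrIpv6": "::/0"}


def rule_covers_port(rule, port):
    """True/False when decidable from literals; None when the port range is a
    Ref or other intrinsic that only resolves at deploy time."""
    proto = str(rule.get("IpProtocol", "")).lower()
    if proto in ("-1", "all"):
        return True
    if proto != "tcp":
        return False
    try:
        return int(rule["FromPort"]) <= port <= int(rule["ToPort"])
    except (KeyError, TypeError, ValueError):
        return None


def ingress_rules(template):
    """(resource name, rule) pairs from inline SecurityGroupIngress lists and
    from standalone AWS::EC2::SecurityGroupIngress resources."""
    for name, res in resources_of_type(template, "AWS::EC2::SecurityGroup").items():
        for rule in (res.get("Properties") or {}).get("SecurityGroupIngress") or []:
            yield name, rule
    for name, res in resources_of_type(template, "AWS::EC2::SecurityGroupIngress").items():
        yield name, res.get("Properties") or {}


def open_ssh_resources(template):
    """Resources with a world-open rule reaching port 22. A world-open rule
    whose ports cannot be resolved statically is reported for review rather
    than silently passed."""
    found = set()
    for name, rule in ingress_rules(template):
        if not isinstance(rule, dict):
            continue  # e.g. the whole ingress list is a Ref; nothing to inspect
        world = any(rule.get(k) == v for k, v in WORLD.items())
        if world and rule_covers_port(rule, 22) is not False:
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    tpl = load_template(SAMPLE_TEMPLATE)
    print("hardcoded AMI:", hardcoded_ami_instances(tpl))
    print("SSH open to the world:", open_ssh_resources(tpl))
```

Run it directly to print the findings for the sample, or pass your own template text to load_template to try the checks on a real file. Treating an unresolvable port range on a world-open rule as a finding is a deliberate choice: a static check that returns "pass" for anything it cannot evaluate hides exactly the rules worth reviewing.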
