2.1 - PaulDuvall/aws-compliance-workshop GitHub Wiki

2.1 cfn_nag and Static Analysis

cfn_nag is an open source static analysis tool for CloudFormation templates that can discover obvious security flaws before deployment, such as security groups open to the world, wildcard IAM permissions, or missing encryption settings.

cfn_nag highlights:

  • Allows developers to find obvious security flaws in CloudFormation templates before doing a deployment.
  • Provides flexible controls for rule application including whitelists, blacklists, and fine-grained suppressions.
  • Supports custom rule development for enterprise-specific security violations.
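To make the kind of check described above concrete, here is a small added example (not cfn_nag's own code and not from the workshop) that scans a CloudFormation template in JSON form for the three flaw classes the page names: ingress open to the world, wildcard IAM actions, and S3 buckets without default encryption. The rule names, the two sample templates and the bucket ARN are constructed for the illustration.

```python
"""Toy static analyser for CloudFormation templates in JSON form.

Added illustration, not cfn_nag's own code. Rule names and the two sample
templates below are constructed; the checks mirror the flaw classes the
page lists (open security groups, wildcard IAM, missing encryption).
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM fields such as Action or Statement may be a string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_security_group(name, props):
    """Flag ingress rules whose source CIDR is the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr in WORLD_CIDRS:
            findings.append((name, "OPEN_INGRESS",
                             f"{cidr} may reach port {rule.get('FromPort')}"))
    return findings


def check_policy_document(name, doc):
    """Flag Allow statements whose Action is '*' or 'service:*'."""
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((name, "WILDCARD_ACTION", f"Allow {action}"))
    return findings


def check_iam(name, props):
    """Cover standalone policy resources and policies inlined in roles/users."""
    findings = check_policy_document(name, props.get("PolicyDocument", {}))
    for policy in props.get("Policies", []):
        findings += check_policy_document(name, policy.get("PolicyDocument", {}))
    return findings


def check_encryption(name, rtype, props):
    """S3 default encryption is opt-in; a bucket without it is a finding."""
    if rtype == "AWS::S3::Bucket" and "BucketEncryption" not in props:
        return [(name, "NO_ENCRYPTION", "bucket has no BucketEncryption")]
    return []


def scan_template(template):
    """Return (logical_id, rule, detail) tuples for every failing resource."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        if rtype == "AWS::EC2::SecurityGroup":
            findings += check_security_group(name, props)
        elif rtype.startswith("AWS::IAM::"):
            findings += check_iam(name, props)
        findings += check_encryption(name, rtype, props)
    return findings


def scan_json(text):
    """Scan a template supplied as a JSON string."""
    return scan_template(json.loads(text))


# Constructed "before" template carrying all three flaw classes.
WEAK_TEMPLATE = """{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh from anywhere",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
      "Policies": [{"PolicyName": "everything", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}
  }
}"""

# Constructed "after" template with each finding addressed.
HARDENED_TEMPLATE = """{
  "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "ssh from the corporate range only",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                "ToPort": 22, "CidrIp": "10.0.0.0/16"}]}},
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
      "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
      "Policies": [{"PolicyName": "read-logs", "PolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-log-bucket/*"}]}}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}}
  }
}"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label, scan_json(text) or "no findings")
```

Run as a script it reports three findings for the weak template and none for the hardened one. The point of the exercise is the same as with cfn_nag: the template is the artifact under review, so the check runs in a pipeline step before any stack is created, and a non-empty finding list is what fails the build.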