2.2 - PaulDuvall/aws-compliance-workshop GitHub Wiki

2.2 Run cfn_nag from the command line

Review and ensure that you have set up your development environment before going through the steps below.

To run a cfn_nag example, type the following from the Cloud9 terminal:

cd ~/environment/ccoa
git clone https://github.com/stelligent/cfn_nag_examples
gem install cfn-nag
cd cfn_nag_examples
cfn_nag_scan --input-path cfn/volume.yml

The above commands clone a GitHub repository containing some cfn_nag examples, install cfn_nag in the Cloud9 environment, and run cfn_nag's built-in rules against a CloudFormation template called volume.yml. After running the last command, you should see a failure similar to the output shown below.

cfn/volume.yml
------------------------------------------------------------
| FAIL F1
|
| Resources: ["EBSVolume"]
|
| EBS volume should have server-side encryption enabled
Failures count: 1
Warnings count: 0

As you can see, the scan fails on rule F1, which requires that the EBS volume be encrypted.

To fix the error, run the command below against volume-encrypted.yml, a modified version of volume.yml that sets the EBS volume's Encrypted property to true. The scan of this template should succeed.

cfn_nag_scan --input-path cfn/volume-encrypted.yml
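To show what rule F1 actually looks for in the two scenarios above, here is an added example (not code from the workshop or from cfn_nag itself) that re-implements the check in plain Ruby: it parses a constructed template with an unencrypted, an encrypted, and a parameter-driven volume, and prints a report in the same shape as the cfn_nag output. It uses the long-form `Ref:` syntax because short-form tags such as `!Ref` are not handled by this example's YAML loader.

```ruby
# Tiny stand-in for the check behind cfn_nag rule F1 (example code, not
# cfn_nag's own source): list AWS::EC2::Volume resources whose Encrypted
# property is not literally true. Standard library only.
require 'yaml'

# Constructed sample template, trimmed to the properties the check looks at
# (not the workshop's volume.yml): one unencrypted volume, one encrypted,
# and one whose flag comes from a parameter Ref.
SAMPLE_TEMPLATE = <<~YAML
  AWSTemplateFormatVersion: '2010-09-09'
  Parameters:
    Encrypt:
      Type: String
  Resources:
    EBSVolume:
      Type: AWS::EC2::Volume
      Properties:
        Size: 8
    EncryptedVolume:
      Type: AWS::EC2::Volume
      Properties:
        Size: 8
        Encrypted: true
    ParamVolume:
      Type: AWS::EC2::Volume
      Properties:
        Encrypted:
          Ref: Encrypt
YAML

# Logical IDs of EBS volumes that fail the check. Anything other than a
# literal true (absent, false, a string, or an intrinsic such as Ref) counts
# as a failure: the scanner cannot prove at scan time the volume is encrypted.
def unencrypted_volumes(template_yaml)
  resources = YAML.safe_load(template_yaml).fetch('Resources', {})
  resources.select do |_id, res|
    res['Type'] == 'AWS::EC2::Volume' &&
      (res['Properties'] || {})['Encrypted'] != true
  end.keys
end

# Render the finding in the same shape as the cfn_nag report shown above.
def report(path, failing_ids)
  return "#{path}\nFailures count: 0" if failing_ids.empty?
  "#{path}\n| FAIL F1\n| Resources: #{failing_ids.inspect}\n" \
    "| EBS volume should have server-side encryption enabled\n" \
    "Failures count: #{failing_ids.size}"
end

puts report('cfn/volume.yml', unencrypted_volumes(SAMPLE_TEMPLATE))
```

The ParamVolume case illustrates why a static scanner flags anything it cannot prove: an encryption flag supplied at deploy time may still be false.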

Now that you have run failure and success scenarios against CloudFormation templates using cfn_nag, you can provision a full AWS infrastructure solution into a deployment pipeline within AWS CodePipeline.