CloudFormation

Use Cloudformation to generate infrastructure as code. json or yaml but json is easier to parse with jq.

Validate

aws cloudformation validate-template --template-body file://your/template.json

Comply

Use cfn_nag

Install

gem install cfn-nag

# list all current stacks in a file
aws cloudformation list-stacks --stack-status-filter CREATE_IN_PROGRESS CREATE_COMPLETE ROLLBACK_IN_PROGRESS ROLLBACK_FAILED ROLLBACK_COMPLETE DELETE_IN_PROGRESS DELETE_FAILED UPDATE_IN_PROGRESS UPDATE_COMPLETE_CLEANUP_IN_PROGRESS UPDATE_COMPLETE UPDATE_ROLLBACK_IN_PROGRESS UPDATE_ROLLBACK_FAILED UPDATE_ROLLBACK_COMPLETE_CLEANUP_IN_PROGRESS UPDATE_ROLLBACK_COMPLETE REVIEW_IN_PROGRESS > /tmp/stacks2.json
# get the template body and store as $stack-name.yaml
for i in `cat /tmp/stacks2.json  | jq -r .StackSummaries[].StackName`; do  aws cloudformation get-template --stack-name $i | jq -r  .TemplateBody > /tmp/stacks/$i.yaml; done
# scan each cft with cfn_nag
for i in /tmp/stacks/*; do cfn_nag_scan --input-path $i; done

Tags

Stacks should be sensibly tagged. Taggable resources in CloudFormation stacks inherit the stack tags. Sensible tags are ones that are useful.

my_tags="iam=$(aws sts get-caller-identity |jq -r .UserId) src=$(git remote -v |grep push | awk '{print $2}') app=$app-name env=$ENV team=$team-name po=business_owner@somewhere"

Deploy

aws cloudformation deploy --template-file your/app-template.yaml --stack-name $app-name --tags $my_tags --region us-west-2  --capabilities CAPABILITY_NAMED_IAM