Best practices are recommendations that help you use AWS CloudFormation more effectively and securely throughout its entire workflow: how to plan and organize your stacks, how to write templates that describe your resources and the software that runs on them, and how to manage your stacks and their resources. CFT Manager automates part of this work by validating your CloudFormation template against these best practices.
CFT Manager scans your template for the following best practices –
Use IAM to Control Access –
IAM is the AWS service you use to manage users and their permissions. With IAM you control which CloudFormation actions users can perform, such as viewing stack templates, creating stacks, or deleting stacks. Anyone managing CloudFormation stacks also needs permissions on the resources within those stacks, and the IAM roles and policies that a template creates define in turn what those resources are allowed to do. CFT Manager flags any policy statement in the template whose Effect is Allow and whose Action or Resource is a wildcard (*), so that access is limited to specific actions on specific resources.
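The following scanner is an added example of the wildcard check described above; it is not CFT Manager's own code. It assumes the template has already been loaded into a Python dict (json.load, or a YAML loader that understands the !Ref/!GetAtt short forms), and the sample template it runs on is constructed for the example. It goes slightly beyond the page's Action/Resource check by also flagging a wildcard Principal in a role's trust policy, since "Principal": "*" there lets any AWS account assume the role.

```python
"""Flag over-broad IAM statements in a CloudFormation template.

Added example, not CFT Manager's own code. Assumes the template is already a
dict (json.load, or a YAML loader that knows the !Ref / !GetAtt short forms).
The sample template at the bottom is constructed for this example.
"""
import json

# Resource types whose Properties carry IAM policy documents.
STANDALONE_POLICY_TYPES = {"AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
INLINE_POLICY_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _policy_documents(logical_id, resource):
    """Yield (location, policy_document) for every policy document in one resource."""
    rtype = resource.get("Type")
    props = resource.get("Properties", {})
    if rtype in STANDALONE_POLICY_TYPES:
        yield f"{logical_id}.PolicyDocument", props.get("PolicyDocument", {})
    elif rtype in INLINE_POLICY_TYPES:
        for i, policy in enumerate(props.get("Policies", [])):
            yield f"{logical_id}.Policies[{i}]", policy.get("PolicyDocument", {})
        if rtype == "AWS::IAM::Role":  # the trust policy: who may assume the role
            yield f"{logical_id}.AssumeRolePolicyDocument", props.get("AssumeRolePolicyDocument", {})


def _wildcards(value):
    """Return the wildcard strings found in an Action, Resource or Principal element."""
    if isinstance(value, dict):  # Principal form: {"AWS": "*"} or {"Service": [...]}
        value = [v for vals in value.values() for v in _as_list(vals)]
    # "*" grants everything; "s3:*" a whole service; "arn:...:*" a whole namespace.
    return [v for v in _as_list(value)
            if isinstance(v, str) and (v == "*" or v.endswith(":*"))]


def find_wildcard_statements(template):
    """Return (location, statement_index, element, wildcard) for each over-broad Allow."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for location, doc in _policy_documents(logical_id, resource):
            for n, stmt in enumerate(_as_list(doc.get("Statement", []))):
                if stmt.get("Effect") != "Allow":
                    continue  # a Deny on "*" narrows access; only an Allow is over-broad
                for element in ("Action", "Resource", "Principal"):
                    for wildcard in _wildcards(stmt.get(element, [])):
                        findings.append((location, n, element, wildcard))
    return findings


# Constructed sample: one role that is far too broad, one tightly scoped policy.
SAMPLE_TEMPLATE = json.loads(r'''{
  "Resources": {
    "AdminRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                         "Action": "sts:AssumeRole"}]
        },
        "Policies": [{
          "PolicyName": "too-broad",
          "PolicyDocument": {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
        }]
      }
    },
    "ReadBucketPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Action": ["s3:GetObject"],
           "Resource": "arn:aws:s3:::app-assets/*"},
          {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}
        ]}
      }
    }
  }
}''')

if __name__ == "__main__":
    for location, n, element, wildcard in find_wildcard_statements(SAMPLE_TEMPLATE):
        print(f"{location} statement {n}: {element} = {wildcard!r}")
```

Running it reports the AdminRole's Action and Resource wildcards and its open trust policy, while the ReadBucketPolicy passes: its Allow is scoped to one action on one bucket prefix, and its "s3:*" appears only in a Deny, which narrows rather than widens access.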
Reusable Templates –
- Use cross-stack references to export shared resources: export outputs from one stack so that other stacks can use them. A consuming stack reads an exported value with the Fn::ImportValue function. This avoids hard-coding values and removes the need to edit every template separately for each environment.
- To make templates reusable, use the Parameters, Mappings, and Conditions sections so that you can customize your stacks when you create them.
- Use AWS-specific parameter types (such as AWS::EC2::VPC::Id or AWS::EC2::KeyPair::KeyName) so that CloudFormation checks the supplied value against the resources that actually exist in the account before it creates the stack.
Do Not Embed Credentials in Your Templates –
Rather than embedding sensitive information in your AWS CloudFormation templates, we strongly suggest you do one of the following:
- Use input parameters to pass in sensitive information whenever you create or update a stack, with the NoEcho property set so that the parameter value is masked in the console, the CLI, and API responses. Note that NoEcho only masks the value in CloudFormation's own output; it does not mask a value that the template copies into the Metadata or Outputs sections or into resource properties.
- Use dynamic references in the template to reference sensitive information that is stored and managed outside CloudFormation, in the Systems Manager Parameter Store (ssm-secure) or Secrets Manager, so that the secret never appears in the template or in the stack's parameter values.
Use Parameter Constraints –
With parameter constraints you describe the allowed input values so that AWS CloudFormation rejects any invalid value before it creates a stack. You can set constraints such as AllowedValues, AllowedPattern, MinLength and MaxLength for strings, and MinValue and MaxValue for numbers.
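The checks below are an added example covering the two sections above (credentials in templates, and parameter constraints); they are not CFT Manager's code. The template is constructed, the list of "sensitive" words used to recognise secret-bearing names is an assumption, and the check treats AWS-specific parameter types as already validated by CloudFormation, as the reusable-templates section notes.

```python
"""Parameter and hard-coded-secret checks for a CloudFormation template.

Added example, not CFT Manager's code. The template and the SENSITIVE_WORDS
list are assumptions made for this example.
"""
import re

SENSITIVE_WORDS = ("password", "secret", "token", "apikey", "privatekey")
CONSTRAINT_KEYS = ("AllowedValues", "AllowedPattern", "MinLength", "MaxLength",
                   "MinValue", "MaxValue")
# Only the ssm-secure and secretsmanager dynamic references keep the secret out
# of the template; a plain {{resolve:ssm:...}} fetches a plaintext parameter.
DYNAMIC_SECRET_REF = re.compile(r"^\{\{resolve:(ssm-secure|secretsmanager):.+\}\}$")


def _looks_sensitive(name):
    flat = name.lower().replace("_", "").replace("-", "")
    return any(word in flat for word in SENSITIVE_WORDS)


def check_parameters(template):
    """Return (parameter_name, problem) for NoEcho and constraint issues."""
    findings = []
    for name, param in template.get("Parameters", {}).items():
        ptype = param.get("Type", "String")
        if _looks_sensitive(name):
            # NoEcho may be a bool (YAML) or the string "true" (JSON).
            if str(param.get("NoEcho", "")).lower() != "true":
                findings.append((name, "sensitive parameter without NoEcho"))
            if "Default" in param:
                findings.append((name, "sensitive parameter has a Default baked into the template"))
        # Free-form String/Number parameters need constraints; AWS-specific
        # types (AWS::EC2::VPC::Id, ...) are validated by CloudFormation itself.
        if ptype in ("String", "Number") and not any(k in param for k in CONSTRAINT_KEYS):
            findings.append((name, "no constraint on free-form parameter"))
    return findings


def find_hardcoded_secrets(template):
    """Return (property_path, problem) for literal values under secret-like property names."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}"
                # A Ref / dynamic reference is a dict or a {{resolve:...}} string; a
                # plain literal under a secret-like key is the credential itself.
                if (_looks_sensitive(key) and isinstance(value, str)
                        and not DYNAMIC_SECRET_REF.match(value)):
                    findings.append((here, "literal value for a sensitive property"))
                walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    for logical_id, resource in template.get("Resources", {}).items():
        walk(resource.get("Properties", {}), logical_id)
    return findings


# Constructed sample template exercising each case.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "DBPassword": {"Type": "String", "Default": "changeme"},        # three problems
        "Environment": {"Type": "String", "AllowedValues": ["dev", "prod"]},
        "InstanceCount": {"Type": "Number"},                            # unconstrained
        "VpcId": {"Type": "AWS::EC2::VPC::Id"},                         # validated by CFN
        "ApiToken": {"Type": "String", "NoEcho": True, "MinLength": 32},
    },
    "Resources": {
        "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": {"Ref": "DBPassword"}}},              # via parameter: ok
        "Legacy": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "MasterUserPassword": "hunter2"}},                          # embedded secret
        "App": {"Type": "AWS::Lambda::Function", "Properties": {
            "Environment": {"Variables": {
                "API_TOKEN": "{{resolve:secretsmanager:app/api-token:SecretString:token}}"}}}},
    },
}

if __name__ == "__main__":
    for name, problem in check_parameters(SAMPLE_TEMPLATE) + find_hardcoded_secrets(SAMPLE_TEMPLATE):
        print(f"{name}: {problem}")
```

The DBPassword parameter is reported three times (no NoEcho, a Default that puts the secret in the template, no constraint), InstanceCount once, and only the Legacy instance's literal password is flagged as an embedded credential; the Ref and the Secrets Manager dynamic reference both pass.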
Validate Templates Before Using Them –
Before you use a template to create or update a stack, you can ask AWS CloudFormation to validate it (for example with aws cloudformation validate-template --template-body file://template.yaml). Validation catches syntax errors and some semantic errors, such as circular dependencies, before CloudFormation creates any resources; it does not check that property values are acceptable to the underlying service, which only surfaces when the stack is created. If you use the CFT Manager console, the console validates the template automatically.
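The circular-dependency case mentioned above can also be caught offline, without calling the validate-template API. The following dependency-graph check is an added example, not CFT Manager's or AWS's code; the two templates are constructed, and the check only follows Ref, Fn::GetAtt and DependsOn (it does not parse ${...} placeholders inside Fn::Sub, which is an assumption that keeps the example short).

```python
"""Detect circular dependencies between resources in a CloudFormation template.

Added example, not CFT Manager's or AWS's code. Follows Ref, Fn::GetAtt and
DependsOn only; ${...} placeholders inside Fn::Sub are not parsed (assumption).
Both sample templates are constructed.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _references(node, acc):
    """Collect logical IDs referenced via Ref / Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            acc.add(node["Ref"])
        if "Fn::GetAtt" in node:  # list form ["Res", "Attr"] or string form "Res.Attr"
            target = node["Fn::GetAtt"]
            acc.add(target[0] if isinstance(target, list) else target.split(".")[0])
        for value in node.values():
            _references(value, acc)
    elif isinstance(node, list):
        for item in node:
            _references(item, acc)
    return acc


def dependency_graph(template):
    """Map each logical ID to the set of resources it depends on."""
    resources = template.get("Resources", {})
    graph = {}
    for logical_id, resource in resources.items():
        deps = _references(resource.get("Properties", {}), set())
        deps |= set(_as_list(resource.get("DependsOn", [])))
        # Refs to Parameters or pseudo-parameters (AWS::Region) are not resource edges.
        graph[logical_id] = {d for d in deps if d in resources}
    return graph


def find_cycle(graph):
    """Return one cycle as a list of logical IDs (first == last), or None."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    stack = []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for dep in sorted(graph[node]):
            if colour[dep] == GREY:  # back edge: dep is an ancestor on the current path
                return stack[stack.index(dep):] + [dep]
            if colour[dep] == WHITE:
                cycle = visit(dep)
                if cycle:
                    return cycle
        stack.pop()
        colour[node] = BLACK
        return None

    for node in sorted(graph):
        if colour[node] == WHITE:
            cycle = visit(node)
            if cycle:
                return cycle
    return None


# Constructed sample 1: two security groups whose inline ingress rules reference
# each other, the classic CloudFormation circular dependency.
CYCLIC_TEMPLATE = {
    "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier", "VpcId": {"Ref": "VpcId"},
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                      "SourceSecurityGroupId": {"Ref": "AppSg"}}]}},
        "AppSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "app tier", "VpcId": {"Ref": "VpcId"},
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                      "SourceSecurityGroupId": {"Ref": "WebSg"}}]}},
        "Bucket": {"Type": "AWS::S3::Bucket"},
        "BucketPolicy": {"Type": "AWS::S3::BucketPolicy", "Properties": {
            "Bucket": {"Ref": "Bucket"},
            "PolicyDocument": {"Statement": [{"Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": {"Fn::GetAtt": ["Bucket", "Arn"]},
                "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}}},
    },
}


def _sg(description):
    return {"Type": "AWS::EC2::SecurityGroup",
            "Properties": {"GroupDescription": description, "VpcId": {"Ref": "VpcId"}}}


def _ingress(group, source, port):
    return {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": group}, "SourceSecurityGroupId": {"Ref": source},
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port}}


# Constructed sample 2: the same intent with the rules moved into standalone
# AWS::EC2::SecurityGroupIngress resources, which breaks the cycle.
FIXED_TEMPLATE = {
    "Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}},
    "Resources": {"WebSg": _sg("web tier"), "AppSg": _sg("app tier"),
                  "WebFromApp": _ingress("WebSg", "AppSg", 8080),
                  "AppFromWeb": _ingress("AppSg", "WebSg", 443)},
}

if __name__ == "__main__":
    for name, template in (("cyclic", CYCLIC_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, "->", find_cycle(dependency_graph(template)))
```

The first template is reported as AppSg -> WebSg -> AppSg, which is exactly what CloudFormation would reject at create time; the second resolves the same mutual access with standalone ingress resources that depend on both groups, so both groups can be created first and the graph has no cycle.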