cfn-lint icon indicating copy to clipboard operation
cfn-lint copied to clipboard

Published 20 hours ago verified publisher icon aws-cloudformation

Best Practices

Open kddejong opened this issue 7 years ago • 3 comments

A question was asked if we should be including template issues and best practices with the same repository of rules.

Example would be for an image ID property.

  1. Refs a Parameter of Type Number would not work at all and should show a failure.
  2. Refs a Parameter of type String shows a failure today because its not AWS::EC2::Image::Id. In this case both would work but AWS::EC2::Image::Id is more right.

Another example would be if you are specifying a password for a RDS database we make sure the REF to a parameter has the property NoEcho True set. Again a best practice but not a requirement for the template to work.

This is a great question and deserves some conversation. I see two options.

  1. Separate out best practice rules into another repo that people can download and use as they want.
  2. Keep Issues in this repo but allow people to turn off or enable best practices as needed. a. Tag Rules as Best Practice vs. Issue (wording to be worked on) and allow people to enable best practices as they need (disabled by default).
    b. A variance on the last one would be making best practices Warnings and allowing people to disable Warnings via parameter. Exit code would be determined on Errors and not on Warnings.

Right now I'm leaning towards a model in which we keep the rules in this repo but allow people to disable best practices.

kddejong avatar Apr 26 '18 20:04 kddejong

I like the "Error" vs. "Warning" model similar to other linters (Flake8 for example). This would allow separation of issues that will cause CloudFormation to fail from stylistic or other best practices.

cmmeyer avatar Apr 26 '18 21:04 cmmeyer

So I think we are in agreement of this.

  • Errors will focus on things that will fail when running a deployment.
  • Non-Errors will focus on best practice items.

Pull request 28 includes a capability to disable all Warnings.

kddejong avatar May 04 '18 17:05 kddejong

Re-opening this issue to track progress on some broadly applicable best practices:

  • [ ] Masking sensitive properties
  • [ ] Encryption
    • [ ] AWS::DocDB::DBCluster.StorageEncrypted
    • [ ] AWS::DynamoDB::Table.SSESpecification
    • [ ] AWS::EFS::FileSystem.Encrypted
    • [ ] AWS::Elasticsearch::Domain.EncryptionAtRestOptions
    • [ ] AWS::Elasticsearch::Domain.NodeToNodeEncryptionOptions
    • [ ] AWS::Redshift::Cluster.Encrypted
    • [ ] AWS::S3::Bucket.BucketEncryption
    • [ ] AWS::SNS::Topic.KmsMasterKeyId
    • [ ] AWS::SQS::Queue.KmsMasterKeyId
  • [ ] Backups/Versioning/RetentionPeriod/RemovalPolicy
    • [ ] AWS::DynamoDB::Table.PointInTimeRecoverySpecification
    • [ ] AWS::S3::Bucket.VersioningConfiguration
    • [ ] AWS::S3::Bucket.ReplicationConfiguration
  • [ ] Autoscaling/On-demand
    • [ ] AWS::DynamoDB::Table.BillingMode
  • [ ] Logging
    • [ ] AWS::AmazonMQ::Broker.Logs
    • [ ] AWS::S3::Bucket.LoggingConfiguration
  • [ ] not publicly accessible
  • [ ] latest version
  • [ ] least privilege / firewall

related: https://github.com/aws-cloudformation/cloudformation-guard/pull/21/

PatMyron avatar Feb 29 '20 04:02 PatMyron