CloudWatch Logs: Preventing Orphaned Log Groups

Hello! When you need to publish logs to CloudWatch (e.g. from a Lambda function), you need an IAM role with access to CloudWatch Logs. It's tempting to use a simple policy like the one in the AWS docs. You might write a CloudFormation template like this: Obviously, the role is too permissive: arn:aws:logs:*:*:* matches every log group in every region and account. But there's another …
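The usual way to deal with both problems is to let the stack own the log group and to scope the role to that one group. The following template is an added example (the article's own template is not reproduced on this page); the resource and function names are chosen for illustration:

```yaml
# Added example, not the article's template. A Lambda function whose log group
# is created by the stack (so it is deleted with the stack instead of being
# left behind as an orphan) and a role that can only write to that group.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  # Lambda creates /aws/lambda/<FunctionName> on first invocation if it does not
  # exist; such a group is not part of the stack and survives stack deletion.
  HelloLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub '/aws/lambda/${AWS::StackName}-hello'
      RetentionInDays: 14

  HelloRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: lambda.amazonaws.com}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: write-own-logs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # No logs:CreateLogGroup: the group already exists, and without
              # this permission the function cannot create an unmanaged one.
              # GetAtt Arn on a log group ends in ':*', which covers its streams.
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !GetAtt HelloLogGroup.Arn

  HelloFunction:
    Type: AWS::Lambda::Function
    DependsOn: HelloLogGroup          # group must exist before the first invoke
    Properties:
      FunctionName: !Sub '${AWS::StackName}-hello'   # must match the group name
      Role: !GetAtt HelloRole.Arn
      Runtime: python3.12
      Handler: index.handler
      Code:
        ZipFile: |
          def handler(event, context):
              print("hello")   # lands in HelloLogGroup
              return "ok"
```

The function name and the log group name have to agree, which is why both are derived from the same `!Sub` expression. If the group were missing and the role lacked `logs:CreateLogGroup`, the function would still run but its output would be dropped with an access-denied error from the logs API, so keep the `DependsOn`.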

CloudFormation: Limited-Privilege IAM Policies With cfn-nag

Hello! This article is about security testing in CloudFormation; if you're looking for functional testing, check out this. When you write IAM policies, you should grant the smallest set of permissions that work. So, looking at this policy defined in a CloudFormation resource: The Resource: '*' looks wrong. It grants permission to make the DescribeInstances …
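One detail worth knowing when cfn-nag flags such a policy: ec2:DescribeInstances is one of the EC2 actions that does not support resource-level permissions, so Resource: '*' is the only value that works for it, and the right response is a per-resource suppression with a written reason rather than a looser rule. The template below is an added example, not the article's; the role name is illustrative, and W11 is cfn-nag's rule for a '*' resource in a role's inline policy:

```yaml
# Added example, not the article's template. The Describe call keeps '*'
# (there is nothing narrower to put there) and the cfn-nag warning is
# suppressed on this one resource; the second statement shows an action
# that does support resource ARNs and is scoped accordingly.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  InventoryRole:
    Type: AWS::IAM::Role
    Metadata:
      cfn_nag:
        rules_to_suppress:
          - id: W11
            reason: "ec2:DescribeInstances does not support resource-level permissions"
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: lambda.amazonaws.com}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: inventory
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Read-only describe: '*' is unavoidable, so the suppression
              # above documents why rather than hiding the finding.
              - Effect: Allow
                Action: ec2:DescribeInstances
                Resource: '*'
              # Contrast: StopInstances accepts instance ARNs and tag
              # conditions, so '*' here would be a genuine finding.
              - Effect: Allow
                Action: ec2:StopInstances
                Resource: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*'
                Condition:
                  StringEquals:
                    ec2:ResourceTag/Owner: inventory
```

Run `cfn_nag_scan --input-path template.yaml` to check the result: the suppressed warning is reported as such instead of failing the scan, and removing the `Condition` and ARN from the second statement brings W11 back.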

CloudFormation: functions like ImportValue and GetAtt inside a Sub

Hello! In CloudFormation, I think !Sub is the best way to generate strings that contain dynamic values. It's better to interpolate, like this: than to join, like this: Both are common solutions, and ${SG} resolves to the same value as !Ref SG, but I think interpolation is the right tool here. Join is better for other …
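The forms in question, side by side, as an added example rather than the article's snippets. The security group and the export name `shared-vpc-id` are assumptions for illustration:

```yaml
# Added example, not the article's template. ${SG} inside !Sub is the same
# value as !Ref SG, ${SG.GroupId} is the same value as !GetAtt SG.GroupId,
# and pseudo parameters such as ${AWS::Region} work the same way.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: example group
      VpcId: !ImportValue shared-vpc-id     # assumed export from another stack

Outputs:
  # Interpolation: one readable string.
  SgArnInterpolated:
    Value: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${SG.GroupId}'

  # Join: the same string, assembled piece by piece.
  SgArnJoined:
    Value: !Join
      - ''
      - - 'arn:aws:ec2:'
        - !Ref AWS::Region
        - ':'
        - !Ref AWS::AccountId
        - ':security-group/'
        - !GetAtt SG.GroupId

  # ImportValue has no ${...} shorthand; bind it to a name with the
  # two-element form of Sub and interpolate that name.
  VpcDescription:
    Value: !Sub
      - 'group ${SG} lives in ${VpcId} (${AWS::Region})'
      - VpcId: !ImportValue shared-vpc-id
```

The two-element form is the general escape hatch: any function that cannot be written as `${...}` goes in the variable map, and the template string stays as readable as the plain `!Sub` case.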

CloudFormation Custom Resources: Avoiding the Two Hour Exception Timeout

There's a gotcha when writing CloudFormation Custom Resources that's easy to miss, and if you miss it your stack can get stuck, ignoring its timeout setting. It'll fail on its own after an hour, but if it tries to roll back you have to wait a second hour. Here's how to avoid that. This post …
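The reason a stack waits that long is that CloudFormation only learns the outcome of a custom resource from the response the handler posts to the pre-signed ResponseURL in the event. A handler that raises, or is killed at its Lambda timeout, never posts one. The template below is an added example of a handler that responds on every path, not the article's code; the resource names are illustrative, and the watchdog timer for the Lambda-timeout case is this example's own addition:

```yaml
# Added example, not the article's template. The inline handler reports
# FAILED to CloudFormation when it throws, and arms a timer so that running
# out of time also produces a response instead of silence.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomResourceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: lambda.amazonaws.com}
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  CustomResourceFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt CustomResourceRole.Arn
      Timeout: 60      # seconds; the stack does not wait on this, only on the response
      Code:
        ZipFile: |
          import threading
          import cfnresponse   # CloudFormation bundles this module for ZipFile code

          def do_work(event):
              # Stand-in for the real Create/Update/Delete logic (assumed).
              if event["RequestType"] == "Delete":
                  return {}
              return {"Message": "created"}

          def handler(event, context):
              # A function killed at its Timeout sends nothing, so report
              # FAILED a few seconds before the deadline if still running.
              watchdog = threading.Timer(
                  context.get_remaining_time_in_millis() / 1000 - 5,
                  cfnresponse.send,
                  args=(event, context, cfnresponse.FAILED, {}),
                  kwargs={"reason": "handler ran out of time"},
              )
              watchdog.start()
              try:
                  data = do_work(event)
                  cfnresponse.send(event, context, cfnresponse.SUCCESS, data)
              except Exception as exc:
                  # An unhandled exception would leave CloudFormation waiting
                  # for its own timeout, and again during rollback.
                  print(f"custom resource failed: {exc!r}")
                  cfnresponse.send(event, context, cfnresponse.FAILED, {},
                                   reason=str(exc))
              finally:
                  watchdog.cancel()

  Example:
    Type: Custom::Example
    Properties:
      ServiceToken: !GetAtt CustomResourceFunction.Arn
```

A FAILED response with a reason surfaces in the stack events within seconds and lets the rollback proceed, which is the behaviour the one-hour-plus-one-hour wait replaces. Keep the Delete path forgiving: a Delete request that fails blocks stack deletion, so it should usually report SUCCESS once the resource is confirmed gone.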