CodePipeline lambda Function: Complete Example

Hello! It takes a few pieces to assemble a working lambda action for CodePipeline. I like to start from a simple example and build up to what I need. Here's the code I use as a starting point. First, a few notes: My pipeline lambda functions are usually small, often only a few dozen lines …

CloudFormation Custom Resource: Complete Example

Hello! It takes a few pieces to assemble a working CloudFormation Custom Resource. I like to start from a simple example and build up to what I need. Here's the code I use as a starting point. First, a few notes: My custom resources are usually small, often only a few dozen lines (more than …

CloudWatch Logs: Preventing Orphaned Log Groups

Hello! When you need to publish logs to CloudWatch (e.g. from a lambda function), you need an IAM role with access to CloudWatch. It's tempting to use a simple policy like the one in the AWS docs. You might write a CloudFormation template like this: Obviously, the role is too permissive: arn:aws:logs:*:*:* But, there's another …

CloudFormation: Limited-Privilege IAM Policies With cfn-nag

Hello! This article is about security testing in CloudFormation; if you're looking for functional testing, check out this. When you write IAM policies, you should grant the smallest set of permissions that work. So, looking at this policy defined in a CloudFormation resource: The Resource: '*' looks wrong. It grants permission to make the DescribeInstances …