Using cfn-lint to validate IAM Resources in AWS

Highly recommended for any automation engineer who wants to control their Cloudformation via a pipeline.

Jason Keane

When running a continuous delivery pipeline to reliably deploy AWS CloudFormation infrastructure, you want to run tests on your code to validate it is written well before it gets deployed.

aws cloudformation validate-template, the AWS command line interface command, is the most common way to verify your stacks, but since the command does not check the resources that require CAPABILITY_IAM (it only reports that the capability is needed), it can’t effectively validate IAM resources.


Problem - Validating CloudFormation

For instance, the example below will pass a validation check using aws cloudformation validate-template, even though the property ‘BadField’ doesn’t exist on AWS::IAM::Role.


AWSTemplateFormatVersion: '2010-09-09'
Description: IAM Role example
Resources:
  CFNLintExample:
    Type: AWS::IAM::Role
    Properties:
      RoleName: cfn-lint-example
      BadField: ThisWillNotWork   # this property does not exist on AWS::IAM::Role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess


The response when running aws cloudformation validate-template --template-body file://iam.yaml will output:


{
    "Parameters": [],
    "Description": "IAM Roles for example cfn-lint",
    "Capabilities": [
        "CAPABILITY_NAMED_IAM"
    ],
    "CapabilitiesReason": "The following resource(s) require capabilities: [AWS::IAM::Role]"
}


The output above will not tell you whether the IAM resource is valid, and the pipeline will continue along unaware that the IAM role in the CloudFormation stack will fail during deployment.


Solution: cfn-lint!

cfn-lint, a tool available from the awslabs open source GitHub repository, analyses CloudFormation templates for errors, stylistic problems and bugs, and can be used as an alternative to aws cloudformation validate-template to validate all CloudFormation resources, including IAM resources.


Value of Solution

By using cfn-lint you will be able to effectively validate IAM resources inside CloudFormation stacks before deployment, instead of waiting until the deployment stages of the continuous delivery pipeline and then having to guess why your stacks are failing.

Validating the example above running cfn-lint iam.yaml will produce the following output:

E3002 Invalid Property Resources/CFNLintExample/Properties/BadField
iam.yaml:8:7

This returns a non-zero exit status and fails the build, since the property doesn’t exist.
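To make concrete what kind of check distinguishes cfn-lint from aws cloudformation validate-template, here is an added example (not cfn-lint's own code, and not part of the original article) of a schema check over AWS::IAM::Role resources: it reports unknown properties in the same "E3002 Invalid Property Resources/.../Properties/..." form cfn-lint uses, flags a missing AssumeRolePolicyDocument, and flags trust-policy statements with no Principal. The property list is a hand-copied subset of the AWS::IAM::Role resource schema, the template is a constructed Python copy of the article's iam.yaml (in a real pipeline you would load the YAML file with a YAML parser), and the REQUIRED and TRUST codes are my own labels, not cfn-lint rule ids.

```python
"""Schema check for AWS::IAM::Role resources, in the style of cfn-lint's E3002.

Added example; not cfn-lint's code. Known properties are an assumed subset of
the AWS::IAM::Role resource schema; REQUIRED/TRUST are constructed codes.
"""
import copy
import sys

# Assumed subset of the AWS::IAM::Role properties from the resource schema.
IAM_ROLE_PROPERTIES = {
    "AssumeRolePolicyDocument", "Description", "ManagedPolicyArns",
    "MaxSessionDuration", "Path", "PermissionsBoundary", "Policies",
    "RoleName", "Tags",
}
IAM_ROLE_REQUIRED = {"AssumeRolePolicyDocument"}


def lint_iam_roles(template: dict) -> list:
    """Return one finding string per problem found in the template's IAM roles."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::IAM::Role":
            continue
        props = resource.get("Properties") or {}
        path = f"Resources/{name}/Properties"
        # Unknown property: the check validate-template does not perform.
        for prop in props:
            if prop not in IAM_ROLE_PROPERTIES:
                findings.append(f"E3002 Invalid Property {path}/{prop}")
        # Required property missing (constructed code REQUIRED).
        for prop in sorted(IAM_ROLE_REQUIRED - props.keys()):
            findings.append(f"REQUIRED Missing property {path}/{prop}")
        # A trust-policy statement needs a Principal, otherwise nothing can
        # assume the role (constructed code TRUST).
        doc = props.get("AssumeRolePolicyDocument") or {}
        for i, stmt in enumerate(doc.get("Statement", [])):
            if "Principal" not in stmt:
                findings.append(
                    f"TRUST Statement without Principal "
                    f"{path}/AssumeRolePolicyDocument/Statement/{i}")
    return findings


def without(template: dict, *path) -> dict:
    """Deep-copy the template and delete the key at the given path (demo helper)."""
    clone = copy.deepcopy(template)
    node = clone
    for key in path[:-1]:
        node = node[key]
    del node[path[-1]]
    return clone


# Constructed copy of the article's iam.yaml, including the bad property.
BAD_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "IAM Role example",
    "Resources": {
        "CFNLintExample": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "RoleName": "cfn-lint-example",
                "BadField": "ThisWillNotWork",
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"Service": "ec2.amazonaws.com"},
                        "Action": ["sts:AssumeRole"],
                    }],
                },
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"],
            },
        }
    },
}

if __name__ == "__main__":
    # Pipeline gate: print findings and fail the build if there are any.
    problems = lint_iam_roles(BAD_TEMPLATE)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run as a script it prints the single E3002 finding and exits 1, which is the behaviour a pipeline stage needs: the build stops before aws cloudformation deploy ever sees the template.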


Summary

Validating CloudFormation code with aws cloudformation validate-template does not validate IAM resources, because the command has no CAPABILITY_IAM switch and only reports that the capability is required. One way to get around this limitation is to use cfn-lint, which not only checks CloudFormation templates for bad formatting, but also checks for resource creation errors, including IAM. This makes it handy for integrating CloudFormation into a continuous delivery pipeline so code can be tested before it gets deployed.

cfn-lint is available from the awslabs repository at https://github.com/awslabs/cfn-python-lint and can be installed by running pip install cfn-lint.