Example template
AWSTemplateFormatVersion: "2010-09-09"
Resources:
dynamodb003S1:
Type: AWS::DynamoDB::Table
Properties:
PointInTimeRecoverySpecification:
PointInTimeRecoveryEnabled: true
AttributeDefinitions:
- AttributeName: Album
AttributeType: S
- AttributeName: Artist
AttributeType: S
- AttributeName: Sales
AttributeType: N
- AttributeName: NumberOfSongs
AttributeType: N
KeySchema:
- AttributeName: Album
KeyType: HASH
- AttributeName: Artist
KeyType: RANGE
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
SSESpecification:
SSEEnabled: true
TableName: myTableName
GlobalSecondaryIndexes:
- IndexName: myGSI
KeySchema:
- AttributeName: Sales
KeyType: HASH
- AttributeName: Artist
KeyType: RANGE
Projection:
NonKeyAttributes:
- Album
- NumberOfSongs
ProjectionType: INCLUDE
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
- IndexName: myGSI2
KeySchema:
- AttributeName: NumberOfSongs
KeyType: HASH
- AttributeName: Sales
KeyType: RANGE
Projection:
NonKeyAttributes:
- Album
- Artist
ProjectionType: INCLUDE
ProvisionedThroughput:
ReadCapacityUnits: "5"
WriteCapacityUnits: "5"
LocalSecondaryIndexes:
- IndexName: myLSI
KeySchema:
- AttributeName: Album
KeyType: HASH
- AttributeName: Sales
KeyType: RANGE
Projection:
NonKeyAttributes:
- Artist
- NumberOfSongs
ProjectionType: INCLUDE
Example scan command
#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
api_key="Your Trend API Key"
file_path="Path to template"
api_base_url="https://conformity.us-1.cloudone.trendmicro.com/api"
contents=$(cat ${file_path} | jq '.' -MRs)
payload="{\"data\":{\"attributes\":{\"type\":\"cloudformation-template\",\"contents\":${contents}}}}"
echo Request:
echo ${payload} | jq '.' -M
echo Response:
curl -s -X POST \
-H "Authorization: ApiKey ${api_key}" \
-H "Content-Type: application/vnd.api+json" \
${api_base_url}/template-scanner/scan \
--data-binary "${payload}" | jq '.' -M
Example Template Scanner API Output
{
"data": [
{
"type": "checks",
"id": "ccc:OrganisationId:RG-001:ResourceGroup:us-east-1:dynamodb003s1-4ez4cs0amgea",
"attributes": {
"region": "us-east-1",
"status": "FAILURE",
"risk-level": "LOW",
"pretty-risk-level": "Low",
"message": "dynamodb-table dynamodb003s1-4ez4cs0amgea has [Environment, Role, Owner, Name] tags missing",
"resource": "dynamodb003s1-4ez4cs0amgea",
"descriptorType": "dynamodb-table",
"categories": [
"security",
"reliability",
"performance-efficiency",
"cost-optimisation",
"operational-excellence",
"sustainability"
],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HITRUST",
"ASAE-3150",
"PCI-V4",
"FEDRAMP",
"MAS",
"CSA"
],
"extradata": [
{
"name": "DETAILED_STATUS",
"label": "Resource tags status for dynamodb-table dynamodb003s1-4ez4cs0amgea",
"value": "{\"service\":\"DynamoDB\",\"descriptorType\":\"dynamodb-table\",\"resourceName\":\"dynamodb003s1-4ez4cs0amgea\",\"tags\":[{\"key\":\"Environment\",\"hasValue\":false},{\"key\":\"Role\",\"hasValue\":false},{\"key\":\"Owner\",\"hasValue\":false},{\"key\":\"Name\",\"hasValue\":false}]}",
"type": "META",
"internal": true
}
],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "Tags",
"provider": "aws",
"resolution-page-url": "https://wdevelopment.cloudconformity.com/knowledge-base/aws/ResourceGroup/tags.html",
"service": "ResourceGroup"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "RG-001"
}
},
"account": {
"data": null
}
}
},
{
"type": "checks",
"id": "ccc:OrganisationId:DynamoDB-003:DynamoDB:us-east-1:dynamodb003s1-4ez4cs0amgea",
"attributes": {
"region": "us-east-1",
"status": "SUCCESS",
"risk-level": "HIGH",
"pretty-risk-level": "High",
"message": "Continuous Backups are enabled for [dynamodb003s1-4ez4cs0amgea]",
"resource": "dynamodb003s1-4ez4cs0amgea",
"descriptorType": "dynamodb-table",
"categories": ["reliability"],
"compliances": [
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9"
],
"last-updated-date": null,
"extradata": [
{
"name": "EarliestRestorableDateTime",
"label": "Earliest Restorable DateTime",
"value": 1707793902245,
"type": "META"
},
{
"name": "LatestRestorableDateTime",
"label": "Latest Restorable DateTime",
"value": 1707793902245,
"type": "META"
}
],
"tags": [],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "DynamoDB Continuous Backups",
"provider": "aws",
"resolution-page-url": "https://wdevelopment.cloudconformity.com/knowledge-base/aws/DynamoDB/continuous-backups.html",
"service": "DynamoDB",
"logicalResourceId": "dynamodb003s1-4ez4cs0amgea"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "DynamoDB-003"
}
},
"account": {
"data": null
}
}
},
{
"type": "checks",
"id": "ccc:OrganisationId:DynamoDB-004:DynamoDB:us-east-1:dynamodb003s1-4ez4cs0amgea",
"attributes": {
"region": "us-east-1",
"status": "SUCCESS",
"risk-level": "HIGH",
"pretty-risk-level": "High",
"message": "Table [dynamodb003s1-4ez4cs0amgea] is encrypted at rest using the AWS managed key or Customer managed key",
"resource": "dynamodb003s1-4ez4cs0amgea",
"descriptorType": "dynamodb-table",
"categories": ["security"],
"compliances": [
"GDPR",
"AWAF",
"CIS-V8",
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"ISO27001",
"ISO27001-2022",
"AGISM",
"HIPAA",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"APRA",
"FEDRAMP",
"MAS",
"CSA",
"ENISA",
"FISC-V9",
"LGPD"
],
"last-updated-date": null,
"tags": [],
"cost": 0,
"waste": 0,
"not-scored": false,
"ignored": false,
"rule-title": "Enable Encryption at Rest with Amazon KMS Keys",
"provider": "aws",
"resolution-page-url": "https://wdevelopment.cloudconformity.com/knowledge-base/aws/DynamoDB/encrypted-with-cmk.html",
"service": "DynamoDB",
"logicalResourceId": "dynamodb003s1-4ez4cs0amgea"
},
"relationships": {
"rule": {
"data": {
"type": "rules",
"id": "DynamoDB-004"
}
},
"account": {
"data": null
}
}
}
],
"meta": {
"missingParameters": [],
"errors": []
}
}