IDE Security Plugin
Install the Security plugin in the IDE
First you will need to install the VSCode IDE in your machine to install the Cloud Conformity Security Plugin as you can see here: Link
- Click on Install after opening the link from Cloud Conformity Plugin provide above and it will automatically download the plugin for the Visual Studio Code in your machine that you have installed in the Prequisites session:
Enabling the API Token to scan AWS CloudFormation Templates on the IDE
Second you will need to create one account in Conformity using this link here Create Account, login into your account, and generate an API Token.
Log in to Trend Micro Cloud One Platform:
1. Click on the bottom left User Management
2. Click the API Key icon on the left side
3. Click on New to create the API Key
4. Select Read Only Access Role, the prefer language for you and the prefer Timezone. After you can click Next
5. This will generate the API Key you will need to click Copy to Clipboard and save it properly. Because after you close this screen you will not be able to retrieve it later.
Remember to copy the key and save it safely. You won't be able to get it again.
Copy the API Key and go back to VSCode IDE 💻
- Click on the Extensions icon (left side) and click in Extension Settings ⚙️ for the Cloud Conformity Template Scanner entry.
- Select edit in settings.json on the Cc: ApiKey section.
- Input the API Key you generated on the previous step and save.
Now you will be able to scan the CloudFormation templates based on hundreds of checks that help you comply with the AWS Well-Architected Framework among others standards and frameworks to ensure you are building superior cloud infrastructure. Here is one example of a bad CloudFormation template NOT following the engineering best practices for you to test:
Copy the CloudFormation template example below and save the file with the YAML format (.yml). If you do not save the file, the template scanner will fail.
#This is an CloudFormation template example NOT following the AWS Well-Architected Framework
Resources:
Ec2Instance:
Type: 'AWS::EC2::Instance'
Properties:
SecurityGroups:
- !Ref InstanceSecurityGroup
KeyName: ec2-keypair
ImageId: ami-0ff8a91507f77f867
Tags:
-
Key: "Environment"
Value: "TM_Lab"
InstanceSecurityGroup:
Type: 'AWS::EC2::SecurityGroup'
Properties:
GroupDescription: Enable SSH access via port 22 test
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
Tags:
-
Key: "Environment"
Value: "TM_Lab"
S3Bucket:
Type: AWS::S3::Bucket
Properties:
BucketName: test-tm-lab-s3-bucket
Tags:
-
Key: "Environment"
Value: "TM_Lab"
To test the extension, open the CloudFormation template above with the VSCode IDE and open the Command Pallet with:
- MAC OS: ⇧ + ⌘ + P
- Windows/Linux: Ctrl+Shift+P
Search for Cloud One Conformity: Scan the Current Open Template and hit enter to start automatically scanning your CloudFormation template:
The result will appear in a second tab called Scan Result like the image below.
You can also check out the Conformity Knowledge Base, which can help you better understand more about any best practice check violations and how to remediate and fix them in your CloudFormation template or in production environments:
