IDE Security Plugin

Install the Security plugin in the IDE

First you will need to install the VSCode IDE in your machine to install the Cloud Conformity Security Plugin as you can see here: Link

  • Click on Install after opening the link from Cloud Conformity Plugin provide above and it will automatically download the plugin for the Visual Studio Code in your machine that you have installed in the Prequisites session:

IDE1

Enabling the API Token to scan AWS CloudFormation Templates on the IDE

Second you will need to create one account in Conformity using this link here Create Account, login into your account, and generate an API Token.

Log in to Trend Micro Cloud One Platform:

1. Click on the bottom left User Management IDE1

2. Click the API Key icon on the left side IDE1

3. Click on New to create the API Key IDE1

4. Select Read Only Access Role, the prefer language for you and the prefer Timezone. After you can click Next IDE1

5. This will generate the API Key you will need to click Copy to Clipboard and save it properly. Because after you close this screen you will not be able to retrieve it later.

Remember to copy the key and save it safely. You won't be able to get it again.

IDE1

Copy the API Key and go back to VSCode IDE 💻

  1. Click on the Extensions icon (left side) and click in Extension Settings ⚙️ for the Cloud Conformity Template Scanner entry.
  2. Select edit in settings.json on the Cc: ApiKey section.
  3. Input the API Key you generated on the previous step and save.

API2

Now you will be able to scan the CloudFormation templates based on hundreds of checks that help you comply with the AWS Well-Architected Framework among others standards and frameworks to ensure you are building superior cloud infrastructure. Here is one example of a bad CloudFormation template NOT following the engineering best practices for you to test:

Copy the CloudFormation template example below and save the file with the YAML format (.yml). If you do not save the file, the template scanner will fail.

#This is an CloudFormation template example NOT following the AWS Well-Architected Framework  

Resources:
  Ec2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      SecurityGroups:
        - !Ref InstanceSecurityGroup
      KeyName: ec2-keypair
      ImageId: ami-0ff8a91507f77f867
      Tags:
        - 
          Key: "Environment"
          Value: "TM_Lab"
  InstanceSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: Enable SSH access via port 22 test 
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: 0.0.0.0/0
      Tags:
        - 
          Key: "Environment"
          Value: "TM_Lab"
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: test-tm-lab-s3-bucket
      Tags:
        - 
          Key: "Environment"
          Value: "TM_Lab"

To test the extension, open the CloudFormation template above with the VSCode IDE and open the Command Pallet with:

- MAC OS: ⇧ + ⌘ + P
- Windows/Linux: Ctrl+Shift+P

Search for Cloud One Conformity: Scan the Current Open Template and hit enter to start automatically scanning your CloudFormation template:

IDE3

The result will appear in a second tab called Scan Result like the image below.

You can also check out the Conformity Knowledge Base, which can help you better understand more about any best practice check violations and how to remediate and fix them in your CloudFormation template or in production environments:

IDE4

Awesome the first stage for an IaC Security automation is done. 😃🤖💻