
Template scanner

Managing the Conformity template scanner.

List Template Scanner rules

GET /template-scanner/rules

This endpoint returns the list of available rules that are executed when a template is scanned. Pass the template type as the `type` query parameter; the rule set differs between CloudFormation and Terraform templates.

Example Request (CloudFormation):

curl -H "Content-Type: application/json" \
https://us-west-2-api.cloudconformity.com/v1/template-scanner/rules?type=cloudformation-template

Example Request (Terraform):

curl -H "Content-Type: application/json" \
https://us-west-2-api.cloudconformity.com/v1/template-scanner/rules?type=terraform-template

Example Response:

{
  "data": [
    {
      "type": "rules",
      "id": "EC2-001",
      "attributes": {
        "title": "Security Group Port Range",
        "description": "Ensure no security group opens range of ports",
        "compliances": [
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "AGISM",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "FEDRAMP",
          "CSA"
        ],
        "provider": "aws",
        "service": "EC2"
      }
    },
    {
      "type": "rules",
      "id": "EC2-014",
      "attributes": {
        "title": "Security Group Rules Counts",
        "description": "Determine if there is a large number of rules in a security group",
        "compliances": [
          "AWAF",
          "AGISM",
          "ASAE-3150",
          "PCI",
          "CSA"
        ],
        "provider": "aws",
        "service": "EC2"
      }
    }, ...more rules
  ]
}
Request

Query parameters:

type (string): Specify the type of template. Default value is "cloudformation-template". Enum: "cloudformation-template", "terraform-template".

Responses:

200 Success response (a "data" array of rule objects, as in the example response above).

Scan a template

POST /template-scanner/scan
Supported AWS resources (CloudFormation and Terraform templates):

API Gateway
  RestApi
AutoScaling
  LaunchConfiguration
CloudFormation
  Stack
CloudTrail
  RouteTable
  SecurityGroup
  Subnet
  Volume
  VPC
  VPCEndpoint
DynamoDB
  Table
EC2
  Instance
  Volume
EFS
  FileSystem
ElastiCache
  CacheCluster
Elasticsearch
  Domain
ELB
  LoadBalancer
ELBv2
  LoadBalancer
IAM
  Group
  ManagedPolicy
  Policy
  Role
RDS
  DBCluster
  DBInstance
Redshift
  Cluster
S3
  Bucket
SNS
  Topic
SQS
  Queue
VPC
  VPCEndpoint
  NetworkAcl
  NetworkInterface
  SecurityGroup
  VPC
WorkSpaces
  WorkSpace

Child modules are also supported for Terraform.

Supported rules:

All resource-level rules are supported. Refer to the Cloud Conformity rule catalogue for the list of rules.

Examples:

Scan a template using Bash:

#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
set -euo pipefail

# Cloud Conformity API Key (read from the environment instead of being hard-coded in the script)
api_key="${CC_API_KEY:?Set CC_API_KEY to your Cloud Conformity API key}"
# Path to template file
file_path="Path to template"
# Region in which Cloud Conformity serves your organisation
region="us-west-2"
# Template type: cloudformation-template or terraform-template
template_type="cloudformation-template"

# -R reads the file as raw text, -s slurps it into a single string, '.' emits it JSON-escaped
contents=$(jq -MRs '.' "${file_path}")
payload="{\"data\":{\"attributes\":{\"type\":\"${template_type}\",\"contents\":${contents}}}}"

echo Request:
echo "${payload}" | jq '.' -M

echo Response:
# --fail-with-body (curl 7.76+) exits non-zero on 4xx/5xx but still prints the error body
curl -s --fail-with-body -X POST \
     -H "Authorization: ApiKey ${api_key}" \
     -H "Content-Type: application/vnd.api+json" \
     "https://${region}-api.cloudconformity.com/v1/template-scanner/scan" \
     --data-binary "${payload}" | jq '.' -M

Scan a template using Python:

#!/usr/bin/env python3
# Scans a template file
# Requires "requests" to be installed

import json
import os
import sys

import requests

# Please substitute filePath and region; the API key is read from the CC_API_KEY environment variable
# Cloud Conformity API Key (kept out of the source file)
apiKey = os.environ["CC_API_KEY"]
# Path to CloudFormation template file (YAML or JSON)
filePath = "Path to CloudFormation template"
# Region in which Cloud Conformity serves your organisation
region = "us-west-2"

endpoint = 'https://' + region + '-api.cloudconformity.com'
url = endpoint + '/v1/template-scanner/scan'

headers = {
    'Content-Type': 'application/vnd.api+json',
    'Authorization': 'ApiKey ' + apiKey
}

# The template is sent verbatim as a string; the service parses it server-side
with open(filePath, 'r', encoding='utf-8') as f:
    contents = f.read()

payload = {
    'data': {
        'attributes': {
            'type': 'cloudformation-template',
            'contents': contents
        }
    }
}
print('Request:\n' + json.dumps(payload, indent=2))

resp = requests.post(url, headers=headers, data=json.dumps(payload), timeout=60)
print('Response:\n' + json.dumps(resp.json(), indent=2, sort_keys=True))
# A non-2xx status (401/403/404/500, see the Responses list) should fail the calling job
if not resp.ok:
    sys.exit(1)
Request

Security: ApiKey (sent as the `Authorization: ApiKey <key>` header, as in the examples above).

Request body schema: application/json

A JSON object with a `data.attributes` object carrying `type` (the template type) and `contents` (the template text as a string), as in the examples above.

Responses

200 Success response
401 Unauthorized. The requesting user does not have enough privilege.
403 Forbidden. Returned when a valid API key is not provided or the user does not have access to the supplied account.
404 Not Found. The profile that was requested was not found.
500 Parsing of the template file failed.
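The following script is an added example, not Cloud Conformity's own code, showing how the two endpoints on this page combine into a CI gate: it fetches the rule catalogue, submits a template with the ApiKey header, maps the documented 401/403/404/500 responses to readable errors, and fails the job when a FAILURE finding at or above a chosen risk level comes back. The shape of the scan response is an assumption (the page only shows it as a "data" array and a "meta" object): the code assumes each item carries "attributes" with "status", "risk-level", "rule-title" and "resource", plus a "relationships.rule.data.id" pointing at a rule id; the risk ordering in RISK_ORDER is likewise assumed. The sample rules and scan results are constructed for the demonstration.

```python
#!/usr/bin/env python3
# Added example, not Cloud Conformity's code: scan a template and gate a CI job on the result.
# Assumed (not shown on this page): each scan "data" item has "attributes" with "status"
# ("SUCCESS"/"FAILURE"), "risk-level", "rule-title" and "resource", and a
# "relationships" -> "rule" -> "data" -> "id" linking it to GET /template-scanner/rules.
import json
import os
import sys
import urllib.error
import urllib.request

TEMPLATE_TYPES = ("cloudformation-template", "terraform-template")  # enum from the doc
RISK_ORDER = ("LOW", "MEDIUM", "HIGH", "VERY_HIGH", "EXTREME")      # assumed ordering
CONTENT_TYPE = "application/vnd.api+json"
STATUS_MESSAGES = {  # error meanings as documented for POST /template-scanner/scan
    401: "Unauthorized: the requesting user does not have enough privilege",
    403: "Forbidden: API key missing or invalid, or no access to the supplied account",
    404: "Not Found: the requested profile was not found",
    500: "Parsing of the template file failed",
}


def call(url, api_key, body=None, timeout=60):
    """GET (no body) or POST (JSON body) with the ApiKey header; map HTTP errors to documented meanings."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method="POST" if data else "GET",
        headers={"Content-Type": CONTENT_TYPE, "Authorization": f"ApiKey {api_key}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"{exc.code}: {STATUS_MESSAGES.get(exc.code, exc.reason)}") from exc


def build_payload(contents, template_type="cloudformation-template"):
    """JSON:API body; the template is sent verbatim as a string and parsed server-side."""
    if template_type not in TEMPLATE_TYPES:
        raise ValueError(f"type must be one of {TEMPLATE_TYPES}, got {template_type!r}")
    return {"data": {"attributes": {"type": template_type, "contents": contents}}}


def index_rules(rules_response):
    """Map rule id -> compliance standards from the GET /template-scanner/rules response."""
    return {r["id"]: r["attributes"].get("compliances", []) for r in rules_response.get("data", [])}


def summarize_findings(scan_response, rules, fail_on="HIGH"):
    """Count checks; collect FAILURE checks at or above `fail_on`, annotated with their compliances."""
    threshold = RISK_ORDER.index(fail_on)
    summary = {"total": 0, "failures": 0, "blocking": []}
    for item in scan_response.get("data", []):
        attrs = item.get("attributes", {})
        summary["total"] += 1
        if attrs.get("status") != "FAILURE":
            continue
        summary["failures"] += 1
        risk = attrs.get("risk-level", "LOW")
        if risk not in RISK_ORDER or RISK_ORDER.index(risk) < threshold:
            continue
        rule_id = item.get("relationships", {}).get("rule", {}).get("data", {}).get("id")
        summary["blocking"].append({"rule": rule_id, "risk": risk, "title": attrs.get("rule-title"),
                                    "resource": attrs.get("resource"), "compliances": rules.get(rule_id, [])})
    return summary


# Constructed samples (not captured from the API); the rules are abbreviated from the two on this page.
SAMPLE_RULES = {"data": [
    {"type": "rules", "id": "EC2-001", "attributes": {"title": "Security Group Port Range",
     "compliances": ["NIST4", "SOC2", "PCI"], "provider": "aws", "service": "EC2"}},
    {"type": "rules", "id": "EC2-014", "attributes": {"title": "Security Group Rules Counts",
     "compliances": ["AWAF", "PCI"], "provider": "aws", "service": "EC2"}},
]}
SAMPLE_SCAN = {"data": [
    {"type": "checks", "id": "c1", "relationships": {"rule": {"data": {"type": "rules", "id": "EC2-001"}}},
     "attributes": {"status": "FAILURE", "risk-level": "VERY_HIGH",
                    "rule-title": "Security Group Port Range", "resource": "WebSecurityGroup"}},
    {"type": "checks", "id": "c2", "relationships": {"rule": {"data": {"type": "rules", "id": "EC2-014"}}},
     "attributes": {"status": "FAILURE", "risk-level": "LOW",
                    "rule-title": "Security Group Rules Counts", "resource": "WebSecurityGroup"}},
    {"type": "checks", "id": "c3", "relationships": {"rule": {"data": {"type": "rules", "id": "EC2-001"}}},
     "attributes": {"status": "SUCCESS", "risk-level": "HIGH",
                    "rule-title": "Security Group Port Range", "resource": "DbSecurityGroup"}},
], "meta": {}}

if __name__ == "__main__":
    # Usage: CC_API_KEY=... python3 scan_gate.py template.yaml [cloudformation-template|terraform-template]
    path, ttype = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "cloudformation-template")
    api_key = os.environ["CC_API_KEY"]  # keep the key out of the script and the shell history
    base = f"https://{os.environ.get('CC_REGION', 'us-west-2')}-api.cloudconformity.com/v1/template-scanner"
    rules = index_rules(call(f"{base}/rules?type={ttype}", api_key))
    with open(path, encoding="utf-8") as fh:
        scan = call(f"{base}/scan", api_key, build_payload(fh.read(), ttype))
    summary = summarize_findings(scan, rules, os.environ.get("FAIL_ON", "HIGH"))
    print(json.dumps(summary, indent=2))
    sys.exit(1 if summary["blocking"] else 0)
```

The template is never parsed client-side: it is sent as an opaque string, which is why a malformed file surfaces as the documented 500 rather than a local exception. The `FAIL_ON` threshold lets a pipeline block on VERY_HIGH findings while still reporting lower-risk ones, and the compliance annotation makes the failing rule's framework mappings (from the rules endpoint) visible in the job output.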
Response sample (application/json):

{
  "data": [ ... ],
  "meta": { ... }
}