List Template Scanner rules
get/template-scanner/rules
This endpoint returns the list of available rules that are executed when scanning a template.
Example Request (CloudFormation):
curl -H "Content-Type: application/json" \
https://us-west-2-api.cloudconformity.com/v1/template-scanner/rules?type=cloudformation-template
Example Request (Terraform):
curl -H "Content-Type: application/json" \
https://us-west-2-api.cloudconformity.com/v1/template-scanner/rules?type=terraform-template
Example Response:
{
"data": [
{
"type": "rules",
"id": "EC2-001",
"attributes": {
"title": "Security Group Port Range",
"description": "Ensure no security group opens range of ports",
"compliances": [
"NIST4",
"NIST5",
"SOC2",
"NIST-CSF",
"AGISM",
"HITRUST",
"ASAE-3150",
"PCI",
"PCI-V4",
"FEDRAMP",
"CSA"
],
"provider": "aws",
"service": "EC2"
}
},
{
"type": "rules",
"id": "EC2-014",
"attributes": {
"title": "Security Group Rules Counts",
"description": "Determine if there is a large number of rules in a security group",
"compliances": [
"AWAF",
"AGISM",
"ASAE-3150",
"PCI",
"PCI-V4",
"CSA"
],
"provider": "aws",
"service": "EC2"
}
}, ...more rules
]
}
Request
Responses
200
Success response
Response samples
- 200
application/json
{- "data": [
- {
- "type": "rules",
- "id": "string",
- "attributes": {
- "title": "string",
- "description": "string",
- "compliances": [
- "string"
], - "provider": "string",
- "service": "string"
}
}
]
}Scan a template
post/template-scanner/scan
Template scanner accepts CloudFormation templates, in either YAML or JSON format, and Terraform plan templates only in JSON format. For assistance in how to generate Terraform plan templates from HCL to JSON format, please refer to the section Scanning a Terraform Template in the Help pages.
| AWS Resource | CloudFormation | Terraform |
|---|---|---|
| API Gateway | ||
| RestApi | ✅ | ❌ |
| AutoScaling | ||
| Group | ✅ | ✅ |
| LaunchConfiguration | ✅ | ❌ |
| CloudFormation | ||
| Stack | ✅ | ✅ |
| CloudTrail | ||
| Trail | ✅ | ❌ |
| DynamoDB | ||
| Table | ✅ | ✅ |
| EC2 | ||
| Instance | ✅ | ✅ |
| Volume | ✅ | ✅ |
| ECR | ||
| Repository | ❌ | ✅ |
| EFS | ||
| FileSystem | ✅ | ❌ |
| ElastiCache | ||
| CacheCluster | ✅ | ❌ |
| Elasticsearch | ||
| Domain | ✅ | ❌ |
| ELB | ||
| LoadBalancer | ✅ | ❌ |
| ELBv2 | ||
| LoadBalancer | ✅ | ❌ |
| EMR | ||
| Cluster | ✅ | ❌ |
| IAM | ||
| Group | ✅ | ✅ |
| ManagedPolicy | ✅ | ✅ |
| Role | ✅ | ✅ |
| Kinesis | ||
| Stream | ✅ | ✅ |
| KMS | ||
| Key | ✅ | ✅ |
| Lambda | ||
| Function | ✅ | ✅ |
| RDS | ||
| DBCluster | ✅ | ✅ |
| DBInstance | ✅ | ✅ |
| Redshift | ||
| Cluster | ✅ | ❌ |
| S3 | ||
| Bucket | ✅ | ✅ |
| SNS | ||
| Topic | ✅ | ✅ |
| SQS | ||
| Queue | ✅ | ✅ |
| VPC | ||
| NatGateway | ✅ | ✅ |
| NetworkAcl | ✅ | ✅ |
| NetworkInterface | ✅ | ✅ |
| SecurityGroup | ✅ | ✅ |
| Subnet | ✅ | ❌ |
| VPC | ✅ | ✅ |
| VPCEndpoint | ✅ | ✅ |
| WorkSpaces | ||
| WorkSpace | ✅ | ❌ |
- Child modules are also supported for Terraform
Supported rules:
All resource level rules are supported. For CloudFormation template rules supported, please refer to the CloudFormation rules endpoint for a list. For Terraform JSON plan rules supported, please refer to the Terraform rules endpoint for a list.
Examples:
Scan a template using Bash:
#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed
# Cloud Conformity API Key
api_key="Your Cloud Conformity API Key"
# Path to template file
file_path="Path to template"
# Region in which Cloud Conformity serves your organisation
region="us-west-2"
contents=$(cat ${file_path} | jq '.' -MRs)
payload="{\"data\":{\"attributes\":{\"type\":\"cloudformation-template\",\"contents\":${contents}}}}"
echo Request:
echo ${payload} | jq '.' -M
echo Response:
curl -s -X POST \
-H "Authorization: ApiKey ${api_key}" \
-H "Content-Type: application/vnd.api+json" \
https://${region}-api.cloudconformity.com/v1/template-scanner/scan \
--data-binary "${payload}" | jq '.' -M
Scan a template using Python:
#!/usr/bin/env python
# Scans a template file
# Requires "requests" to be installed
import requests
import json
# Please substitute filePath, apiKey, and region
# Cloud Conformity API Key
apiKey="Your Cloud Conformity API Key"
# Path to CloudFormation template file Yaml or JSON file
filePath="Path to CloudFormation template"
# Region in which Cloud Conformity serves your organisation
region="us-west-2"
endpoint = 'https://' + region + '-api.cloudconformity.com'
url = endpoint + '/v1/template-scanner/scan'
headers = {
'Content-Type': 'application/vnd.api+json',
'Authorization': 'ApiKey ' + apiKey
}
contents = open(filePath, 'r').read()
payload = {
'data': {
'attributes': {
'type': 'cloudformation-template',
'contents': contents
}
}
}
print 'Request:\n' + json.dumps(payload, indent=2)
resp = requests.post(url, headers=headers, data=json.dumps(payload))
print 'Response:\n' + json.dumps(resp.json(), indent=2, sort_keys=True)
SecurityApiKeyAuth
Request
Request Body schema: application/json
One of:
object A JSON object containing the following properties |
Responses
200
200 response
401
Unauthorized. The requesting user does not have enough privilege.
403
Forbidden. This happens when a valid api key is not provided or the user does not have access to the supplied account.
404
Not Found. The profile that was requested was not found.
500
The parsing of the template file failed
Request samples
- Payload
application/json
{- "data": {
- "attributes": {
- "type": "cloudformation-template",
- "contents": "AWSTemplateFormatVersion: 2010-09-09\nResources:\n Ec2Instance:\n Type: AWS::EC2::Instance\n Properties:\n InstanceType:\n Ref: InstanceTypeParameter01\nParameters:\n InstanceTypeParameter01:\n Type: String\n Default: t2.micro\n AllowedValues:\n - t2.micro\n - m1.small\n - m1.large\n",
- "arguments": [
- {
- "name": "InstanceTypeParameter01",
- "value": "m1.large"
}
], - "pseudoArguments": {
- "AWS::StackName": "test-stack-name-01"
}
}
}
}Response samples
- 200
- 401
- 403
- 404
- 500
application/json
{- "data": [
- {
- "type": "checks",
- "id": "ccc:H19NxM15-:CUSTOM-001:EC2:us-west-2:sg-956d00ea",
- "attributes": {
- "accountId": "FJagHgv1g",
- "categories": [
- "security"
], - "compliances": [
- "NIST4",
- "AWAF"
], - "cost": 3.1968,
- "created-date": 1521660152755,
- "descriptorType": "s3-bucket",
- "eventId": "Skzp7ra1WW",
- "excluded": false,
- "extradata": [
- {
- "label": "Group Id",
- "name": "GroupId",
- "type": "META",
- "value": "sg-2e885d00"
}
], - "failure-discovery-date": 1521660152755,
- "failure-introduced-by": "someone@test.com",
- "ignored": false,
- "last-updated-date": 1521660152755,
- "last-updated-by": "someone@test.com",
- "last-modified-date": 1521660152755,
- "lastStatusUpdateDate": 1521660152755,
- "link-title": "gm-bucket-4",
- "message": "Bucket S3Bucket allows public 'READ' access.",
- "not-scored": false,
- "notes": [
- {
- "createdBy": "SYmS0YcL-",
- "createdDate": 1511456432526,
- "note": "hello world"
}
], - "organisationId": "F1r9_41ul",
- "pretty-risk-level": "Medium",
- "provider": "aws",
- "providerResourceId": "arn:aws:sns:us-east-1:123456789012:MyTopic",
- "region": "us-west-2",
- "resolved-date": 1521660152755,
- "resolved-by": "someone@test.com",
- "resolution-page-url": "https://www.cloudconformity.com/conformity-rules/IAM/unused-iam-group.html#",
- "resource": "S3Bucket",
- "resourceName": "KeyVault Vault",
- "risk-level": "HIGH",
- "rule-title": "Custom Rule about EC2 SGs",
- "service": "S3",
- "status": "SUCCESS",
- "suppressed": true,
- "suppressed-until": 1521660152755,
- "tags": [
- "key0::value0",
- "key1::value1"
], - "ttl": 1521660152755,
- "waste": 54.32
}, - "relationships": {
- "rule": {
- "data": {
- "type": "rules",
- "id": "CUSTOM-001"
}
}, - "account": {
- "data": {
- "type": "accounts",
- "id": "H19NxM15-"
}
}
}
}
], - "meta": {
- "missingParameters": [
- "AmazonASN"
], - "errors": [
- {
- "ruleId": "ACM-001",
- "resourceId": "i-1234567890abcdef0",
- "errorMessage": "UNKNOWN ERROR"
}
]
}
}