Auditing and Compliance with CloudFormation - Tutorial

Welcome to this tutorial on auditing and compliance with AWS CloudFormation. A CloudFormation template describes the state you intend to deploy, but what an auditor cares about is the state actually running in the account, which can diverge from the template through manual changes, failed updates, or resources created outside any stack. AWS Config records that actual state and evaluates it against rules, and CloudFormation can deploy those rules alongside the infrastructure they check, so the two together let you meet auditing requirements and maintain compliance in your cloud infrastructure deployments.

Example of Auditing with CloudFormation

Let's consider an example where you have a CloudFormation stack that provisions an Amazon S3 bucket. To ensure compliance, you want to audit the bucket to verify that it has default server-side encryption enabled, and to keep checking it after deployment, since a bucket's encryption configuration can be removed without touching the stack.

Command to Audit the S3 Bucket:

You can use the AWS CLI to create an AWS Config rule that evaluates every S3 bucket in the account and region:

aws configservice put-config-rule --config-rule '{
  "ConfigRuleName": "S3BucketEncryptionCheck",
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"
  },
  "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
  "ConfigRuleState": "ACTIVE"
}'

This creates a rule named S3BucketEncryptionCheck backed by the AWS managed rule S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED, which marks a bucket NON_COMPLIANT unless it has default encryption configured or its bucket policy denies PutObject requests that do not specify server-side encryption. Note that an AWS-managed rule must be identified by its SourceIdentifier (the Owner alone is not enough; the call is rejected without it), and that this rule is triggered by configuration changes rather than on a schedule, so it takes no MaximumExecutionFrequency (that setting is only valid for periodic rules). The call also fails with NoAvailableConfigurationRecorderException unless a configuration recorder and delivery channel already exist in the account and region; check with describe-configuration-recorders first. Once the rule has evaluated, get-compliance-details-by-config-rule lists each bucket with its compliance type and annotation.

Steps for Auditing and Compliance

  1. Identify the auditing requirements specific to your organization and the regulations or frameworks you must comply with, and express each one as a checkable control (for example, "every S3 bucket has default encryption").
  2. Decide where each control is enforced: declared in the CloudFormation template (the desired state) and checked after deployment by AWS Config (the actual state), because resources can be changed outside the stack.
  3. Enable AWS Config: create a configuration recorder for the resource types you need (including AWS::CloudFormation::Stack if you want stack history) and a delivery channel that writes configuration history and snapshots to an S3 bucket.
  4. Create AWS Config rules for each control: managed rules referenced by SourceIdentifier, or custom rules backed by a Lambda function. Declaring the rules as AWS::Config::ConfigRule resources in CloudFormation keeps the controls versioned and reviewed alongside the infrastructure they audit.
  5. Deploy or update your stacks; Config records a configuration item for every resource change and evaluates change-triggered rules immediately and periodic rules on their schedule.
  6. Review compliance through the AWS Config console or the API (for example, GetComplianceDetailsByConfigRule), and retain the delivery channel's S3 history as audit evidence.
  7. Remediate non-compliant resources by fixing the template and updating the stack, so the fix persists and the stack does not drift; for automatic remediation, attach an AWS::Config::RemediationConfiguration that runs a Systems Manager Automation document.
  8. Continuously re-evaluate: Config re-runs rules on every change, and compliance-change events can be routed through EventBridge to SNS or a ticketing system.

Common Mistakes with Auditing and Compliance

  • Not clearly defining auditing requirements and compliance standards for your infrastructure.
  • Overlooking or misconfiguring AWS Config rules, leading to incomplete or inaccurate audit findings.
  • Not recording the resource type a rule is scoped to (or recording in only one region), so the rule has nothing to evaluate and reports no findings, which is not the same as compliant.
  • Failing to regularly review and address audit findings and non-compliant resources.
  • Fixing non-compliant resources by hand in the console instead of in the template, which causes stack drift and is undone or flagged at the next stack update.
  • Not implementing automated remediation actions for non-compliant resources.

Frequently Asked Questions (FAQs)

1. Can I audit resources created outside of CloudFormation with AWS Config?

Yes, AWS Config can monitor and evaluate the compliance of both CloudFormation-managed resources and resources created outside of CloudFormation.

2. Can I customize AWS Config rules to match specific compliance requirements?

Yes. Beyond the AWS managed rules, you can write custom rules as AWS Lambda functions (Config invokes the function with the changed configuration item, and the function reports COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE back with PutEvaluations) or as custom policy rules written in AWS CloudFormation Guard syntax, which need no Lambda code.
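The following is an added example, not code from the original tutorial or from AWS: the handler for a custom Lambda-backed rule that performs the same bucket-encryption check as step 4 above and the answer just given, but with an optional rule parameter. The parameter name RequireKms, the bucket name and the sample events are assumptions constructed for this illustration; the event shape and the PutEvaluations call are the real AWS Config interfaces.

```python
"""Custom AWS Config rule (Lambda) evaluating AWS::S3::Bucket default encryption.

Added example, not part of the original tutorial. Assumes the rule is registered
with Owner CUSTOM_LAMBDA and a configuration-change trigger, so each invocation
carries exactly one configuration item. The rule parameter "RequireKms" (a name
chosen here) makes SSE-S3 (AES256) insufficient and demands SSE-KMS.
"""
import json
from typing import Any, Dict, Optional, Tuple

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"
DELETED_STATUSES = ("ResourceDeleted", "ResourceDeletedNotRecorded")


def default_sse_algorithm(config_item: Dict[str, Any]) -> Optional[str]:
    """Return the bucket's default SSE algorithm ("AES256" or "aws:kms"), or None.

    Config stores the bucket encryption configuration as a JSON string under
    supplementaryConfiguration.ServerSideEncryptionConfiguration; a bucket with
    no default encryption has no such key.
    """
    supplementary = config_item.get("supplementaryConfiguration") or {}
    raw = supplementary.get("ServerSideEncryptionConfiguration")
    if not raw:
        return None
    for rule in json.loads(raw).get("rules") or []:
        by_default = rule.get("applyServerSideEncryptionByDefault") or {}
        if by_default.get("sseAlgorithm"):
            return by_default["sseAlgorithm"]
    return None


def evaluate(config_item: Dict[str, Any], rule_params: Dict[str, str]) -> Tuple[str, str]:
    """Decide the compliance type and a short annotation for one configuration item."""
    if config_item.get("resourceType") != "AWS::S3::Bucket":
        return NOT_APPLICABLE, "Not an S3 bucket"
    if config_item.get("configurationItemStatus") in DELETED_STATUSES:
        # Reporting COMPLIANT/NON_COMPLIANT for a deleted bucket leaves a stale finding.
        return NOT_APPLICABLE, "Bucket deleted"
    algorithm = default_sse_algorithm(config_item)
    if algorithm is None:
        return NON_COMPLIANT, "No default server-side encryption configured"
    require_kms = rule_params.get("RequireKms", "false").lower() == "true"
    if require_kms and algorithm != "aws:kms":
        return NON_COMPLIANT, f"Default encryption is {algorithm}; SSE-KMS required"
    return COMPLIANT, f"Default encryption is {algorithm}"


def build_evaluation(event: Dict[str, Any]) -> Dict[str, str]:
    """Turn the Config invocation event into one PutEvaluations entry."""
    invoking = json.loads(event["invokingEvent"])
    if "configurationItem" not in invoking:
        # Oversized items arrive as configurationItemSummary and must be fetched
        # with GetResourceConfigHistory; that path is out of scope here.
        raise ValueError(f"unsupported messageType {invoking.get('messageType')!r}")
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate(item, params)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config rejects annotations over 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, str]:
    """Lambda entry point: evaluate, then report back with the event's resultToken."""
    import boto3  # imported here so the module runs offline without the SDK

    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"]
    )
    return evaluation


def make_event(sse_config: Optional[Dict[str, Any]], status: str = "OK",
               rule_params: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """Constructed sample event in the shape Config sends for a change trigger."""
    item: Dict[str, Any] = {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "example-audit-bucket",  # constructed bucket name
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": {"name": "example-audit-bucket"},
        "supplementaryConfiguration": {},
    }
    if sse_config is not None:
        item["supplementaryConfiguration"]["ServerSideEncryptionConfiguration"] = json.dumps(sse_config)
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_params or {}),
        "resultToken": "constructed-token",
    }


SSE_S3 = {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}
SSE_KMS = {"rules": [{"applyServerSideEncryptionByDefault":
                      {"sseAlgorithm": "aws:kms", "kmsMasterKeyID": "alias/example"}}]}

if __name__ == "__main__":
    for label, ev in [("sse-s3", make_event(SSE_S3)), ("none", make_event(None)),
                      ("deleted", make_event(None, status="ResourceDeleted")),
                      ("sse-s3, kms required", make_event(SSE_S3, rule_params={"RequireKms": "true"}))]:
        result = build_evaluation(ev)
        print(f"{label:22} {result['ComplianceType']:15} {result['Annotation']}")
```

To register it, declare an AWS::Config::ConfigRule whose Source has Owner CUSTOM_LAMBDA, SourceIdentifier set to the function ARN, and a SourceDetails entry with EventSource aws.config and MessageType ConfigurationItemChangeNotification; the function's execution role needs config:PutEvaluations, and a lambda:InvokeFunction resource policy must allow config.amazonaws.com to call it. Returning NOT_APPLICABLE for deleted buckets matters: a deleted resource that is never re-evaluated keeps its last COMPLIANT or NON_COMPLIANT state in the compliance view until it ages out.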

3. Can AWS Config help with auditing historical changes to CloudFormation stacks?

Yes. AWS Config records configuration items for the AWS::CloudFormation::Stack resource type and for the resources a stack creates, so you can see how a stack and its resources looked at any point in the retention period and which rules they violated at the time. Config shows what changed; to see who changed it and through which API call (including calls made by CloudFormation itself), pair it with CloudTrail, and use CloudFormation drift detection to find resources that were modified outside the stack.

4. Are there predefined AWS Config rules available for auditing CloudFormation?

Yes. Managed rules that apply directly to stacks include CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK (flags stacks whose live resources differ from the template) and CLOUDFORMATION_STACK_NOTIFICATION_CHECK (flags stacks without an SNS notification topic), and REQUIRED_TAGS can enforce tagging on stacks and on the resources they create.

5. How can I receive notifications or alerts for non-compliant resources?

AWS Config publishes every rule evaluation result as an EventBridge event (source aws.config, detail-type "Config Rules Compliance Change"), so an EventBridge rule can route non-compliant results to an Amazon SNS topic, a Lambda function, or a ticketing integration. The delivery channel's SNS topic also carries compliance-change notifications along with every configuration change, which is complete but considerably noisier.


Auditing and compliance are essential aspects of managing infrastructure-as-code deployments with AWS CloudFormation. By leveraging AWS Config and related services, you get continuous, evidence-backed verification that the deployed infrastructure, not just the templates, adheres to regulatory standards and organizational policies.