Use infrastructure as code

Building infrastructure as code

AWS offers several ways to deploy infrastructure as code, such as the AWS CLI, AWS CloudFormation and the AWS CDK; third-party tools such as Terraform work against the same APIs. Describing infrastructure as code facilitates governance, enables versioning of the architecture, makes it possible to rebuild a compromised environment from a known-good definition, and allows templates to be evaluated for non-compliance before any infrastructure is created.

It’s recommended to leverage Infrastructure as Code (IaC) to build, validate, and recreate infrastructure based on code that can be versioned and introduced into a change management process.

Third-party tools such as HashiCorp Terraform and Ansible are also available.

Adopting Infrastructure as Code early has significant benefits: reverse-engineering CloudFormation templates from infrastructure that was built by hand is not simple. If you are part of a large organization that will eventually move to IaC, prioritize this recommendation.

CloudFormation Guard: Validations prior to deploy

AWS published CloudFormation Guard, a policy-as-code tool that checks CloudFormation templates against rules before they are deployed, so a non-compliant resource is caught before it exists. For example, you could require that every S3 bucket in a template has default encryption enabled.

https://github.com/aws-cloudformation/cloudformation-guard
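The bucket-encryption check described above, as an added example that is not code from the page or from the cfn-guard project: a plain-Python version of the rule, run over a constructed JSON CloudFormation template (resource names and key alias are made up), so it can be tried without installing the tool. The Guard rule in the comment is my transcription of the 2.x rules language and should be checked against the project documentation.

```python
"""Pre-deployment check: every AWS::S3::Bucket in a CloudFormation template
must declare default server-side encryption with an approved algorithm.

Added example, not from the page or the cfn-guard project. The template
below is constructed for illustration; resource names are hypothetical.

Equivalent rule in the CloudFormation Guard 2.x rules language (my
transcription; verify against the project docs before relying on it):

  let buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]
  rule s3_default_encryption when %buckets !empty {
      %buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ['AES256', 'aws:kms']
  }
"""
import json
import sys

# SSE-S3 and SSE-KMS are the two algorithms CloudFormation accepts for
# default bucket encryption; anything else (or nothing) is a finding.
ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}

# Constructed sample template: one compliant bucket, one bucket with no
# encryption block at all, and one non-bucket resource that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                               "KMSMasterKeyID": "alias/logs-key"}}
          ]
        }
      }
    },
    "ScratchBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {"VersioningConfiguration": {"Status": "Enabled"}}
    },
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {}}
  }
}
""")


def check_bucket_encryption(template: dict) -> list[str]:
    """Return one finding per non-compliant S3 bucket; an empty list means pass.

    Missing Properties, BucketEncryption or rule entries are treated as
    'no encryption configured' rather than raising, because a template that
    omits the block entirely is the common failure mode.
    """
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        enc = props.get("BucketEncryption") or {}
        rules = enc.get("ServerSideEncryptionConfiguration") or []
        algos = {
            (rule.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
            for rule in rules
        }
        if not algos:
            findings.append(f"{name}: no BucketEncryption configured")
            continue
        bad = algos - ALLOWED_ALGORITHMS
        if bad:
            findings.append(
                f"{name}: SSEAlgorithm {sorted(map(str, bad))} "
                f"not in {sorted(ALLOWED_ALGORITHMS)}"
            )
    return findings


def main() -> int:
    """Print findings and return a non-zero exit code so a pipeline stage fails."""
    findings = check_bucket_encryption(SAMPLE_TEMPLATE)
    for finding in findings:
        print("FAIL", finding)
    if not findings:
        print("PASS: all S3 buckets declare default encryption")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wiring a check like this (or cfn-guard itself) into the pipeline stage that runs before `aws cloudformation deploy` is what turns the rule into a gate: a non-zero exit stops the stack from ever being created with the unencrypted bucket.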

Pricing

There is no additional charge for the AWS CloudFormation service itself; you pay only for the AWS resources the stacks create. For additional details use the following link:

https://aws.amazon.com/cloudformation/pricing/