CloudFormation Template examples
Sources
You can find some sample source files inside the examples directory:
- examples/cloudformation contains CloudFormation Template example files to convert into OTM format.
- examples/cloudformation/split contains a complete CloudFormation Template example file split into two different files.
To process these examples, you must use the mapping file that matches the type of source file being converted. You can find some sample mapping files inside the examples/cloudformation directory.
Examples
CloudFormation is the AWS tool which lets you model, provision, and manage AWS and third-party resources by treating infrastructure as code. StartLeft's repository contains an example CloudFormation mapping file that enables you to generate threat models based on the OTM standard from both a single or multiple CloudFormation template files using a single command.
The following examples, which are located in the examples/cloudformation and examples/cloudformation/split directories, show you how to carry out the different stages of the process separately or in a single step.
Security Groups on multinetwork with Load Balancer
This is a rich example in which you can see some of the capabilities of StartLeft in action. It represents the threat model for an architecture with two TrustZones and several Virtual Private Networks which contain elements such as:
- Elastic Load Balancer.
- Elastic Container Service.
- CloudWatch Canary.
- VPC Endpoint.
- Security Groups mapped as dataflows.
The following command will parse the CloudFormation source file multinetwork_security_groups_with_lb.json, creating an OTM file multinetwork_security_groups_with_lb.otm in the process.
startleft parse \
--iac-type CLOUDFORMATION \
--default-mapping-file iriusrisk-cft-mapping.yaml \
--output-file multinetwork_security_groups_with_lb.otm \
--project-name "CFT MN Security Groups with LB" \
--project-id "cft-mn-sg-lb" \
multinetwork_security_groups_with_lb.json
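Once the command above has written the OTM file, it is worth checking that the generated model is internally consistent before importing it anywhere: every component should hang from a known trust zone or component, and every dataflow (the security groups are mapped as dataflows) should join two components that actually exist. The following script is an added example, not StartLeft's own code. It assumes the OTM layout of project / trustZones / components (each with a parent that is either a trust zone or another component) / dataflows (with source and destination), so adjust the key names if the OTM version you generate differs. The embedded SAMPLE_OTM document is constructed for illustration and is not real StartLeft output.

```python
"""Post-parse sanity check for an OTM file written by `startleft parse`.

Added example (not part of StartLeft). Run with a path to check a real file:
    python check_otm.py multinetwork_security_groups_with_lb.otm cft-mn-sg-lb
Without arguments it checks the constructed sample below.
"""
import json
import sys

# Constructed sample standing in for an OTM document; not real StartLeft output.
# It deliberately contains one orphaned component and one dangling dataflow.
SAMPLE_OTM = {
    "otmVersion": "0.1.0",
    "project": {"name": "CFT MN Security Groups with LB", "id": "cft-mn-sg-lb"},
    "trustZones": [
        {"id": "public-cloud", "name": "Public Cloud"},
        {"id": "internet", "name": "Internet"},
    ],
    "components": [
        {"id": "vpc-1", "name": "VPC", "type": "vpc",
         "parent": {"trustZone": "public-cloud"}},
        {"id": "elb-1", "name": "Load balancer", "type": "elastic-load-balancer",
         "parent": {"component": "vpc-1"}},
        {"id": "ecs-1", "name": "ECS service", "type": "ecs",
         "parent": {"component": "vpc-1"}},
        {"id": "orphan", "name": "Orphan", "type": "generic",
         "parent": {"component": "missing"}},
    ],
    "dataflows": [
        {"id": "sg-1", "name": "ELB -> ECS", "source": "elb-1", "destination": "ecs-1"},
        {"id": "sg-2", "name": "dangling", "source": "elb-1", "destination": "no-such-component"},
    ],
}


def check_otm(otm, expected_project_id=None):
    """Return a list of human-readable findings; empty means the document is consistent."""
    findings = []
    project = otm.get("project", {})
    if expected_project_id and project.get("id") != expected_project_id:
        findings.append(f"project id {project.get('id')!r}, expected {expected_project_id!r}")

    tz_ids = {tz["id"] for tz in otm.get("trustZones", [])}
    comp_ids = {c["id"] for c in otm.get("components", [])}
    if not tz_ids:
        findings.append("no trust zones: check that the mapping file matched the template")

    # Every component must be parented to an existing trust zone or component.
    for c in otm.get("components", []):
        parent = c.get("parent") or {}
        if "trustZone" in parent:
            if parent["trustZone"] not in tz_ids:
                findings.append(f"component {c['id']!r} parented to unknown trust zone {parent['trustZone']!r}")
        elif "component" in parent:
            if parent["component"] not in comp_ids:
                findings.append(f"component {c['id']!r} parented to unknown component {parent['component']!r}")
        else:
            findings.append(f"component {c['id']!r} has no parent")

    # Every dataflow endpoint must be a component that exists in the model.
    for df in otm.get("dataflows", []):
        for end in ("source", "destination"):
            if df.get(end) not in comp_ids:
                findings.append(f"dataflow {df.get('id')!r} {end} {df.get(end)!r} is not a component")
    return findings


def summarize(otm):
    """Count the top-level model elements, useful as a quick sanity figure."""
    return {k: len(otm.get(k, [])) for k in ("trustZones", "components", "dataflows")}


def check_otm_file(path, expected_project_id=None):
    """Load an OTM JSON file from disk and return (summary, findings)."""
    with open(path, encoding="utf-8") as fh:
        otm = json.load(fh)
    return summarize(otm), check_otm(otm, expected_project_id)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        expected = sys.argv[2] if len(sys.argv) > 2 else None
        summary, findings = check_otm_file(sys.argv[1], expected)
    else:
        summary, findings = summarize(SAMPLE_OTM), check_otm(SAMPLE_OTM, "cft-mn-sg-lb")
    print(summary)
    for finding in findings:
        print("FINDING:", finding)
    sys.exit(1 if findings else 0)
```

Passing the same --project-id you gave to startleft as the second argument confirms the OTM file you are looking at is the one the command produced; a non-zero exit status makes the check easy to wire into a pipeline step after the parse.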
Other examples
The StartLeft repository contains some other CloudFormation files with different architectures that allow you to experiment with different mappings and options. The same commands described above can be applied to them.
- elb-no-waf. This is the simplest example, including only a public cloud as a TrustZone with an AWS Elastic Load Balancer as a single component.
- elb-with-waf. A slight evolution of elb-no-waf that adds another component, a Web Application Firewall, within the same public cloud TrustZone.
Split examples
In the examples/cloudformation/split directory we have split the multinetwork_security_groups_with_lb.json file into two files, networks_cft_file.json and resources_cft_file.json.
The following command will parse both CloudFormation source files, creating an OTM file multinetwork_security_groups_with_lb_from_multiple_files.otm in the process.
startleft parse \
--iac-type CLOUDFORMATION \
--default-mapping-file iriusrisk-cft-mapping.yaml \
--output-file multinetwork_security_groups_with_lb_from_multiple_files.otm \
--project-name "CFT MN Security Groups with LB from multiple files" \
--project-id "cft-mn-sg-lb-ml-fl" \
networks_cft_file.json \
resources_cft_file.json
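When a template is split across files, as networks_cft_file.json and resources_cft_file.json are here, resources in one file refer (via Ref and Fn::GetAtt) to logical IDs defined in the other, so passing only one of the files to startleft, or accidentally defining the same logical ID in both, yields a model with missing or duplicated elements. The script below is an added example, not StartLeft's own code, that pre-flights a set of split template files before parsing: it flags logical IDs defined more than once and references that no file in the set resolves. The two embedded template fragments are constructed to resemble a networks file and a resources file; they are not the contents of the repository's actual files, and the check assumes StartLeft treats the files given on one command line as a single template.

```python
"""Pre-flight check for CloudFormation templates split across several files.

Added example (not part of StartLeft). Run with the files you intend to pass
to `startleft parse`:
    python check_split.py networks_cft_file.json resources_cft_file.json
Without arguments it checks the constructed fragments below.
"""
import json
import sys
from collections import Counter

# Constructed fragment standing in for a "networks" file (not the repository's real file).
NETWORKS_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet",
                         "Properties": {"VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.1.0/24"}},
    },
}

# Constructed fragment standing in for a "resources" file; the canary deliberately
# references a PrivateSubnet that neither fragment defines.
RESOURCES_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LoadBalancerSG": {"Type": "AWS::EC2::SecurityGroup",
                           "Properties": {"VpcId": {"Ref": "VPC"}, "GroupDescription": "lb"}},
        "LoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                         "Properties": {"Subnets": [{"Ref": "PublicSubnet"}],
                                        "SecurityGroups": [{"Fn::GetAtt": ["LoadBalancerSG", "GroupId"]}]}},
        "Canary": {"Type": "AWS::Synthetics::Canary",
                   "Properties": {"VPCConfig": {"SubnetIds": [{"Ref": "PrivateSubnet"}]}}},
    },
}

# CloudFormation pseudo parameters are always resolvable and must not be flagged.
PSEUDO_PARAMETERS = {
    "AWS::AccountId", "AWS::NotificationARNs", "AWS::NoValue", "AWS::Partition",
    "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix",
}


def collect_refs(node, out):
    """Walk a template fragment and collect logical IDs targeted by Ref / Fn::GetAtt."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            out.add(node["Ref"])
        target = node.get("Fn::GetAtt")
        if isinstance(target, list) and target:
            out.add(target[0])                      # ["LogicalId", "Attribute"] form
        elif isinstance(target, str):
            out.add(target.split(".", 1)[0])        # "LogicalId.Attribute" short form
        for value in node.values():
            collect_refs(value, out)
    elif isinstance(node, list):
        for value in node:
            collect_refs(value, out)
    return out


def check_split_templates(templates):
    """templates: parsed CloudFormation dicts. Return a sorted list of findings."""
    findings = []
    definitions = Counter()
    for template in templates:
        definitions.update(template.get("Resources", {}).keys())
    for logical_id, count in sorted(definitions.items()):
        if count > 1:
            findings.append(f"logical id {logical_id} is defined in {count} files")

    # A reference resolves if some file defines it as a resource or parameter.
    known = set(definitions) | PSEUDO_PARAMETERS
    for template in templates:
        known |= set(template.get("Parameters", {}).keys())
    referenced = set()
    for template in templates:
        collect_refs(template.get("Resources", {}), referenced)
    for logical_id in sorted(referenced - known):
        findings.append(f"unresolved reference to {logical_id}")
    return findings


def check_split_files(paths):
    """Load the given JSON template files and check them as one set."""
    templates = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            templates.append(json.load(fh))
    return check_split_templates(templates)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_split_files(sys.argv[1:])
    else:
        results = check_split_templates([NETWORKS_TEMPLATE, RESOURCES_TEMPLATE])
    for finding in results:
        print("FINDING:", finding)
    sys.exit(1 if results else 0)
```

Running it with only the resources file reports the VPC and subnet references as unresolved, which is exactly the situation in which the generated threat model would lose the network structure the dataflows depend on; running it with both files reduces the findings to genuine gaps in the templates themselves.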