
CloudFormation Template examples

Sources

You can find some sample source files inside the examples directory:

  • examples/cloudformation contains CloudFormation Template example files to convert into OTM format.
  • examples/cloudformation/split contains a complete CloudFormation Template example file split into two different files.

To process these examples, you must use the mapping file that matches the source file type. You can find sample mapping files inside the examples/cloudformation directory.

Examples

CloudFormation is the AWS tool that lets you model, provision, and manage AWS and third-party resources by treating infrastructure as code. StartLeft's repository contains an example CloudFormation mapping file that lets you generate threat models in the OTM standard from either a single CloudFormation template file or several of them, using a single command.

The following examples, which are located in the examples/cloudformation and examples/cloudformation/split directories, show you how to carry out the different stages of the process separately or in a single step.

Security Groups on multinetwork with Load Balancer

This is a rich example in which you can see some of StartLeft's capabilities in action. It represents the threat model for an architecture with two TrustZones and several Virtual Private Networks, which contain elements such as:

The following command will parse the CloudFormation source file multinetwork_security_groups_with_lb.json creating an OTM file multinetwork_security_groups_with_lb.otm in the process.

startleft parse \
    --iac-type CLOUDFORMATION \
    --default-mapping-file iriusrisk-cft-mapping.yaml \
    --output-file multinetwork_security_groups_with_lb.otm \
    --project-name "CFT MN Security Groups with LB" \
    --project-id "cft-mn-sg-lb" \
    multinetwork_security_groups_with_lb.json

Other examples

The StartLeft repository contains some other CloudFormation files with different architectures that let you experiment with different mappings and options. The same commands described above can be applied to them.

  • elb-no-waf. This is the simplest example, including only a public cloud as a TrustZone with an AWS Elastic Load Balancer as a single component.
  • elb-with-waf. Slight evolution of elb-no-waf by including another component, a Web Application Firewall, within the same TrustZone public cloud.

Split examples

In the examples/cloudformation/split directory, multinetwork_security_groups_with_lb.json has been split into two files, networks_cft_file.json and resources_cft_file.json. The following command will parse both CloudFormation source files, creating an OTM file multinetwork_security_groups_with_lb_from_multiple_files.otm in the process.

startleft parse \
    --iac-type CLOUDFORMATION \
    --default-mapping-file iriusrisk-cft-mapping.yaml \
    --output-file multinetwork_security_groups_with_lb_from_multiple_files.otm \
    --project-name "CFT MN Security Groups with LB from multiple files" \
    --project-id "cft-mn-sg-lb-ml-fl" \
    networks_cft_file.json \
    resources_cft_file.json
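Whichever of the two commands above you run, the result is an OTM file, and a quick structural check of that file is a useful step before importing it into a threat-modelling tool: a component whose parent references a TrustZone that does not exist, or a dataflow pointing at an unknown component, usually means a mapping did not match the template as expected. The script below is an added example and is not part of StartLeft or this documentation. It uses the top-level Open Threat Model field names (otmVersion, project, trustZones, components, dataflows, parent.trustZone / parent.component, source / destination). The embedded SAMPLE_OTM document is constructed for the example, with invented ids and names, and deliberately contains one orphaned component and one dangling dataflow so the check has something to report.

```python
"""Sanity-check the structure of an OTM file such as the output of `startleft parse`.

Added example (not StartLeft code). Field names follow the OTM schema; the
sample document below is constructed and does not come from the StartLeft
example files.
"""
import json
from typing import Dict, List

# Constructed sample OTM shaped like the multinetwork example's output:
# two trust zones, a VPC containing a load balancer and a server, plus one
# orphaned component and one dangling dataflow to exercise the checks.
SAMPLE_OTM = json.dumps({
    "otmVersion": "0.1.0",
    "project": {"name": "CFT MN Security Groups with LB", "id": "cft-mn-sg-lb"},
    "trustZones": [
        {"id": "public-cloud-tz", "name": "Public Cloud", "risk": {"trustRating": 10}},
        {"id": "internet-tz", "name": "Internet", "risk": {"trustRating": 1}},
    ],
    "components": [
        {"id": "vpc-1", "name": "CustomVPC", "type": "vpc",
         "parent": {"trustZone": "public-cloud-tz"}},
        {"id": "elb-1", "name": "ServiceLB", "type": "elastic-load-balancer",
         "parent": {"component": "vpc-1"}},
        {"id": "ec2-1", "name": "AppServer", "type": "ec2",
         "parent": {"component": "vpc-1"}},
        # Deliberately broken: parent trust zone does not exist.
        {"id": "orphan-1", "name": "Orphan", "type": "ec2",
         "parent": {"trustZone": "missing-tz"}},
    ],
    "dataflows": [
        {"id": "df-1", "name": "lb to app", "source": "elb-1", "destination": "ec2-1"},
        # Deliberately broken: destination is not a known component.
        {"id": "df-2", "name": "dangling", "source": "elb-1", "destination": "no-such"},
    ],
})


def check_otm(otm_text: str) -> Dict[str, List[str]]:
    """Return problem categories mapped to the offending keys or ids.

    Checks: required top-level keys present, component ids unique, every
    component parent resolves to a trust zone or component, and every
    dataflow source/destination resolves to a component.
    """
    otm = json.loads(otm_text)
    problems: Dict[str, List[str]] = {
        "missing_keys": [], "duplicate_id": [], "bad_parent": [], "bad_dataflow": [],
    }

    for key in ("otmVersion", "project", "trustZones", "components", "dataflows"):
        if key not in otm:
            problems["missing_keys"].append(key)

    tz_ids = {tz["id"] for tz in otm.get("trustZones", [])}
    comp_ids = set()
    for comp in otm.get("components", []):
        if comp["id"] in comp_ids:
            problems["duplicate_id"].append(comp["id"])
        comp_ids.add(comp["id"])

    # Parents are resolved after all ids are collected, so a child may precede
    # its parent component in the list.
    for comp in otm.get("components", []):
        parent = comp.get("parent", {})
        if "trustZone" in parent:
            resolved = parent["trustZone"] in tz_ids
        elif "component" in parent:
            resolved = parent["component"] in comp_ids
        else:
            resolved = False
        if not resolved:
            problems["bad_parent"].append(comp["id"])

    for df in otm.get("dataflows", []):
        if df.get("source") not in comp_ids or df.get("destination") not in comp_ids:
            problems["bad_dataflow"].append(df["id"])

    return problems


def summarize_otm(otm_text: str) -> Dict[str, int]:
    """Count trust zones, components and dataflows, a quick eyeball check."""
    otm = json.loads(otm_text)
    return {key: len(otm.get(key, [])) for key in ("trustZones", "components", "dataflows")}


def check_otm_file(path: str) -> Dict[str, List[str]]:
    """Convenience wrapper for a real .otm file, e.g. the output of the commands above."""
    with open(path, encoding="utf-8") as fh:
        return check_otm(fh.read())


if __name__ == "__main__":
    print(summarize_otm(SAMPLE_OTM))
    print(check_otm(SAMPLE_OTM))
```

To use it on a real run, call check_otm_file("multinetwork_security_groups_with_lb.otm") after the startleft command finishes; an empty list in every category means the generated model is at least internally consistent, while entries under bad_parent or bad_dataflow point at resources whose mapping deserves a second look.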