# 🛡 Guardian

> Just because you don't see something, doesn't mean it doesn't exist
>
> Anonymous on Tumblr - 2012
Guardian is a tool that analyzes the configuration of your AWS resources against best-practice rules.
Guardian solves problems before they occur, and optimizes your app's performance and costs.
## 🔎 Install Guardian on your project and customize your experience

```sh
yarn add -D @kumo-by-theodo/guardian
```

Select the CloudFormation stacks you want to check using the `-c` option:

```sh
yarn guardian -c {YOUR_AWS_STACK_NAME_1} {YOUR_AWS_STACK_NAME_2}
```

Filter the checked resources by tags using the `-t` option:

```sh
yarn guardian -t Key={TAG_KEY},Value={TAG_VALUE}
```

Specify an AWS profile or an AWS region using the `-p` and `-r` options:

```sh
yarn guardian -p {YOUR_AWS_PROFILE} -c {YOUR_AWS_STACK_NAME} -r {YOUR_AWS_REGION}
```
## 📟 Run Guardian as a periodic check on your CI

The command you want to run in your pipeline is:

```sh
yarn guardian -p {YOUR_AWS_PROFILE} -c {YOUR_AWS_STACK_NAME} -r {YOUR_AWS_REGION} -l {YOUR_DESIRED_LEVEL}
```

GitHub Actions, CircleCI and GitLab CI configuration snippets are coming soon.

- Ensure that the CI/CD runner has an AWS profile configured, with AdministratorAccess privileges.
- If the region is not configured for that profile, make sure to specify it using the `-r` flag in the command.
## 📏 Rules featured by Guardian

- AWS Lambda:
  - **Lambda: Use ARM64 architecture**: checks that you're using ARM64 architectures for your Lambda functions.
  - **Lambda: No shared IAM roles**: checks that each one of your Lambda functions has its own IAM role.
  - **Lambda: Limited amount of versions**: checks that you do not store all previous deployment versions for your Lambda functions.
  - **Lambda: Specify failure destination to async functions**: checks that each one of your async Lambda functions has a failure destination.
  - **Lambda: No identical code**: checks that each one of your Lambda functions has different code.
  - **Lambda: Light bundle**: checks that each one of your Lambda functions' bundles is reasonably small.
  - **Lambda: No default memory**: checks that you have consciously configured your Lambda functions' memory size.
  - **Lambda: Under maximum memory**: checks that each one of your Lambda functions' memory size is reasonably small.
  - **Lambda: No maximum timeout**: checks that your Lambda functions' timeout is not set at the maximum available.
- AWS S3:
  - **S3: Use intelligent tiering**: checks that each one of your S3 buckets has intelligent tiering enabled.
  - **S3: Server-side encryption enabled**: checks that a server-side encryption solution is enabled on each S3 bucket.
- AWS Cognito:
  - **Cognito: Sign-in case insensitivity**: checks that your Cognito user pool is insensitive to user name case.
- AWS CloudWatch:
  - **CloudWatch Log Groups: Defined logs retention duration**: checks that each of your Log Groups has a defined log retention duration.
- AWS EventBridge:
  - **EventBridge: Specified dead letter queue**: checks that each EventBridge Rule target has a dead letter queue.
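The Lambda rules above are described only in prose. As an added example (it is not Guardian's own code, which ships in the `@kumo-by-theodo/guardian` package), the following TypeScript rule engine applies five of them (ARM64, no shared IAM roles, no default memory, under maximum memory, no maximum timeout) to a constructed set of function configurations. The field names follow the shape of AWS Lambda's `FunctionConfiguration` (`FunctionName`, `Role`, `MemorySize`, `Timeout`, `Architectures`); the "reasonably small" memory ceiling, the sample account id and the function names are assumptions made for this example.

```typescript
// Added example, not Guardian's own code: a small rule engine that applies five of
// the Lambda checks listed above to constructed function configurations.
// Field names follow the AWS Lambda FunctionConfiguration shape; the threshold
// marked "assumed" and the sample data are assumptions made for this example.

export interface FunctionConfig {
  FunctionName: string;
  Role: string;            // IAM role ARN the function executes with
  MemorySize: number;      // MB
  Timeout: number;         // seconds
  Architectures: string[]; // ["arm64"] or ["x86_64"]
}

export interface Finding {
  rule: string;
  functionName: string;
  detail: string;
}

// Every rule sees the whole set, because some checks (shared roles) are cross-function.
export type Rule = (fns: FunctionConfig[]) => Finding[];

export const LAMBDA_DEFAULT_MEMORY_MB = 128; // value Lambda uses when MemorySize is left unset
export const LAMBDA_MAX_TIMEOUT_S = 900;     // Lambda's hard timeout limit (15 minutes)
export const ASSUMED_MAX_MEMORY_MB = 1024;   // assumed threshold for "reasonably small"

const finding = (rule: string, f: FunctionConfig, detail: string): Finding => ({
  rule,
  functionName: f.FunctionName,
  detail,
});

// Lambda: Use ARM64 architecture
export const useArm64: Rule = (fns) =>
  fns
    .filter((f) => f.Architectures.indexOf("arm64") === -1)
    .map((f) => finding("Lambda: Use ARM64 architecture", f, `architectures: ${f.Architectures.join(", ")}`));

// Lambda: No shared IAM roles. Group by role ARN and flag every function in a group of two or more.
export const noSharedIamRoles: Rule = (fns) => {
  const byRole: Record<string, FunctionConfig[]> = {};
  fns.forEach((f) => {
    byRole[f.Role] = (byRole[f.Role] || []).concat([f]);
  });
  const findings: Finding[] = [];
  Object.keys(byRole).forEach((role) => {
    const group = byRole[role];
    if (group.length < 2) return;
    group.forEach((f) => {
      const others = group.filter((g) => g !== f).map((g) => g.FunctionName).join(", ");
      findings.push(finding("Lambda: No shared IAM roles", f, `role ${role} is also used by ${others}`));
    });
  });
  return findings;
};

// Lambda: No default memory. A function still at the default has probably never been sized.
export const noDefaultMemory: Rule = (fns) =>
  fns
    .filter((f) => f.MemorySize === LAMBDA_DEFAULT_MEMORY_MB)
    .map((f) => finding("Lambda: No default memory", f, `memory left at the default ${LAMBDA_DEFAULT_MEMORY_MB} MB`));

// Lambda: Under maximum memory
export const underMaxMemory: Rule = (fns) =>
  fns
    .filter((f) => f.MemorySize > ASSUMED_MAX_MEMORY_MB)
    .map((f) => finding("Lambda: Under maximum memory", f, `${f.MemorySize} MB exceeds the assumed ${ASSUMED_MAX_MEMORY_MB} MB ceiling`));

// Lambda: No maximum timeout
export const noMaxTimeout: Rule = (fns) =>
  fns
    .filter((f) => f.Timeout >= LAMBDA_MAX_TIMEOUT_S)
    .map((f) => finding("Lambda: No maximum timeout", f, `timeout set to the maximum ${LAMBDA_MAX_TIMEOUT_S} s`));

export const LAMBDA_RULES: Rule[] = [useArm64, noSharedIamRoles, noDefaultMemory, underMaxMemory, noMaxTimeout];

// Run every rule over the whole set and concatenate the findings.
export function runRules(fns: FunctionConfig[], rules: Rule[] = LAMBDA_RULES): Finding[] {
  return rules.reduce<Finding[]>((acc, rule) => acc.concat(rule(fns)), []);
}

// Constructed sample input: the account id and names are placeholders, not real resources.
export const SAMPLE_FUNCTIONS: FunctionConfig[] = [
  { FunctionName: "orders-api", Role: "arn:aws:iam::123456789012:role/orders-api-role", MemorySize: 512, Timeout: 10, Architectures: ["arm64"] },
  { FunctionName: "orders-worker", Role: "arn:aws:iam::123456789012:role/shared-lambda-role", MemorySize: 128, Timeout: 900, Architectures: ["x86_64"] },
  { FunctionName: "reports-worker", Role: "arn:aws:iam::123456789012:role/shared-lambda-role", MemorySize: 3008, Timeout: 60, Architectures: ["arm64"] },
];

// One line per finding, in the order the rules ran.
export function formatReport(findings: Finding[]): string {
  return findings.map((f) => `[${f.rule}] ${f.functionName}: ${f.detail}`).join("\n");
}

console.log(formatReport(runRules(SAMPLE_FUNCTIONS)));
```

On the sample data, `orders-api` passes every rule, `orders-worker` is flagged four times (x86_64, shared role, default memory, maximum timeout) and `reports-worker` twice (shared role, memory over the assumed ceiling). The shared-role check is the reason rules take the whole function list rather than one function at a time: a role is only "shared" relative to the other functions in the stack.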
Check out our articles to find out more:
- That one AWS Lambda hidden configuration that will make you a Hero - Guardian is watching over you by Zineb
- AWS Lambda Versions : Time to clean up! - Guardian is watching over you by Pierre
- AWS Lambda 101: Shave That Bundle Down by Éloi
## 📰 About Guardian

Guardian is a Theodo Group project made for AWS Serverless developers by AWS Serverless developers. The original idea appeared at Aleios. Guardian was migrated to TypeScript and enriched by Kumo.