Question 1

How to suppress false positives in cfn_nag?

Accepted Answer

Add a cfn_nag metadata key to the CloudFormation resource with rules_to_suppress, as shown in the README for security groups. This allows per-resource suppression with documented reasons, keeping templates clean while avoiding unnecessary warnings.

Question 2

cfn_nag vs cfn-lint: which is better for security?

Accepted Answer

cfn_nag is specialized for security misconfigurations with a rich rule set, while cfn-lint is a general-purpose linter for CloudFormation syntax and AWS best practices. For security scanning, cfn_nag is more comprehensive, but cfn-lint covers broader validation aspects.

Question 3

Can cfn_nag scan Terraform templates?

Accepted Answer

No, cfn_nag is designed only for AWS CloudFormation templates. For Terraform, you need tools like tfsec or Checkov, which offer similar security scanning but for different infrastructure-as-code languages.

Question 4

How to integrate cfn_nag into a Jenkins pipeline?

Accepted Answer

Install the Ruby gem or use the Docker image in your Jenkins agent. Run cfn_nag_scan with the input path, and leverage its non-zero exit codes for failures to break the build, similar to the GitHub Action example in the README.

Question 5

Does cfn_nag work with CloudFormation nested stacks?

Accepted Answer

The README doesn't explicitly mention nested stacks, but since cfn_nag scans directories recursively, it can process multiple templates. However, parameter passing between nested stacks might not be fully evaluated without manual configuration.

Question 6

What are the most common cfn_nag rules for IAM?

Accepted Answer

Common rules include F1 for IAM policy wildcards, F3 for missing conditions, and W11 for password literals. Use the cfn_nag_rules command to list all rules, focusing on those tagged with IAM-related identifiers in the output.

Stelligent/cfn_nag

What is Stelligent/cfn_nag?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions