#720: Hooked on CloudFormation: GoDaddy stays proactive with AWS CloudFormation Hooks
Digest
This podcast explores AWS CloudFormation Hooks, a feature that evaluates infrastructure-as-code configurations proactively, before the resources they describe are provisioned. Stella Hee and James Kelly of GoDaddy discuss why Infrastructure as Code (IaC) matters and explain how hooks work, including authoring policies as Lambda functions or CloudFormation Guard rules and configuring a hook to warn or to block. GoDaddy's rollout shows how they balance security governance with developer flexibility through account-level overrides and a structured review process for new services, assisted by LLMs. The guests describe the gains in developer experience and velocity and the freedom for teams to choose their own tools and services. The episode closes with practical implementation tips: start with the pre-built hooks, and use IAM policies so that resources cannot be created outside the hook-guarded CloudFormation path.
Outlines

Introduction to CloudFormation Hooks and GoDaddy's Implementation
The podcast introduces CloudFormation hooks, their purpose in proactive infrastructure-as-code evaluation, and sets the stage by introducing guests Stella Hee and James Kelly from GoDaddy who share their experience implementing these hooks to improve security and developer velocity.

Implementing and Authoring CloudFormation Hooks
This section explains how CloudFormation hooks are used in practice: authoring policies, best practices, and configuring a hook's failure mode so that a violation either raises a warning or blocks the operation. The two authoring methods, Lambda functions and CloudFormation Guard rules, are compared.
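As an added example of the Lambda authoring path (this is not code from the podcast, AWS, or GoDaddy), the handler below evaluates AWS::S3::Bucket properties before the bucket is provisioned and returns a hook response. The request and response field names (actionInvocationPoint, requestData.targetName, requestData.targetModel.resourceProperties, hookStatus, errorCode, message, clientRequestToken) follow the Lambda hook contract as understood here and are assumptions to verify against the current CloudFormation Hooks documentation; the sample event is constructed, not captured.

```python
# Added example (not code from the podcast, AWS, or GoDaddy): a Python Lambda
# handler for a CloudFormation resource hook that checks AWS::S3::Bucket
# properties before provisioning. Field names are assumptions taken from the
# Lambda hook contract as understood by the author; verify against AWS docs.

def check_public_access_block(props):
    """Every PublicAccessBlockConfiguration flag must be true."""
    cfg = props.get("PublicAccessBlockConfiguration") or {}
    flags = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")
    missing = [f for f in flags if cfg.get(f) is not True]
    if missing:
        return f"PublicAccessBlockConfiguration must set {', '.join(missing)} to true"
    return None


def check_default_encryption(props):
    """At least one default server-side encryption rule using AES256 or aws:kms."""
    enc = props.get("BucketEncryption") or {}
    for rule in enc.get("ServerSideEncryptionConfiguration") or []:
        algo = (rule.get("ServerSideEncryptionByDefault") or {}).get("SSEAlgorithm")
        if algo in ("AES256", "aws:kms"):
            return None
    return "BucketEncryption must set a default SSEAlgorithm of AES256 or aws:kms"


def check_versioning(props):
    """Versioning must be enabled so overwritten or deleted objects are recoverable."""
    status = (props.get("VersioningConfiguration") or {}).get("Status")
    return None if status == "Enabled" else "VersioningConfiguration.Status must be Enabled"


# Resource type -> rule functions; each returns None or a finding string.
RULES = {"AWS::S3::Bucket": [check_public_access_block,
                             check_default_encryption, check_versioning]}

# Invocation points that carry new properties worth judging (assumed names).
EVALUATED_ACTIONS = {"CREATE_PRE_PROVISION", "UPDATE_PRE_PROVISION"}


def evaluate(target_type, props):
    """Run every rule registered for target_type; return the list of findings."""
    findings = []
    for rule in RULES.get(target_type, []):
        finding = rule(props or {})
        if finding:
            findings.append(finding)
    return findings


def handler(event, context=None):
    """Lambda entry point: returns the hook response CloudFormation expects."""
    token = event.get("clientRequestToken")
    if event.get("actionInvocationPoint") not in EVALUATED_ACTIONS:
        return {"hookStatus": "SUCCESS", "message": "no evaluation for this action",
                "clientRequestToken": token}
    req = event.get("requestData") or {}
    props = (req.get("targetModel") or {}).get("resourceProperties") or {}
    findings = evaluate(req.get("targetName"), props)
    if findings:
        # FAILED + NonCompliant reports the violation; whether it blocks the
        # deployment or only warns is decided by the hook's configured FailureMode.
        return {"hookStatus": "FAILED", "errorCode": "NonCompliant",
                "message": f"{req.get('targetLogicalId')}: " + "; ".join(findings),
                "clientRequestToken": token}
    return {"hookStatus": "SUCCESS", "message": "compliant", "clientRequestToken": token}


# Constructed sample invocation (not a captured event): public access is blocked,
# but the bucket has no default encryption and versioning is left off.
SAMPLE_EVENT = {
    "clientRequestToken": "constructed-token-1",
    "actionInvocationPoint": "CREATE_PRE_PROVISION",
    "requestData": {
        "targetName": "AWS::S3::Bucket",
        "targetLogicalId": "LogsBucket",
        "targetModel": {"resourceProperties": {
            "BucketName": "example-logs",
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "BlockPublicPolicy": True,
                "IgnorePublicAcls": True, "RestrictPublicBuckets": True},
        }},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Deploying this as a hook means packaging the function, registering the hook against the target type, and setting its failure mode; the handler only reports, and the same code serves both a warn-only rollout and a blocking one.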

Balancing Governance, Developer Flexibility, and Impact on Developer Experience
The discussion focuses on GoDaddy's approach to balancing security governance with developer flexibility using account-level overrides and a structured process for reviewing new services, leveraging LLMs. The positive impact on developer experience and increased velocity are discussed.

Tips and Best Practices for Implementing CloudFormation Hooks
The podcast concludes with practical tips for implementing CloudFormation hooks: start with the pre-built hooks and rules, use the material AWS publishes, and write IAM policies so that the governed resources cannot be created outside the hook-guarded path.
Keywords
CloudFormation Hooks
A feature of AWS CloudFormation that evaluates the resources declared in infrastructure-as-code templates against policy before they are provisioned, so a noncompliant configuration is warned about or blocked instead of deployed.
Infrastructure as Code (IaC)
Managing and provisioning infrastructure (compute, network, storage, managed services) through machine-readable definition files kept under version control, rather than by manual configuration.
CloudFormation Guard
A policy-as-code tool from AWS with its own domain-specific language (DSL) for writing rules that validate structured configuration such as CloudFormation templates; hooks can run Guard rules directly.
Lambda Functions
AWS Lambda, an event-driven compute service; a Lambda function can carry the evaluation logic of a custom CloudFormation hook.
Proactive Security
Controls that evaluate and reject a noncompliant configuration before it is deployed, instead of detecting it after the fact.
AWS CloudFormation
A service for provisioning and managing AWS and third-party resources in a declarative manner.
Developer Velocity
The speed at which developers can build and deploy applications.
GoDaddy
A web hosting and domain registrar company that implemented CloudFormation hooks.
IAM
AWS Identity and Access Management, used to control access to AWS resources.
LLM
Large Language Model, used to assist in reviewing new services.
Q&A
What are the key benefits of using CloudFormation Hooks?
Proactive security controls, improved developer agility through automated policy enforcement, and increased flexibility compared to rigid service catalog approaches.
How can organizations balance security governance with developer flexibility?
GoDaddy uses rule categories aligned with organizational standards, allowing account-level overrides for exceptions.
What are different ways to author CloudFormation hooks?
Lambda functions (including pre-built options), CloudFormation Guard's DSL, or custom hooks registered with the CloudFormation registry.
How can organizations prevent users from bypassing CloudFormation hook governance?
Deny the underlying resource APIs (for example s3:CreateBucket) unless the request arrives through CloudFormation or Cloud Control API and targets a region where the hooks are enabled; IAM condition keys such as aws:CalledViaFirst and aws:RequestedRegion express this. Without that guard a user can create the same resource directly with the CLI or SDK, or deploy through CloudFormation in an unhooked region, and the hook never runs.
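To make the bypass-prevention answer concrete, here is an added example (not from the podcast, AWS, or GoDaddy): a deny policy for the governed S3 actions, plus a small evaluator for the two IAM condition operators it uses so the effect can be checked offline. Assumptions to verify against the IAM documentation: aws:CalledViaFirst equals "cloudformation.amazonaws.com" for calls CloudFormation makes on the caller's behalf, HOOK_REGIONS is a hypothetical list of regions where the hooks are activated, and the request contexts are constructed. Direct Cloud Control API calls are not modelled; add that service principal once confirmed.

```python
# Added example (not from the podcast, AWS, or GoDaddy): an IAM deny policy that
# closes the hook bypass, with a simplified evaluator for StringEquals and
# StringNotEquals on single-valued keys. Service principal and region list are
# assumptions; Cloud Control API is deliberately left out.

HOOK_REGIONS = ["us-east-1", "us-west-2"]  # hypothetical: regions with hooks activated

# Actions whose direct use would create or reconfigure the resources the hooks govern.
GUARDED_ACTIONS = ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutEncryptionConfiguration"]

DENY_HOOK_BYPASS = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Block the CLI/SDK path: any call that did not arrive through CloudFormation.
            "Sid": "DenyUnlessViaCloudFormation",
            "Effect": "Deny",
            "Action": GUARDED_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:CalledViaFirst": "cloudformation.amazonaws.com"}},
        },
        {   # Block deployments into regions with no hook activated, even via CloudFormation.
            "Sid": "DenyOutsideHookRegions",
            "Effect": "Deny",
            "Action": GUARDED_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": HOOK_REGIONS}},
        },
    ],
}


def _condition_matches(operator, key, expected, ctx):
    """Simplified IAM semantics for single-valued string condition keys."""
    values = expected if isinstance(expected, list) else [expected]
    actual = ctx.get(key)
    if operator == "StringEquals":
        return actual is not None and actual in values
    if operator == "StringNotEquals":
        # Negated operators match when the key is absent from the request context,
        # which is what makes a direct API call (no aws:CalledViaFirst) hit the deny.
        return actual is None or actual not in values
    raise ValueError(f"operator {operator} not modelled")


def statement_applies(stmt, action, ctx):
    """True if the statement names the action and every condition matches (AND);
    a list of values for one key is OR. No wildcard handling in this toy."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions:
        return False
    return all(_condition_matches(op, key, exp, ctx)
               for op, pairs in stmt.get("Condition", {}).items()
               for key, exp in pairs.items())


def denied_by(policy, action, ctx):
    """Sids of Deny statements that apply to this request; [] means not denied here."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny" and statement_applies(s, action, ctx)]


# Constructed request contexts (the keys a real request would carry).
DIRECT_CLI_CALL = {"aws:RequestedRegion": "us-east-1"}
VIA_CFN_HOOK_REGION = {"aws:CalledViaFirst": "cloudformation.amazonaws.com",
                       "aws:RequestedRegion": "us-east-1"}
VIA_CFN_OTHER_REGION = {"aws:CalledViaFirst": "cloudformation.amazonaws.com",
                        "aws:RequestedRegion": "eu-west-3"}

if __name__ == "__main__":
    for name, ctx in [("direct cli", DIRECT_CLI_CALL),
                      ("cfn/us-east-1", VIA_CFN_HOOK_REGION),
                      ("cfn/eu-west-3", VIA_CFN_OTHER_REGION)]:
        print(name, denied_by(DENY_HOOK_BYPASS, "s3:CreateBucket", ctx) or "allowed")
```

The two statements are separate on purpose: the first alone still lets a template deploy into a region where no hook is activated, and the second alone still lets a direct CLI call through in a hooked region. Attach the policy as an SCP or to the deploying principals, and keep GUARDED_ACTIONS in step with the resource types the hooks cover.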
Show Notes
Learn More: https://aws.amazon.com/blogs/mt/proactively-keep-resources-secure-and-compliant-with-aws-cloudformation-hooks/