Teri Radichel

Summary

Teri Radichel explores the new AWS CloudFormation import-existing-resources option to manage existing resources within a CloudFormation stack, specifically focusing on the challenges of importing default resources like route tables and security groups.

Abstract

In a recent post, Teri Radichel delves into the AWS CloudFormation import-existing-resources feature introduced at AWS re:Invent 2023, which aims to simplify the process of incorporating existing AWS resources into a CloudFormation stack. Radichel discusses the prerequisites for using this feature, such as the requirement for resources to have a custom name, and highlights the supported resource types. The author attempts to import default security groups and route tables into a stack, encountering difficulties due to the lack of custom names for these resources. Despite sparse documentation, Radichel experiments with naming default security groups to enable their import, only to find that the feature may not be fully functional yet. The post concludes with Radichel deciding to revert to existing code while awaiting further documentation and examples from AWS.

Opinions

  • Radichel views the import-existing-resources feature as a potentially powerful tool for managing AWS resources within CloudFormation but notes that its current implementation and documentation are lacking.
  • The author expresses confusion about the process, particularly regarding the naming convention for default resources, indicating a need for clearer guidance from AWS.
  • Radichel is optimistic about the future of the feature, expecting that AWS will provide more comprehensive documentation and examples to facilitate its use.
  • The post reflects a hands-on approach to understanding new AWS features, with Radichel willing to experiment and share findings even when documentation is scarce.
  • There is an underlying frustration with the current state of the feature, as Radichel's attempts to utilize it for default resources like security groups and route tables were unsuccessful.

Checking out the new CloudFormation import-existing-resources option

ACM.424 Can we import the default route table or security group for a VPC?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I deployed a VPC that should in theory be able to be used by anyone in the OU.

I have yet to test it. Next I was going to configure the VPC for my AMIs, but my code that fixes up the default route table and security group is failing. I decided to fix that once and for all.

In a prior post I showed how to deploy an AWS Organization in CloudFormation, but also if the Organization already exists, how to import it into a CloudFormation stack:

At AWS re:Invent 2023, AWS introduced a new option for the CreateChangeSet command called import-existing-resources, which is supposed to make this easier.

At first glance, I wasn’t sure how it worked but let’s dig in. If you want to import an existing resource using this command, it needs to be a resource that has a custom name option. The resource types that support custom names are listed at the bottom of this page:

(List is truncated.)

SecurityGroup is in the list, but RouteTable is not:

The custom name for a security group is, I presume, the GroupName property, but I’m not exactly sure. The documentation for this new feature is sparse.

Something to keep in mind:

In other words, you will be updating the properties on the existing resource if you update it, not creating a new resource. To create a completely new resource, create a resource with a new name.
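As an added pre-flight check (example code, not from the original post), the functions below validate a template against the prerequisite described above: every resource to be imported must be of a type that has a custom-name property, and that property must carry the existing resource's name. The type-to-property map is an assumed partial subset of AWS's list, the change-set parameters assume an SDK or CLI that exposes the ImportExistingResources parameter, and no AWS call is made.

```python
import json

# Partial map of resource type -> custom-name property. This is an assumed
# subset of AWS's "resources that support custom names" list; RouteTable is
# deliberately absent, matching the post's observation that it is not listed.
CUSTOM_NAME_PROPERTY = {"AWS::EC2::SecurityGroup": "GroupName", "AWS::S3::Bucket": "BucketName",
                        "AWS::IAM::Role": "RoleName", "AWS::SQS::Queue": "QueueName"}


def import_blockers(template: dict) -> dict:
    """Return {logical_id: reason} for resources that cannot be imported with
    import-existing-resources. An empty dict means the template passes."""
    problems = {}
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        name_prop = CUSTOM_NAME_PROPERTY.get(rtype)
        if name_prop is None:
            problems[logical_id] = f"{rtype} has no custom name property"
        elif not res.get("Properties", {}).get(name_prop):
            problems[logical_id] = f"{rtype} needs {name_prop} set to the existing name"
    return problems


def change_set_request(stack_name: str, template: dict) -> dict:
    """Build CreateChangeSet parameters (usable as boto3 create_change_set(**kw))
    once the pre-flight check passes. No API call is made here."""
    problems = import_blockers(template)
    if problems:
        raise ValueError(f"template is not importable: {problems}")
    return {
        "StackName": stack_name,
        "ChangeSetName": "import-default-sg",
        "ChangeSetType": "UPDATE",        # adding resources to an existing stack
        "TemplateBody": json.dumps(template),
        "ImportExistingResources": True,  # the option introduced at re:Invent 2023
    }


# Constructed sample: the security group named "mysg" from the post, plus a
# route table, which has no custom-name property and therefore blocks the import.
SAMPLE = {"Resources": {
    "MySG": {"Type": "AWS::EC2::SecurityGroup",
             "Properties": {"GroupName": "mysg", "GroupDescription": "default sg",
                            "VpcId": "vpc-PLACEHOLDER"}},
    "DefaultRT": {"Type": "AWS::EC2::RouteTable",
                  "Properties": {"VpcId": "vpc-PLACEHOLDER"}},
}}
```

Run import_blockers on your real template first; only when it returns an empty dict is it worth submitting the change set.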

Alright, so can we import our existing default security group into a stack? Lacking documentation, I’m going to try to reverse-engineer how this is supposed to work. I created an account with an existing default VPC and a new public and private VPC. Each VPC has a default security group. Well, none of them have names, so I have a catch-22. In order to import the resource using a name, I’d have to manually log in and add a name.

Welp. That nixes that idea but just out of curiosity, let’s see what we can do. I’m going to name the default security group in the account “mysg”.

So I create a file and add the option and guess at what I should possibly pass in.

And…it doesn’t exist. Well, this must still be a work in progress I guess.

I’ll wait for the documentation and an example which is probably on the way.

For now, I’ll use my existing code and see what comes out of this. Perhaps I’m just using it incorrectly.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
