Creating and managing AWS CloudFormation Hooks - AWS CloudFormation

Creating and managing AWS CloudFormation Hooks

AWS CloudFormation Hooks provide a mechanism to evaluate your CloudFormation resources before allowing stack creation, modification, or deletion. This feature helps you ensure that your CloudFormation resources comply with your organization's security, operational, and cost optimization best practices.

To create a Hook, you have three options.

  • Guard Hook – Evaluates resources using an AWS CloudFormation Guard rule.

  • Lambda Hook – Forwards requests for resource evaluation to an AWS Lambda function.

  • Custom Hook – Uses a custom Hook handler that you manually develop.

Guard Hook

To create a Guard Hook, follow these main steps:

  1. Write your resource evaluation logic as a Guard policy rule using the Guard domain-specific language (DSL).

  2. Store the Guard policy rule in an Amazon S3 bucket.

  3. Navigate to the CloudFormation console and begin creating a Guard Hook.

  4. Provide the Amazon S3 path to your Guard rule.

  5. Choose the specific targets that the Hook will evaluate.

  6. Choose the deployment actions (create, update, delete) that will invoke your Hook.

  7. Choose how the Hook responds when it fails evaluation.

  8. When configuration is complete, activate the Hook to begin enforcement.

Lambda Hook

To create a Lambda Hook, follow these main steps:

  1. Write your resource evaluation logic as a Lambda function.

  2. Navigate to the CloudFormation console and begin creating a Lambda Hook.

  3. Provide the Amazon Resource Name (ARN) for your Lambda function.

  4. Choose the specific targets that the Hook will evaluate.

  5. Choose the deployment actions (create, update, delete) that will invoke your Hook.

  6. Choose how the Hook responds when it fails evaluation.

  7. When configuration is complete, activate the Hook to begin enforcement.
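As an added example, not from this page or from AWS, the following Python function shows the kind of resource evaluation logic step 1 asks for: a Lambda Hook handler that checks `AWS::S3::Bucket` targets for default encryption and a full public access block and reports a non-compliant result. The request and response field names (`requestData.targetName`, `requestData.targetModel.resourceProperties`, `hookStatus`, `errorCode`, `clientRequestToken`) are my assumption of the Lambda Hook contract and should be verified against the current AWS documentation; the sample event is constructed.

```python
import json

# Assumed Lambda Hook contract (not from the page): the event carries
# requestData.targetName and requestData.targetModel.resourceProperties, and
# the handler replies with hookStatus, errorCode, message and clientRequestToken.

PAB_KEYS = ("BlockPublicAcls", "BlockPublicPolicy",
            "IgnorePublicAcls", "RestrictPublicBuckets")


def evaluate_bucket(props: dict) -> list:
    """Return findings for an AWS::S3::Bucket; an empty list means compliant."""
    findings = []
    enc = props.get("BucketEncryption") or {}
    if not enc.get("ServerSideEncryptionConfiguration"):
        findings.append("BucketEncryption must define default server-side encryption")
    pab = props.get("PublicAccessBlockConfiguration") or {}
    for key in PAB_KEYS:
        # Template values may be booleans or the strings "true"/"false".
        if str(pab.get(key)).lower() != "true":
            findings.append(f"PublicAccessBlockConfiguration.{key} must be true")
    return findings


CHECKS = {"AWS::S3::Bucket": evaluate_bucket}


def lambda_handler(event: dict, context=None) -> dict:
    request = event.get("requestData") or {}
    target = request.get("targetName")
    props = (request.get("targetModel") or {}).get("resourceProperties") or {}
    token = event.get("clientRequestToken")
    check = CHECKS.get(target)
    if check is None:
        # Targets this Hook has no rule for are allowed through, not blocked.
        return {"hookStatus": "SUCCESS", "message": f"No checks for {target}",
                "clientRequestToken": token}
    findings = check(props)
    if findings:
        return {"hookStatus": "FAILED", "errorCode": "NonCompliant",
                "message": "; ".join(findings), "clientRequestToken": token}
    return {"hookStatus": "SUCCESS", "message": f"{target} is compliant",
            "clientRequestToken": token}


# Constructed sample event for local testing, not a captured invocation.
SAMPLE_EVENT = {
    "clientRequestToken": "constructed-token",
    "actionInvocationPoint": "CREATE_PRE_PROVISION",
    "requestData": {"targetName": "AWS::S3::Bucket",
                    "targetModel": {"resourceProperties": {"BucketName": "example"}}},
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```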

Custom Hook

Custom Hooks are extensions that you register in the CloudFormation registry using the CloudFormation Command Line Interface (CFN-CLI).

To create a custom Hook, follow these main steps:

  1. Initiate the project – Generate the files needed to develop a custom Hook.

  2. Model the Hook – Write a schema that defines the Hook and the handlers that specify the operations that can invoke the Hook.

  3. Register and activate the Hook – After you have created a Hook, register it in the account and Region where you want to use it; registering the Hook also activates it.

The following topics provide more information for creating and managing Hooks.