What is AWS CloudFormation Hooks?

AWS CloudFormation Hooks is a feature that you can use to ensure that your CloudFormation resources are compliant with your organization's security, operational, and cost optimization best practices. With CloudFormation Hooks, you can provide code that proactively inspects the configuration of your AWS resources before provisioning. If non-compliant resources are found, AWS CloudFormation either fails the operation and prevents the resources from being provisioned, or emits a warning and allows the provisioning operation to continue.

You can use Hooks to enforce a variety of requirements and guidelines. For example, a security-related Hook can verify that security groups have the appropriate inbound and outbound traffic rules for your Amazon Virtual Private Cloud (Amazon VPC). A cost-related Hook can restrict development environments to only use smaller Amazon Elastic Compute Cloud (Amazon EC2) instance types. A Hook designed for data availability can enforce automatic backups for Amazon Relational Database Service (Amazon RDS).
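The security-group case above, worked through as an added example (not code from this guide or from AWS). It models the compliance logic a Hook handler would run over a resource's properties before provisioning: the `properties` dict assumes the shape of an `AWS::EC2::SecurityGroup` resource as it appears in a template, the sample resource is constructed, and the `evaluate` return structure and the `failure_mode` argument are this example's own conventions standing in for the fail-or-warn behaviour described above, not the CloudFormation CLI library's types.

```python
"""Compliance check for an AWS::EC2::SecurityGroup, in the style of a CloudFormation Hook.

Hypothetical example: the properties dict mirrors an AWS::EC2::SecurityGroup resource's
Properties block; the result dict is this example's own shape, not the CLI library's.
"""
from __future__ import annotations

# Ingress sources that mean "the whole Internet" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}
# The only ports this policy allows to be reachable from anywhere.
ALLOWED_PUBLIC_PORTS = {80, 443}


def _port_range(rule: dict) -> tuple[int, int]:
    """Return (low, high) for an ingress rule; protocol -1 means every port."""
    if str(rule.get("IpProtocol", "-1")) == "-1":
        return (0, 65535)
    low = int(rule.get("FromPort", 0))
    high = int(rule.get("ToPort", low))
    return (low, high)


def _open_to_world(rule: dict) -> bool:
    """True when the rule's source is an unrestricted IPv4 or IPv6 CIDR."""
    return rule.get("CidrIp") in ANYWHERE or rule.get("CidrIpv6") in ANYWHERE


def find_violations(properties: dict) -> list[str]:
    """List every ingress rule that exposes a non-allowed port to the Internet."""
    findings = []
    for index, rule in enumerate(properties.get("SecurityGroupIngress", [])):
        if not _open_to_world(rule):
            continue
        low, high = _port_range(rule)
        # A world-open rule is compliant only if it covers exactly one allowed port;
        # any range (80-443, 0-65535, ...) necessarily includes disallowed ports.
        if low == high and low in ALLOWED_PUBLIC_PORTS:
            continue
        source = rule.get("CidrIp") or rule.get("CidrIpv6")
        findings.append(
            f"SecurityGroupIngress[{index}]: ports {low}-{high} "
            f"({rule.get('IpProtocol', '-1')}) open to {source}"
        )
    return findings


def evaluate(resource_type: str, properties: dict, failure_mode: str = "FAIL") -> dict:
    """Decide the Hook outcome for one resource.

    failure_mode="FAIL" blocks provisioning on a violation; "WARN" lets the
    operation continue but surfaces the findings (constructed convention).
    """
    if resource_type != "AWS::EC2::SecurityGroup":
        return {"status": "SUCCESS", "message": "resource type not targeted", "findings": []}
    findings = find_violations(properties)
    if not findings:
        return {"status": "SUCCESS", "message": "security group is compliant", "findings": []}
    if failure_mode == "WARN":
        return {"status": "SUCCESS", "message": "warning: " + "; ".join(findings), "findings": findings}
    return {"status": "FAILED", "message": "non-compliant: " + "; ".join(findings), "findings": findings}


# Constructed sample resource: HTTPS from anywhere (allowed), SSH from anywhere
# (violation), and SSH from a private range (fine because it is not world-open).
SAMPLE_SECURITY_GROUP = {
    "GroupDescription": "web tier",
    "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "::/0"},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.0.0.0/8"},
    ],
}

if __name__ == "__main__":
    for mode in ("FAIL", "WARN"):
        result = evaluate("AWS::EC2::SecurityGroup", SAMPLE_SECURITY_GROUP, mode)
        print(mode, result["status"], "-", result["message"])
```

Running the block prints the same findings twice, once with status `FAILED` (provisioning would be blocked) and once with `SUCCESS` plus a warning message, which is the distinction the text draws between failing the operation and emitting a warning. A protocol of `-1` or a missing `FromPort`/`ToPort` is treated as the full port range, so an "allow all from anywhere" rule is caught rather than silently passed.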

CloudFormation Hooks is a supported extension type in the AWS CloudFormation registry. The registry makes it easy to distribute and activate Hooks both publicly and privately. The registry also supports versioning, as well as the resource and module extension types. You can use pre-built Hooks, or build your own Hooks using the CloudFormation CLI.

This guide provides an overview of the structure of AWS CloudFormation Hooks, along with instructions for developing, registering, testing, managing, and publishing your own Hooks.