AWS Podcast Episode #720: Hooked on CloudFormation: GoDaddy Stays Proactive with AWS CloudFormation Hooks
Release Date: May 12, 2025
In Episode #720 of the AWS Podcast, host Simon Shuberty explores the use of AWS CloudFormation Hooks with Stella He, a Senior Product Manager at AWS, and James Kelly, a Senior Software Engineer at GoDaddy. The episode covers how CloudFormation Hooks strengthen infrastructure as code (IaC) practices, combining security enforcement with flexibility for large organizations.
1. Introduction to CloudFormation
Simon Shuberty opens the discussion by emphasizing the importance of Infrastructure as Code (IaC), highlighting AWS CloudFormation as a pivotal tool for managing cloud infrastructure.
[01:09] Stella He: "AWS CloudFormation is a service that helps you define and manage your cloud infrastructure using code. So you create templates, you can write it in JSON or YAML that describe the resources you need like servers, databases or networks."
Simon further underscores the transition from manual operations to codified infrastructure management:
[01:46] Simon Shuberty: "Gone are the days of click ops and random scripts and other bits and pieces. It's gotta be as code in a repo with version control managed effectively."
2. Introducing CloudFormation Hooks
The conversation pivots to the newly introduced CloudFormation Hooks, a feature designed to proactively evaluate IaC configurations before deployment.
[02:32] Stella He: "CloudFormation Hooks is a feature that allows you to proactively evaluate your infrastructure as code configurations or CloudFormation templates... to inspect your resource configurations prior to create, update or delete CloudFormation stack operations."
Simon connects this innovation to the broader security practice of shifting left, ensuring issues are addressed early in the development process:
[03:19] Simon Shuberty: "This is about really trying to catch things before they get deployed versus waiting for them to get deployed and then reactively doing it. So it's proactive."
3. Benefits and Functionality of Hooks
Stella He elaborates on how CloudFormation Hooks enable organizations to enforce policies automatically, enhancing both speed and security without hindering developer agility:
[04:43] Simon Shuberty: "So hooks provides a way for customers to automatically and proactively enforce their policies early in this development without these issues."
She further explains the implementation process, highlighting the flexibility in authoring hooks using Lambda functions or the CloudFormation Guard DSL:
[05:37] Stella He: "You can author these hooks using a Lambda function... Alternatively, you can use CloudFormation Guard domain-specific language, store it as an S3 object and run it using the pre-built guard hook."
4. GoDaddy’s Adoption of CloudFormation Hooks
James Kelly from GoDaddy shares how his organization leverages CloudFormation Hooks to maintain robust cloud governance across hundreds of developers:
[07:25] James Kelly: "At GoDaddy, we have hundreds of developers... we deploy all of our workloads to the cloud and we want to make sure that everything is secure, like security is mission critical for us."
He discusses the transition from a custom solution to the AWS-managed Hooks, citing the latter's reliability and support as key advantages:
[08:38] James Kelly: "We pivoted to Hooks as soon as we heard it was in alpha... the fact that it's AWS managed and supported has just been a killer feature for enterprise security."
5. Balancing Security and Developer Flexibility
A significant portion of the discussion centers on how GoDaddy maintains security without stifling developer innovation. James explains their strategy to allow exceptions at the account level, providing necessary flexibility:
[10:13] James Kelly: "We decided that at the account level of granularity, we would allow for any control that we have to have an override and that would be built into the system."
He further elaborates on using AWS Guard for writing granular rules, enhancing both security and adaptability:
[10:43] James Kelly: "We move to AWS Guard for the rules and use the guard hook. So at the end of the day, we're just writing rules and everything else just kind of works."
6. Enhancing Developer Velocity
James highlights the importance of maintaining developer velocity while enforcing security measures. By integrating Hooks with various IaC tools like AWS CDK and Terraform, GoDaddy ensures that developers have the freedom to choose their preferred tools without compromising governance:
[17:07] James Kelly: "We’re giving the flexibility to our developers to say, okay, you can use SAM, you can use whatever tooling you want. We're going to evaluate it with the same rules and it's up to you to choose your own adventure there."
Simon reflects on the cultural shift required within organizations to embrace such flexible yet secure practices:
[18:27] Simon Shuberty: "...providing that great developer ergonomics. If there's one thing I've seen that affects developer productivity, it's the ergonomics of the developer environment."
7. Implementing CloudFormation Hooks: Practical Tips
As the episode progresses, James Kelly offers practical advice for organizations looking to adopt CloudFormation Hooks. He emphasizes starting with pre-built hooks and leveraging AWS’s comprehensive documentation:
[20:02] James Kelly: "I would recommend starting with the pre-built Guard hook... pairing it with a managed rule set from the AWS Guard rule registry."
He also touches on the integration of Lambda hooks for more advanced use cases, simplifying the process of authoring custom logic:
[21:11] James Kelly: "The pre-built Lambda hook... it's just going to work. If you want to do something crazy like make a real-time API call... it absolutely could do that."
8. Ensuring Governance and Preventing Bypass
Addressing how the controls could be sidestepped, James explains how GoDaddy prevents developers from bypassing the hooks either by calling resource APIs directly or by deploying into a region where no hook is configured:
[22:25] James Kelly: "Hooks themselves are deployed per region... We use IAM conditions to ensure that API calls must originate from CloudFormation or Cloud Control API and are made within regions that have hooks configured."
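The IAM fence James describes, written out as an added example (an editor's illustration, not GoDaddy's actual policy and not AWS-supplied code): a policy made only of explicit Deny statements on the condition keys aws:CalledViaFirst and aws:RequestedRegion, plus a small evaluator that shows which constructed request contexts it blocks. HOOK_REGIONS, GUARDED_ACTIONS and ALLOWED_CALLERS are constructed sample values; the evaluator models only the Deny side of IAM and treats a missing key conservatively, which is why direct calls are caught by an explicit Null condition rather than by relying on StringNotEquals semantics for absent keys. Cloud Control API is left out of ALLOWED_CALLERS because its aws:CalledVia value should be confirmed in the IAM condition-key documentation before being relied on.

```python
"""Added example: an IAM guardrail that denies resource-mutating calls unless they are
made through CloudFormation in a region where hooks are deployed, plus a small evaluator
that shows which constructed request contexts it blocks. Not GoDaddy's policy."""

# Constructed sample: regions in which the organization has configured its hooks.
HOOK_REGIONS = ["us-east-1", "us-west-2"]

# Constructed sample of mutating actions to fence off; a real guardrail lists the
# actions for every resource type the hooks cover.
GUARDED_ACTIONS = [
    "s3:CreateBucket",
    "s3:PutBucketPolicy",
    "ec2:AuthorizeSecurityGroupIngress",
]

# Services whose on-behalf-of calls are allowed. CloudFormation's aws:CalledVia value is
# documented; Cloud Control API is deliberately not listed because its value must be
# confirmed in the IAM condition-key documentation before relying on it.
ALLOWED_CALLERS = ["cloudformation.amazonaws.com"]


def build_guardrail_policy(hook_regions, actions, allowed_callers):
    """Return an IAM policy document made only of explicit Deny statements.

    DenyDirectCalls         - aws:CalledViaFirst is absent: the principal called the API itself.
    DenyUnexpectedCaller    - the first service in the call chain is not an allowed one.
    DenyRegionsWithoutHooks - the request targets a region where no hook is configured.
    """
    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Action": list(actions),
                "Resource": "*", "Condition": condition}

    return {
        "Version": "2012-10-17",
        "Statement": [
            deny("DenyDirectCalls", {"Null": {"aws:CalledViaFirst": "true"}}),
            deny("DenyUnexpectedCaller",
                 {"StringNotEquals": {"aws:CalledViaFirst": list(allowed_callers)}}),
            deny("DenyRegionsWithoutHooks",
                 {"StringNotEquals": {"aws:RequestedRegion": list(hook_regions)}}),
        ],
    }


def _matches(operator, key, expected, ctx):
    """Evaluate one condition of this simulator against a request-context dict."""
    expected = expected if isinstance(expected, list) else [expected]
    actual = ctx.get(key)
    if operator == "Null":
        # "true" matches when the key is absent from the request context.
        return (actual is None) == (expected[0] == "true")
    if actual is None:
        # Simulator simplification: a missing key never satisfies a String operator.
        # The explicit DenyDirectCalls statement is what catches direct calls.
        return False
    if operator == "StringEquals":
        return actual in expected
    if operator == "StringNotEquals":
        return actual not in expected
    raise ValueError(f"unsupported operator: {operator}")


def first_deny(policy, action, ctx):
    """Return the Sid of the first Deny statement that applies, or None if none does.
    Only the Deny side is modelled; a real request also needs a matching Allow."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or action not in stmt["Action"]:
            continue
        if all(_matches(op, key, value, ctx)
               for op, pairs in stmt["Condition"].items()
               for key, value in pairs.items()):
            return stmt["Sid"]
    return None


POLICY = build_guardrail_policy(HOOK_REGIONS, GUARDED_ACTIONS, ALLOWED_CALLERS)

if __name__ == "__main__":
    # Constructed request contexts: a direct SDK call, a deployment via CloudFormation
    # in a hook region, and a deployment via CloudFormation in a region without hooks.
    scenarios = {
        "direct call": {"aws:RequestedRegion": "us-east-1"},
        "via CloudFormation, hook region": {
            "aws:CalledViaFirst": "cloudformation.amazonaws.com", "aws:RequestedRegion": "us-east-1"},
        "via CloudFormation, no hooks": {
            "aws:CalledViaFirst": "cloudformation.amazonaws.com", "aws:RequestedRegion": "eu-west-1"},
    }
    for name, ctx in scenarios.items():
        print(f"{name}: {first_deny(POLICY, 's3:CreateBucket', ctx) or 'allowed by guardrail'}")
```

Whether the statements are attached as an SCP or to the deployment roles, they close both gaps James names: a direct SDK or console call never carries aws:CalledViaFirst, and a CloudFormation deployment into a region without hooks is refused before any hook would have had a chance to run. Note that a Deny-only guardrail cannot grant anything; the deployment roles still need their usual Allow statements.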
9. Customer Adoption and Best Practices
Stella He shares observations on how customers typically adopt Hooks, often starting in a monitoring phase before enforcing strict controls:
[23:58] Stella He: "They implement it across their organization... they put this in a warn mode where they will still allow the resources to be provisioned. After a while, they will flip the hooks into fail mode."
Simon concurs, noting the importance of a phased approach to avoid disruption:
[24:57] Stella He: "This is helpful for those who want to test it out and see what's the impact for the organization before moving forward to more governed deployments."
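To make the mechanics of sections 3, 5 and 9 concrete, here is an added example of a hook written as a Lambda handler (an editor's illustration, not AWS's pre-built hook and not GoDaddy's implementation): two constructed controls (an S3 bucket check and a security group check), a per-account override table for the account-level exceptions James describes, and a WARN/FAIL switch that shows the difference between the monitoring phase and the enforcing phase Stella describes. The event field names read in lambda_handler, the CONFIG table, the control IDs and the account IDs are assumptions; as I understand the service, the warn/fail choice is a setting in the hook configuration (FailureMode) evaluated by CloudFormation rather than logic in the handler, and it is folded into the handler here only so the two modes can be compared side by side.

```python
"""Added example: a Lambda-style hook evaluator with account-level control overrides
and a WARN/FAIL mode switch. Not AWS's pre-built hook and not GoDaddy's code."""

from dataclasses import dataclass, field


def check_s3_bucket(props):
    """Constructed control set for AWS::S3::Bucket; returns (control id, message) findings."""
    findings = []
    if "BucketEncryption" not in props:
        findings.append(("S3-001", "bucket has no BucketEncryption configuration"))
    pab = props.get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "BlockPublicPolicy",
                "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(key) is True for key in required):
        findings.append(("S3-002", "PublicAccessBlockConfiguration is not fully enabled"))
    return findings


def check_security_group(props):
    """Constructed control set for AWS::EC2::SecurityGroup: no admin ports open to the world."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") == "0.0.0.0/0" and rule.get("FromPort") in (22, 3389):
            findings.append(("SG-001", f"port {rule['FromPort']} is open to 0.0.0.0/0"))
    return findings


# Resource type -> control function. Types the hook does not know are passed through.
CONTROLS = {
    "AWS::S3::Bucket": check_s3_bucket,
    "AWS::EC2::SecurityGroup": check_security_group,
}


@dataclass
class HookConfig:
    # "WARN" reports findings but lets the operation proceed; "FAIL" blocks it.
    # In the real service this switch is the hook configuration's FailureMode,
    # not handler logic; it is folded in here so the two modes can be compared.
    mode: str = "FAIL"
    # account id -> control ids that account is exempted from (the account-level override).
    overrides: dict = field(default_factory=dict)


def evaluate(resource_type, properties, account_id, config):
    """Return a hook-style response: hookStatus SUCCESS or FAILED plus a message."""
    check = CONTROLS.get(resource_type)
    findings = check(properties) if check else []
    exempt = config.overrides.get(account_id, set())
    active = [f for f in findings if f[0] not in exempt]
    suppressed = [f for f in findings if f[0] in exempt]
    if not active:
        message = ("compliant" if not suppressed
                   else f"{len(suppressed)} finding(s) exempted for account {account_id}")
        return {"hookStatus": "SUCCESS", "message": message}
    message = "; ".join(f"{cid}: {text}" for cid, text in active)
    if config.mode == "WARN":
        return {"hookStatus": "SUCCESS", "message": "WARN " + message}
    return {"hookStatus": "FAILED", "errorCode": "NonCompliant", "message": message}


# Constructed deployment configuration: account 222222222222 is exempted from S3-002.
CONFIG = HookConfig(mode="FAIL", overrides={"222222222222": {"S3-002"}})


def lambda_handler(event, context):
    """Lambda entry point. The event field names (awsAccountId, clientRequestToken,
    requestData.targetType, requestData.targetModel.resourceProperties) are assumed from
    the Lambda hook request layout; confirm them against the current CloudFormation docs."""
    request = event["requestData"]
    response = evaluate(request["targetType"],
                        request["targetModel"].get("resourceProperties", {}),
                        event["awsAccountId"], CONFIG)
    response["clientRequestToken"] = event.get("clientRequestToken")
    return response
```

Running the evaluation in WARN mode first, as Stella describes, lets a team measure how many existing stacks would fail before any deployment is blocked; flipping the mode to FAIL afterwards changes only the hookStatus, not the findings. The override table keeps the exception in the platform's configuration, so it is reviewable and auditable rather than scattered across templates.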
10. Conclusion and Recommendations
In closing, the participants reiterate the value of CloudFormation Hooks for effective cloud governance. James Kelly encourages listeners to explore the updated AWS console and to start from pre-built hooks to streamline their own implementations:
[20:02] James Kelly: "AWS console... we recommend starting with the pre-built Guard hook."
Simon Shuberty wraps up by emphasizing the benefits of integrating Hooks into IaC practices, encouraging developers and security teams alike to adopt these proactive measures:
[25:06] Simon Shuberty: "If you're using CloudFormation, then you should be using Hooks."
Key Takeaways
- Proactive Governance: CloudFormation Hooks allow organizations to enforce security and compliance policies before resources are deployed, shifting security left in the development process.
- Flexibility and Developer Velocity: By allowing exceptions at the account level and supporting multiple IaC tools, Hooks maintain security without hindering developer innovation.
- AWS Integration and Support: Leveraging AWS-managed Hooks simplifies implementation and ensures reliability, as demonstrated by GoDaddy’s successful adoption.
- Practical Implementation: Starting with pre-built hooks and utilizing AWS Guard can accelerate the adoption process and provide a robust foundation for custom governance.
- Preventing Bypass: Proper IAM configurations are essential to ensure that all resource provisioning goes through the governance checks provided by Hooks.
For organizations looking to enhance their cloud infrastructure management, Episode #720 of the AWS Podcast offers valuable insights into leveraging CloudFormation Hooks to achieve a balanced approach to security and flexibility.
