Discover how GoDaddy manages cloud security at speed for hundreds of developers as Cloud Governance
Simon Shuberty
This is episode 720 of the AWS Podcast, released on May 12, 2025. Hello everyone and welcome back to the AWS Podcast. Simon Shuberty, great to have you back. I'm joined by not one, but two very special guests today. Firstly, I'm joined by Stella He, who is a Senior Product Manager at AWS.
Stella He
Hi, how are you doing?
Simon Shuberty
Good. Good to have you here today. And I'm joined all the way from Hawaii, because why wouldn't you mention that if someone's in Hawaii, by James Kelly, who's a Senior Software Engineer at GoDaddy. G'day James. How are you doing?
James Kelly
Hey, happy to be here.
Simon Shuberty
Good to have you here. Now we're talking about a topic that is close to the heart of many listeners and should be close to the heart of anyone doing infrastructure as code, which is CloudFormation. But in particular we're going to be talking about CloudFormation Hooks. And so before we get into the whys and wherefores, and James is going to give us some really interesting insight into actually using this, we'll talk to someone who helped construct this whole concept and figure out what it should do and why. We're going to talk with Stella. Stella, tell me firstly, let's just do the quick: what is CloudFormation, for anyone who's not familiar with it, and why would you use it?
Stella He
Sure. So AWS CloudFormation is a service that helps you define and manage your cloud infrastructure using code. So you create templates, you can write them in JSON or YAML, that describe the resources you need, like servers, databases or networks. Then CloudFormation automatically provisions and configures these resources for you. It makes it so much easier for you to deploy and manage applications in the cloud, especially if you have a complex infrastructure or if you need to make sure that all of your infrastructure is consistent and repeatable in any kind of environment.
Simon Shuberty
Yeah. I'll emphasize that if you are not doing infrastructure as code, using some kind of infrastructure as code tooling, you are definitely doing it wrong. Gone are the days of click ops and random scripts and other bits and pieces. It's gotta be as code, in a repo, with version control, managed effectively. Otherwise you're gonna lose your mind. So an important thing now: CloudFormation has been a wonderful thing for a long time. Although I have to say I've never been more happy than when we introduced YAML support instead of JSON. Because man, if I don't have to debug another JSON, I'll just be very, very happy with that. Many hours of my life I'll never get back. We've got something new, CloudFormation Hooks. And that's what we're talking about today. So what are CloudFormation Hooks?
Stella He
So CloudFormation Hooks is a feature that allows you to proactively evaluate your infrastructure as code configurations, or CloudFormation templates in this case that we have been talking about. So you can evaluate this prior to provisioning, so you can invoke custom logic to inspect your resource configurations prior to create, update or delete CloudFormation stack operations, and the new integrations with AWS Cloud Control API operations.
Simon Shuberty
So this is interesting because if we think about CloudFormation, you get to sort of have a declarative approach to say, hey, go make this thing for me. And then CloudFormation, amongst other things, is kind of being like a state machine, driving the deployment, the status, et cetera. Why did you have to create hooks? Why did the team have to build that for our customers?
Stella He
So normally you use infrastructure as code or CloudFormation to model, provision or manage your cloud applications in a safe, predictable and repeatable way, because you have a large organization you manage or you just want to follow best practices. So to do it you need guardrails, or something that helps you to move fast but secure, minimizing the risk without limiting developer agility, which is something that is pretty hard to do. There are customers who are relying on detective controls, so they evaluate their cloud environment after all of the resources are up there. And this is probably too late for some customers. It's like, it's already up there.
Simon Shuberty
Yeah, the problem already exists. Thanks for telling me.
Stella He
And we also have other customers who are using a golden template approach, where they author these templates and only those templates exist in the entire organization, which is limiting for a lot of developers. They cannot take advantage of the new services that are out there every single day as fast as they would like to. So Hooks provides a way for customers to automatically and proactively enforce their policies early in the development process without these issues.
Simon Shuberty
Yeah, so in the classic, I guess, security sense, we often talk about pushing security to the left of the development stream. So earlier. So this is about really trying to catch things before they get deployed, versus waiting for them to get deployed and then reactively doing it. So it's proactive. So help us understand how Hooks works from a user experience perspective.
Stella He
You can start using Hooks by authoring policies. So you define your policies as part of authoring a hook, and then you codify your organizational best practices or your security or your compliance rules to be enforced through Hooks. After that you can configure your CloudFormation Hooks to send a warning or block the provisioning of the operations when there are any non-compliant resource configurations found.
Simon Shuberty
So it's kind of like an automated gate, but you get to choose the details. Tell me more about this building thing, what am I making?
Stella He
You can author these hooks using a Lambda function. We just launched a new pre-built Lambda hook, so you can just author it as a Lambda function. Alternatively, you can also use the CloudFormation Guard domain-specific language, store it as an S3 object and run it using the pre-built Guard hook. Lastly, as a last resort, if in any case you cannot leverage these pre-built hooks, you can also create your custom hooks and register the hooks in the CloudFormation registry.
Simon Shuberty
So you can kind of choose your own adventure. And James, we're going to come to you and figure out which part of the adventure you chose. That's for sure. But beyond, I guess, stopping bad things happening before they happen, what other ideas do you have for how Hooks can be used?
Stella He
So we launched the new integration with AWS Cloud Control API, and this helps a lot of customers to standardize their proactive controls regardless of their infrastructure as code tools. So Cloud Control API is a service that allows developers to manage AWS resources in a consistent and unified way. It provides a standard interface to create, update, delete or query cloud resources regardless of the service or the product. So now that Hooks is integrated with both CloudFormation and Cloud Control API, if you have another infrastructure as code tool aside from CloudFormation, you can still have the same standard and evaluate your resource configuration.
Simon Shuberty
Nice. That's handy. Now James, you'll hear from GoDaddy, a company that probably many people know. In fact, I think I mentioned to you last time we spoke that I have my GoDaddy renewal. I will be paying it for all my domains. But let's start with. Tell us a bit about GoDaddy and your role there.
James Kelly
Yeah, so I am a senior software engineer with our cloud governance team at GoDaddy. So at GoDaddy we have hundreds of developers across all sorts of different teams and they're all constantly deploying to the cloud. So we have a cloud mandate that means we deploy all of our workloads to the cloud, and we want to make sure that everything is secure. Security is mission critical for us. But you may have someone who is a database expert and they may not be as familiar with the nuances of all of the AWS VPC products. Right. So when they say, oh, I can't connect to my database, I see this thing that says publicly accessible, right, we'll have a control that says, no, you can't do that. And it proactively ensures that, like you said, we're not detectively reacting to it where it's already out in the wild; we're proactively ensuring that it doesn't get out there in the first place. So that's been really key for us. Pivoting to Hooks, CloudFormation Hooks have abstracted a lot of the complexity of a custom solution over to the AWS side. So they're unique because they're the only AWS-managed proactive solution for custom controls, at least.
Simon Shuberty
So you can choose your own adventure. Because I guess there are lots of ways to tackle this, and you guys were tackling it with some custom stuff you'd written. And in many ways it's the classic "can you tell me you're building this so I don't have to build it myself" type thing, which you've kind of just said. Yep, we're using this.
James Kelly
Absolutely. Yeah. We were starting down this whole custom solution, but due to the way that different things work, it used privilege escalation and different proxies of stacks, and the whole thing was really brittle. So as soon as we heard that Hooks was in alpha, I think we immediately pivoted to that. And the fact that it's AWS managed and supported has just absolutely been a killer feature for enterprise security. I mean, it makes it super easy. It's powerful for us to configure the controls exactly how we need to, but it abstracts away all the complexity of having to design and maintain those systems ourselves. And we're actually hoping to move to AWS Guard for the rules and use the Guard hook. So at the end of the day, we're just writing rules and everything else just kind of works.
Simon Shuberty
You spend more time on the rules and understanding that, because you guys have a really interesting approach where you are very focused on not just saying, well, here are the rules for the organization. You're like, no, we can tweak based upon the stacks and the resources and the approach. Tell us more about that, because I know a lot of security folks and a lot of developers are struggling with, well, you give me this one-size-fits-all approach and it doesn't work for us, I don't like it. So how do you tackle governance to allow, I guess, that responsible flexibility?
James Kelly
Yeah, that's a great question. One of the very smart design decisions that was made, and I can't take credit because it was before I got to the project, was that at the account level of granularity, we would allow any control that we have to have an override, and that would be built into the system. And that's really given us the flexibility that we need for those special cases. Maybe I have an account over here where they need this one specific thing, but we don't want to open the door for everybody, right?
Simon Shuberty
Everyone. Yeah.
James Kelly
And in Guard, we were able to adapt that into the Guard hook. Originally we had more of a custom Lambda hook where we did all this custom logic ourselves, but we were actually able to do that in the Guard DSL as well by setting different input parameters and putting logic in each of the rules that says, hey, if this account has input parameters, which we as the governance team control as the inputs to the hook, that means we're not going to enforce this specific rule. So we get very granular controls, but we can still have full flexibility, and we moved to that. That's been the big boon for us, the flexibility for the devs.
Simon Shuberty
I see that as a huge thing. I want to keep, I guess, pressing into that, because often the governance teams and security teams are seen as the department of no, and somewhat unfairly, because they also have to clean up the mess if a mess is made. But there's often, I think, a cultural aspect too, that I'm interested to understand more about. Because a lot of folks are so beaten down by bad things happening or getting blamed for bad things that it's like, well, that's it. We're just locking it out for everyone. I don't care if the developers complain. Tough. And clearly there's been a conscious conceptual decision here to say we recognize the need for flexibility and will allow it within certain parameters. How do you set those parameters? What's the method behind all of this? To help folks who maybe are trying to build that into their own organization.
James Kelly
Yeah. Well, you've hit on something that I think is important, which is that you sacrifice developer velocity in a lot of these more rigid systems. So we had a Service Catalog approach, which is another good tool, but the way that GoDaddy had implemented it was not great. It was kind of similar to what Stella was saying, where there's one template for, say, an S3 bucket, and if you need something different, then that's too bad for you. And it didn't allow developers to try new services or different approaches, and it really slowed down the development process. So at GoDaddy, we highly value experimentation, but we also highly value security. So what we ended up doing for Hooks is we decided on essentially specific rule categories, and those have to do with GoDaddy-isms around the AWS cloud. We have a very specific setup for our VPCs and other things, and we know that if you adhere to these categories of rules, you can have a secure deployment. So we actually just finished a project that I led where we used the CloudFormation reference, the AWS online documentation. We used LLM inference to parse through it, because there are hundreds of these different properties. We used to do that manually. So that sped that up a lot. And that really gives us a good starting point for manual review. Okay, for a new service that maybe I'm not familiar with, but a developer wants to leverage: what are the potential issues? Are there things that need to be encrypted in transit or encrypted at rest? Are there things that could be publicly accessible over a network? Having those declared for your org, if they're kind of special for your setup, really helps you find the controls you need to have.
Simon Shuberty
I think it's really fascinating. And how do you, I guess, manage that stream of requests of, hey, I want to do something a little bit different or unusual? Do you have a structured process? Is it on demand? Help us understand that.
James Kelly
Yeah, it is kind of a structured process where we try to get a head start from a team, you know, before they want to go and use something. And like I said, it's just a very basic kind of, I guess it's being called agentic AI now, but we just have a little bit of structure around the prompts where we'll feed in all of the CloudFormation documentation, which is an awesome natural language source of documentation for every CloudFormation resource type and every property of every resource type. Just this huge amount of information. We feed that in and that gets a good starting point, I'd say like an 80% for us to jump off from. We engage with our security team, we engage with the team who's implementing it, and we engage with our AWS technical account managers to really understand what the control should be. We finalize those, and once we have that in place, we can turn it on not just for that one team, but for all the teams at GoDaddy in a secure fashion.
Simon Shuberty
It's interesting to hear. Again, I think one of the benefits of LLMs, et cetera, is just that processing of reams of code and reams of information that can be impenetrable. I know from a security professional standpoint, you feel almost overwhelmed trying to keep across every single thing. And now you kind of can. If you know how to prompt it the right way, you're getting the right answers for yourself.
James Kelly
Yeah, it's definitely getting there. And we've seen in our case, I mean, there are over 240 different CloudFormation services, and growing every day, which is cool. But there are also times when a team comes and they say, hey, I want this new service, and I've never heard of this thing before.
Simon Shuberty
Are you making that up? Is it April 1st? Yeah.
James Kelly
Well, every new day Amazon's coming out with new stuff, which is powerful, but it's also hard to keep up with, like you said. So for us the key has been getting to that 80% or 90% as a jumping-off point for manual effort and review, versus before, where we were doing everything from scratch. And I can tell you that there are 167 properties of the AWS S3 bucket resource type. I have read all of them.
Simon Shuberty
You'll now name them.
James Kelly
Yeah, I wouldn't recommend that as an approach. And you can still have a very high level of security, especially if you have, again, custom controls for things that your enterprise cares about above and beyond the general ones, for sure.
Simon Shuberty
Now you talked about, I guess, a behavioral change or an environmental change when you were able to move away from a classic Service Catalog approach to one where, I guess, any CloudFormation-based tool is going to work in this environment. Let's unpick that a little bit, because it's interesting, and for a lot of folks, they may never use CloudFormation directly, but they use the SAM framework or they may use CDK. So help us understand how that's affected the developer experience.
James Kelly
Yeah, I mean, with an organization as big as we are, I think we have at least 500 developers that I've seen in a single Zoom meeting. And having all those people, you have different approaches, different tools that people want to use, all sorts of stuff. And in Service Catalog, for our setup, again, the way that we had implemented it, you had to do things in a very specific way. And the whole reason for us to undertake this effort was to increase developer velocity. So now they have the freedom not only to use whatever services they want and whatever resource types they want, they can also use whatever tooling they want. So we recommend AWS CDK because it is AWS supported, and we also think it's a very good tool. But they're also free to use other tools. And we're bringing on Cloud Control API support, like Stella mentioned, which enables the use of other tools, including things like Terraform, which is a real crowd pleaser, and some other things, with the same rule set. So we're not writing any more rules; we're writing them once and we're giving the flexibility to our developers to say, okay, you can use SAM, you can use whatever tooling you want. We're going to evaluate it with the same rules, and it's up to you to choose your own adventure there.
Simon Shuberty
That's very cool, because I guess, again, from a classic security mentality perspective, it's like, I want one way to do things, I want one set of rules. You know, every time you add a new thing, it's now exponentially more complicated for me, et cetera. And this is trying to overcome that while still providing, I guess, that great developer ergonomics. Because if there's one thing I've seen that affects developer productivity, it's the ergonomics of the developer environment. And there is no one developer environment. Everyone has their own preferences, and everyone's right.
James Kelly
Right. Yeah. And especially with all of the new opportunities opened up by LLMs and things of that nature, it's more important than ever for us to be able to validate ideas quickly and enable teams to chase after something if they see value there. And if there is, you know, iterate on that and refine it. And it's so much faster now. I mean, with our old system you used to have to open a pull request against this template, wait for someone to merge it, and I think it'll get deployed tomorrow, and then you can see if you made the right change. So it's just leagues faster.
Simon Shuberty
That's so cool. Now you and the team have jumped onto using Hooks really early on. So much so that you have the T-shirt, the limited edition "hooked on hooks" T-shirt. I don't have one of those. But you've got one, and you deserve it because you've done the work. What suggestions would you make for listeners who are thinking about exploring Hooks, or maybe have started using it? Because you've clearly learned a lot. What are some of the deep-down tips you'd give us?
James Kelly
Yeah, so we adopted Hooks before a lot of these cool new features that were announced at the last re:Invent, where I got this nice T-shirt from the team, and those are where I would start. So the AWS console, actually the CloudFormation team completely redid it. There's an awesome GUI section that has documentation and stuff for people just getting started. I'd recommend starting with the pre-built Guard hook. It's completely free to use, which is a nice perk, and pairing it with a managed rule set from the AWS Guard rule registry. That's a predefined rule repository for CloudFormation Guard, and it covers a lot of common AWS services to get you started, so you don't have to do any work. You can pull the pre-built hook, you can pull some pre-built rules and get going immediately with those. If you want to start defining your own custom rule set, like I said, the CloudFormation resource property reference is an excellent source of structured natural language documentation, and that's a good place to start on your journey if you want to enable some more fringe services that aren't in the registry.
Simon Shuberty
That's amazing. And so for those customers who want to go really deep, they want API-level control. How detailed can you get? What have you found works well?
James Kelly
So the other really nice pre-built hook that Stella mentioned is the pre-built Lambda hook. So it used to be that you had to define your own Lambda and register it in CloudFormation, which you can still do, but there's a lot of extra overhead and little details you have to handle. And what they've done is they've made it just as easy as authoring a regular Lambda function. We're going to give you this event payload, you're going to give us this response, and it's just going to work. So if you want to do something crazy like make a real-time API call, you want to go check the state of the world in some case and make a decision based on that, you absolutely could do that. And it's just a lot simpler with the framework that they've set up now, at the last re:Invent, with these...
Stella He
New releases, you can just give the ARN of this Lambda and we'll spin it up for you.
Simon Shuberty
That's cool, that's nice. Now with anything, people want to get around things, no matter how well intentioned they are. You know, if I'm trying to do something that is not in CloudFormation, can I just bypass it? Can I get around it?
James Kelly
Yeah. So, a couple of tips from how we set up our IAM roles and permissions to pair with this, which I would recommend for anybody. So remember, hooks only apply to operations within CloudFormation or Cloud Control API. So that means if I'm making a direct API call, something like S3 CreateBucket, it's not going to be governed by hooks. And hooks themselves are also deployed per region. They're not per account. So it's very important to make sure that your users can't, accidentally or not, bypass the governance by either making a direct API call to create or update a resource, or by deploying something in a region that doesn't have a hook provisioned yet. So the way we do that is we use the IAM aws:CalledVia condition key. And if you give that a value of cloudformation.amazonaws.com, that basically says that the API call must originate from CloudFormation or Cloud Control API. And then you can pair that with the aws:RequestedRegion IAM key and use an array value of regions where you have hooks configured. Those two conditions together ensure that the user is going through the hook governance in a region that has a hook enabled. So you'll want to pair that with your hook deployment. Once you have that set up, you can basically be assured that for the resource types that you're governing, they're going through the hook governance process.
Simon Shuberty
That's fantastic. Really, really interesting. Stella, do you see this as an example of how most customers are using hooks? Are you seeing variations? What's been the adoption?
Stella He
I feel like a lot of customers, they are monitoring their detective controls to start, and then they look at what the common issues are that they have been facing and the equivalent proactive controls. That's usually how they will set it up, and then they implement it across their organization. And they will put this in a warn mode, where they will still allow the resources to be provisioned. After a while, like a couple of weeks, they will flip the hooks into fail mode, where this will block their deployments, and then they usually see a decline in their detective control alarms.
Simon Shuberty
So it's kind of a soft launch rather than a hard launch. It's like, we'll just monitor things, see behaviors. And also, I mean, far be it from me to say that a security person may get something wrong, but we may have a rule that's a little too restrictive that we might want to adapt. So that gives us the chance to do that. So it's kind of like feeling your way before just bringing down the hammer and saying you will not deploy this way.
Stella He
Yes, yes. This is helpful for those who want to test it out and see what the impact is for the organization, and move forward to be more governed after that.
Simon Shuberty
Nice. Well, I think the takeaways here are: if you're not using CloudFormation in some form, even if it's not directly, as I mentioned, it could be via some other tool, you should be. And if you're using it, then you should be using Hooks. So James, thanks so much for coming on the show and sharing with us your own journey and the journey of GoDaddy and the team.
James Kelly
Yeah, thank you for having me.
Simon Shuberty
And Stella, thanks so much for unpacking what the team is working on. I'm sure they've got lots more in the cupboard coming out as well. It doesn't stop here. There's more coming.
Stella He
Thank you.
Simon Shuberty
Fantastic. And we do thank you all for listening, and we do love to get your feedback. awspodcast.com is the place to do it, and until next time, keep on building.
AWS Podcast Episode #720: Hooked on CloudFormation: GoDaddy Stays Proactive with AWS CloudFormation Hooks
Release Date: May 12, 2025
In Episode #720 of the AWS Podcast, hosted by Simon Shuberty, Amazon Web Services delves into the innovative use of AWS CloudFormation Hooks, featuring insights from Stella He, a Senior Product Manager at AWS, and James Kelly, a Senior Software Engineer at GoDaddy. This episode provides a comprehensive exploration of how CloudFormation Hooks enhance infrastructure as code (IaC) practices, ensuring security and flexibility for large-scale organizations.
Simon Shuberty opens the discussion by emphasizing the importance of Infrastructure as Code (IaC), highlighting AWS CloudFormation as a pivotal tool for managing cloud infrastructure.
[01:09] Stella He: "AWS CloudFormation is a service that helps you define and manage your cloud infrastructure using code. So you create templates, you can write it in JSON or YAML that describe the resources you need like servers, databases or networks."
Simon further underscores the transition from manual operations to codified infrastructure management:
[01:46] Simon Shuberty: "Gone are the days of click ops and random scripts and other bits and pieces. It's gotta be as code in a repo with version control managed effectively."
The conversation pivots to the newly introduced CloudFormation Hooks, a feature designed to proactively evaluate IaC configurations before deployment.
[02:32] Stella He: "CloudFormation Hooks is a feature that allows you to proactively evaluate your infrastructure as code configurations or CloudFormation templates... to inspect your resource configurations prior to create, update or delay CloudFormation stack operations."
Simon connects this innovation to the broader security practice of shifting left, ensuring issues are addressed early in the development process:
[03:19] Simon Shuberty: "This is about really trying to catch things before they get deployed versus waiting for them to get deployed and then reactively doing it. So it's proactive."
Stella He elaborates on how CloudFormation Hooks enable organizations to enforce policies automatically, enhancing both speed and security without hindering developer agility:
[04:43] Stella He: "So hooks provides a way for customers to automatically and proactively enforce their policies early in this development without these issues."
She further explains the implementation process, highlighting the flexibility in authoring hooks using Lambda functions or the CloudFormation Guard DSL:
[05:37] Stella He: "You can author these hooks using a Lambda function... Alternatively, you can use CloudFormation Guard domain-specific language, store it as an S3 object and run it using the pre-built guard hook."
James Kelly from GoDaddy shares how his organization leverages CloudFormation Hooks to maintain robust cloud governance across hundreds of developers:
[07:25] James Kelly: "At GoDaddy, we have hundreds of developers... we deploy all of our workloads to the cloud and we want to make sure that everything is secure, like security is mission critical for us."
He discusses the transition from a custom solution to the AWS-managed Hooks, citing the latter's reliability and support as key advantages:
[08:38] James Kelly: "We pivoted to Hooks as soon as we heard it was in alpha... the fact that it's AWS managed and supported has just been a killer feature for enterprise security."
A significant portion of the discussion centers on how GoDaddy maintains security without stifling developer innovation. James explains their strategy to allow exceptions at the account level, providing necessary flexibility:
[10:13] James Kelly: "We decided that at the account level of granularity, we would allow for any control that we have to have an override and that would be built into the system."
He further elaborates on using AWS Guard for writing granular rules, enhancing both security and adaptability:
[10:43] James Kelly: "We move to AWS Guard for the rules and use the guard hook. So at the end of the day, we're just writing rules and everything else just kind of works."
James highlights the importance of maintaining developer velocity while enforcing security measures. By integrating Hooks with various IaC tools like AWS CDK and Terraform, GoDaddy ensures that developers have the freedom to choose their preferred tools without compromising governance:
[17:07] James Kelly: "We’re giving the flexibility to our developers to say, okay, you can use SAM, you can use whatever tooling you want. We're going to evaluate it with the same rules and it's up to you to choose your own adventure there."
Simon reflects on the cultural shift required within organizations to embrace such flexible yet secure practices:
[18:27] Simon Shuberty: "...providing that great developer ergonomics. If there's one thing I've seen that affects developer productivity, it's the ergonomics of the developer environment."
As the episode progresses, James Kelly offers practical advice for organizations looking to adopt CloudFormation Hooks. He emphasizes starting with pre-built hooks and leveraging AWS’s comprehensive documentation:
[20:02] James Kelly: "I would recommend starting with the pre-built Guard hook... pairing it with a managed rule set from the AWS Guard rule registry."
He also touches on the integration of Lambda hooks for more advanced use cases, simplifying the process of authoring custom logic:
[21:11] James Kelly: "The pre-built Lambda hook... it's just going to work. If you want to do something crazy like make a real-time API call... it absolutely could do that."
Addressing potential vulnerabilities, James provides strategies to prevent bypassing governance through direct API calls or region-specific deployments:
[22:25] James Kelly: "Hooks themselves are deployed per region... We use IAM conditions to ensure that API calls must originate from CloudFormation or Cloud Control API and are made within regions that have hooks configured."
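The two IAM condition keys James describes, aws:CalledVia and aws:RequestedRegion, fit together in a single permission statement. The policy below is an added example written for this summary; it is not GoDaddy's policy and not code from the podcast. It assumes a hypothetical set of S3 bucket actions as the governed operations and two placeholder regions (us-east-1 and us-west-2) standing in for wherever the hook is actually deployed; both are illustrative choices, not values from the episode.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGovernedS3ChangesOnlyViaCloudFormationInHookRegions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        },
        "StringEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
        }
      }
    }
  ]
}
```

aws:CalledVia is a multivalued key (it lists every service in the call chain), so it takes the ForAnyValue set operator; aws:RequestedRegion is single-valued and uses a plain StringEquals against the region list. A direct call such as a CLI CreateBucket carries no aws:CalledVia value, so the statement does not match and the call falls through to the default deny; a CloudFormation or Cloud Control API deployment in a region missing from the list is rejected the same way. Two things to check when adapting this: the region list must be updated in lockstep with every new hook deployment, and no other policy attached to the same identity may grant these actions without the conditions, since any unconditional Allow would reopen the direct-API path.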
Stella He shares observations on how customers typically adopt Hooks, often starting in a monitoring phase before enforcing strict controls:
[23:58] Stella He: "They implement it across their organization... they put this in a warm mode where they will still allow the resources to be provisioned. After a while, they will flip the hooks into fail mode."
Simon concurs, noting the importance of a phased approach to avoid disruption:
[24:57] Stella He: "This is helpful for those who want to test it out and see what's the impact for the organization before moving forward to more governed deployments."
In closing, the hosts reiterate the significance of utilizing CloudFormation Hooks for effective cloud governance. James Kelly encourages listeners to explore AWS's updated console and leverage pre-built hooks to streamline their own implementations:
[20:02] James Kelly: "AWS console... we recommend starting with the pre-built Guard hook."
Simon Shuberty wraps up by emphasizing the benefits of integrating Hooks into IaC practices, encouraging developers and security teams alike to adopt these proactive measures:
[25:06] Simon Shuberty: "If you're using CloudFormation, then you should be using Hooks."
Proactive Governance: CloudFormation Hooks allow organizations to enforce security and compliance policies before resources are deployed, shifting security left in the development process.
Flexibility and Developer Velocity: By allowing exceptions at the account level and supporting multiple IaC tools, Hooks maintain security without hindering developer innovation.
AWS Integration and Support: Leveraging AWS-managed Hooks simplifies implementation and ensures reliability, as demonstrated by GoDaddy’s successful adoption.
Practical Implementation: Starting with pre-built hooks and utilizing AWS Guard can accelerate the adoption process and provide a robust foundation for custom governance.
Preventing Bypass: Proper IAM configurations are essential to ensure that all resource provisioning goes through the governance checks provided by Hooks.
For organizations looking to enhance their cloud infrastructure management, Episode #720 of the AWS Podcast offers valuable insights into leveraging CloudFormation Hooks to achieve a balanced approach to security and flexibility.