Dome9 recently announced an exciting new capability in our industry-leading public cloud security platform. The Dome9 Compliance Engine now offers support for automated security and compliance assessments of AWS CloudFormation templates (CFT). Our customers can test the security and compliance posture of their infrastructure templates and proactively harden security before deploying software-defined infrastructure in live AWS environments.

This feature is a real game changer for building security into DevOps workflows. Get ready to save plenty of time, effort and, of course, money!

How it works

The Dome9 Compliance Engine is an automation framework for assessing public cloud environments for compliance against industry standards such as PCI DSS and HIPAA as well as security best practices such as CIS AWS Foundations Benchmark. The results of compliance assessments are available as an intuitive visual report, a printable compliance report, or a JSON result.

With this announcement, DevOps and security teams can run compliance assessments against CloudFormation Templates (CFTs). They can upload the CFT using the Dome9 console, or pass the CFT as a parameter to an API call, and check whether it meets their compliance and governance requirements before the CFT is deployed to a live environment.

The Compliance Engine takes care of resolving CFT parameter values and intrinsic functions, effectively simulating the deployment of the CFT. No need to deploy the CFT in a live environment or install anything to test compliance. Because compliance checks can be triggered programmatically, they can be built into DevOps workflows, gating the CI/CD pipeline.
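The assessment flow described above (resolve parameter defaults and intrinsic functions, then run security rules over the concrete resource values, then return a JSON result and a pass/fail exit code that can gate a pipeline) can be sketched as a small stand-alone checker. The example below is added here for illustration and is not Dome9's code or its API; the template, the two rules and the `assess`/`resolve` function names are all constructed for this post.

```python
"""Toy CloudFormation template compliance check (added example, not Dome9 code).

Resolves parameter defaults and a subset of intrinsic functions (Ref, Fn::Join,
Fn::Sub, Fn::Select) so that rules see concrete values, then runs two security
rules. The template and the rules are constructed for illustration only.
"""
import json
import re
import sys

# Constructed sample template (JSON form of a CFT); not a real customer template.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "AdminCidr": {"Type": "String", "Default": "0.0.0.0/0"},
        "SshPort": {"Type": "Number", "Default": 22},
        "Env": {"Type": "String", "Default": "prod"},
    },
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": {"Fn::Sub": "web sg for ${Env}"},
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": {"Ref": "SshPort"},
                     "ToPort": {"Ref": "SshPort"}, "CidrIp": {"Ref": "AdminCidr"}},
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": {"Fn::Join": ["-", ["logs", {"Ref": "Env"}]]}},
        },
    },
}


def resolve(node, params):
    """Recursively replace Ref / Fn::Join / Fn::Sub / Fn::Select with concrete values."""
    if isinstance(node, list):
        return [resolve(n, params) for n in node]
    if not isinstance(node, dict):
        return node
    if len(node) == 1:
        (key, arg), = node.items()
        if key == "Ref":
            # Parameters resolve to their value; refs to resources or pseudo-params stay as-is.
            return params.get(arg, node)
        if key == "Fn::Join":
            sep, parts = arg
            return sep.join(str(resolve(p, params)) for p in parts)
        if key == "Fn::Sub":
            text, extra = (arg, {}) if isinstance(arg, str) else (arg[0], resolve(arg[1], params))
            local = {**params, **extra}
            return re.sub(r"\$\{(\w+)\}", lambda m: str(local.get(m.group(1), m.group(0))), text)
        if key == "Fn::Select":
            idx, items = arg
            return resolve(items, params)[int(idx)]
    return {k: resolve(v, params) for k, v in node.items()}


def rule_open_ssh(logical_id, resource):
    """Flag security group ingress that exposes port 22 to the whole internet."""
    if resource.get("Type") != "AWS::EC2::SecurityGroup":
        return []
    findings = []
    for rule in resource.get("Properties", {}).get("SecurityGroupIngress", []):
        lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 0))
        if rule.get("CidrIp") == "0.0.0.0/0" and lo <= 22 <= hi:
            findings.append(f"{logical_id}: SSH (22) open to 0.0.0.0/0")
    return findings


def rule_bucket_encryption(logical_id, resource):
    """Flag S3 buckets declared without server-side encryption configuration."""
    if resource.get("Type") != "AWS::S3::Bucket":
        return []
    if "BucketEncryption" not in resource.get("Properties", {}):
        return [f"{logical_id}: S3 bucket has no BucketEncryption configured"]
    return []


RULES = [rule_open_ssh, rule_bucket_encryption]


def assess(template, overrides=None):
    """Simulate the deployment (parameter defaults + optional overrides) and run all rules."""
    params = {n: p.get("Default") for n, p in template.get("Parameters", {}).items()}
    params.update(overrides or {})
    resources = resolve(template.get("Resources", {}), params)
    findings = []
    for logical_id, resource in resources.items():
        for rule in RULES:
            findings.extend(rule(logical_id, resource))
    return findings


if __name__ == "__main__":
    # Usage: python cft_check.py [template.json]; exits non-zero when findings exist,
    # which is what lets a CI/CD stage fail the build before anything is deployed.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    template = json.load(open(path)) if path else SAMPLE_TEMPLATE
    results = assess(template)
    print(json.dumps({"findings": results}, indent=2))
    sys.exit(1 if results else 0)
```

Two points worth noting in the design: the rules run only after resolution, so an ingress rule whose CIDR is a `Ref` to a parameter defaulting to `0.0.0.0/0` is still caught, and passing `overrides` lets the same template be assessed with the parameter values a given pipeline stage would actually supply.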

Why is this important?

Infrastructure as Code allows operations teams to manage and provision infrastructure for workloads using machine-readable blueprints rather than through manual configuration. Tools such as AWS CloudFormation templates free infrastructure operations from the constraints of physical hardware and manual operations work, allowing infrastructure to be controlled more flexibly, as software. What this gives you and your team more than anything is speed and consistency. Or, as one InfoWorld story puts it:

“A dedicated team of DevOps resources can be most effective in this area as Infrastructure as Code continues to gain widespread adoption. Imagine for a moment that instead of troubleshooting failures, you can simply re-provision to a previously certified configuration. Not only are you proving your ability to respond in the face of a disaster, but you may even benefit from automating your infrastructure builds, where applicable, by re-purposing valuable time and resources for other important work.”

DevOps teams deploying to the public cloud now routinely build CFTs based on their applications’ infrastructure needs. Checking the security posture of these CFTs is a slow, manual, error-prone process that requires extensive back and forth between ops and security.

While there has been a lot of talk about the need for building security into DevOps (Gartner calls this DevSecOps), much of the focus has been on application security tools such as static and dynamic code analysis. This is a gap that needs addressing.

By adding CFT support to its Compliance Engine, Dome9 gives you the ability to speed up infrastructure security for DevOps and reduce incident risk with automated checking. In short, using this platform, a single engineer can accomplish in a few clicks what it used to take full security teams hours, days or even weeks to accomplish.

This is a great time to be in the cloud space, and an even better time to get ahead by adopting approaches like IaC and the products that support them, such as Dome9.

Take it for a spin

The writing’s on the wall. It is clear that infrastructure-as-code will become an indispensable tool in the DevOps arsenal for consistent and fast infrastructure deployment. According to the 2017 State of DevOps report from Puppet, organizations that incorporate security and quality early and often in the development process spend 50 percent less time remediating security issues.

Security and compliance management in DevOps needs to take infrastructure into account, and the Dome9 Compliance Engine allows you to do just that.

If you would like to try out this new capability, drop us a note at for early access. If you are a current Dome9 customer, you can send us a message from within the platform to enable CFT checking.