Achieving organisation-scoped AWS Config compliance using Cloudformation Lambda Hooks

Overview AWS Cloudformation Hooks is an existing AWS feature that helps ensure compliance of AWS resources when being created or updated in accounts as Infrastructure as Code (IaC) via Cloudformation or CDK , against an organization’s defined standards. Examples of such checks can include ensuring that RDS, S3 or other data storage resources are configured with at-rest encryption, that log groups have retention policies, EC2 instances are not publicly-exposed etc. These rules typically strongly-align with and promote AWS Well-Architected best practices. AWS first introduced the ability to create custom Cloudformation hooks in 2022, using Java or Python code to allow organizations to also define their own rules. Implementation required the following steps: i. Initialising an AWS Cloudformation Hooks project using the Cloudformation CLI. ii. Implementing the hook’s handler logic to evaluate compliance of resources included within Cloudformation stacks. iii. Packaging and registering the