The cfn-nag (https://github.com/stelligent/cfn_nag) tool looks for patterns in AWS CloudFormation templates that may indicate insecure infrastructure. Roughly speaking, it will look for the following:
- IAM rules that are too permissive (wildcards)
- Security group rules that are too permissive (wildcards)
- Access logs that aren't enabled
- Encryption that isn't enabled
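As an added illustration (not cfn-nag's own code, which is a Ruby tool), the following Python pass implements a simplified version of one check from each of the four families above and runs it over a constructed template; the resource names and the hardened bucket are assumptions made for the example.

```python
def as_list(value):
    # CloudFormation allows scalar-or-list in many fields; normalise to a list.
    return value if isinstance(value, list) else [value]

def check_template(template):
    """Simplified versions of the four check families named above.
    Returns (logical_id, message) pairs; an empty list means nothing flagged."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype.startswith("AWS::IAM::"):
            # Inline policies on roles/users/groups plus standalone AWS::IAM::Policy
            docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
            if "PolicyDocument" in props:
                docs.append(props["PolicyDocument"])
            for stmt in (s for d in docs for s in as_list(d.get("Statement", []))):
                wild_action = any(a == "*" or a.endswith(":*")
                                  for a in as_list(stmt.get("Action", [])))
                wild_resource = "*" in as_list(stmt.get("Resource", []))
                if stmt.get("Effect") == "Allow" and (wild_action or wild_resource):
                    findings.append((name, "IAM Allow statement uses a wildcard Action or Resource"))
        elif rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                    findings.append((name, "security group ingress open to the world"))
        elif rtype == "AWS::S3::Bucket":
            if "LoggingConfiguration" not in props:
                findings.append((name, "S3 bucket has no access logging"))
            if "BucketEncryption" not in props:
                findings.append((name, "S3 bucket has no default encryption"))
    return findings

# Constructed sample template (not from cfn-nag's own test suite) with one
# instance of each pattern, plus a hardened bucket that should pass cleanly.
SAMPLE_TEMPLATE = {"Resources": {
    "AdminRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
        {"PolicyName": "all", "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
    "OpenSsh": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
                                  "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "PlainBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "HardenedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
        "LoggingConfiguration": {"DestinationBucketName": "my-log-bucket"}}},
}}

if __name__ == "__main__":
    for logical_id, msg in check_template(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {msg}")
```

The real tool covers far more resource types and rule variants; this is only enough to see how each pattern family maps onto template properties.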