What is AWS CloudFormation Guard?

AWS CloudFormation Guard is an open-source, general-purpose, policy-as-code evaluation tool. The Guard command line interface (CLI) provides a simple-to-use, yet powerful and expressive, declarative domain-specific language (DSL) that you can use to express policy as code. In addition, you can use CLI commands to validate structured hierarchical JSON or YAML data against those rules. Guard also provides a built-in unit testing framework to verify that your rules work as intended.

Guard doesn't validate CloudFormation templates for valid syntax or allowed property values. You can use the cfn-lint tool to perform a thorough inspection of template structure.

For detailed information about AWS CloudFormation Guard development, refer to the Guard GitHub repository

Note

The latest version of Guard (version 3.0.0) uses Guard 2 rules syntax. Rules written with Guard 1 rules syntax are incompatible with Guard version 2.0 and later. Guard 1 rules can be migrated to Guard 2 rules syntax with the migrate command that is available in Guard 2.1.4. For more information, refer to Migrating Guard 1 rules to Guard 2 and later.

Are you a first-time Guard user?

If you're a first-time user of Guard, we recommend that you begin by reading the following sections:

• Setting up Guard – This section describes how to install Guard. With Guard, you can write policy rules using the Guard DSL and validate your JSON- or YAML-formatted structured data against those rules.

• Writing Guard rules – This section provides detailed walkthroughs for writing policy rules.

• Testing Guard rules – This section provides a detailed walkthrough for testing your rules to verify that they work as intended, and validating your JSON- or YAML-formatted structured data against your rules.

• Validating input data against Guard rules – This section provides a detailed walkthrough for validating your JSON- or YAML-formatted structured data against your rules.

• Guard CLI reference – This section describes the commands that are available in the Guard CLI.

Features of Guard

Using Guard, you can write policy rules to validate any JSON- or YAML-formatted structured data against, including but not limited to AWS CloudFormation templates. Guard supports the entire spectrum of end-to-end evaluation of policy checks. Rules are useful in the following business domains:

• Preventative governance and compliance (shift-left testing) – Validate infrastructure as code (IaC) or infrastructure and service compositions against policy rules that represent your organizational best practices for security and compliance. For example, you can validate CloudFormation templates, CloudFormation change sets, JSON-based Terraform configuration files, or Kubernetes configurations.

• Detective governance and compliance – Validate conformity of Configuration Management Database (CMDB) resources such as AWS Config-based configuration items (CIs). For example, developers can use Guard policies against AWS Config CIs to continuously monitor the state of deployed AWS and non-AWS resources, detect violations from policies, and start remediation.

• Deployment safety – Ensure that changes are safe before deployment. For example, validate CloudFormation change sets against policy rules to prevent changes that result in resource replacement, such as renaming an Amazon DynamoDB table.

Accessing Guard

To access the Guard DSL and commands, you must install the Guard CLI. For information about installing the Guard CLI, see Setting up Guard.

Best practices

When you use Guard version 2.0 or later, be aware of the following best practices:

• Migrating Guard 1 rules to Guard 2 and later.

• Write simple rules, and use named rules to reference them in other rules. Complex rules can be difficult to maintain and test.