Introducing AWS CloudFormation Guard (Preview) – a new open-source CLI for infrastructure compliance

Posted on: Jun 16, 2020

Update as of Oct 1, 2020: AWS CloudFormation Guard is now generally available.

AWS CloudFormation announces the preview of AWS CloudFormation Guard (cfn-guard), an open-source command line interface (CLI) that helps enterprises keep their AWS infrastructure and application resources in compliance with their company policy guidelines. Cfn-guard provides compliance administrators with a simple, policy-as-code language to define rules that can check for both required and prohibited resource configurations. It enables developers to validate their CloudFormation templates against those rules.

Cfn-guard helps enterprises minimize risks related to overspending on operating costs, security vulnerabilities, legal issues, and more. For example, administrators can create rules to ensure that developers always create encrypted Amazon S3 buckets. Cfn-guard has a lightweight, declarative syntax that allows administrators to define rules quickly without needing to learn a programming language.  

Administrators can also leverage a second open-source CLI called cfn-guard-rulegen to extract rules from existing compliant CloudFormation templates. With cfn-guard-rulegen, administrators don’t have to create rules from scratch, which speeds up the rule-authoring process. The rules become a consistent record of compliant resource configurations that administrators can check into a source control system such as GitHub to share across teams.

Developers can use cfn-guard either locally while editing templates or automatically as part of a CI/CD pipeline to stop deployment of non-compliant resources. If resources in the template fail the rules, cfn-guard provides developers with information to help identify the non-compliant resources.
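To make concrete what a rule such as "S3 buckets must be encrypted" actually checks in a template, and the kind of per-resource finding a pipeline gate would report, here is an added illustration in Python. It is not cfn-guard's own code or rule syntax; the template, the logical IDs and the allowed-algorithm list are constructed for the example.

```python
"""Added example (not cfn-guard's own code): a minimal policy-as-code check
requiring every AWS::S3::Bucket in a CloudFormation template to declare
default server-side encryption, reporting each non-compliant resource."""
import json

# Constructed sample template: one compliant bucket, one unencrypted bucket,
# and a non-S3 resource that the rule must ignore.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
                    ]
                }
            },
        },
        "UploadsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {}},
    }
})

# Algorithms this example's rule accepts as "encrypted" (assumed policy).
ALLOWED_ALGORITHMS = {"AES256", "aws:kms"}


def bucket_encryption_algorithms(properties):
    """Return the set of SSEAlgorithm values declared under BucketEncryption."""
    rules = (properties.get("BucketEncryption", {})
             .get("ServerSideEncryptionConfiguration", []))
    return {r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}


def check_s3_encryption(template_text):
    """Return a list of (logical_id, reason) for every non-compliant S3 bucket."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::S3::Bucket":
            continue  # the rule applies to S3 buckets only
        algorithms = bucket_encryption_algorithms(resource.get("Properties", {}))
        if not algorithms:
            findings.append((logical_id, "BucketEncryption not configured"))
        elif not algorithms <= ALLOWED_ALGORITHMS:
            findings.append((logical_id, f"unexpected SSEAlgorithm {sorted(map(str, algorithms))}"))
    return findings


if __name__ == "__main__":
    for logical_id, reason in check_s3_encryption(SAMPLE_TEMPLATE):
        print(f"[FAIL] {logical_id}: {reason}")
```

A CI job would treat a non-empty findings list as a failed gate and print the list so the developer knows which resource to fix.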

The AWS CloudFormation team welcomes feedback on the preview of AWS CloudFormation Guard and contributions to the open-source project. To get started, visit cfn-guard on GitHub.