Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News AWS Open-Sources CloudFormation Compliance Analyzer

AWS Open-Sources CloudFormation Compliance Analyzer

This item in japanese

AWS has announced the preview release of CloudFormation Guard, an open-source CLI tool to enforce compliance policies against CloudFormation templates. CloudFormation Guard provides a lightweight, declarative syntax for defining rules. It supports lists, wildcards, regex and declaration of variables, and can work with CloudFormation intrinsic functions.

CloudFormation Guard can be used to create rules to minimize risks such as overspending, security vulnerabilities, or legal issues. As an example, rules could be created to ensure S3 buckets are encrypted by default or prevent the usage of particular availability zones. The tool can be run locally while editing templates or it can be integrated into a pipeline as part of a CI or CD run. If any resources within the template fail the rules, CloudFormation Guard will provide error messages to help identify non-compliant resources. This is similar to other compliance tools such as the open-source CFRipper and TrendMicro's Conformity.

Included with the release is a second CLI tool called CloudFormation Guard Rulegen. This tool can automatically generate CloudFormation Guard rules from existing CloudFormation Templates. The output from this can be sorted and piped into a file for editing and extracting the desired rule sets.

The most basic rule takes the form <CloudFormation Resource Type> <Property> == <Value>. For example, to confirm that a particular instance type is used, the rule would lool like: AWS::EC2::Instance InstanceType == t3.medium. Fields nested within CloudFront resource properties can be addressed using dot notation. For example, the following rule: AWS::IAM::Role AssumeRolePolicyDocument.Statement.0.Principal.Service.0 == would match this CloudFormation template's Resource section:

    Type: 'AWS::IAM::Role'
          - Effect: Allow

CloudFormation Guard supports operators for equality (==), inequality (!=), list inclusion (IN), and list exclusion (NOT_IN). Within a rule set, each rule is implicitly AND'd to every other rule, however there is an explicit OR operator available.

There is also support for creating variables using a LET syntax and environment variables using a Makefile-style notation (). Environment variables can then be passed in via the command line using a variable set.

Wildcards can be used to refer to list items. They work as a preprocessor macro that reads both the rules file and the template to expand the wildcards into lists of rules that match the length in the template. Rules can also be matched against regular expressions using the Rust Regex syntax.

AWS CloudFormation Guard and Guard Rulegen are both open-source and available via GitHub. The AWS CloudFormation team is looking for feedback and contributions on the preview release.

Rate this Article