Last month AWS released CloudFormation Guard, a neat little CLI tool for checking CloudFormation templates against rules or policies. The full AWS release announcement has the details.
Let's take a closer look at why we should care about CloudFormation Guard (cfn-guard).
First, let's think about the problem AWS are trying to solve with this release. When you create Infrastructure as Code (IaC) you define your stack as code and deploy it into AWS, which is great. But what if your configuration is missing something, like volume or bucket encryption, or only allows specific availability zones? This is where cfn-guard comes in: it lets you write a config file with a list of rules and check the template against them before it's deployed into your account. This is key, and it is really where cfn-guard shines.
Cfn-guard rules live in a config file, and that config file uses a firewall-like syntax to construct your rules or policy. You can build a policy that covers everything you need (encryption, authentication, regions, and so on), and you start to see why enterprise customers might like this approach. The policies can live in your code repository and be checked on each deployment.
The CloudFormation team have clearly designed cfn-guard to be used with CI/CD and automation: the tool itself supports the basic exit codes (0/2) and suppression for those who care a little less about the rules than others.
The tool needs to be installed and is supported on Mac, Linux and Windows. The team have published it to popular package repos to ease installation, which gets you up and running in no time.
For the full installation details visit:
It's easy enough to generate rules from an existing template, like so:
cfn-guard rulegen mytemplate.json
The output will be pretty messy, but it gives you a starting point from which you can chop and change the rules as needed. If you want to save the output, just pipe it out to a file.
There aren't many examples at the moment, but there are some; you can find them here:
If you take a look at security_rules.ruleset you get a pretty straightforward example of some of the capabilities cfn-guard has to offer.
I took a first look at this and decided to use one of my previous CDK projects (AppSync WAF), change the type of authentication to APIKEY and remove one of the firewall rules. Then I used cfn-guard to check the synth'd template against my rules, which are:
- Require Cognito authentication
- Require all predefined WAF rules
Cfn-guard worked as expected and notified me in the CLI that two of the rules were not compliant. Neat, so now we can see how this could work with CDK in a CI/CD pipeline as well, failing the deployment at a stage.
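To make that gate concrete, here is an added example (written for this post, not cfn-guard's own code or the author's CDK project): a small Python imitation of the cfn-guard check that applies rules in the simplified shape `<ResourceType> <Property> <op> <value>` to a constructed template in which authentication was switched to API_KEY and one WAF rule was removed. The resource types and property names are real CloudFormation ones; the template, the ruleset and the helper names are constructed for the example.

```python
import json

# Simplified rule shape, imitating cfn-guard's "<ResourceType> <Property> <op> <value>" lines.
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}
# Constructed sample: a synthesized template where authentication was switched to API_KEY
# and one of the two expected WAF rules was removed (not a real project template).
TEMPLATE = json.loads("""{
  "Resources": {
    "Api": {"Type": "AWS::AppSync::GraphQLApi",
            "Properties": {"Name": "demo", "AuthenticationType": "API_KEY"}},
    "Acl": {"Type": "AWS::WAFv2::WebACL",
            "Properties": {"Scope": "REGIONAL",
                           "Rules": [{"Name": "AWSManagedRulesCommonRuleSet", "Priority": 0}]}}
  }
}""")

# Constructed ruleset: the two policies from the post plus one that should pass.
RULES = [
    "AWS::AppSync::GraphQLApi AuthenticationType == AMAZON_COGNITO_USER_POOLS",
    "AWS::WAFv2::WebACL Rules.0.Name == AWSManagedRulesCommonRuleSet",
    "AWS::WAFv2::WebACL Rules.1.Name == AWSManagedRulesKnownBadInputsRuleSet",
]

def lookup(node, dotted):
    """Walk a dotted path such as Rules.1.Name through dicts and lists; None if absent."""
    for part in dotted.split("."):
        if isinstance(node, dict):
            node = node.get(part)
        elif isinstance(node, list) and part.isdigit() and int(part) < len(node):
            node = node[int(part)]
        else:
            return None
    return node

def check_template(template, rules):
    """Apply each rule to every resource of its type (string comparison); one message per violation."""
    failures = []
    for rule in rules:
        rtype, prop, op, expected = rule.split(maxsplit=3)
        for name, res in template.get("Resources", {}).items():
            if res.get("Type") != rtype:
                continue
            actual = lookup(res.get("Properties", {}), prop)
            if not OPS[op](str(actual), expected):
                failures.append(f"[{name}] {rule} (found {actual!r})")
    return failures

def exit_code(failures):
    return 2 if failures else 0  # exit codes as in the post: 0 compliant, 2 non-compliant
```

Run against the constructed template this reports two violations (the API_KEY authentication and the missing second WAF rule) and returns exit code 2, which is what a pipeline stage would key off.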
I have a more detailed walkthrough on my site for those who want more information:
I think this is a good start to policy as code in AWS using CloudFormation. I like that the team have thought about how this integrates into existing dev workflows. There are not many examples at the moment, but the tool is extremely flexible and I suspect the number will grow now that it's gone GA.