AWS releases CloudFormation Guard compliance tool


AWS has launched its new CloudFormation Guard compliance tool. The new service helps enterprises keep their AWS infrastructure and application resources in compliance.

Amazon Web Services has released CloudFormation Guard, an open-source command line interface (CLI) designed to help AWS admins maintain compliance with their company policy guidelines.

The company announced the new product as a preview in June and has made CloudFormation Guard generally available as of October 1st.

The command-line tool itself is named “cfn-guard” and is available on GitHub.

A simple “policy-as-code” language

CloudFormation Guard provides compliance administrators with a simple, policy-as-code language to define rules. It can check for both required and prohibited resource configurations. Cfn-guard enables developers to validate their CloudFormation templates against those rules.

According to Amazon, CloudFormation Guard helps enterprises minimize risks related to overspending on operating costs, security vulnerabilities, legal issues, and more. For example, administrators can create rules to ensure that developers always create encrypted Amazon S3 buckets. CloudFormation Guard has a lightweight, declarative syntax that allows administrators to define rules quickly without needing to learn a programming language, according to the press release.

Developers can use cfn-guard either locally while editing templates or automatically as part of a CI/CD pipeline to stop deployment of non-compliant resources. If resources in the template fail the rules, cfn-guard provides developers with information that helps identify the non-compliant resources.
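To make the idea of required and prohibited resource configurations concrete, here is an added illustration (not cfn-guard's own engine or rule syntax): a small rule evaluator run over a constructed CloudFormation template, flagging each non-compliant resource by its logical ID the way a CI/CD gate would. The rule tuple format, the sample template and the `check`/`resolve` helpers are all assumptions made for this example.

```python
"""Toy policy-as-code checker in the spirit of cfn-guard.
This is an illustration only, not cfn-guard's engine or rule syntax.
A rule names a resource type, a dotted property path ("*" matches any
list element or map key), an operator ("==" required, "!=" prohibited)
and an expected value. Every resource of that type must satisfy it."""
import json

# Constructed sample template: one encrypted bucket, one bucket with no
# encryption block at all, and an EBS volume with encryption turned off.
SAMPLE_TEMPLATE = json.loads("""{
 "Resources": {
  "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
    "ServerSideEncryptionConfiguration": [
      {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
  "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "DataVolume": {"Type": "AWS::EC2::Volume",
                 "Properties": {"Size": 100, "Encrypted": false}}
 }}""")

# Rules (assumed format): (resource type, property path, operator, expected)
RULES = [
    ("AWS::S3::Bucket",
     "BucketEncryption.ServerSideEncryptionConfiguration.*"
     ".ServerSideEncryptionByDefault.SSEAlgorithm", "==", "AES256"),
    ("AWS::EC2::Volume", "Encrypted", "==", True),
]

def resolve(node, path):
    """Return every value reachable from node along the dotted path."""
    if not path:
        return [node]
    head, _, rest = path.partition(".")
    if head == "*":
        children = (node if isinstance(node, list)
                    else list(node.values()) if isinstance(node, dict) else [])
    else:
        children = [node[head]] if isinstance(node, dict) and head in node else []
    return [v for child in children for v in resolve(child, rest)]

def check(template, rules):
    """Return (logical_id, rule_path) for every non-compliant resource.
    A missing property fails a required ("==") rule, so a required setting
    cannot be dodged by omitting it; it satisfies a prohibited ("!=") rule."""
    failures = []
    for logical_id, res in template["Resources"].items():
        for rtype, path, op, expected in rules:
            if res.get("Type") != rtype:
                continue
            values = resolve(res.get("Properties", {}), path)
            ok = (all(v != expected for v in values) if op == "!="
                  else bool(values) and all(v == expected for v in values))
            if not ok:
                failures.append((logical_id, path))
    return failures
```

In a pipeline the non-empty result would fail the build; in the sample it names BadBucket and DataVolume while GoodBucket passes.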

Improvements since the June preview

The version of CloudFormation Guard that AWS has made generally available boasts several improvements over the initial preview version. Administrators can now create a broader variety of rules for tasks as fine-grained as controlling how a cloud instance is updated and deleted.

Administrators can also leverage a second open-source CLI to extract rules from existing compliant CloudFormation templates. With this CLI (cfn-guard-rulegen), administrators don’t have to create rules from scratch, which speeds up the rule-authoring process.

The AWS CloudFormation team welcomes feedback on the preview of AWS CloudFormation Guard and contributions to the open-source project.