Tool
CLI
Governance, Risk, and Compliance (GRC)

cloudformation-guard

by aws-cloudformation

1.4K stars
188 forks
42 watchers
Updated 8 months ago
About

AWS CloudFormation Guard is a policy-as-code tool that enables validation of JSON- and YAML-formatted infrastructure configurations against customizable compliance and governance rules.

Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0

Primary Use Case

This tool is primarily used by developers and DevOps teams to enforce security, compliance, and governance best practices by validating Infrastructure-as-Code templates such as CloudFormation, Terraform JSON plans, and Kubernetes configurations before deployment. It helps ensure deployment safety, continuous compliance monitoring, and risk assessment by detecting policy violations early in the development lifecycle.

Key Features
  • Domain-specific language (DSL) for writing expressive policy rules
  • Validation of JSON- and YAML-formatted data including CloudFormation Templates, Terraform plans, and Kubernetes configs
  • Support for stateful rules with built-in functions
  • Integration with CI/CD pipelines for deployment safety checks
  • Advanced regular expression support and intrinsic function handling
  • Output in JSON/YAML parseable formats for automation
  • Support for AWS Config-based continuous compliance monitoring
  • Backward compatibility migration tools from Guard 1.0 to 2.x+

Installation

  • Download the latest release artifacts from the GitHub releases page
  • Use the Guard CLI or integrate via SAM CLI for cfn-guard-lambda deployment
  • Optionally use Guard as a Docker image or GitHub Action for automation
  • Run the migrate command to update legacy Guard 1.0 rules to the latest grammar

Usage

guard validate <template-file> --rules <rules-file>

Validates a JSON or YAML template file against the specified Guard policy rules.

guard test <test-file>

Runs tests on Guard rules, supporting intrinsic function handling and advanced regex.

guard migrate <old-rules-file>

Migrates Guard 1.0 rules to the updated 2.x+ grammar.

guard validate --structured

Outputs validation results in a JSON or YAML parseable format for automation.

Security Frameworks
Reconnaissance
Defense Evasion
Persistence
Discovery
Impact
Usage Insights
  • Integrate Guard policies into CI/CD pipelines for automated pre-deployment compliance checks to prevent misconfigurations.
  • Leverage Guard's stateful rules to detect drift in live infrastructure configurations for continuous compliance monitoring.
  • Use Guard to enforce organizational security baselines across multi-cloud and hybrid environments by validating Terraform, Kubernetes, and CloudFormation templates.
  • Combine Guard with AWS Config rules for real-time detection and automated remediation of policy violations.
  • Develop custom Guard policies to simulate attack surface reduction techniques during purple team exercises.


Security Profile
Red Team: 30%
Blue Team: 90%
Purple Team: 70%
Details
License: Apache License 2.0
Language: Rust
Open Issues: 229
Topics
policy-as-code
cloudformation
terraform
k8s
policy-rule-evaluation
governance
security
compliance
cfn-guard