AWS CloudFormation Guard

A policy-as-code evaluation tool for ensuring compliance and governance in AWS CloudFormation templates.

AWS Open Source Self Hosted Only
Category Compliance & Governance
Community Stars 1309
Last Commit 1 month ago
Last page update 19 days ago
Pricing Details Free and open-source.
Target Audience Developers and DevOps teams working with AWS CloudFormation and infrastructure as code.

AWS CloudFormation Guard helps ensure compliance and governance in infrastructure as code (IaC) deployments, particularly for AWS CloudFormation templates. This open-source, policy-as-code evaluation tool provides a declarative domain-specific language (DSL) that allows developers to express policy rules in a simple and powerful way.

The technical architecture of CloudFormation Guard revolves around its command-line interface (CLI) and the DSL it uses. The DSL enables the creation of rules to validate structured hierarchical JSON or YAML data, including but not limited to CloudFormation templates, Terraform configurations, and Kubernetes manifests. These rules can be used for preventative governance, detective governance, and deployment safety, ensuring that infrastructure configurations comply with organizational best practices for security, compliance, and operational standards.

Operationally, CloudFormation Guard integrates with GitHub Actions, allowing automated compliance checks during the CI/CD pipeline. This integration does not require credentials, as it performs static analysis of the templates against predefined rules. The tool also supports unit testing of these rules to ensure they function as intended.

Key operational considerations include keeping rules simple and named for ease of maintenance and testing. Complex rules can be challenging to manage and may lead to increased testing overhead. Additionally, while CloudFormation Guard does not itself provide server-side enforcement, it can be used in conjunction with CloudFormation Hooks to proactively enforce policies before resource creation, update, or deletion operations.

Technically, the tool supports the validation of JSON or YAML-formatted data against policy rules, with the ability to query key/value pairs in AWS Config Configuration Items. However, it has limitations, such as only being able to query specific key/value pairs in the given JSON records. The DSL syntax allows for the declaration of variables and the creation of rules with conditional statements, making it versatile for various compliance scenarios.
