AWS CloudFormation Guard's Modes of Operation

AWS CloudFormation Guard is an open-source general-purpose policy-as-code evaluation tool. It provides developers with a simple-to-use, yet powerful and expressive domain-specific language (DSL) to define policies and enables developers to validate JSON- or YAML- formatted structured data with those policies.

As an example of how to use AWS CloudFormation Guard (cfn-guard), given a CloudFormation template (template.json):

json { "Resources": { "NewVolume": { "Type": "AWS::EC2::Volume", "Properties": { "Size": 500, "Encrypted": false, "AvailabilityZone": "us-west-2b" } }, "NewVolume2": { "Type": "AWS::EC2::Volume", "Properties": { "Size": 100, "Encrypted": false, "AvailabilityZone": "us-west-2c" } } }, "Parameters": { "InstanceName": "NewInstance" } }

And a rules file (rules.guard):

```

Create a variable named 'awsec2volume_resources' that selects all resources of type "AWS::EC2::Volume"

in the input resource template

let awsec2volume_resources = Resources.*[ Type == 'AWS::EC2::Volume' ]

Create a rule named awstemplateparameters for validation in the "Parameters" section of the template

rule awstemplateparameters { Parameters.InstanceName == "TestInstance" }

Create a rule named awsec2volume that filters on "AWS::EC2::Volume" type being present in the template

rule awsec2volume when %awsec2volumeresources !empty { %awsec2volumeresources.Properties.Encrypted == true %awsec2volumeresources.Properties.Size IN [50, 500] %awsec2volumeresources.Properties.AvailabilityZone IN ["us-west-2c", "us-west-2b"] } ```

You can check the compliance of template.json with rules.guard:

bash $ ./cfn-guard validate --data template.json --rules rules.guard _Summary Report_ Overall File Status = FAIL PASS/SKIP rules FAILED rules aws_template_parameters FAIL aws_ec2_volume FAIL

We designed cfn-guard to be plugged into your build processes.

If CloudFormation Guard validates the templates successfully, it gives you an exit status ($? in bash) of 0. If CloudFormation Guard identifies a rule violation, it gives you a status report of the rules that failed. Use the verbose flag -v to see the detailed evaluation tree that shows how CloudFormation Guard evaluated each rule.

Modes of Operation

cfn-guard has five modes of operation:

Validate

validate (like the example above) validates data against rules.

````bash Usage: cfn-guard validate [OPTIONS] <--rules [...]|--payload>

Options: -r, --rules [...] Provide a rules file or a directory of rules files. Supports passing multiple values by using this option repeatedly. Example: --rules rule1.guard --rules ./rules-dir1 --rules rule2.guard For directory arguments such as rules-dir1 above, scanning is only supported for files with following extensions: .guard, .ruleset -d, --data [...] Provide a data file or directory of data files in JSON or YAML. Supports passing multiple values by using this option repeatedly. Example: --data template1.yaml --data ./data-dir1 --data template2.yaml For directory arguments such as data-dir1 above, scanning is only supported for files with following extensions: .yaml, .yml, .json, .jsn, .template -i, --input-parameters [...] Provide a data file or directory of data files in JSON or YAML that specifies any additional parameters to use along with data files to be used as a combined context. All the parameter files passed as input get merged and this combined context is again merged with each file passed as an argument for data. Due to this, every file is expected to contain mutually exclusive properties, without any overlap. Supports passing multiple values by using this option repeatedly. Example: --input-parameters param1.yaml --input-parameters ./param-dir1 --input-parameters param2.yaml For directory arguments such as param-dir1 above, scanning is only supported for files with following extensions: .yaml, .yml, .json, .jsn, .template -t, --type Specify the type of data file used for improved messaging - ex: CFNTemplate [possible values: CFNTemplate] -o, --output-format Specify the format in which the output should be displayed [default: single-line-summary] [possible values: json, yaml, single-line-summary] -S, --show-summary Controls if the summary table needs to be displayed. --show-summary fail (default) or --show-summary pass,fail (only show rules that did pass/fail) or --show-summary none (to turn it off) or --show-summary all (to show all the rules that pass, fail or skip) [default: fail] [possible values: none, all, pass, fail, skip] -s, --show-clause-failures Show clause failure along with summary -a, --alphabetical Validate files in a directory ordered alphabetically -m, --last-modified Validate files in a directory ordered by last modified times -v, --verbose Verbose logging -p, --print-json Print output in json format -P, --payload Provide rules and data in the following JSON format via STDIN, {"rules":["", "", ...], "data":["", "", ...]}, where, - "rules" takes a list of string version of rules files as its value and - "data" takes a list of string version of data files as it value. When --payload is specified --rules and --data cannot be specified. -z, --structured Print out a list of structured and valid JSON/YAML. This argument conflicts with the following arguments: verbose print-json show-summary: all/fail/pass/skip output-format: single-line-summary -h, --help Print help ```

Rulegen

rulegen takes a JSON- or YAML-formatted CloudFormation template file and autogenerates a set of cfn-guard rules that match the properties of its resources. This is a useful way to get started with rule-writing or just create ready-to-use rules from known-good templates.

```bash cfn-guard-rulegen Autogenerate rules from an existing JSON- or YAML- formatted data. (Currently works with only CloudFormation templates)

USAGE: cfn-guard rulegen [OPTIONS] --template