Validating input data against AWS CloudFormation Guard rules

You can use the AWS CloudFormation Guard validate command to validate data against Guard rules. For more information about the validate command, including its parameters and options, see validate.

Prerequisites

  • Write Guard rules to validate your input data against. For more information, see Writing Guard rules.

  • Test your rules to ensure that they work as intended. For more information, see Testing Guard rules.

Using the validate command

To validate your input data, such as an AWS CloudFormation template, against your Guard rules, run the Guard validate command. For the --rules parameter, specify the name of a rules file. For the --data parameter, specify the name of the input data file.

cfn-guard validate \
  --rules rules.guard \
  --data template.json

If Guard successfully validates the templates, the validate command returns an exit status of 0 ($? in bash). If Guard identifies a rule violation, the validate command returns a status report of the rules that failed. Use the summary flag (-s all) to see the detailed evaluation tree that shows how Guard evaluated each rule.

template.json Status = FAIL
SKIP rules
rules.guard/aws_apigateway_deployment_checks    SKIP
rules.guard/aws_apigateway_stage_checks         SKIP
rules.guard/aws_dynamodb_table_checks           SKIP
PASS rules
rules.guard/aws_events_rule_checks              PASS
rules.guard/aws_iam_role_checks                 PASS
FAILED rules
rules.guard/aws_ec2_volume_checks               FAIL
rules.guard/mixed_types_checks                  FAIL
---
Evaluation of rules rules.guard against data template.json
--
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] because provided value [false] did not match expected value [true]. Error Message []
Property traversed until [/Resources/vol2/Properties] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] due to retrieval error. Error Message [Attempting to retrieve array index or key from map at path = /Resources/vol2/Properties , Type was not an array/object map, Remaining Query = Size]
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/mixed_types_checks] because provided value [false] did not match expected value [true]. Error Message []
--
Rule [rules.guard/aws_iam_role_checks] is compliant for data [template.json]
Rule [rules.guard/aws_events_rule_checks] is compliant for data [template.json]
--
Rule [rules.guard/aws_apigateway_deployment_checks] is not applicable for data [template.json]
Rule [rules.guard/aws_apigateway_stage_checks] is not applicable for data [template.json]
Rule [rules.guard/aws_dynamodb_table_checks] is not applicable for data [template.json]
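The report above is plain text, which is fine for a terminal but awkward for a pipeline that must decide whether a template may be deployed and record which rules and property paths failed. The following is an added example, not code from the Guard project or from this page: a small Python wrapper that runs the validate command with the flags shown on this page and parses its report into a structured result. The regular expressions are derived from the sample report above; the function names (run_validate, parse_validate_output, failed_rules) are this example's own, and the SAMPLE_REPORT string is the page's report embedded so the parser can be exercised offline.

```python
"""Run `cfn-guard validate` and turn its text report into structured data.

Added example, not part of AWS CloudFormation Guard. The line formats parsed
here are taken from the sample report on this page; run_validate and the
helper names are this example's own.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Header line, e.g. "template.json Status = FAIL"
STATUS_RE = re.compile(r"^(?P<data>\S+) Status = (?P<status>PASS|FAIL|SKIP)$")
# Per-rule summary line, e.g. "rules.guard/aws_iam_role_checks   PASS"
RULE_RE = re.compile(r"^(?P<rule>\S+/\S+)\s+(?P<status>PASS|FAIL|SKIP)$")
# Non-compliant property line, with or without the "traversed until" form that
# Guard prints when a property could not be retrieved
VIOLATION_RE = re.compile(
    r"^Property(?: traversed until)? \[(?P<path>[^\]]+)\] in data \[(?P<data>[^\]]+)\] "
    r"is not compliant with \[(?P<rule>[^\]]+)\]"
)

# Report copied from this page, used as offline sample input
SAMPLE_REPORT = """\
template.json Status = FAIL
SKIP rules
rules.guard/aws_apigateway_deployment_checks    SKIP
rules.guard/aws_apigateway_stage_checks         SKIP
rules.guard/aws_dynamodb_table_checks           SKIP
PASS rules
rules.guard/aws_events_rule_checks              PASS
rules.guard/aws_iam_role_checks                 PASS
FAILED rules
rules.guard/aws_ec2_volume_checks               FAIL
rules.guard/mixed_types_checks                  FAIL
---
Evaluation of rules rules.guard against data template.json
--
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] because provided value [false] did not match expected value [true]. Error Message []
Property traversed until [/Resources/vol2/Properties] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] due to retrieval error. Error Message [Attempting to retrieve array index or key from map at path = /Resources/vol2/Properties , Type was not an array/object map, Remaining Query = Size]
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/mixed_types_checks] because provided value [false] did not match expected value [true]. Error Message []
--
Rule [rules.guard/aws_iam_role_checks] is compliant for data [template.json]
Rule [rules.guard/aws_events_rule_checks] is compliant for data [template.json]
--
Rule [rules.guard/aws_apigateway_deployment_checks] is not applicable for data [template.json]
Rule [rules.guard/aws_apigateway_stage_checks] is not applicable for data [template.json]
Rule [rules.guard/aws_dynamodb_table_checks] is not applicable for data [template.json]
"""


@dataclass
class ValidationResult:
    data_file: str = ""
    status: str = ""                                # value of the "Status =" line
    rules: dict = field(default_factory=dict)       # rule name -> PASS | FAIL | SKIP
    violations: list = field(default_factory=list)  # (rule name, property path) pairs


def parse_validate_output(text: str) -> ValidationResult:
    """Parse the report printed by `cfn-guard validate -s all` for one data file."""
    result = ValidationResult()
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATUS_RE.match(line):
            result.data_file, result.status = m["data"], m["status"]
        elif m := RULE_RE.match(line):
            result.rules[m["rule"]] = m["status"]
        elif m := VIOLATION_RE.match(line):
            result.violations.append((m["rule"], m["path"]))
    return result


def failed_rules(result: ValidationResult) -> list:
    """Rule names reported FAIL, sorted so CI output is stable between runs."""
    return sorted(rule for rule, status in result.rules.items() if status == "FAIL")


def run_validate(rules_path: str, data_path: str, binary: str = "cfn-guard") -> tuple:
    """Invoke the CLI with the flags used on this page and parse its report.

    Returns (exit_status, ValidationResult); exit status 0 means compliant.
    """
    proc = subprocess.run(
        [binary, "validate", "--rules", rules_path, "--data", data_path, "-s", "all"],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode, parse_validate_output(proc.stdout)


if __name__ == "__main__":
    parsed = parse_validate_output(SAMPLE_REPORT)
    print(parsed.data_file, parsed.status, failed_rules(parsed))
    for rule, path in parsed.violations:
        print(f"  {rule}: {path}")
```

In a pipeline, gate on the exit status returned by run_validate and use the parsed violations to annotate the offending template paths in the build log; the parser keeps the retrieval-error case (the "traversed until" line) as a violation, since a property Guard could not read is not one it verified.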

Validating multiple rules against multiple data files

To help maintain rules, you can write rules into multiple files and organize the rules as you want. Then, you can validate multiple rule files against a data file or multiple data files. The validate command can take a directory of files for the --data and --rules options. For example, you can run the following command where /path/to/dataDirectory contains one or more data files and /path/to/ruleDirectory contains one or more rules files.

cfn-guard validate --data /path/to/dataDirectory --rules /path/to/ruleDirectory

For example, you can write rules to check whether various resources defined in multiple CloudFormation templates have the property assignments required to guarantee encryption at rest. For ease of search and maintenance, you can keep the encryption-at-rest rules for each resource type in separate files, called s3_bucket_encryption.guard, ec2_volume_encryption.guard, and rds_dbinstance_encryption.guard, in a directory with the path ~/GuardRules/encryption_at_rest. The CloudFormation templates that you need to validate are in a directory with the path ~/CloudFormation/templates. In this case, run the validate command as follows.

cfn-guard validate --data ~/CloudFormation/templates --rules ~/GuardRules/encryption_at_rest