Prerequisites Using the validate command Validating multiple rules against multiple data files

Validating input data against AWS CloudFormation Guard rules

You can use the AWS CloudFormation Guard validate command to validate data against Guard rules. For more information about the validate command, including its parameters and options, see validate.

Prerequisites

Write Guard rules to validate your input data against. For more information, see Writing Guard rules.
Test your rules to ensure that they work as intended. For more information, see Testing Guard rules.

Using the `validate` command

To validate your input data against your Guard rules, such as an AWS CloudFormation template, run the Guard validate command. For the --rules parameter, specify the name of a rules file. For the --data parameter, specify the name of the input data file.


cfn-guard validate \
  --rules rules.guard \
  --data template.json

If Guard successfully validates the templates, the validate command returns an exit status of 0 ($? in bash). If Guard identifies a rule violation, the validate command returns a status report of the rules that failed. Use the summary flag (-s all) to see the detailed evaluation tree that shows how Guard evaluated each rule.


template.json Status = PASS / SKIP
PASS/SKIP rules
rules.guard/rule    PASS

Validating multiple rules against multiple data files

To help maintain rules, you can write rules into multiple files and organize the rules as you want. Then, you can validate multiple rule files against a data file or multiple data files. The validate command can take a directory of files for the --data and --rules options. For example, you can run the following command where /path/to/dataDirectory contains one or more data files and /path/to/ruleDirectory contains one or more rules files.


cfn-guard validate --data /path/to/dataDirectory --rules /path/to/ruleDirectory

You can write rules to check whether various resources defined in multiple CloudFormation templates have the appropriate property assignments to guarantee encryption at rest. For search and maintenance ease, you can have rules for checking encryption at rest in each resource in separate files, called s3_bucket_encryption.guard, ec2_volume_encryption.guard, and rds_dbinstance_encrytion.guard in a directory with the path ~/GuardRules/encryption_at_rest. The CloudFormation templates that you need to validate are in a directory with the path ~/CloudFormation/templates. In this case, run the validate command as follows.


cfn-guard validate --data ~/CloudFormation/templates --rules ~/GuardRules/encryption_at_rest

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using input parameters with Guard rules

Troubleshooting Guard