Validating input data against AWS CloudFormation Guard rules
You can use the AWS CloudFormation Guard validate command to validate data against
Guard rules. For more information about the validate command, including its
parameters and options, see validate.
Prerequisites
-
Write Guard rules to validate your input data against. For more information, see Writing Guard rules.
-
Test your rules to ensure that they work as intended. For more information, see Testing Guard rules.
Using the validate command
To validate your input data against your Guard
rules, such as an AWS CloudFormation template, run the Guard validate command. For the --rules
parameter, specify the name of a rules file. For the --data parameter, specify
the name of the input data file.
cfn-guard validate \ --rulesrules.guard\ --datatemplate.json
If Guard successfully validates the templates, the validate command
returns an exit status of 0 ($? in bash). If Guard identifies
a rule violation, the validate command returns a status report of the rules that
failed. Use the summary flag (-s all) to see the detailed evaluation tree that shows
how Guard evaluated each rule.
template.json Status = FAIL SKIP rules rules.guard/aws_apigateway_deployment_checks SKIP rules.guard/aws_apigateway_stage_checks SKIP rules.guard/aws_dynamodb_table_checks SKIP PASS rules rules.guard/aws_events_rule_checks PASS rules.guard/aws_iam_role_checks PASS FAILED rules rules.guard/aws_ec2_volume_checks FAIL rules.guard/mixed_types_checks FAIL --- Evaluation of rules rules.guard against data template.json -- Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] because provided value [false] did not match expected value [true]. Error Message [] Property traversed until [/Resources/vol2/Properties] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] due to retrieval error. Error Message [Attempting to retrieve array index or key from map at path = /Resources/vol2/Properties , Type was not an array/object map, Remaining Query = Size] Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/mixed_types_checks] because provided value [false] did not match expected value [true]. Error Message [] -- Rule [rules.guard/aws_iam_role_checks] is compliant for data [template.json] Rule [rules.guard/aws_events_rule_checks] is compliant for data [template.json] -- Rule [rules.guard/aws_apigateway_deployment_checks] is not applicable for data [template.json] Rule [rules.guard/aws_apigateway_stage_checks] is not applicable for data [template.json] Rule [rules.guard/aws_dynamodb_table_checks] is not applicable for data [template.json]
Validating multiple rules against multiple data files
To help maintain rules, you can write rules into multiple files and organize the rules
as you want. Then, you can validate multiple rule files against a data file or multiple data
files. The validate command can take a directory of files for the
--data and --rules options. For example, you can run the following
command where /path/to/dataDirectory contains one or more data files and
/path/to/ruleDirectory contains one or more rules files.
cfn-guard validate --data /path/to/dataDirectory --rules /path/to/ruleDirectory
You can write rules to check whether various resources defined in multiple CloudFormation
templates have the appropriate property assignments to guarantee encryption at rest. For
search and maintenance ease, you can have rules for checking encryption at rest in each
resource in separate files, called s3_bucket_encryption.guard,
ec2_volume_encryption.guard, and rds_dbinstance_encrytion.guard in
a directory with the path ~/GuardRules/encryption_at_rest. The CloudFormation
templates that you need to validate are in a directory with the path
~/CloudFormation/templates. In this case, run the validate command
as follows.
cfn-guard validate --data ~/CloudFormation/templates --rules ~/GuardRules/encryption_at_rest
