# Validating input data against AWS CloudFormation Guard rules Validating input data against Guard rules You can use the AWS CloudFormation Guard `validate` command to validate data against Guard rules. For more information about the `validate` command, including its parameters and options, see [validate](cfn-guard-validate.md). ## Prerequisites Prerequisites + Write Guard rules to validate your input data against. For more information, see [Writing Guard rules](writing-rules.md). + Test your rules to ensure that they work as intended. For more information, see [Testing Guard rules](testing-rules.md). ## Using the `validate` command Using the `validate` command To validate your input data against your Guard rules, such as an AWS CloudFormation template, run the Guard `validate` command. For the `--rules` parameter, specify the name of a rules file. For the `--data` parameter, specify the name of the input data file. ``` cfn-guard validate --rules rules.guard --data template.json ``` If Guard successfully validates the templates, the `validate` command returns an exit status of `0` (`$?` in bash). If Guard identifies a rule violation, the `validate` command returns a status report of the rules that failed. Use the summary flag (`-s all`) to see the detailed evaluation tree that shows how Guard evaluated each rule. ``` template.json Status = FAIL SKIP rules rules.guard/aws_apigateway_deployment_checks SKIP rules.guard/aws_apigateway_stage_checks SKIP rules.guard/aws_dynamodb_table_checks SKIP PASS rules rules.guard/aws_events_rule_checks PASS rules.guard/aws_iam_role_checks PASS FAILED rules rules.guard/aws_ec2_volume_checks FAIL rules.guard/mixed_types_checks FAIL --- Evaluation of rules rules.guard against data template.json -- Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] because provided value [false] did not match expected value [true]. Error Message [] Property traversed until [/Resources/vol2/Properties] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] due to retrieval error. Error Message [Attempting to retrieve array index or key from map at path = /Resources/vol2/Properties , Type was not an array/object map, Remaining Query = Size] Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/mixed_types_checks] because provided value [false] did not match expected value [true]. Error Message [] -- Rule [rules.guard/aws_iam_role_checks] is compliant for data [template.json] Rule [rules.guard/aws_events_rule_checks] is compliant for data [template.json] -- Rule [rules.guard/aws_apigateway_deployment_checks] is not applicable for data [template.json] Rule [rules.guard/aws_apigateway_stage_checks] is not applicable for data [template.json] Rule [rules.guard/aws_dynamodb_table_checks] is not applicable for data [template.json] ``` ## Validating multiple rules against multiple data files Validating multiple rules against multiple data files To help maintain rules, you can write rules into multiple files and organize the rules as you want. Then, you can validate multiple rule files against a data file or multiple data files. The `validate` command can take a directory of files for the `--data` and `--rules` options. For example, you can run the following command where `/path/to/dataDirectory` contains one or more data files and `/path/to/ruleDirectory` contains one or more rules files. ``` cfn-guard validate --data /path/to/dataDirectory --rules /path/to/ruleDirectory ``` You can write rules to check whether various resources defined in multiple CloudFormation templates have the appropriate property assignments to guarantee encryption at rest. For search and maintenance ease, you can have rules for checking encryption at rest in each resource in separate files, called `s3_bucket_encryption.guard`, `ec2_volume_encryption.guard`, and `rds_dbinstance_encrytion.guard` in a directory with the path `~/GuardRules/encryption_at_rest`. The CloudFormation templates that you need to validate are in a directory with the path `~/CloudFormation/templates`. In this case, run the `validate` command as follows. ``` cfn-guard validate --data ~/CloudFormation/templates --rules ~/GuardRules/encryption_at_rest ```