

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# Validating input data against AWS CloudFormation Guard rules
<a name="validating-rules"></a>

You can use the AWS CloudFormation Guard `validate` command to validate data against Guard rules. For more information about the `validate` command, including its parameters and options, see [validate](cfn-guard-validate.md).

## Prerequisites
<a name="validating-rules-prerequisites"></a>
+ Write Guard rules to validate your input data. For more information, see [Writing Guard rules](writing-rules.md).
+ Test your rules to make sure they work as expected. For more information, see [Testing Guard rules](testing-rules.md).

## Using the `validate` command
<a name="validating-rules-walkthrough"></a>

To validate your input data, such as an AWS CloudFormation template, against Guard rules, run the Guard `validate` command. Specify the name of the rules file for the `--rules` parameter, and the name of the input data file for the `--data` parameter.

```
cfn-guard validate --rules rules.guard --data template.json
```

If Guard successfully validates the template, the `validate` command returns an exit status of `0` (`$?` in bash). If Guard identifies a rule violation, the `validate` command returns a status report of the rules that failed. Use the summary flag (`-s all`) to see a detailed evaluation tree that shows how Guard evaluated each rule.

```
template.json Status = FAIL
SKIP rules
rules.guard/aws_apigateway_deployment_checks    SKIP
rules.guard/aws_apigateway_stage_checks         SKIP
rules.guard/aws_dynamodb_table_checks           SKIP
PASS rules
rules.guard/aws_events_rule_checks              PASS
rules.guard/aws_iam_role_checks                 PASS
FAILED rules
rules.guard/aws_ec2_volume_checks               FAIL
rules.guard/mixed_types_checks                  FAIL
---
Evaluation of rules rules.guard against data template.json
--
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] because provided value [false] did not match expected value [true]. Error Message []
Property traversed until [/Resources/vol2/Properties] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] due to retrieval error. Error Message [Attempting to retrieve array index or key from map at path = /Resources/vol2/Properties , Type was not an array/object map, Remaining Query = Size]
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/mixed_types_checks] because provided value [false] did not match expected value [true]. Error Message []
--
Rule [rules.guard/aws_iam_role_checks] is compliant for data [template.json]
Rule [rules.guard/aws_events_rule_checks] is compliant for data [template.json]
--
Rule [rules.guard/aws_apigateway_deployment_checks] is not applicable for data [template.json]
Rule [rules.guard/aws_apigateway_stage_checks] is not applicable for data [template.json]
Rule [rules.guard/aws_dynamodb_table_checks] is not applicable for data [template.json]
```
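The report above can be turned into a machine-readable summary, for example to list the failed rules in a pipeline log. This is an added example, not code from the Guard project: it parses the human-readable format shown above (the per-file `Status =` line, the rule-status table rows and the `Property [...] is not compliant with [...]` detail lines) and assumes exactly that layout, using an abridged copy of the report as constructed sample input.

```python
import re
from typing import Dict, List

# Constructed sample input: an abridged copy of the report shown on this page.
SAMPLE_REPORT = """\
template.json Status = FAIL
SKIP rules
rules.guard/aws_apigateway_deployment_checks    SKIP
PASS rules
rules.guard/aws_events_rule_checks              PASS
FAILED rules
rules.guard/aws_ec2_volume_checks               FAIL
rules.guard/mixed_types_checks                  FAIL
---
Evaluation of rules rules.guard against data template.json
--
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] because provided value [false] did not match expected value [true]. Error Message []
Property traversed until [/Resources/vol2/Properties] in data [template.json] is not compliant with [rules.guard/aws_ec2_volume_checks] due to retrieval error. Error Message [Remaining Query = Size]
Property [/Resources/vol2/Properties/Encrypted] in data [template.json] is not compliant with [rules.guard/mixed_types_checks] because provided value [false] did not match expected value [true]. Error Message []
"""

FILE_STATUS = re.compile(r"^(\S+) Status = (PASS|FAIL|SKIP)$")  # per data file
RULE_STATUS = re.compile(r"^(\S+/\S+)\s+(PASS|FAIL|SKIP)$")    # summary table row
VIOLATION = re.compile(  # detail line: offending path, data file, rule
    r"^Property (?:traversed until )?\[([^\]]+)\] in data \[([^\]]+)\]"
    r" is not compliant with \[([^\]]+)\]"
)

def parse_report(text: str) -> dict:
    """Turn the human-readable validate report into {files, rules, violations}."""
    files: Dict[str, str] = {}
    rules: Dict[str, str] = {}
    violations: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if m := FILE_STATUS.match(line):
            files[m.group(1)] = m.group(2)
        elif m := RULE_STATUS.match(line):
            rules[m.group(1)] = m.group(2)
        elif m := VIOLATION.match(line):
            violations.append({"path": m.group(1), "data": m.group(2), "rule": m.group(3)})
    return {"files": files, "rules": rules, "violations": violations}

def failed_rules(report: dict) -> List[str]:
    """Rules that FAILed, sorted, e.g. for a pipeline summary."""
    return sorted(r for r, s in report["rules"].items() if s == "FAIL")

def blocks_deploy(report: dict) -> bool:
    """True when any data file failed; the same signal as a non-zero exit status."""
    return any(s == "FAIL" for s in report["files"].values())
```

Lines that match none of the three patterns (section headers, separators, the `Rule [...] is compliant` lines) are skipped, so the parser also works on the PASS-only report of a clean template.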

## Validating multiple rules against multiple data files
<a name="validating-rules-overview"></a>

To help maintain your rules, you can write rules in multiple files and organize them as needed. You can then validate multiple rules files against one or more data files. The `validate` command accepts a directory of files for both the `--data` and `--rules` options. For example, you can run the following command, where `/path/to/dataDirectory` contains one or more data files and `/path/to/ruleDirectory` contains one or more rules files.

```
cfn-guard validate --data /path/to/dataDirectory --rules /path/to/ruleDirectory
```

You can write rules to check that the various resources defined across multiple CloudFormation templates have the appropriate property assignments to ensure encryption at rest. For ease of searching and maintenance, you can create one rules file per resource type that checks encryption at rest, named `s3_bucket_encryption.guard`, `ec2_volume_encryption.guard`, and `rds_dbinstance_encryption.guard`, in a directory with the path `~/GuardRules/encryption_at_rest`. The CloudFormation templates that you need to validate are in a directory with the path `~/CloudFormation/templates`. In this case, run the `validate` command as follows.

```
cfn-guard validate --data ~/CloudFormation/templates --rules ~/GuardRules/encryption_at_rest
```