Question 1

How to write a CloudFormation Guard rule for S3 bucket encryption?

Accepted Answer

Use clauses like 'Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm IN ["aws:KMS"]' within a rule block. The README provides a detailed S3 example with query syntax for such checks.

Question 2

CloudFormation Guard vs Open Policy Agent for policy as code?

Accepted Answer

Guard offers a simpler, AWS-tailored DSL with deep CloudFormation integration, ideal for teams focused on AWS infrastructure. OPA uses the more complex Rego language and is general-purpose, better for multi-cloud or custom policy needs.

Question 3

Can CloudFormation Guard validate Kubernetes YAML files directly?

Accepted Answer

Yes, Guard can validate Kubernetes YAML by writing rules targeting fields like 'apiVersion' and 'kind'. The README shows an example with pod container limits to enforce resource constraints.

Question 4

How to integrate AWS CloudFormation Guard into a CI/CD pipeline?

Accepted Answer

Use the provided GitHub Action templates or Docker image to run 'cfn-guard validate' in workflows. The README includes examples for JUnit and SARIF outputs in GitHub Actions and CircleCI.

Question 5

What are the biggest limitations of CloudFormation Guard?

Accepted Answer

Key limitations include no support for external rule sourcing, no HCL file validation for Terraform, and breaking changes between major versions. The README's FAQ 10 details these with workarounds.

Question 6

How to migrate from Guard 1.0 to the latest version?

Accepted Answer

Download the latest release artifacts and use the 'migrate' command to transition rules. The README outlines steps and warns of incompatibilities, requiring manual review of updated grammar.

AWS CloudFormation Guard

What is AWS CloudFormation Guard?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions