TL;DR, What is AWS CloudFormation Guard?

AWS CloudFormation Guard is an open-source, policy-as-code command-line tool that validates your infrastructure-as-code (IaC) templates against company policies.

For DevOps and compliance teams, we know proactively enforcing security standards before deployment is a major challenge. CloudFormation Guard (cfn-guard) helps you tackle this by letting you write rules that check templates for misconfigurations and policy violations. An infrastructure-as-code security approach like this helps prevent vulnerabilities from ever reaching production. By integrating these checks into your CI/CD pipelines, your teams can shift security left and automate compliance, embedding DevSecOps best practices directly into the development workflow.

A powerful compliance automation tool, CloudFormation Guard is developed and maintained by Amazon Web Services.

AWS Security Best Practices [Cheat Sheet]

This cheat sheet goes beyond the essential AWS security best practices and offers actionable step-by-step implementations, relevant code snippets, and industry- leading recommendations to fortify your AWS security posture.

Your work email here

Download cheat sheet

Common use cases

1. Integrate cfn-guard into CI/CD pipelines to automatically validate IaC templates before deployment. A pre-deployment check like this prevents non-compliant resources from being provisioned by failing the build if any rule violations are found, thereby enforcing infrastructure-as-code security standards.

2. Developers can run cfn-guard locally to get immediate feedback on IaC templates during the authoring process. This "shift-left" approach helps you identify and fix compliance issues early in the development cycle, reducing rework and embedding security directly into the workflow.

3. Use CloudFormation Guard to regularly audit infrastructure by validating IaC templates generated from existing cloud resources. Running these checks helps identify configuration drift and ensures ongoing adherence to organizational policies, providing valuable data points for security audits and compliance reports.

4. Leverage cfn-guard-rulegen to automatically create rules from known-compliant "golden" templates. Your newly generated policies can then be version-controlled, creating an auditable, centralized source of truth for infrastructure standards that can be enforced consistently across all teams and projects.

5. Apply a single, consistent set of policies across diverse IaC formats, including AWS CloudFormation, Terraform, and Kubernetes. Doing so enables centralized governance in hybrid or multi-cloud environments, ensuring that security and operational standards are uniformly applied regardless of the underlying platform.

How does AWS CloudFormation Guard work?

AWS CloudFormation Guard works as a command-line tool to validate your infrastructure-as-code (IaC) templates against user-defined policies. The process is straightforward: compliance administrators write rules using Guard's simple domain-specific language (DSL) and save them as .guard files. From there, developers use the cfn-guard CLI to run these policies against their JSON or YAML templates, like those for CloudFormation or Kubernetes. The tool’s evaluation engine systematically checks the template's resources against the rules and generates a detailed report, flagging any non-compliant configurations so they can be fixed before deployment.

• Policy-as-Code DSL: Guard uses a purpose-built, declarative language that lets you write intuitive rules representing security, cost, or configuration guidelines.

• Template Evaluation Engine: Its core engine parses both the .guard rule files and your target IaC template, systematically comparing resource configurations against the specified policies.

• Detailed Failure Reporting: When a violation is found, the CLI gives you clear, actionable feedback, identifying the exact rule that failed and the non-compliant resource with --structured output for JSON/YAML machine-readable results.

• Automated Rule Generation: A companion tool, cfn-guard-rulegen, can automatically generate a baseline set of rules from an existing, known-compliant template, which helps speed up initial policy creation.

AWS Security Foundations For Dummies

Everything you need to know to protect your AWS environment

Your work email here

Download guide

Core Capabilities:

1. CloudFormation Guard offers an intuitive, human-readable DSL for defining compliance rules. Its declarative policy-as-code syntax is designed for non-programmers to quickly write policies for required and prohibited resource configurations. The language supports conditional logic and comparisons, making it a flexible compliance automation tool for complex cloud environments.

2. The tool works on more than just AWS CloudFormation; it can validate any JSON- or YAML-formatted IaC file, including Terraform JSON configurations and Kubernetes manifests. Cfn-guard’s broad compatibility makes it a versatile solution for enforcing consistent infrastructure-as-code security policies across diverse and multi-cloud technology stacks.

3. The cfn-guard-rulegen companion CLI helps you adopt policies faster by automatically extracting rules from existing, compliant infrastructure templates. This rule generation feature helps codify organizational best practices from "golden" configurations, significantly speeding up the initial authoring process and establishing a baseline for policy as code.

4. Policy authors can write polymorphic, reusable rules that dynamically adapt based on context, such as different deployment environments (e.g., dev vs. prod). Using a single rule set across various scenarios reduces maintenance overhead while ensuring consistent policy enforcement.

5. Guard delivers verbose, machine-readable CLI outputs that clearly identify policy violations. The tool highlights the specific code snippets responsible for failures, giving developers immediate and actionable feedback. A better developer experience like this helps you quickly pinpoint and remediate issues, supporting core DevSecOps best practices.

Limitations

1. CloudFormation Guard is designed to validate IaC templates before deployment, so it doesn't natively scan live cloud environments for compliance. It isn't a substitute for a real-time cloud security posture management (CSPM) tool and can't detect configuration drift or manual changes made post-deployment. While you can use it for auditing, doing so requires an external process to capture the current state as code.

2. While Guard supports Terraform, it validates the JSON plan output rather than native HCL files. An extra conversion step in the workflow can be cumbersome and may lose context like comments from the original HCL. Because of this dependency, developers must be familiar with the JSON representation of their resources, which looks quite different from the more human-readable HCL source.

3. Although the DSL is designed to be human-readable, your teams must still invest time in learning Guard's specific syntax, functions, and query structure. Authoring and debugging complex conditional logic can be tricky for engineers unfamiliar with policy-as-code concepts. The initial training investment can potentially slow adoption compared to policy engines that use a more general-purpose language.

4. By default, Guard evaluates templates on a file-by-file basis and doesn't have built-in awareness of dependencies defined in other IaC files. Validating applications that span multiple interconnected templates (e.g., using CloudFormation stack outputs as inputs for another) may require custom scripting or orchestration to provide the necessary context, as the tool doesn't natively resolve cross-template references.

5. The cfn-guard rulegen tool gives you a strong starting point by extracting rules from existing templates, but the output often requires significant manual review and refinement. The generated rules are literal interpretations of the source template's properties and may be too specific or lack the abstract logic needed for broad, flexible application. They serve as a baseline but aren't a substitute for well-designed policies.

Getting Started

Step 1:

To install AWS CloudFormation Guard, open your terminal and run the appropriate command for your system:

For macOS or Ubuntu:

curl --proto '=https' --tlsv1.2 -sSf https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.sh | sh

Add ~/.guard/bin/ to your PATH after installation if needed.

Alternatively, on macOS you can use Homebrew:

brew install cloudformation-guard

For Windows (PowerShell as Administrator):

$GuardWindowsInstallScript = Invoke-WebRequest https://raw.githubusercontent.com/aws-cloudformation/cloudformation-guard/main/install-guard.ps1; Invoke-Expression $($GuardWindowsInstallScript.Content)

Step 2:

Once installed, verify by running:

cfn-guard help

Step 3:

To validate a template using Guard rules:

cfn-guard validate --rules your-rules.guard --data your-template.yaml --show-summary

From pre-deployment checks to full cloud visibility

CloudFormation Guard enforces policies in your templates. Wiz extends that protection to your live cloud, detecting drift, vulnerabilities, and identity risks that sneak in post-deployment.

Work Email*

First Name*

Last Name*

Country

Phone Number*

Company*

Keep me updated about Wiz product releases, industry news, and events (You can unsubscribe at any time)

Subscribe me to the Wiz blog digest emails

Submit

For information about how Wiz handles your personal data, please see our Privacy Policy.

Your work email here

Get a demo

Alternatives

FAQs