AWS CloudFormation Guard (cfn-guard) is a policy-as-code tool that validates JSON- and YAML-formatted infrastructure configurations against customizable compliance and governance rules.
Guard provides a policy-as-code domain-specific language (DSL) for writing rules, and evaluates JSON- and YAML-formatted data such as CloudFormation templates, Kubernetes configurations, and Terraform JSON plans and configurations against those rules. Take this survey to provide feedback about cfn-guard: https://amazonmr.au1.qualtrics.com/jfe/form/SV_bpyzpfoYGGuuUl0
The tool is primarily used by developers and DevOps teams to enforce security, compliance, and governance requirements by validating Infrastructure-as-Code (CloudFormation templates, Terraform JSON plans, Kubernetes configurations) before deployment. Because rules run against the template or plan rather than against deployed resources, a violation surfaces at pull-request or pipeline time, before any resource is created, which is what makes continuous compliance checks and early risk assessment practical.
Guard 2.0 and later are not backward compatible with Guard 1.0 rules, so existing 1.0 rules must be migrated (the CLI ships a migrate command for this) to avoid breaking changes. The tool integrates into CI/CD pipelines and can also be deployed as a Lambda function (cfn-guard-lambda) via the SAM CLI. Guard 3.0 changed how CloudFormation intrinsic functions are handled during evaluation, so existing rule unit tests should be re-run after upgrading to confirm they still hold.
Download the latest release artifacts from the GitHub releases page (or build from source with `cargo install cfn-guard`)
Use the cfn-guard CLI directly, or deploy cfn-guard-lambda with the SAM CLI to run validation as a Lambda function
Optionally run Guard as a Docker image or as a GitHub Action for pipeline automation
Run the migrate command to convert legacy Guard 1.0 rules to the current grammar before using them with 2.x or later
cfn-guard validate --rules <rules-file> --data <template-file>
Validates a JSON or YAML template (or a directory of templates) against the specified Guard rules; the process exits non-zero when any rule fails, which is the signal a CI job should key on
cfn-guard test --rules-file <rules-file> --test-data <test-file>
Runs the unit tests in <test-file> (named sample inputs with the expected PASS, FAIL or SKIP outcome per rule) against the rules; intrinsic functions and regular expressions in rules are evaluated the same way as during validate, so these tests are how you confirm a rule still behaves after a Guard upgrade
cfn-guard migrate --rules <old-rules-file>
Rewrites Guard 1.0 rules in the 2.x+ grammar; review the generated rules and run them through cfn-guard test before adopting them
cfn-guard validate --rules <rules-file> --data <template-file> --output-format json --structured
Emits the validation result as a single parseable JSON (or, with --output-format yaml, YAML) object instead of the human-readable summary, for consumption by automation
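As an added, end-to-end example (not code from the cfn-guard project or the page above), the following POSIX shell script writes a small Guard policy for AWS::S3::Bucket resources, a Guard unit-test file exercising the PASS, FAIL and SKIP cases, and a deliberately non-compliant CloudFormation template, then runs `cfn-guard test` and `cfn-guard validate` against them. The rule names, resource names and file names are invented for this demo; the `cfn-guard` subcommands and flags are the real CLI. If `cfn-guard` is not on PATH, the script only writes the files so you can inspect them.

```shell
#!/bin/sh
# Added example, not part of the cfn-guard project. Resource and file names are
# constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write the policy, its unit tests and a non-compliant template into $1.
write_guard_files() {
  dir=$1

  # Policy: every S3 bucket must set default encryption and block public access.
  # Both rules carry a `when` guard, so a template with no buckets yields SKIP,
  # not PASS, which keeps "nothing to check" distinguishable from "compliant".
  cat > "$dir/s3.guard" <<'EOF'
let s3_buckets = Resources.*[ Type == 'AWS::S3::Bucket' ]

rule s3_buckets_must_be_encrypted when %s3_buckets !empty {
    %s3_buckets.Properties.BucketEncryption.ServerSideEncryptionConfiguration[*].ServerSideEncryptionByDefault.SSEAlgorithm in ['aws:kms', 'AES256']
    <<
    Violation: S3 buckets must configure default server-side encryption (SSE-S3 or SSE-KMS).
    >>
}

rule s3_buckets_block_public_access when %s3_buckets !empty {
    %s3_buckets.Properties.PublicAccessBlockConfiguration {
        BlockPublicAcls == true
        BlockPublicPolicy == true
        IgnorePublicAcls == true
        RestrictPublicBuckets == true
    }
}
EOF

  # Unit tests for the policy: one compliant input, one non-compliant input,
  # and one input with no buckets at all (rules must SKIP, not PASS).
  cat > "$dir/s3_tests.yaml" <<'EOF'
- name: encrypted, private bucket passes both rules
  input:
    Resources:
      Logs:
        Type: AWS::S3::Bucket
        Properties:
          BucketEncryption:
            ServerSideEncryptionConfiguration:
              - ServerSideEncryptionByDefault:
                  SSEAlgorithm: aws:kms
          PublicAccessBlockConfiguration:
            BlockPublicAcls: true
            BlockPublicPolicy: true
            IgnorePublicAcls: true
            RestrictPublicBuckets: true
  expectations:
    rules:
      s3_buckets_must_be_encrypted: PASS
      s3_buckets_block_public_access: PASS
- name: bucket missing encryption and public-access block fails both rules
  input:
    Resources:
      Logs:
        Type: AWS::S3::Bucket
        Properties:
          VersioningConfiguration:
            Status: Enabled
  expectations:
    rules:
      s3_buckets_must_be_encrypted: FAIL
      s3_buckets_block_public_access: FAIL
- name: template without buckets skips both rules
  input:
    Resources:
      Queue:
        Type: AWS::SQS::Queue
  expectations:
    rules:
      s3_buckets_must_be_encrypted: SKIP
      s3_buckets_block_public_access: SKIP
EOF

  # A template that a pipeline should reject: the bucket has neither property.
  cat > "$dir/template.yaml" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  AuditLogs:
    Type: AWS::S3::Bucket
    Properties:
      VersioningConfiguration:
        Status: Enabled
EOF
}

# Run the policy's unit tests, then validate the template with it.
run_guard() {
  dir=$1
  # Test the rules first; a rule that is wrong would otherwise pass bad
  # templates silently for every pipeline that uses it.
  cfn-guard test --rules-file "$dir/s3.guard" --test-data "$dir/s3_tests.yaml"
  # validate exits non-zero on FAIL, so a CI job stops here on a violation.
  if cfn-guard validate --rules "$dir/s3.guard" --data "$dir/template.yaml"; then
    echo "unexpected: non-compliant template passed" >&2
    return 1
  fi
  # Same evaluation as one JSON object for tooling to parse (still exits non-zero).
  cfn-guard validate --rules "$dir/s3.guard" --data "$dir/template.yaml" \
    --output-format json --structured > "$dir/report.json" || true
}

write_guard_files "$WORKDIR"
if command -v cfn-guard >/dev/null 2>&1; then
  run_guard "$WORKDIR"
else
  echo "cfn-guard not on PATH; policy, tests and template written to $WORKDIR" >&2
fi
```

The test file is the part to keep in version control next to the rules: it pins down that a missing `BucketEncryption` block is a FAIL (Guard treats a query it cannot resolve as a failed clause, not a pass) and that a template with no buckets is a SKIP, so an upgrade that changes evaluation semantics shows up in `cfn-guard test` before it affects a pipeline.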