How to use cfn-guard with AWS Config

How to use cfn-guard with AWS Config. I'm not sure when but AWS Config now supports using Guard!

How to use cfn-guard with AWS Config
Photo by Tobias Tullius / Unsplash

I'm not sure when but AWS Config now supports using Guard rules to determine the compliance of resources. This is a pretty neat integration and one of the first I've seen from AWS on a side Open Source Project they have created.

Previously you would need to create and manage a Lambda to verify the compliance of resources which was a bit of a burden operations teams.

I was alerted to this awesome addition via twitter, thanks Ben! I'd recommend following him on Twitter.

How to

The following steps assume you have AWS Config all configured and up and running.

This is pretty easy via the UI, so just follow the prompted steps if you need to complete this first.

Once enabled your AWS Config Dasboard will look something like this.

Now we can create a custom rule backed by Guard. Select Rules in the AWS Config dashboard.

Then select Add Rule

You'll be prompted to select the rule type. Here you can see we have an additional option for Create custom rule using Guard.

After selecting this we give our rule a Name & Description. Pretty standard stuff.

Now we can add our Guard rule content. We are going to use the example code from the AWS Documentation to show the compliance status of point in time recovery (PITR) enabled on active Amazon DynamoDB tables

Here is the Guard Rule contents, its pretty simple to follow.

  • Verify that configuration.tableStatus is ACTIVE
  • Verify that supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus is ENABLED
# This rule checks if point in time recovery (PITR) is enabled on active Amazon DynamoDB tables
let status = ['ACTIVE']

rule tableisactive when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.tableStatus == %status
}

rule checkcompliance when
    resourceType == "AWS::DynamoDB::Table"
    tableisactive {
        let pitr = supplementaryConfiguration.ContinuousBackupsDescription.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus
        %pitr == "ENABLED"
}

Next we make sure our rule is targetted to the resource type we are validating, here this is AWS::DynamoDB::Table

Select Resources and AWS DynamoDB Table for the Resource Type.

Click Next and Add Rule and we have our rule created.

Testing our Guard Rule

To test our new rule I've created a simple Dynamodb Table via the UI. This has no point in time recovery set to it should trigger our Guard Rule.

Very promptly we can see that our rule has been triggered

If we take a closer look at the JSON Configuration of our resource via AWS Config we can see how our compliance item has been flagged.

The attribute pointInTimeRecoveryStatus is DISABLED

"supplementaryConfiguration": {
    "ContinuousBackupsDescription": {
      "continuousBackupsStatus": "ENABLED",
      "pointInTimeRecoveryDescription": {
        "pointInTimeRecoveryStatus": "DISABLED"
      }
    },
    "Tags": []
  }

What about Cloudformation Support?

I was excited at first to see a reference in the documentation for use with Cloudformation..

However having played with cloudformation I can't get this to work as the CustomPolicyDetails doesn't seem to have been extended in Cloudformation to support the PolicyText payload.

I'll get this logged out with AWS Support to see if this is available and report back here.

Without this support, creating rules via the UI or AWS Cli really isn't feasible for us at the moment but I hope this is supported soon!

There is all sort of policy as code validation that can be done with Guard so make sure you go check out the GitHub repo!

Hope this help someone else!

Cheers