
Build AWS Config rules using AWS CloudFormation Guard


AWS Config now supports an easier way to author custom AWS Config rules using AWS CloudFormation Guard ([cfn-guard](https://github.com/aws-cloudformation/cloudformation-guard)). With this release, users with limited programming experience can use Guard to define and review custom policies that check whether your resources have the desired configurations.

AWS Config rules are a way of creating and implementing compliance policies against resource configurations. Currently, AWS Config offers both managed rules, which AWS builds and maintains to meet common compliance use cases, and custom rules, which users create to meet their specific compliance needs. Guard is an open source policy-as-code tool: users define policies in a domain-specific language (DSL) to validate JSON- or YAML-formatted data.

Previously, to create a custom rule, you would have to define an AWS Lambda function, typically in languages such as Java or Python. Now, you can author AWS Config custom rules using Guard DSL without needing to develop AWS Lambda functions. Security and compliance administrators have a simpler way to write custom logic that reflects the compliance needs your organization has defined for itself.

To get started, you can use the AWS Config console to create your own AWS Config rule through the ‘Add rule’ workflow. The rule logic will be validated for correctness prior to deployment, so you do not have to perform error checking for oversized configuration items or deleted resources; Guard also simplifies permissioning to place the rules in your account. As a result, AWS Config rules using Guard remove the complexity of rule authoring, reducing overall development time for rules. Once the rule is deployed, you will be able to view logs of resource compliance status based on your rule evaluations in AWS Config.

AWS Config rules using Guard are available in all commercial [AWS regions](/about-aws/global-infrastructure/regional-product-services/) and are charged the same as AWS Config rules, which use a tiered pricing model based on the number of rule evaluations you run each month; there is no additional charge for authoring these rules in Guard. To learn more about authoring AWS Config rules using Guard, see our [documentation](https://docs.aws.amazon.com/config/index.html). To learn more about our pricing, visit the AWS Config [pricing page](/config/pricing/).