UPDATED 14:40 EDT / OCTOBER 02 2020


AWS makes open-source CloudFormation Guard compliance tool generally available

Amazon Web Services Inc. on Thursday announced the general availability of CloudFormation Guard, an open-source tool that helps companies ensure their cloud environments comply with cybersecurity policies and other internal rules.

The tool joins the growing list of open-source technologies offered by AWS. Previously, the Amazon.com Inc. subsidiary released Bottlerocket, an operating system for running software containers. 

CloudFormation Guard gets its name from AWS’ CloudFormation service, which administrators use to define the configuration settings of their AWS deployments. CloudFormation Guard ensures that any new resources added to a deployment comply with the information technology team’s policies. The tool can, for example, be used to enforce a rule that requires developers to enable encryption for new S3 storage buckets they provision.

Administrators can interact with CloudFormation Guard via a command-line interface that has its own specialized syntax for creating configuration rules. Rules may specify properties that cloud resources are required to have, for example encryption. A rule may also specify properties that resources shouldn’t have, say support for the ability to access data from outside the corporate network.
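The kind of check described above, sketched in Python as an added example (not code from AWS or the cfn-guard project, and not cfn-guard's rule syntax). The rule format, resource names and helper functions are hypothetical, and using a public canned ACL as the "shouldn't have" property is an assumption made for illustration.

```python
# Constructed sample: the "Resources" section of a CloudFormation template.
SSE = {"ServerSideEncryptionConfiguration": [
    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}
TEMPLATE = {"Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"BucketEncryption": SSE, "AccessControl": "Private"}},
    "UploadsBucket": {"Type": "AWS::S3::Bucket",
                      "Properties": {"AccessControl": "PublicRead"}},
    "ReportsBucket": {"Type": "AWS::S3::Bucket",
                      "Properties": {"BucketEncryption": SSE,
                                     "AccessControl": {"Ref": "AclParam"}}},
    "Worker": {"Type": "AWS::EC2::Instance", "Properties": {}},
}}

# Hypothetical rule format invented for this example (not cfn-guard syntax).
RULES = [
    {"type": "AWS::S3::Bucket", "op": "required",
     "path": "BucketEncryption.ServerSideEncryptionConfiguration"},
    {"type": "AWS::S3::Bucket", "op": "not_in", "path": "AccessControl",
     "values": ["PublicRead", "PublicReadWrite"]},
]

def lookup(props, path):
    """Walk a dotted property path; return None if any segment is absent."""
    cur = props
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def check(template, rules):
    """Return (resource, property path, problem) for every rule violation."""
    findings = []
    for name, res in sorted(template.get("Resources", {}).items()):
        for rule in rules:
            if res.get("Type") != rule["type"]:
                continue
            value = lookup(res.get("Properties", {}), rule["path"])
            if rule["op"] == "required" and not value:
                findings.append((name, rule["path"], "required property missing"))
            elif rule["op"] == "not_in" and isinstance(value, dict):
                # Intrinsic such as Ref: value unknown until deploy time.
                findings.append((name, rule["path"], "unresolved value, review"))
            elif rule["op"] == "not_in" and value in rule["values"]:
                findings.append((name, rule["path"], "forbidden value " + value))
    return findings

if __name__ == "__main__":
    for finding in check(TEMPLATE, RULES):
        print(*finding, sep=": ")
```

Run in a pipeline before deployment, a non-empty findings list would fail the build; the `ReportsBucket` case shows why parameterized values need a separate review path rather than a silent pass.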

The tool could come in handy for large enterprises that rely on AWS. In an organization where hundreds of developers use the company AWS environment, there’s a good chance that occasional human error will lead to some resources being provisioned without all the required configuration settings. The ability to automatically enforce configuration compliance rules reduces the risk of such mistakes.

Improving security is just one of the applications AWS sees for CloudFormation Guard. Administrators can also use it to optimize cloud costs by limiting what kind of infrastructure developers are allowed to provision. Another application is ensuring that cloud resources’ configuration complies with data regulations.

CloudFormation Guard is launching into general availability with several improvements over its initial preview version, which AWS revealed earlier this year. Administrators can now create a broader variety of rules for tasks as fine-grained as controlling how a cloud instance is updated and deleted. Moreover, CloudFormation Guard now comes bundled with cfn-guard-rulegen, another open-source tool developed by AWS that speeds up rule creation by enabling administrators to draw on existing policies implemented in their cloud environments. 

CloudFormation Guard is available on GitHub.
