shisho VS cloudformation-guard

If you now use these services to fix the infrastructure findings, a drift occurs that is not always easy to fix. It is better to check for possible problems before the actual deployment. This approach is called “Shift-Left”. This can be done with the package cdk-validator-cfnguard. It's based on the CloudFormation Guard package.

AWS Config rules allow you to determine if a resource is compliant or not. Previously when you wanted to do custom checks you needed to write AWS Lambda functions to validate the configuration of a resource. Since Aug 2, 2022 you have the ability to use cfn-guard rules to achieve the same.

In my previous blog, How do you prove that your infrastructure is compliant. I explained how you can prove your infrastructure is compliant using CloudFormation Guard. But, how do you write those rules? And even more important, how do you test your rules? If you look at the repository CloudFormation Guard. You will notice that the project itself offers a testing framework. Alright! Let’s build a ruleset and write some tests for it!

When you use CloudFormation Guard in combination with CodeBuild Reports it makes it easier to see what rules have failed and keeps a history. When you have a solid set of compliance rules. It gives you a report that you can use to prove that the build of the infrastructure was compliant. You are also able to prevent non-compliant code rollout in production.

cloudformation-guard.

AWS CloudFormation: can help with deploying compliant stacks. You can make sure that a stack is compliant by using AWS CloudFormation guard.

See https://github.com/aws-cloudformation/cloudformation-guard

Currently, we're also exploring the brand new AWS Config rules backed by guard. Now you can write rules using guard which is a policy-as-code language. Here is some example of a Guard Rule which we are testing.

https://github.com/aws-cloudformation/cloudformation-guard is also very useful, but more so when you want to keep your templates consistent to standards.