Using AWS CloudFormation Guardrails - Tutorial

Welcome to this tutorial on using AWS CloudFormation Guardrails. AWS CloudFormation is a powerful service for provisioning and managing AWS resources using infrastructure as code. CloudFormation Guardrails allow you to enforce security and compliance best practices by validating your CloudFormation templates against predefined rulesets. By using Guardrails, you can ensure that your infrastructure deployments adhere to your organization's policies and standards.

Example of Using CloudFormation Guardrails

Let's consider an example where you want to enforce a specific security requirement for Amazon S3 buckets in your CloudFormation templates. You can use a Guardrail rule to validate that all S3 buckets have server-side encryption enabled. Here's an example rule using AWS CloudFormation Guardrails (in AWS Config rule format):

{ "Version": "1.0", "ConfigRuleName": "S3BucketServerSideEncryption", "Description": "Checks whether Amazon S3 buckets have server-side encryption enabled.", "Source": { "Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED" } }

In the above example, the Guardrail rule uses the predefined rule identifier for checking whether server-side encryption is enabled for S3 buckets. When you deploy your CloudFormation templates, the Guardrail will evaluate the S3 buckets created and provide compliance status based on the encryption configuration.

Steps for Using CloudFormation Guardrails

  1. Enable AWS Config in your AWS account and create a new configuration recorder.
  2. Create and configure a new AWS Config rule using the desired Guardrail rule identifier or custom rule.
  3. Specify the Guardrail rule in your CloudFormation templates by referencing the rule identifier or custom rule.
  4. Deploy your CloudFormation stack and verify that the Guardrail rule is enforced.
  5. Regularly monitor the compliance status of your CloudFormation resources using AWS Config and address any non-compliant resources.

Common Mistakes with CloudFormation Guardrails

  • Not enabling AWS Config in the AWS account before using Guardrails.
  • Using incorrect rule identifiers or custom rules in CloudFormation templates, resulting in the failure to enforce desired guardrail checks.
  • Not regularly monitoring and addressing non-compliant resources identified by Guardrails, which can lead to security and compliance vulnerabilities.
  • Not following best practices and recommendations provided by AWS for creating custom Guardrail rules.

Frequently Asked Questions (FAQs)

1. Can I create custom Guardrail rules in AWS CloudFormation?

No, AWS CloudFormation does not provide the ability to create custom Guardrail rules. You can only use predefined rule identifiers or custom rules defined in AWS Config.

2. Can I use CloudFormation Guardrails with existing CloudFormation stacks?

Yes, you can enable Guardrails and apply them to existing CloudFormation stacks by configuring AWS Config rules and referencing the rule identifiers or custom rules in your templates.

3. How often does AWS Config evaluate Guardrail compliance?

The evaluation frequency of AWS Config rules, including Guardrails, can be configured to occur every few minutes or at a specified interval. You can choose the frequency that best suits your needs.

4. Can I override Guardrail rules for specific resources?

No, Guardrail rules cannot be overridden at the resource level. The rules are applied uniformly to all resources that match the evaluation criteria.

5. Are there any additional costs associated with using CloudFormation Guardrails?

There are no additional costs for using CloudFormation Guardrails. However, AWS Config may have associated costs based on the number of configuration items recorded and the number of evaluations performed.


Using AWS CloudFormation Guardrails allows you to enforce security and compliance best practices in your infrastructure-as-code deployments. By leveraging predefined rule sets or custom rules, you can validate your CloudFormation templates and ensure that your resources adhere to the desired policies and standards. Regular monitoring of compliance status and addressing non-compliant resources will help maintain a secure and compliant infrastructure.