Config

Guard Custom policy

Guard Custom policy: an AWS Config custom policy rule expresses its compliance check in the Guard DSL (a domain-specific, policy-as-code language) and evaluates it against the configuration item delivered on each config change.

Basic structure

rule rule_name when condition {
    assertion
}

Example rule

# Check if DynamoDB tables have Point-in-Time Recovery enabled
rule dynamodb_pitr_enabled when
    resourceType == "AWS::DynamoDB::Table" {

    configuration.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
    <<
    Violation: DynamoDB table must have Point-in-Time Recovery enabled
    Fix: Enable Point-in-Time Recovery for the DynamoDB table
    >>
}
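To show how the rule above maps onto the configuration item AWS Config hands to a custom policy rule, and how the policy text is registered, here is an added example (not part of the original note). It is Python and assumes nothing beyond the standard library: the configuration items are constructed, the `evaluate_pitr_rule` function is a hypothetical stand-in for the real evaluator (locally you would run `cfn-guard validate -r dynamodb_pitr.guard -d configuration_item.json`), and `build_put_config_rule_request` only builds the parameter dict for the real PutConfigRule API (`boto3.client("config").put_config_rule(**params)`) without calling it.

```python
"""Added example: exercise the page's DynamoDB PITR Guard rule against
constructed configuration items and build the PutConfigRule request."""
import json

# The Guard policy text as given on the page; the dotted paths are the
# field names AWS Config uses in a DynamoDB table configuration item.
GUARD_POLICY = """\
rule dynamodb_pitr_enabled when
    resourceType == "AWS::DynamoDB::Table" {
    configuration.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus == "ENABLED"
    <<
    Violation: DynamoDB table must have Point-in-Time Recovery enabled
    Fix: Enable Point-in-Time Recovery for the DynamoDB table
    >>
}
"""

# Constructed configuration items (not real account data), shaped like what
# Config delivers on a ConfigurationItemChangeNotification: top-level
# resourceType plus the resource's own configuration block.
COMPLIANT_TABLE = {
    "resourceType": "AWS::DynamoDB::Table",
    "resourceId": "orders-table",
    "configuration": {
        "tableName": "orders",
        "pointInTimeRecoveryDescription": {"pointInTimeRecoveryStatus": "ENABLED"},
    },
}
NONCOMPLIANT_TABLE = {
    "resourceType": "AWS::DynamoDB::Table",
    "resourceId": "sessions-table",
    "configuration": {
        "tableName": "sessions",
        "pointInTimeRecoveryDescription": {"pointInTimeRecoveryStatus": "DISABLED"},
    },
}
# Nested block absent entirely: the equality clause retrieves no value and fails,
# so the table is reported NON_COMPLIANT rather than silently passing.
NEVER_CONFIGURED_TABLE = {
    "resourceType": "AWS::DynamoDB::Table",
    "resourceId": "audit-table",
    "configuration": {"tableName": "audit"},
}
# Different resource type: the 'when' guard does not match, so the rule is not applicable.
UNRELATED_BUCKET = {
    "resourceType": "AWS::S3::Bucket",
    "resourceId": "logs-bucket",
    "configuration": {"name": "logs"},
}


def lookup(item: dict, dotted_path: str):
    """Resolve a Guard-style dotted path (e.g. configuration.a.b) against a
    configuration item; returns None when any segment is missing."""
    node = item
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def evaluate_pitr_rule(item: dict) -> str:
    """Hypothetical stand-in for cfn-guard evaluating the page's rule on one
    configuration item. NOT_APPLICABLE when the 'when' guard does not match,
    otherwise COMPLIANT or NON_COMPLIANT."""
    if lookup(item, "resourceType") != "AWS::DynamoDB::Table":
        return "NOT_APPLICABLE"
    status = lookup(
        item, "configuration.pointInTimeRecoveryDescription.pointInTimeRecoveryStatus"
    )
    return "COMPLIANT" if status == "ENABLED" else "NON_COMPLIANT"


def build_put_config_rule_request(rule_name: str, policy_text: str) -> dict:
    """Parameter dict for the real PutConfigRule API, registering the policy as a
    change-triggered custom policy rule scoped to DynamoDB tables."""
    return {
        "ConfigRule": {
            "ConfigRuleName": rule_name,
            "Scope": {"ComplianceResourceTypes": ["AWS::DynamoDB::Table"]},
            "Source": {
                "Owner": "CUSTOM_POLICY",
                "SourceDetails": [
                    {"EventSource": "aws.config",
                     "MessageType": "ConfigurationItemChangeNotification"}
                ],
                "CustomPolicyDetails": {
                    "PolicyRuntime": "guard-2.x.x",
                    "PolicyText": policy_text,
                },
            },
        }
    }


if __name__ == "__main__":
    for ci in (COMPLIANT_TABLE, NONCOMPLIANT_TABLE, NEVER_CONFIGURED_TABLE, UNRELATED_BUCKET):
        print(f"{ci['resourceId']:>16}: {evaluate_pitr_rule(ci)}")
    request = build_put_config_rule_request("dynamodb-pitr-enabled", GUARD_POLICY)
    print(json.dumps(request, indent=2))
```

The third constructed item is the case worth remembering: a table that has never had PITR touched carries no `pointInTimeRecoveryDescription` block at all, and the equality clause still fails, which is the behaviour you want from a control rule.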
