|
| 1 | +--- |
| 2 | +title: "Activate a Guard Hook" |
| 3 | +weight: 630 |
| 4 | +--- |
| 5 | + |
| 6 | +### Introduction |
| 7 | + |
| 8 | +To use an AWS Guard Hook in your account, you must first activate the Hook for the account and Region where you want to use it. Activating a Hook makes it usable in stack operations in the account and Region where it's activated. |
| 9 | + |
| 10 | +When you activate a Guard Hook, CloudFormation creates an entry in your account's registry for the activated Hook as a private Hook. This allows you to set any configuration properties the Hook includes. Configuration properties define how the Hook is configured for a given AWS account and Region. |
| 11 | + |
| 12 | +#### Using AWS Console to Create a Guard Hook |
| 13 | + |
| 14 | +##### **Open AWS CloudFormation Hooks** |
| 15 | + |
| 16 | +1. Open **AWS CloudFormation Console**. |
| 17 | +2. Navigate to the **Hooks** section. |
| 18 | +3. Click on **With Guard** option in the **Create a Hook** dropdown list. |
| 19 | + |
| 20 | + |
| 21 | + |
| 22 | +##### **Step 1: Provide your Guard rules** |
| 23 | + |
| 24 | +Configure the Guard Hook source with your S3-stored rules: |
| 25 | + |
| 26 | + |
| 27 | + |
| 28 | +Use the following parameters: |
| 29 | + |
| 30 | +1. **Guard Hook source** – Select **Store your Guard rules in S3** |
| 31 | +2. **S3 URI** – Enter the **S3 URI of your Guard rules file** (e.g., `s3://guard-hook-bucket-<your-name>/hooks/s3-security-rules.guard`) |
| 32 | + |
| 33 | +::alert[If you need to find your S3 URI, refer back to the [Write Guard rules for Hook](../write-guard-rules/) section where you uploaded your Guard rules file.]{type="info"} |
| 34 | + |
| 35 | +3. **Object version** – (Optional) If your S3 bucket has versioning enabled, you can specify a version |
| 36 | +4. **S3 bucket for Guard output report** – (Optional) You can use the same bucket for output reports |
| 37 | + |
| 38 | +Click **Next** to continue. |
| 39 | + |
| 40 | +##### **Step 2: Hook details and settings** |
| 41 | + |
| 42 | +Configure the Hook behavior and execution settings: |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | +Use the following parameters: |
| 47 | + |
| 48 | +1. **Hook Name** – `S3SecurityGuardHook` |
| 49 | +2. **Hook Targets** – Select **Resources**. |
| 50 | + ::alert[We choose **Resources** as the target because our Guard rules are designed to evaluate individual CloudFormation resources (specifically S3 buckets) rather than the entire template.]{type="info"} |
| 51 | +3. **Hook Actions** – Select **Create**. |
| 52 | + ::alert[This implements evaluation during CloudFormation **CREATE** operation]{type="info"} |
| 53 | +4. **Hook Mode** – Set to **Fail**. |
| 54 | + ::alert[With Hook Mode being Warn the hook will only emit a warning message when a hook fails, without stopping the provisioning operation. While with Fail mode the hook will stop the provisioning operation when a Hook fails.]{type="info"} |
| 55 | +5. **Execution Role** – Choose **Existing Execution Role** and select the **GuardHookExecutionRole** created earlier. |
| 56 | + |
| 57 | +::alert[To find your execution role, look for a role name similar to `GuardHookExecutionRoleStack-GuardHookExecutionRole-<random-string>` that was created in the [Prepare to create a Guard Hook](../prepare-guard-hook/) section.]{type="info"} |
| 58 | + |
| 59 | +Click **Next** to continue. |
| 60 | + |
| 61 | +##### **Step 3: Apply Hook filters (Optional)** |
| 62 | + |
| 63 | +Configure which resources the Hook should target: |
| 64 | + |
| 65 | + |
| 66 | + |
| 67 | +For **Hook filters** we will add **`AWS::S3::Bucket`** to filter the hook to just check for the creations of S3 buckets. |
| 68 | + |
| 69 | +We will use the default options for the other configurations here so there is no need to update them. |
| 70 | + |
| 71 | +Click **Next** to continue. |
| 72 | + |
| 73 | +##### **Step 4: Review and activate** |
| 74 | + |
| 75 | +Review all your settings before creating the Hook: |
| 76 | + |
| 77 | + |
| 78 | + |
| 79 | +Review the settings: |
| 80 | +- **Hook Name**: S3SecurityGuardHook |
| 81 | +- **Guard Rules Source**: S3 URI pointing to your rules file |
| 82 | +- **Target**: Resources (AWS::S3::Bucket) |
| 83 | +- **Actions**: Create |
| 84 | +- **Mode**: Fail |
| 85 | +- **Execution Role**: GuardHookExecutionRole |
| 86 | + |
| 87 | +Click **Create** to register the Hook and wait for a few seconds for the Hook to be created and activated. |
| 88 | + |
| 89 | + |
| 90 | + |
| 91 | +### Alternative: Using AWS CLI to Activate Guard Hook |
| 92 | + |
| 93 | +You can also activate the Guard Hook using the AWS CLI: |
| 94 | + |
| 95 | +```bash |
| 96 | +# First, activate the Hook type |
| 97 | +aws cloudformation activate-type \ |
| 98 | + --type HOOK \ |
| 99 | + --type-name "AWS::CloudFormation::GuardHook" \ |
| 100 | + --publisher-id "AWS" \ |
| 101 | + --region us-east-1 |
| 102 | + |
| 103 | +# Then, set the Hook configuration |
| 104 | +aws cloudformation set-type-configuration \ |
| 105 | + --type HOOK \ |
| 106 | + --type-name "AWS::CloudFormation::GuardHook" \ |
| 107 | + --configuration '{ |
| 108 | + "CloudFormationConfiguration": { |
| 109 | + "HookConfiguration": { |
| 110 | + "TargetStacks": "ALL", |
| 111 | + "FailureMode": "FAIL", |
| 112 | + "Properties": { |
| 113 | + "GuardRuleS3Uri": "s3://your-guard-rules-bucket/hooks/s3-security-rules.guard", |
| 114 | + "OutputS3Uri": "s3://your-guard-rules-bucket/guard-output/", |
| 115 | + "ExecutionRoleArn": "arn:aws:iam::123456789012:role/GuardHookExecutionRole" |
| 116 | + } |
| 117 | + }, |
| 118 | + "TargetOperations": ["CREATE"], |
| 119 | + "TargetFilters": { |
| 120 | + "Types": ["AWS::S3::Bucket"] |
| 121 | + } |
| 122 | + } |
| 123 | + }' \ |
| 124 | + --region us-east-1 |
| 125 | +``` |
| 126 | + |
| 127 | +### Understanding Guard Hook Configuration |
| 128 | + |
| 129 | +The Guard Hook configuration includes several important settings: |
| 130 | + |
| 131 | +#### **Guard Rules Source** |
| 132 | +- **S3 URI**: Points to your Guard rules file in S3 |
| 133 | +- **Versioning**: Optionally specify a specific version for consistency |
| 134 | +- **Access**: The execution role must have read permissions to this S3 location |
| 135 | + |
| 136 | +#### **Target Configuration** |
| 137 | +- **Resources**: Targets individual resource operations |
| 138 | +- **Filters**: Limits evaluation to specific resource types (AWS::S3::Bucket) |
| 139 | +- **Actions**: Specifies when to run (CREATE, UPDATE, DELETE) |
| 140 | + |
| 141 | +#### **Execution Settings** |
| 142 | +- **Failure Mode**: FAIL stops operations on rule violations, WARN allows them to continue |
| 143 | +- **Execution Role**: IAM role with necessary S3 permissions |
| 144 | + |
| 145 | +#### **Output Configuration** |
| 146 | +- **Output S3 URI**: Optional location for detailed validation reports |
| 147 | +- **Report Format**: JSON or YAML format for output reports |
| 148 | + |
| 149 | +### Conclusion |
| 150 | + |
| 151 | +Once the Hook is activated, it will automatically evaluate CloudFormation stack changes based on the defined Guard rules. By enforcing S3 security best practices, the Guard Hook ensures that only compliant S3 bucket configurations are deployed. You can now proceed to the test section and monitor the Hook's behavior in your stack operations using the activated hook. |
| 152 | + |
| 153 | +The Guard Hook will evaluate your S3 resources against the rules we defined: |
| 154 | +- ✅ Versioning must be enabled |
| 155 | +- ✅ Public access must be blocked |
| 156 | +- ✅ Server-side encryption must be configured |
| 157 | +- ✅ No public read access allowed |
| 158 | + |
| 159 | +Choose **Next** to test the Guard Hook functionality! |
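Review bot: the CLI block (lines 95-125) does not reproduce the settings the console walkthrough just asked for, and it mixes up the configuration layers. Step 2 sets Hook Targets to Resources and Hook Actions to Create, but the JSON puts `"TargetOperations": ["CREATE"]` where the operation kind (resource, stack, change set) belongs and carries no action filter; the action belongs alongside the `AWS::S3::Bucket` type filter under `TargetFilters`, not in `TargetOperations`. The execution role is passed as `"ExecutionRoleArn"` inside `Properties`, while the console flow (line 55) treats it as a Hook-level setting chosen at activation time; `activate-type` takes an `--execution-role-arn` option for exactly this, so the placement should be checked against the Guard Hook type's documented configuration schema before readers copy it. The type name `AWS::CloudFormation::GuardHook` with publisher `AWS` should likewise be verified: that identifier reads like the CloudFormation resource type for defining a Guard Hook in a template rather than the activatable Hook type, and the command as written gives no `--type-name-alias`, so the `set-type-configuration` call that follows has nothing distinct to target. Smaller points: the role ARN `arn:aws:iam::123456789012:role/GuardHookExecutionRole` contradicts the alert at line 57, which says the role is named `GuardHookExecutionRoleStack-GuardHookExecutionRole-<random-string>`, so tell readers to substitute the real ARN; `--region us-east-1` is hardcoded while the rest of the page is region-agnostic; the console heading at line 12 says "Create a Guard Hook" although the page is titled "Activate a Guard Hook" (the console flow does both, which is worth one sentence); the "Report Format: JSON or YAML" bullet at line 147 is not backed by anything in Steps 1-4 and should be dropped or sourced; and the conclusion's "Public access must be blocked" and "No public read access allowed" (lines 155 and 157) read as the same rule twice.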