aws.account
Filters
access-analyzer
Check for access analyzers in an account
- example:
    policies:
      - name: account-access-analyzer
        resource: account
        filters:
          - type: access-analyzer
            key: 'status'
            value: ACTIVE
            op: eq
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- access-analyzer
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - access-analyzer:ListAnalyzers
check-cloudtrail
Verify that CloudTrail is enabled for this account per the given specification.
Returns an annotated account resource if no trail meets that specification.
Of particular note, the current-region option evaluates whether CloudTrail covers the current region, either through a multi-region trail or through a trail whose home region is the current one.
The log-metric-filter-pattern option checks that a CloudWatch Logs metric filter with the given filter pattern exists on the trail's log group, together with a CloudWatch alarm on it and a corresponding SNS subscription.
- example:
    policies:
      - name: account-cloudtrail-enabled
        resource: account
        region: us-east-1
        filters:
          - type: check-cloudtrail
            global-events: true
            multi-region: true
            running: true
            include-management-events: true
            log-metric-filter-pattern: "{ ($.eventName = \"ConsoleLogin\") }"
Check for a CloudWatch log group with a metric filter whose filter pattern matches a regex:
    policies:
      - name: account-cloudtrail-with-matching-log-metric-filter
        resource: account
        region: us-east-1
        filters:
          - type: check-cloudtrail
            log-metric-filter-pattern:
              type: value
              op: regex
              value: '\{ ?(\()? ?\$\.eventName ?= ?(")?ConsoleLogin(")? ?(\))? ?\}'
properties:
current-region:
type: boolean
file-digest:
type: boolean
global-events:
type: boolean
include-management-events:
type: boolean
kms:
type: boolean
kms-key:
type: string
log-metric-filter-pattern:
oneOf:
- $ref: '#/definitions/filters/value'
- type: string
multi-region:
type: boolean
notifies:
type: boolean
running:
type: boolean
type:
enum:
- check-cloudtrail
required:
- type
Permissions - cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:GetEventSelectors, cloudwatch:DescribeAlarmsForMetric, logs:DescribeMetricFilters, sns:GetTopicAttributes
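As an added example (not c7n's own code), here is how the check-cloudtrail options above can be evaluated in Python over constructed DescribeTrails, GetTrailStatus, GetEventSelectors and DescribeMetricFilters data. The `_status` and `_selectors` attachments, the sample ARNs and account id, and the annotation key are this example's conventions; the log-metric-filter-pattern check here only verifies the metric filter itself, not the CloudWatch alarm and SNS subscription the real filter also requires.

```python
import re

ACCOUNT_ID = "123456789012"  # constructed

# Constructed trails in the shape of cloudtrail DescribeTrails output. The GetTrailStatus and
# GetEventSelectors results are attached under "_status" / "_selectors"; that attachment is
# this example's convention, not an AWS field. All values are made up.
SAMPLE_TRAILS = [
    {
        "Name": "org-trail",
        "HomeRegion": "us-east-1",
        "IsMultiRegionTrail": True,
        "IncludeGlobalServiceEvents": True,
        "LogFileValidationEnabled": True,
        "KmsKeyId": f"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555",
        "CloudWatchLogsLogGroupArn": f"arn:aws:logs:us-east-1:{ACCOUNT_ID}:log-group:trail-logs:*",
        "_status": {"IsLogging": True},
        "_selectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    },
    {
        "Name": "regional-only",
        "HomeRegion": "eu-west-1",
        "IsMultiRegionTrail": False,
        "IncludeGlobalServiceEvents": False,
        "LogFileValidationEnabled": False,
        "_status": {"IsLogging": False},
        "_selectors": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    },
]

# Constructed logs DescribeMetricFilters results, keyed by log group name.
SAMPLE_METRIC_FILTERS = {
    "trail-logs": ['{ ($.eventName = "ConsoleLogin") }', '{ ($.errorCode = "AccessDenied") }'],
}

# The regex form of the option, copied from the second policy example in the docs.
CONSOLE_LOGIN_REGEX_SPEC = {
    "type": "value",
    "op": "regex",
    "value": r'\{ ?(\()? ?\$\.eventName ?= ?(")?ConsoleLogin(")? ?(\))? ?\}',
}

# Boolean options and the trail attribute each one is decided by.
BOOLEAN_CHECKS = {
    "running": lambda t, region: t["_status"]["IsLogging"],
    "multi-region": lambda t, region: t["IsMultiRegionTrail"],
    "global-events": lambda t, region: t["IncludeGlobalServiceEvents"],
    "file-digest": lambda t, region: t["LogFileValidationEnabled"],
    "kms": lambda t, region: bool(t.get("KmsKeyId")),
    "notifies": lambda t, region: bool(t.get("SnsTopicARN")),
    "include-management-events": lambda t, region: any(
        s.get("IncludeManagementEvents") for s in t["_selectors"]),
    # Either a multi-region trail, or a trail whose home region is the current one.
    "current-region": lambda t, region: t["IsMultiRegionTrail"] or t["HomeRegion"] == region,
}


def log_group_name(trail):
    """Log group name from the trail's CloudWatch Logs ARN, or None if it has no log group."""
    arn = trail.get("CloudWatchLogsLogGroupArn")
    return arn.split(":log-group:", 1)[1].split(":", 1)[0] if arn else None


def has_metric_filter(trail, spec, metric_filters):
    """Plain string = exact pattern; dict = value-filter style (op: regex or equality)."""
    patterns = metric_filters.get(log_group_name(trail), [])
    if isinstance(spec, str):
        return spec in patterns
    if spec.get("op") == "regex":
        return any(re.match(spec["value"], p) for p in patterns)
    return spec.get("value") in patterns


def trail_satisfies(trail, options, current_region, metric_filters):
    """True when this one trail meets every option in the policy."""
    for name, wanted in options.items():
        if name in BOOLEAN_CHECKS:
            ok = bool(BOOLEAN_CHECKS[name](trail, current_region)) == wanted
        elif name == "kms-key":
            ok = trail.get("KmsKeyId") == wanted
        elif name == "log-metric-filter-pattern":
            ok = has_metric_filter(trail, wanted, metric_filters)
        else:
            raise ValueError(f"unknown check-cloudtrail option: {name}")
        if not ok:
            return False
    return True


def noncompliant_account(trails, options, current_region, metric_filters):
    """Filter contract: return the annotated account only when NO trail satisfies the spec."""
    if any(trail_satisfies(t, options, current_region, metric_filters) for t in trails):
        return None
    # Annotation key is this example's choice, not a c7n key.
    return {"account_id": ACCOUNT_ID, "example:cloudtrail-unsatisfied": sorted(options)}


if __name__ == "__main__":
    policy = {"global-events": True, "multi-region": True, "running": True,
              "include-management-events": True,
              "log-metric-filter-pattern": '{ ($.eventName = "ConsoleLogin") }'}
    print(noncompliant_account(SAMPLE_TRAILS, policy, "us-east-1", SAMPLE_METRIC_FILTERS))
    print(noncompliant_account([SAMPLE_TRAILS[1]], {"current-region": True, "running": True},
                               "eu-west-1", {}))
```

The second call shows the current-region semantics the docs call out: regional-only has the current region as its home region, but it is not logging, so the account is flagged; run against all trails, the multi-region org-trail covers eu-west-1 even though its home region is us-east-1.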
check-config
Is the AWS Config service enabled for this account?
- example:
    policies:
      - name: account-check-config-services
        resource: account
        region: us-east-1
        filters:
          - type: check-config
            all-resources: true
            global-resources: true
            running: true
properties:
all-resources:
type: boolean
global-resources:
type: boolean
running:
type: boolean
type:
enum:
- check-config
required:
- type
Permissions - config:DescribeDeliveryChannels, config:DescribeConfigurationRecorders, config:DescribeConfigurationRecorderStatus
check-macie
Check status of macie v2 in the account.
Gets the macie session info for the account, and the macie master account for the current account if configured.
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- check-macie
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - macie2:GetMacieSession, macie2:GetMasterAccount
credential
Use IAM Credential report to filter users.
The IAM Credential report aggregates multiple pieces of information on iam users. This makes it highly efficient for querying multiple aspects of a user that would otherwise require per user api calls.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
For example, to retrieve all users with MFA who have never used their password but have access keys that were used within the last 30 days:
    - name: iam-mfa-active-keys-no-login
      resource: iam-user
      filters:
        - type: credential
          key: mfa_active
          value: true
        - type: credential
          key: password_last_used
          value: absent
        - type: credential
          key: access_keys.last_used_date
          value_type: age
          value: 30
          op: less-than
Credential Report Transforms
Some default transformations are applied to the raw credential report. Sub-object columns (access_key_1_*, access_key_2_*, cert_1_*, cert_2_*) are turned into arrays of dictionaries (access_keys, certs) for matching purposes, with their common prefixes stripped. N/A values are turned into None, and TRUE/FALSE are turned into boolean values.
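The transforms described above, as an added Python example that is not c7n's code: it parses a constructed credential report with the real report's column layout, collapses the numbered sub-object columns into access_keys / certs lists, converts the placeholders, and then applies the three filters from the policy above. The FIXED_NOW timestamp, the sample users, and the treatment of the report's no_information / not_supported placeholders as None (the docs only mention N/A) are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed credential report with the column layout of iam GetCredentialReport
# (account id, names and timestamps are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T12:00:00+00:00,true,no_information,2021-03-04T12:00:00+00:00,N/A,true,true,2021-03-04T12:01:00+00:00,2024-01-20T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T12:00:00+00:00,true,2024-01-02T08:00:00+00:00,2021-03-04T12:00:00+00:00,N/A,false,true,2021-03-04T12:01:00+00:00,2022-01-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the age arithmetic on the constructed sample is reproducible.
FIXED_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)

# Sub-object column prefixes and the list each is collapsed into.
SUB_OBJECTS = (("access_key_", "access_keys"), ("cert_", "certs"))


def convert(raw):
    """N/A -> None and TRUE/FALSE -> bool, as the docs describe. Mapping the report's
    no_information / not_supported placeholders to None is this example's assumption."""
    if raw in ("N/A", "no_information", "not_supported"):
        return None
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    return raw


def transform_report(csv_text):
    """One dict per user; access_key_N_* and cert_N_* columns become lists of dicts."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, groups = {}, {field: {} for _, field in SUB_OBJECTS}
        for column, raw in row.items():
            for prefix, field in SUB_OBJECTS:
                if column.startswith(prefix):
                    index, _, sub_key = column[len(prefix):].partition("_")
                    groups[field].setdefault(int(index), {})[sub_key] = convert(raw)
                    break
            else:
                user[column] = convert(raw)
        for field, by_index in groups.items():
            user[field] = [by_index[i] for i in sorted(by_index)]
        users.append(user)
    return users


OPS = {
    "eq": lambda a, b: a == b, "equal": lambda a, b: a == b,
    "ne": lambda a, b: a != b, "not-equal": lambda a, b: a != b,
    "lt": lambda a, b: a < b, "less-than": lambda a, b: a < b,
    "gt": lambda a, b: a > b, "greater-than": lambda a, b: a > b,
    "le": lambda a, b: a <= b, "lte": lambda a, b: a <= b,
    "ge": lambda a, b: a >= b, "gte": lambda a, b: a >= b,
}


def candidates(user, key):
    """A dotted key (access_keys.last_used_date) yields one value per sub-object."""
    head, _, sub_key = key.partition(".")
    if sub_key:
        return [item.get(sub_key) for item in user.get(head, [])]
    return [user.get(head)]


def match_credential(user, key, value, op="eq", value_type=None, now=FIXED_NOW):
    """Apply one credential filter; a list-valued key matches if any element matches."""
    for actual in candidates(user, key):
        if value == "absent":
            if actual is None:
                return True
            continue
        if actual is None:
            continue
        if value_type == "age":  # age in days of an ISO-8601 timestamp
            actual = (now - datetime.fromisoformat(actual)).total_seconds() / 86400
        if OPS[op](actual, value):
            return True
    return False


# The policy from the docs above, as filter dicts.
POLICY_FILTERS = [
    {"key": "mfa_active", "value": True},
    {"key": "password_last_used", "value": "absent"},
    {"key": "access_keys.last_used_date", "value_type": "age", "value": 30, "op": "less-than"},
]


def run_policy(users, filters, now=FIXED_NOW):
    """Names of users for which every filter matches (filters are AND-ed, as in a policy)."""
    return [u["user"] for u in users if all(match_credential(u, now=now, **f) for f in filters)]


if __name__ == "__main__":
    print(run_policy(transform_report(SAMPLE_REPORT), POLICY_FILTERS))  # ['alice']
```

Only alice matches: the root entry has MFA and no password use but no access keys, and bob has used his password and has no MFA.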
properties:
key:
enum:
- user
- arn
- user_creation_time
- password_enabled
- password_last_used
- password_last_changed
- password_next_rotation
- mfa_active
- access_keys
- access_keys.active
- access_keys.last_used_date
- access_keys.last_used_region
- access_keys.last_used_service
- access_keys.last_rotated
- certs
- certs.active
- certs.last_rotated
title: report key to search
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
report_delay:
default: 10
title: Number of seconds to wait for report generation.
type: number
report_generate:
default: true
title: Generate a report if none is present.
type: boolean
report_max_age:
default: 86400
title: Number of seconds to consider a report valid.
type: number
type:
enum:
- credential
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - iam:GenerateCredentialReport, iam:GetCredentialReport
default-ebs-encryption
Filter an account by its EBS default-encryption status.
By default, key matches on the alias name of the default KMS key.
- example:
    policies:
      - name: check-default-ebs-encryption
        resource: aws.account
        filters:
          - type: default-ebs-encryption
            key: "alias/aws/ebs"
            state: true
It is also possible to match on specific key attributes (tags, origin):
- example:
    policies:
      - name: check-ebs-encryption-key-origin
        resource: aws.account
        filters:
          - type: default-ebs-encryption
            key:
              type: value
              key: Origin
              value: AWS_KMS
            state: true
properties:
key:
oneOf:
- $ref: '#/definitions/filters/value'
- type: string
state:
type: boolean
type:
enum:
- default-ebs-encryption
required:
- type
Permissions - ec2:GetEbsEncryptionByDefault
emr-block-public-access
Check for EMR block public access configuration on an account
- example:
    policies:
      - name: get-emr-block-public-access
        resource: account
        filters:
          - type: emr-block-public-access
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- emr-block-public-access
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - elasticmapreduce:GetBlockPublicAccessConfiguration
glue-security-config
Filter aws account by its glue encryption status and KMS key
- example:
    policies:
      - name: glue-security-config
        resource: aws.account
        filters:
          - type: glue-security-config
            SseAwsKmsKeyId: alias/aws/glue
properties:
AwsKmsKeyId:
type: string
CatalogEncryptionMode:
enum:
- DISABLED
- SSE-KMS
ReturnConnectionPasswordEncrypted:
type: boolean
SseAwsKmsKeyId:
type: string
type:
enum:
- glue-security-config
Permissions - glue:GetDataCatalogEncryptionSettings
guard-duty
Check if the GuardDuty service is enabled.
This allows looking at the account's detector and its associated master (administrator) account, if any.
- example: Check that GuardDuty is active on the account and associated with a master account.
    policies:
      - name: guardduty-enabled
        resource: account
        filters:
          - type: guard-duty
            Detector.Status: ENABLED
            Master.AccountId: "00011001"
            Master.RelationshipStatus: "Enabled"
patternProperties:
^Detector:
oneOf:
- type: object
- type: string
^Master:
oneOf:
- type: object
- type: string
properties:
match-operator:
enum:
- or
- and
type:
enum:
- guard-duty
Permissions - guardduty:GetAdministratorAccount, guardduty:ListDetectors, guardduty:GetDetector
has-virtual-mfa
Is the account configured with a virtual MFA device?
- example:
    policies:
      - name: account-with-virtual-mfa
        resource: account
        region: us-east-1
        filters:
          - type: has-virtual-mfa
            value: true
properties:
type:
enum:
- has-virtual-mfa
value:
type: boolean
required:
- type
Permissions - iam:ListVirtualMFADevices
iam-summary
Return an annotated account resource if the IAM summary filter matches.
Some use cases include detecting root API keys or MFA usage.
Example IAM summary with respect to matchable fields:
    {
      "AccessKeysPerUserQuota": 2,
      "AccountAccessKeysPresent": 0,
      "AccountMFAEnabled": 1,
      "AccountSigningCertificatesPresent": 0,
      "AssumeRolePolicySizeQuota": 2048,
      "AttachedPoliciesPerGroupQuota": 10,
      "AttachedPoliciesPerRoleQuota": 10,
      "AttachedPoliciesPerUserQuota": 10,
      "GroupPolicySizeQuota": 5120,
      "Groups": 1,
      "GroupsPerUserQuota": 10,
      "GroupsQuota": 100,
      "InstanceProfiles": 0,
      "InstanceProfilesQuota": 100,
      "MFADevices": 3,
      "MFADevicesInUse": 2,
      "Policies": 3,
      "PoliciesQuota": 1000,
      "PolicySizeQuota": 5120,
      "PolicyVersionsInUse": 5,
      "PolicyVersionsInUseQuota": 10000,
      "Providers": 0,
      "RolePolicySizeQuota": 10240,
      "Roles": 4,
      "RolesQuota": 250,
      "ServerCertificates": 0,
      "ServerCertificatesQuota": 20,
      "SigningCertificatesPerUserQuota": 2,
      "UserPolicySizeQuota": 2048,
      "Users": 5,
      "UsersQuota": 5000,
      "VersionsPerPolicyQuota": 5
    }
For example, to determine if an account has either not been enabled with root MFA or has root API keys (the relevant fields are AccountMFAEnabled and AccountAccessKeysPresent):
    policies:
      - name: root-keys-or-no-mfa
        resource: account
        filters:
          - type: iam-summary
            key: AccountMFAEnabled
            value: true
            op: eq
            value_type: swap
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- iam-summary
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - iam:GetAccountSummary
lakeformation-s3-cross-account
Flags an account if it is using a Lake Formation S3 bucket resource from a different account.
- example:
    policies:
      - name: lakeformation-cross-account-bucket
        resource: aws.account
        filters:
          - type: lakeformation-s3-cross-account
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- lakeformation-s3-cross-account
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - lakeformation:ListResources
missing
Assert the absence of a particular resource.
Intended for use at a logical account/subscription/project level.
This works effectively as an embedded policy that is evaluated; the account matches when that policy finds no resources.
- example: Notify if an S3 bucket is missing.
    policies:
      - name: missing-s3-bucket
        resource: account
        filters:
          - type: missing
            policy:
              resource: s3
              filters:
                - Name: my-bucket
        actions:
          - notify
properties:
policy:
properties:
resource:
type: string
required:
- resource
type: object
type:
enum:
- missing
required:
- policy
- type
organization
Check organization enrollment and configuration
- example: determine if an account is not in an organization
    policies:
      - name: no-org
        resource: account
        filters:
          - type: organization
            key: Id
            value: absent
- example: determine if an account is not set up for organization policies (i.e. its organization does not have all features enabled)
    policies:
      - name: org-policies-not-enabled
        resource: account
        filters:
          - type: organization
            key: FeatureSet
            value: ALL
            op: not-equal
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- organization
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - organizations:DescribeOrganization
password-policy
Check an account’s password policy.
Note that on top of the default password policy fields, we also add an extra key, PasswordPolicyConfigured which will be set to true or false to signify if the given account has attempted to set a policy at all.
- example:
    policies:
      - name: password-policy-check
        resource: account
        region: us-east-1
        filters:
          - type: password-policy
            key: MinimumPasswordLength
            value: 10
            op: ge
          - type: password-policy
            key: RequireSymbols
            value: true
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- password-policy
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - iam:GetAccountPasswordPolicy
s3-public-block
Check for s3 public blocks on an account.
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- s3-public-block
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - s3:GetAccountPublicAccessBlock
securityhub
Filter an account depending on whether security hub is enabled or not.
- example:
    policies:
      - name: check-securityhub-status
        resource: aws.account
        filters:
          - type: securityhub
            enabled: true
properties:
enabled:
type: boolean
type:
enum:
- securityhub
required:
- type
Permissions - securityhub:DescribeHub
service-limit
Check if the account's service limits are past a given threshold.
Supported limits are those reported by Trusted Advisor's service-limit checks; which checks return results varies with usage in the account and the support level enabled on the account.
The names attribute lets you choose which checks to query limits for. It is a case-insensitive globbing match on the check name: specify a name exactly or use wildcards like VPC*.
The names are exactly what is shown on the Trusted Advisor console page, or as returned by the AWS CLI:
    aws --region us-east-1 support describe-trusted-advisor-checks --language en --query 'checks[?category==`service_limits`].[name]' --output text
While you can target individual checks via the names attribute, and that should be the preferred method, the following are provided for backward compatibility with the old style of checks:
services
The resulting limit's service field must match one of these. These are case-insensitive globbing matches.
Note: If you have not specified any names to filter on, these service names are also used as a case-insensitive prefix match on the check name. This limits the number of API calls that have to be made.
limits
The resulting limit's Limit Name field must match one of these. These are case-insensitive globbing matches.
Some example check names and their corresponding service and limit names:

    Check Name                          Service         Limit Name
    ----------------------------------  --------------  ---------------------------------
    Auto Scaling Groups                 AutoScaling     Auto Scaling groups
    Auto Scaling Launch Configurations  AutoScaling     Launch configurations
    CloudFormation Stacks               CloudFormation  Stacks
    ELB Application Load Balancers      ELB             Active Application Load Balancers
    ELB Classic Load Balancers          ELB             Active load balancers
    ELB Network Load Balancers          ELB             Active Network Load Balancers
    VPC                                 VPC             VPCs
    VPC Elastic IP Address              VPC             VPC Elastic IP addresses (EIPs)
    VPC Internet Gateways               VPC             Internet gateways

Note: Some service limit checks are being migrated to Service Quotas, which is expected to largely replace the service limit checks in Trusted Advisor. Where that has happened, those checks return no results.
- example:
    policies:
      - name: specific-account-service-limits
        resource: account
        filters:
          - type: service-limit
            names:
              - IAM Policies
              - IAM Roles
              - "VPC*"
            threshold: 1.0
      - name: increase-account-service-limits
        resource: account
        filters:
          - type: service-limit
            services:
              - EC2
            threshold: 1.0
      - name: specify-region-for-global-service
        region: us-east-1
        resource: account
        filters:
          - type: service-limit
            services:
              - IAM
            limits:
              - Roles
properties:
limits:
items:
type: string
type: array
names:
items:
type: string
type: array
refresh_period:
title: how long should a check result be considered fresh
type: integer
services:
items:
enum:
- AutoScaling
- CloudFormation
- DynamoDB
- EBS
- EC2
- ELB
- IAM
- RDS
- Route53
- SES
- VPC
type: array
threshold:
type: number
type:
enum:
- service-limit
required:
- type
Permissions - support:DescribeTrustedAdvisorCheckRefreshStatuses, support:DescribeTrustedAdvisorCheckResult, support:DescribeTrustedAdvisorChecks, support:RefreshTrustedAdvisorCheck
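An added example (not c7n's code) of the selection and threshold logic described above, run over a constructed DescribeTrustedAdvisorCheckResult payload: names are globbed case-insensitively against the check name; without names, services act as a prefix on the check name and, in either case, as a glob on the result's service column; limits glob the limit-name column; and threshold is read as a percentage of the limit. That reading of threshold, the metadata column order ([Region, Service, Limit Name, Limit Amount, Current Usage, Status]) and every number below are this example's assumptions.

```python
from fnmatch import fnmatch

# Constructed Trusted Advisor service-limit results keyed by check name, in the shape of the
# "flaggedResources" list from support DescribeTrustedAdvisorCheckResult. The metadata column
# order assumed here is [Region, Service, Limit Name, Limit Amount, Current Usage, Status].
SAMPLE_CHECKS = {
    "VPC": [
        {"region": "us-east-1", "metadata": ["us-east-1", "VPC", "VPCs", "5", "5", "Red"]},
        {"region": "eu-west-1", "metadata": ["eu-west-1", "VPC", "VPCs", "5", "1", "Green"]},
    ],
    "VPC Elastic IP Address": [
        {"region": "us-east-1",
         "metadata": ["us-east-1", "VPC", "VPC Elastic IP addresses (EIPs)", "5", "2", "Green"]},
    ],
    "IAM Roles": [
        {"region": "-", "metadata": ["-", "IAM", "Roles", "1000", "812", "Yellow"]},
    ],
    "EC2 On-Demand Instances": [
        {"region": "us-east-1",
         "metadata": ["us-east-1", "EC2", "On-Demand instances", "20", "19", "Yellow"]},
        {"region": "us-west-2",  # row with no numbers reported
         "metadata": ["us-west-2", "EC2", "On-Demand instances", "-", "-", "Green"]},
    ],
}


def glob_any(value, patterns):
    """Case-insensitive globbing match against any of the patterns ('*' and '?' wildcards)."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def select_checks(check_names, names=None, services=None):
    """names: glob on the check name. Without names, services act as a case-insensitive
    prefix on the check name, which is what keeps the number of API calls down."""
    if names:
        return [c for c in check_names if glob_any(c, names)]
    if services:
        return [c for c in check_names if any(c.lower().startswith(s.lower()) for s in services)]
    return list(check_names)


def exceeded_limits(checks, threshold, names=None, services=None, limits=None):
    """Limits whose current usage is at or above `threshold` percent of the limit amount."""
    exceeded = []
    for check in select_checks(checks, names, services):
        for flagged in checks[check]:
            region, service, limit_name, limit, usage, status = flagged["metadata"]
            if services and not glob_any(service, services):
                continue
            if limits and not glob_any(limit_name, limits):
                continue
            try:
                limit_amount, current = float(limit), float(usage)
            except ValueError:  # unreported or unlimited rows ("-") carry no number
                continue
            if limit_amount <= 0:
                continue
            percent = current / limit_amount * 100
            if percent >= threshold:
                exceeded.append({
                    "check": check, "region": region, "service": service,
                    "limit": limit_name, "limit_amount": limit_amount,
                    "usage": current, "percent": round(percent, 1), "status": status,
                })
    return exceeded


if __name__ == "__main__":
    for hit in exceeded_limits(SAMPLE_CHECKS, 80.0, names=["IAM Roles", "VPC*"]):
        print(f'{hit["check"]:<26} {hit["region"]:<10} '
              f'{hit["usage"]:.0f}/{hit["limit_amount"]:.0f} ({hit["percent"]}%)')
```

With names ["IAM Roles", "VPC*"] and an 80% threshold this reports VPCs in us-east-1 (5 of 5) and IAM Roles (812 of 1000); the EC2 check is never queried because it matches neither name.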
ses-send-stats
This filter annotates the account resource with SES send statistics for the last n days, not including the current date.
The stats are aggregated into daily metrics. Additionally, the filter calculates and annotates the maximum daily bounce rate (as a percentage), so a following value filter can alert when the bounce rate on any day in the window is at or above a limit.
- example:
    policies:
      - name: ses-send-stats
        resource: account
        filters:
          - type: ses-send-stats
            days: 5
          - type: value
            key: '"c7n:ses-max-bounce-rate"'
            op: ge
            value: 10
properties:
days:
minimum: 2
type: number
type:
enum:
- ses-send-stats
required:
- days
- type
Permissions - ses:GetSendStatistics
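An added example (not c7n's code) of the aggregation described above: constructed GetSendStatistics data points are summed per day over the window, the current day and anything older than the window are dropped, and the maximum daily bounce percentage is annotated under the c7n:ses-max-bounce-rate key that the policy's value filter reads. FIXED_TODAY, the data points, and the c7n:ses-send-stats key name are assumptions.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta


def _point(timestamp, attempts, bounces, complaints=0, rejects=0):
    """One SES SendDataPoint (GetSendStatistics returns 15-minute buckets)."""
    return {"Timestamp": timestamp, "DeliveryAttempts": attempts, "Bounces": bounces,
            "Complaints": complaints, "Rejects": rejects}


# Fixed "today" and constructed data points; all values are made up.
FIXED_TODAY = date(2024, 5, 10)
SAMPLE_POINTS = [
    _point("2024-05-04T01:00:00Z", 10, 9),        # older than a 5-day window: ignored
    _point("2024-05-08T09:00:00Z", 100, 2),
    _point("2024-05-08T09:15:00Z", 300, 1),       # 2024-05-08: 3/400 = 0.75%
    _point("2024-05-09T10:00:00Z", 50, 8, complaints=1),
    _point("2024-05-09T23:45:00Z", 50, 2),        # 2024-05-09: 10/100 = 10%
    _point("2024-05-10T01:00:00Z", 10, 9),        # current day: excluded by the filter
]

METRICS = ("DeliveryAttempts", "Bounces", "Complaints", "Rejects")


def daily_send_stats(points, days, today):
    """Sum the data points into daily totals for the `days` days before `today`."""
    start = today - timedelta(days=days)
    daily = defaultdict(lambda: dict.fromkeys(METRICS, 0))
    for point in points:
        day = datetime.fromisoformat(point["Timestamp"].replace("Z", "+00:00")).date()
        if start <= day < today:  # today is never a complete day, so it is left out
            for metric in METRICS:
                daily[day.isoformat()][metric] += point[metric]
    return dict(sorted(daily.items()))


def max_bounce_rate(daily):
    """Highest single-day bounce percentage; days with no attempts do not count."""
    rates = [d["Bounces"] / d["DeliveryAttempts"] * 100
             for d in daily.values() if d["DeliveryAttempts"]]
    return round(max(rates), 2) if rates else 0.0


def annotate_account(account, points, days, today=FIXED_TODAY):
    """Attach the stats the way a c7n filter annotates a resource. The bounce-rate key is
    the one the docs' value filter reads; the stats key name is this example's choice."""
    daily = daily_send_stats(points, days, today)
    account["c7n:ses-send-stats"] = daily
    account["c7n:ses-max-bounce-rate"] = max_bounce_rate(daily)
    return account


def bounce_rate_at_or_above(account, limit):
    """The follow-on value filter from the docs: op ge, value <limit>."""
    return account.get("c7n:ses-max-bounce-rate", 0.0) >= limit


if __name__ == "__main__":
    acct = annotate_account({"account_id": "123456789012"}, SAMPLE_POINTS, days=5)
    print(acct["c7n:ses-max-bounce-rate"], bounce_rate_at_or_above(acct, 10))  # 10.0 True
```

Note the max is taken per day, not over the window: 13 bounces in 500 attempts is 2.6% overall, but 2024-05-09 alone is 10%, which is what trips the policy's `ge 10` filter.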
shield-enabled
Filter an account on whether a Shield Advanced subscription is active (state: true) or not (state: false).
properties:
state:
type: boolean
type:
enum:
- shield-enabled
required:
- type
Permissions - shield:DescribeSubscription
xray-encrypt-key
Determine how X-Ray data is encrypted: with the default AWS-managed key, with a KMS key, or with one specific key.
- example:
    policies:
      - name: xray-encrypt-with-default
        resource: aws.account
        filters:
          - type: xray-encrypt-key
            key: default
      - name: xray-encrypt-with-kms
        resource: aws.account
        filters:
          - type: xray-encrypt-key
            key: kms
      - name: xray-encrypt-with-specific-key
        resource: aws.account
        filters:
          - type: xray-encrypt-key
            key: alias/my-alias or arn or keyid
properties:
key:
type: string
type:
enum:
- xray-encrypt-key
required:
- key
- type
Permissions - xray:GetEncryptionConfig
Actions
enable-cloudtrail
Enables logging on the trail(s) named in the policy
- Example:
    policies:
      - name: trail-test
        description: Ensure CloudTrail logging is enabled
        resource: account
        actions:
          - type: enable-cloudtrail
            trail: mytrail
            bucket: trails
properties:
bucket:
type: string
bucket-region:
type: string
file-digest:
type: boolean
global-events:
type: boolean
kms:
type: boolean
kms-key:
type: string
multi-region:
type: boolean
notify:
type: string
trail:
type: string
type:
enum:
- enable-cloudtrail
required:
- bucket
Permissions - cloudtrail:CreateTrail, cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:StartLogging, cloudtrail:UpdateTrail, s3:CreateBucket, s3:GetBucketPolicy, s3:PutBucketPolicy
enable-data-events
Ensure all buckets in the account are set up to log data events.
Note this works via a single trail for data events, per https://aws.amazon.com/about-aws/whats-new/2017/09/aws-cloudtrail-enables-option-to-add-all-amazon-s3-buckets-to-data-events/
This trail should NOT be used for API management events; the configuration here is solely for data events. If directed to create a trail, it will be created without management events.
- example:
    policies:
      - name: s3-enable-data-events-logging
        resource: account
        actions:
          - type: enable-data-events
            data-trail:
              name: s3-events
              multi-region: us-east-1
properties:
data-trail:
additionalProperties: false
properties:
create:
title: Should we create trail if needed for events?
type: boolean
key-id:
title: If creating, Enable kms on the trail
type: string
multi-region:
title: If creating, use this region for all data trails
type: string
name:
title: The name of the event trail
type: string
s3-bucket:
title: If creating, the bucket to store trail event data
type: string
s3-prefix:
type: string
topic:
title: If creating, the sns topic for the trail to send updates
type: string
type:
enum:
- ReadOnly
- WriteOnly
- All
required:
- name
type: object
type:
enum:
- enable-data-events
required:
- data-trail
- type
Permissions - cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:PutEventSelectors
request-limit-increase
File support ticket to raise limit.
- Example:
    policies:
      - name: raise-account-service-limits
        resource: account
        filters:
          - type: service-limit
            services:
              - EBS
            limits:
              - Provisioned IOPS (SSD) storage (GiB)
            threshold: 60.5
        actions:
          - type: request-limit-increase
            notify: [email, email2]
            # Use exactly one of percent-increase or amount-increase.
            percent-increase: 50
            message: "Please raise the below account limit(s); \n {limits}"
oneOf:
- required:
- type
- percent-increase
- required:
- type
- amount-increase
properties:
amount-increase:
minimum: 1
type: number
message:
type: string
minimum-increase:
minimum: 1
type: number
notify:
items:
type: string
type: array
percent-increase:
minimum: 1
type: number
severity:
enum:
- urgent
- high
- normal
- low
type: string
subject:
type: string
type:
enum:
- request-limit-increase
Permissions - support:CreateCase
set-bedrock-model-invocation-logging
Set the Bedrock model invocation logging configuration on an account.
To delete the configuration, set enabled to False.
- example:
    policies:
      - name: set-bedrock-model-invocation-logging
        resource: account
        actions:
          - type: set-bedrock-model-invocation-logging
            enabled: True
            loggingConfig:
              textDataDeliveryEnabled: True
              s3Config:
                bucketName: test-bedrock-1
                keyPrefix: logging/
      - name: delete-bedrock-model-invocation-logging
        resource: account
        actions:
          - type: set-bedrock-model-invocation-logging
            enabled: False
properties:
enabled:
type: boolean
loggingConfig:
type: object
type:
enum:
- set-bedrock-model-invocation-logging
Permissions - bedrock:PutModelInvocationLoggingConfiguration
set-ebs-encryption
Set AWS EBS default encryption on an account
- example:
    policies:
      - name: set-default-ebs-encryption
        resource: aws.account
        filters:
          - type: default-ebs-encryption
            state: false
        actions:
          - type: set-ebs-encryption
            state: true
            key: alias/aws/ebs
properties:
key:
type: string
state:
type: boolean
type:
enum:
- set-ebs-encryption
required:
- type
Permissions - ec2:EnableEbsEncryptionByDefault, ec2:DisableEbsEncryptionByDefault
set-ec2-metadata-defaults
Modifies the default instance metadata service (IMDS) settings at the account level.
- example:
    policies:
      - name: set-ec2-metadata-defaults
        resource: account
        filters:
          - or:
              - type: ec2-metadata-defaults
                key: HttpTokens
                op: eq
                value: optional
              - type: ec2-metadata-defaults
                key: HttpTokens
                value: absent
        actions:
          - type: set-ec2-metadata-defaults
            HttpTokens: required
properties:
HttpEndpoint:
enum:
- enabled
- disabled
- no-preference
HttpPutResponseHopLimit:
type: integer
HttpTokens:
enum:
- optional
- required
- no-preference
InstanceMetadataTags:
enum:
- enabled
- disabled
- no-preference
type:
enum:
- set-ec2-metadata-defaults
required:
- type
Permissions - ec2:ModifyInstanceMetadataDefaults
set-emr-block-public-access
Action to put/update the EMR block public access configuration for your AWS account in the current region.
- example:
    policies:
      - name: set-emr-block-public-access
        resource: account
        filters:
          - type: emr-block-public-access
            key: BlockPublicAccessConfiguration.BlockPublicSecurityGroupRules
            value: False
        actions:
          - type: set-emr-block-public-access
            config:
              BlockPublicSecurityGroupRules: True
              PermittedPublicSecurityGroupRuleRanges:
                - MinRange: 22
                  MaxRange: 22
                - MinRange: 23
                  MaxRange: 23
Note that PermittedPublicSecurityGroupRuleRanges are exceptions to the block: with the ranges above, cluster security groups may still open ports 22 (SSH) and 23 (Telnet) to the internet. Keep the list to the ports you actually intend to expose.
properties:
config:
properties:
BlockPublicSecurityGroupRules:
type: boolean
PermittedPublicSecurityGroupRuleRanges:
items:
properties:
MaxRange:
minimum: 0
type: number
MinRange:
minimum: 0
type: number
required:
- MinRange
type: object
type: array
required:
- BlockPublicSecurityGroupRules
type: object
type:
enum:
- set-emr-block-public-access
required:
- config
Permissions - elasticmapreduce:PutBlockPublicAccessConfiguration
set-password-policy
Set an account’s password policy.
This only changes the policy for the items provided. If this is the first time setting a password policy and an item is not provided it will be set to the defaults defined in the boto docs for IAM.Client.update_account_password_policy
- example:
    policies:
      - name: set-account-password-policy
        resource: account
        filters:
          - not:
              - type: password-policy
                key: MinimumPasswordLength
                value: 10
                op: ge
        actions:
          - type: set-password-policy
            policy:
              MinimumPasswordLength: 20
properties:
policy:
type: object
type:
enum:
- set-password-policy
required:
- type
Permissions - iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy
set-s3-public-block
Configure S3 Public Access Block on an account.
All four public access block attributes can be set. Attributes you do not specify are carried over from the existing configuration.
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html
- example:
properties:
BlockPublicAcls:
type: boolean
BlockPublicPolicy:
type: boolean
IgnorePublicAcls:
type: boolean
RestrictPublicBuckets:
type: boolean
state:
default: true
type: boolean
type:
enum:
- set-s3-public-block
required:
- type
Permissions - s3:PutAccountPublicAccessBlock, s3:GetAccountPublicAccessBlock
set-shield-advanced
Enable/disable Shield Advanced on an account.
properties:
state:
type: boolean
type:
enum:
- set-shield-advanced
required:
- type
Permissions - shield:CreateSubscription, shield:DeleteSubscription
set-xray-encrypt
Set the X-Ray encryption key: default for the AWS-managed key, or a KMS key alias, ARN or key id.
- example:
    policies:
      - name: xray-default-encrypt
        resource: aws.account
        actions:
          - type: set-xray-encrypt
            key: default
      - name: xray-kms-encrypt
        resource: aws.account
        actions:
          - type: set-xray-encrypt
            key: alias/some/alias/key
properties:
key:
type: string
type:
enum:
- set-xray-encrypt
required:
- key
- type
Permissions - xray:PutEncryptionConfig
toggle-config-managed-rule
Enables or disables an AWS Config Managed Rule
- example:
    policies:
      - name: config-managed-s3-bucket-public-write-remediate-event
        description: |
          This policy detects if S3 bucket allows public write by the bucket policy
          or ACL and remediates.
        comment: |
          This policy detects if S3 bucket policy or ACL allows public write access.
          When the bucket is evaluated as 'NON_COMPLIANT', the action
          'AWS-DisableS3BucketPublicReadWrite' is triggered and remediates.
        resource: account
        filters:
          - type: missing
            policy:
              resource: config-rule
              filters:
                - type: remediation
                  rule_name: &rule_name 'config-managed-s3-bucket-public-write-remediate-event'
                  remediation: &remediation-config
                    TargetId: AWS-DisableS3BucketPublicReadWrite
                    Automatic: true
                    MaximumAutomaticAttempts: 5
                    RetryAttemptSeconds: 211
                    Parameters:
                      AutomationAssumeRole:
                        StaticValue:
                          Values:
                            - 'arn:aws:iam::{account_id}:role/myrole'
                      S3BucketName:
                        ResourceValue:
                          Value: RESOURCE_ID
        actions:
          - type: toggle-config-managed-rule
            rule_name: *rule_name
            managed_rule_id: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
            resource_types:
              - 'AWS::S3::Bucket'
            rule_parameters: '{}'
            remediation: *remediation-config
properties:
enabled:
default: true
type: boolean
managed_rule_id:
type: string
remediation:
properties:
Automatic:
type: boolean
ExecutionControls:
type: object
MaximumAutomaticAttempts:
maximum: 25
minimum: 1
type: integer
Parameters:
type: object
RetryAttemptSeconds:
maximum: 2678000
minimum: 1
type: integer
TargetId:
type: string
TargetType:
type: string
type: object
resource_id:
type: string
resource_tag:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
resource_types:
items:
pattern: ^AWS::*
type: string
type: array
rule_name:
type: string
rule_parameters:
type: string
rule_prefix:
type: string
tags:
type: object
type:
enum:
- toggle-config-managed-rule
required:
- rule_name
- type
Permissions - config:DescribeConfigRules, config:DescribeRemediationConfigurations, config:PutRemediationConfigurations, config:PutConfigRule