aws.account

Filters

access-analyzer

Check for access analyzers in an account

example:

policies:
  - name: account-access-analyzer
    resource: account
    filters:
      - type: access-analyzer
        key: 'status'
        value: ACTIVE
        op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - access-analyzer
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - access-analyzer:ListAnalyzers

check-cloudtrail

Verify that CloudTrail is enabled for this account per the given specifications.

Returns an annotated account resource if no trail satisfies them.

Of particular note, the current-region option evaluates whether CloudTrail covers the current region, either through a multi-region trail or through a trail whose home region is the current one.

The log-metric-filter-pattern option checks for a CloudWatch Logs metric filter with the given pattern, together with a CloudWatch alarm on that metric and a corresponding SNS subscription.

example:

policies:
  - name: account-cloudtrail-enabled
    resource: account
    region: us-east-1
    filters:
      - type: check-cloudtrail
        global-events: true
        multi-region: true
        running: true
        include-management-events: true
        log-metric-filter-pattern: "{ ($.eventName = \"ConsoleLogin\") }"

Check for CloudWatch log group with a metric filter that has a filter pattern matching a regex pattern:

policies:
  - name: account-cloudtrail-with-matching-log-metric-filter
    resource: account
    region: us-east-1
    filters:
      - type: check-cloudtrail
        log-metric-filter-pattern:
            type: value
            op: regex
            value: '\{ ?(\()? ?\$\.eventName ?= ?(")?ConsoleLogin(")? ?(\))? ?\}'
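The logic those options express, written out as an added Python example (illustrative code, not Cloud Custodian's implementation): it applies current-region, multi-region, global-events, running and include-management-events to constructed DescribeTrails, GetTrailStatus and GetEventSelectors payloads, and runs the regex from the second policy against constructed metric filters on the trail's log group. The payloads, the trail, log group and filter names are made up, and the alarm and SNS subscription part of the real check is left out.

```python
import re

# Constructed API payloads in the shape of DescribeTrails, GetTrailStatus,
# GetEventSelectors and DescribeMetricFilters responses; all values are made up.
TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True,
     "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:111111111111:log-group:org-trail-logs:*"},
    {"Name": "eu-only", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False},
]
TRAIL_STATUS = {"org-trail": {"IsLogging": True}, "eu-only": {"IsLogging": False}}
EVENT_SELECTORS = {
    "org-trail": [{"ReadWriteType": "All", "IncludeManagementEvents": True}],
    "eu-only": [{"ReadWriteType": "WriteOnly", "IncludeManagementEvents": False}],
}
METRIC_FILTERS = {
    "org-trail-logs": [
        {"filterName": "console-login", "filterPattern": '{ ($.eventName = "ConsoleLogin") }'},
        {"filterName": "root-activity", "filterPattern": '{ $.userIdentity.type = "Root" }'},
    ],
}

# The regex from the second policy above: tolerant of optional parentheses,
# quotes and spaces around the ConsoleLogin comparison.
CONSOLE_LOGIN_RE = r'\{ ?(\()? ?\$\.eventName ?= ?(")?ConsoleLogin(")? ?(\))? ?\}'


def pattern_matches(regex, filter_pattern):
    return re.search(regex, filter_pattern) is not None


def trail_satisfies(trail, region, *, current_region=True, multi_region=True,
                    global_events=True, running=True, include_management_events=True):
    """Apply the check-cloudtrail options to one trail. current-region passes when
    the trail is multi-region or the region is the trail's home region."""
    name = trail["Name"]
    if current_region and not (trail["IsMultiRegionTrail"] or trail["HomeRegion"] == region):
        return False
    if multi_region and not trail["IsMultiRegionTrail"]:
        return False
    if global_events and not trail["IncludeGlobalServiceEvents"]:
        return False
    if running and not TRAIL_STATUS[name]["IsLogging"]:
        return False
    if include_management_events and not any(
            s.get("IncludeManagementEvents") for s in EVENT_SELECTORS.get(name, [])):
        return False
    return True


def log_group_of(trail):
    """arn:aws:logs:<region>:<acct>:log-group:<name>:* -> <name>"""
    arn = trail.get("CloudWatchLogsLogGroupArn")
    return arn.split(":log-group:", 1)[1].split(":")[0] if arn else None


def has_metric_filter(trail, regex):
    group = log_group_of(trail)
    return any(pattern_matches(regex, f["filterPattern"])
               for f in METRIC_FILTERS.get(group, []))


def cloudtrail_enabled(region, pattern_regex=None, **options):
    """The account passes when at least one trail meets every option and,
    if pattern_regex is given, its log group carries a matching metric filter.
    (The alarm and SNS subscription checks of the real filter are omitted here.)"""
    return any(
        trail_satisfies(t, region, **options)
        and (pattern_regex is None or has_metric_filter(t, pattern_regex))
        for t in TRAILS
    )
```

Run against the constructed data, the multi-region org-trail covers any region, while eu-only only counts for eu-west-1 and only once running is not required.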
properties:
  current-region:
    type: boolean
  file-digest:
    type: boolean
  global-events:
    type: boolean
  include-management-events:
    type: boolean
  kms:
    type: boolean
  kms-key:
    type: string
  log-metric-filter-pattern:
    oneOf:
    - $ref: '#/definitions/filters/value'
    - type: string
  multi-region:
    type: boolean
  notifies:
    type: boolean
  running:
    type: boolean
  type:
    enum:
    - check-cloudtrail
required:
- type

Permissions - cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:GetEventSelectors, cloudwatch:DescribeAlarmsForMetric, logs:DescribeMetricFilters, sns:GetTopicAttributes

check-config

Is the AWS Config service enabled for this account?

example:

policies:
  - name: account-check-config-services
    resource: account
    region: us-east-1
    filters:
      - type: check-config
        all-resources: true
        global-resources: true
        running: true
properties:
  all-resources:
    type: boolean
  global-resources:
    type: boolean
  running:
    type: boolean
  type:
    enum:
    - check-config
required:
- type

Permissions - config:DescribeDeliveryChannels, config:DescribeConfigurationRecorders, config:DescribeConfigurationRecorderStatus

check-macie

Check the status of Macie (v2) in the account.

Gets the Macie session info for the account and, if configured, the Macie master account for the current account.

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - check-macie
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - macie2:GetMacieSession, macie2:GetMasterAccount

credential

Use the IAM credential report to filter users.

The IAM credential report aggregates multiple pieces of information on IAM users, which makes it highly efficient for querying multiple aspects of a user that would otherwise require per-user API calls.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html

For example, to retrieve all users with MFA who have never used their password but have access keys that were used within the last 30 days:

- name: iam-mfa-active-keys-no-login
  resource: iam-user
  filters:
    - type: credential
      key: mfa_active
      value: true
    - type: credential
      key: password_last_used
      value: absent
    - type: credential
      key: access_keys.last_used_date
      value_type: age
      value: 30
      op: less-than

Credential Report Transforms

We perform some default transformations on the raw credential report. Sub-objects (access_key_1, cert_2) are turned into arrays of dictionaries (access_keys, certs) with their common prefixes stripped, for matching purposes. N/A values are turned into None, and TRUE/FALSE into boolean values.
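The transforms and the three-filter policy above, as an added Python example (not the project's own code): it parses a constructed credential report, applies the N/A, true/false and sub-object conversions, and then selects users with MFA, no password use and an access key used within the last 30 days. The sample rows, the fixed evaluation time, the treatment of IAM's no_information marker as absent, and the dropping of unused key/cert slots are all assumptions of this example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the IAM credential report CSV layout; every value is made up.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
alice,arn:aws:iam::111111111111:user/alice,2023-01-05T09:00:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-05T09:00:00+00:00,N/A,true,true,2024-01-05T09:00:00+00:00,2024-05-02T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2022-11-20T12:00:00+00:00,true,no_information,2022-11-20T12:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-09T06:30:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111111111111:user/carol,2022-01-01T00:00:00+00:00,false,N/A,N/A,N/A,true,true,2022-01-01T00:00:00+00:00,2024-02-01T00:00:00+00:00,eu-west-1,sts,true,2023-06-01T00:00:00+00:00,2024-01-15T00:00:00+00:00,eu-west-1,s3,false,N/A,false,N/A
bob,arn:aws:iam::111111111111:user/bob,2021-03-10T00:00:00+00:00,true,N/A,2021-03-10T00:00:00+00:00,N/A,false,true,2021-03-10T00:00:00+00:00,2023-12-01T00:00:00+00:00,us-east-1,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed evaluation time so the age arithmetic below is reproducible.
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)

# Column prefix in the raw report -> list name exposed to the filter.
SUB_OBJECTS = {"access_key": "access_keys", "cert": "certs"}


def _coerce(value):
    """N/A (and IAM's no_information marker for an unknown last login) -> None,
    the report's lowercase true/false strings -> bool, anything else unchanged."""
    if value in ("N/A", "no_information"):
        return None
    if value == "true":
        return True
    if value == "false":
        return False
    return value


def transform_row(row):
    """Apply the documented transforms to one raw CSV row."""
    user = {}
    slots = {name: {} for name in SUB_OBJECTS.values()}
    for column, raw in row.items():
        value = _coerce(raw)
        for prefix, target in SUB_OBJECTS.items():
            if column.startswith(prefix + "_"):
                # access_key_1_last_used_date -> slot "1", field "last_used_date"
                index, _, field = column[len(prefix) + 1:].partition("_")
                slots[target].setdefault(index, {})[field] = value
                break
        else:
            user[column] = value
    for target, by_index in slots.items():
        # A slot that is inactive with every other field N/A was never issued
        # a key or cert; drop it so it cannot match a key-level filter.
        user[target] = [
            fields for _, fields in sorted(by_index.items())
            if fields.get("active") or any(v is not None for f, v in fields.items() if f != "active")
        ]
    return user


def parse_credential_report(text):
    return [transform_row(row) for row in csv.DictReader(io.StringIO(text))]


def age_days(timestamp, now=NOW):
    """Age in days of an ISO-8601 timestamp, as value_type: age computes it."""
    return (now - datetime.fromisoformat(timestamp)).total_seconds() / 86400


def mfa_users_with_fresh_keys_no_login(users, max_age_days=30, now=NOW):
    """Same conditions as the iam-mfa-active-keys-no-login policy: mfa_active is
    true, password_last_used is absent, and some access key was used less than
    max_age_days ago. A list-valued key matches when any element matches."""
    matched = []
    for user in users:
        if user["mfa_active"] is not True or user["password_last_used"] is not None:
            continue
        last_used = [k["last_used_date"] for k in user["access_keys"] if k.get("last_used_date")]
        if any(age_days(d, now) < max_age_days for d in last_used):
            matched.append(user["user"])
    return matched


if __name__ == "__main__":
    print(mfa_users_with_fresh_keys_no_login(parse_credential_report(SAMPLE_REPORT)))  # ['svc-deploy']
```

Note that alice drops out because her password was used, bob because MFA is off, and carol because her most recent key use is older than the window; widening max_age_days pulls carol back in.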

properties:
  key:
    enum:
    - user
    - arn
    - user_creation_time
    - password_enabled
    - password_last_used
    - password_last_changed
    - password_next_rotation
    - mfa_active
    - access_keys
    - access_keys.active
    - access_keys.last_used_date
    - access_keys.last_used_region
    - access_keys.last_used_service
    - access_keys.last_rotated
    - certs
    - certs.active
    - certs.last_rotated
    title: report key to search
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  report_delay:
    default: 10
    title: Number of seconds to wait for report generation.
    type: number
  report_generate:
    default: true
    title: Generate a report if none is present.
    type: boolean
  report_max_age:
    default: 86400
    title: Number of seconds to consider a report valid.
    type: number
  type:
    enum:
    - credential
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:GenerateCredentialReport, iam:GetCredentialReport

default-ebs-encryption

Filter an account by its EBS default encryption status.

By default, key matches on the alias name of the default EBS KMS key.

example:

policies:
  - name: check-default-ebs-encryption
    resource: aws.account
    filters:
     - type: default-ebs-encryption
       key: "alias/aws/ebs"
       state: true

It is also possible to match on specific key attributes (tags, origin)

example:

policies:
  - name: check-ebs-encryption-key-origin
    resource: aws.account
    filters:
     - type: default-ebs-encryption
       key:
         type: value
         key: Origin
         value: AWS_KMS
       state: true
properties:
  key:
    oneOf:
    - $ref: '#/definitions/filters/value'
    - type: string
  state:
    type: boolean
  type:
    enum:
    - default-ebs-encryption
required:
- type

Permissions - ec2:GetEbsEncryptionByDefault

emr-block-public-access

Check for EMR block public access configuration on an account

example:

policies:
  - name: get-emr-block-public-access
    resource: account
    filters:
      - type: emr-block-public-access
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - emr-block-public-access
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - elasticmapreduce:GetBlockPublicAccessConfiguration

glue-security-config

Filter an AWS account by its Glue data catalog encryption status and KMS key.

example:

policies:
  - name: glue-security-config
    resource: aws.account
    filters:
      - type: glue-security-config
        SseAwsKmsKeyId: alias/aws/glue
properties:
  AwsKmsKeyId:
    type: string
  CatalogEncryptionMode:
    enum:
    - DISABLED
    - SSE-KMS
  ReturnConnectionPasswordEncrypted:
    type: boolean
  SseAwsKmsKeyId:
    type: string
  type:
    enum:
    - glue-security-config

Permissions - glue:GetDataCatalogEncryptionSettings

guard-duty

Check if the GuardDuty service is enabled.

This allows looking at the account's detector and its associated master account, if any.

example:

Check to ensure GuardDuty is active on the account and associated with a master account.

policies:
  - name: guardduty-enabled
    resource: account
    filters:
      - type: guard-duty
        Detector.Status: ENABLED
        Master.AccountId: "00011001"
        Master.RelationshipStatus: "Enabled"
patternProperties:
  ^Detector:
    oneOf:
    - type: object
    - type: string
  ^Master:
    oneOf:
    - type: object
    - type: string
properties:
  match-operator:
    enum:
    - or
    - and
  type:
    enum:
    - guard-duty

Permissions - guardduty:GetMasterAccount, guardduty:ListDetectors, guardduty:GetDetector

has-virtual-mfa

Is the account configured with a virtual MFA device?

example:

policies:
    - name: account-with-virtual-mfa
      resource: account
      region: us-east-1
      filters:
        - type: has-virtual-mfa
          value: true
properties:
  type:
    enum:
    - has-virtual-mfa
  value:
    type: boolean
required:
- type

Permissions - iam:ListVirtualMFADevices

iam-summary

Return the annotated account resource if the IAM summary filter matches.

Use cases include detecting root API keys or root MFA usage.

Example IAM summary showing the matchable fields:

{
      "AccessKeysPerUserQuota": 2,
      "AccountAccessKeysPresent": 0,
      "AccountMFAEnabled": 1,
      "AccountSigningCertificatesPresent": 0,
      "AssumeRolePolicySizeQuota": 2048,
      "AttachedPoliciesPerGroupQuota": 10,
      "AttachedPoliciesPerRoleQuota": 10,
      "AttachedPoliciesPerUserQuota": 10,
      "GroupPolicySizeQuota": 5120,
      "Groups": 1,
      "GroupsPerUserQuota": 10,
      "GroupsQuota": 100,
      "InstanceProfiles": 0,
      "InstanceProfilesQuota": 100,
      "MFADevices": 3,
      "MFADevicesInUse": 2,
      "Policies": 3,
      "PoliciesQuota": 1000,
      "PolicySizeQuota": 5120,
      "PolicyVersionsInUse": 5,
      "PolicyVersionsInUseQuota": 10000,
      "Providers": 0,
      "RolePolicySizeQuota": 10240,
      "Roles": 4,
      "RolesQuota": 250,
      "ServerCertificates": 0,
      "ServerCertificatesQuota": 20,
      "SigningCertificatesPerUserQuota": 2,
      "UserPolicySizeQuota": 2048,
      "Users": 5,
      "UsersQuota": 5000,
      "VersionsPerPolicyQuota": 5,
  }

For example, to match on the root MFA flag (AccountMFAEnabled is reported as 0 or 1; AccountAccessKeysPresent is the corresponding field for root access keys):

policies:
  - name: root-keys-or-no-mfa
    resource: account
    filters:
      - type: iam-summary
        key: AccountMFAEnabled
        value: true
        op: eq
        value_type: swap
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - iam-summary
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:GetAccountSummary

lakeformation-s3-cross-account

Flags an account if it is using a Lake Formation S3 bucket resource from a different account.

example:

policies:
  - name: lakeformation-cross-account-bucket
    resource: aws.account
    filters:
     - type: lakeformation-s3-cross-account
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - lakeformation-s3-cross-account
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - lakeformation:ListResources

missing

Assert the absence of a particular resource.

Intended for use at a logical account/subscription/project level.

This works effectively as an embedded policy that is evaluated; the account matches when that policy returns no resources.

example:

Notify if an s3 bucket is missing

policies:
  - name: missing-s3-bucket
    resource: account
    filters:
      - type: missing
        policy:
          resource: s3
          filters:
            - Name: my-bucket
    actions:
      - notify
properties:
  policy:
    properties:
      resource:
        type: string
    required:
    - resource
    type: object
  type:
    enum:
    - missing
required:
- policy
- type

organization

Check organization enrollment and configuration

example:

determine if an account is not in an organization

policies:
  - name: no-org
    resource: account
    filters:
      - type: organization
        key: Id
        value: absent
example:

determine if an account's organization is not set up for organization policies (FeatureSet is not ALL)

policies:
  - name: org-policies-not-enabled
    resource: account
    filters:
      - type: organization
        key: FeatureSet
        value: ALL
        op: not-equal
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - organization
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - organizations:DescribeOrganization

password-policy

Check an account's password policy.

Note that on top of the default password policy fields, an extra key, PasswordPolicyConfigured, is added and set to true or false to signify whether the account has set a password policy at all.

example:

policies:
  - name: password-policy-check
    resource: account
    region: us-east-1
    filters:
      - type: password-policy
        key: MinimumPasswordLength
        value: 10
        op: ge
      - type: password-policy
        key: RequireSymbols
        value: true
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - password-policy
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - iam:GetAccountPasswordPolicy

s3-public-block

Check the account-level S3 public access block settings of an account.

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - s3-public-block
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - s3:GetAccountPublicAccessBlock

securityhub

Filter an account depending on whether security hub is enabled or not.

example:

policies:
  - name: check-securityhub-status
    resource: aws.account
    filters:
     - type: securityhub
       enabled: true
properties:
  enabled:
    type: boolean
  type:
    enum:
    - securityhub
required:
- type

Permissions - securityhub:DescribeHub

service-limit

Check if an account's service limits are past a given threshold.

Supported limits are those reported by Trusted Advisor, which vary with the usage in the account and the support level enabled on the account.

The names attribute lets you choose which checks to query limits for. It is a case-insensitive globbing match on the check name; you can specify a name exactly or use globbing wildcards such as VPC*.

The names are exactly what's shown on the Trusted Advisor page, or can be listed via the awscli:

aws --region us-east-1 support describe-trusted-advisor-checks --language en --query 'checks[?category==`service_limits`].[name]' --output text

While you can target individual checks via the names attribute, and that should be the preferred method, the following are provided for backward compatibility with the old style of checks:

  • services

    The resulting limit’s service field must match one of these. These are case-insensitive globbing matches.

    Note: If you haven’t specified any names to filter, then these service names are used as a case-insensitive prefix match on the check name. This helps limit the number of API calls we need to make.

  • limits

    The resulting limit’s Limit Name field must match one of these. These are case-insensitive globbing matches.

Some example names and their corresponding service and limit names:

Check Name                           Service         Limit Name
-----------------------------------  --------------  ---------------------------------
Auto Scaling Groups                  AutoScaling     Auto Scaling groups
Auto Scaling Launch Configurations   AutoScaling     Launch configurations
CloudFormation Stacks                CloudFormation  Stacks
ELB Application Load Balancers       ELB             Active Application Load Balancers
ELB Classic Load Balancers           ELB             Active load balancers
ELB Network Load Balancers           ELB             Active Network Load Balancers
VPC                                  VPC             VPCs
VPC Elastic IP Address               VPC             VPC Elastic IP addresses (EIPs)
VPC Internet Gateways                VPC             Internet gateways

Note: some service limit checks are being migrated to Service Quotas, which is expected to largely replace the service limit checks in Trusted Advisor; checks that have been migrated may return no results.

example:

policies:
  - name: specific-account-service-limits
    resource: account
    filters:
      - type: service-limit
        names:
          - IAM Policies
          - IAM Roles
          - "VPC*"
        threshold: 1.0

  - name: increase-account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EC2
        threshold: 1.0

  - name: specify-region-for-global-service
    region: us-east-1
    resource: account
    filters:
      - type: service-limit
        services:
          - IAM
        limits:
          - Roles
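The selection and threshold rules described above, as an added Python example (not Cloud Custodian's code): it applies the names glob, the services prefix fallback, the services and limits globs, and a usage-as-percent-of-limit comparison to constructed Trusted Advisor check descriptions and result rows. The check ids, names and numbers are made up, the metadata column order follows the service-limit checks (region, service, limit name, limit, usage, status), and reading threshold as a percentage of the limit is this example's interpretation.

```python
import fnmatch

# Constructed Trusted Advisor data: check descriptions in the shape of
# DescribeTrustedAdvisorChecks and, per check id, flagged-resource metadata rows
# in the shape of DescribeTrustedAdvisorCheckResult for service-limit checks
# (region, service, limit name, limit amount, current usage, status). Values are made up.
CHECKS = [
    {"id": "chk-vpc", "name": "VPC", "category": "service_limits"},
    {"id": "chk-eip", "name": "VPC Elastic IP Address", "category": "service_limits"},
    {"id": "chk-iam-roles", "name": "IAM Roles", "category": "service_limits"},
    {"id": "chk-ebs-piops", "name": "EBS Provisioned IOPS (SSD) Volume Storage", "category": "service_limits"},
    {"id": "chk-s3-perms", "name": "Amazon S3 Bucket Permissions", "category": "security"},
]
RESULTS = {
    "chk-vpc": [["us-east-1", "VPC", "VPCs", "5", "5", "Red"],
                ["us-west-2", "VPC", "VPCs", "5", "1", "Green"]],
    "chk-eip": [["us-east-1", "VPC", "VPC Elastic IP addresses (EIPs)", "5", "4", "Yellow"]],
    "chk-iam-roles": [["-", "IAM", "Roles", "1000", "612", "Green"]],
    "chk-ebs-piops": [["us-east-1", "EBS", "Provisioned IOPS (SSD) storage (GiB)", "300000", "210000", "Green"]],
}


def _glob(value, patterns):
    """Case-insensitive glob match against any of the patterns."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def select_checks(checks, names=None, services=None):
    """Which checks to query: `names` globs on the check name; without names,
    `services` is used as a case-insensitive prefix on the check name."""
    selected = []
    for check in checks:
        if check["category"] != "service_limits":
            continue
        name = check["name"].lower()
        if names:
            if _glob(name, names):
                selected.append(check)
        elif services:
            if any(name.startswith(s.lower()) for s in services):
                selected.append(check)
        else:
            selected.append(check)
    return selected


def limits_over_threshold(checks, results, threshold, names=None, services=None, limits=None):
    """Return (check name, region, service, limit name, percent used) for every
    limit whose usage is at or above `threshold` percent of the limit."""
    hits = []
    for check in select_checks(checks, names, services):
        for region, service, limit_name, limit, usage, _status in results.get(check["id"], []):
            if services and not _glob(service, services):
                continue
            if limits and not _glob(limit_name, limits):
                continue
            limit = float(limit)
            if limit <= 0:  # unknown or unlimited quota: nothing to compare against
                continue
            percent = round(100.0 * float(usage) / limit, 2)
            if percent >= threshold:
                hits.append((check["name"], region, service, limit_name, percent))
    return hits
```

With threshold 80 and names VPC*, the us-east-1 VPC limit (5 of 5) and the EIP limit (4 of 5) are reported while the us-west-2 VPC row is not; the EBS policy from the request-limit-increase example below selects the single EBS row at 70 percent.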
properties:
  limits:
    items:
      type: string
    type: array
  names:
    items:
      type: string
    type: array
  refresh_period:
    title: how long should a check result be considered fresh
    type: integer
  services:
    items:
      enum:
      - AutoScaling
      - CloudFormation
      - DynamoDB
      - EBS
      - EC2
      - ELB
      - IAM
      - RDS
      - Route53
      - SES
      - VPC
    type: array
  threshold:
    type: number
  type:
    enum:
    - service-limit
required:
- type

Permissions - support:DescribeTrustedAdvisorCheckRefreshStatuses, support:DescribeTrustedAdvisorCheckResult, support:DescribeTrustedAdvisorChecks, support:RefreshTrustedAdvisorCheck

ses-send-stats

This filter annotates the account resource with SES send statistics for the last n days, not including the current date.

The stats are aggregated into daily metrics. The filter also calculates and annotates the maximum daily bounce rate (as a percentage), so a policy can alert when the bounce rate for any day in the window is higher than a limit.

example:

policies:
  - name: ses-send-stats
    resource: account
    filters:
      - type: ses-send-stats
        days: 5
      - type: value
        key: '"c7n:ses-max-bounce-rate"'
        op: ge
        value: 10
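How the annotation read by this policy can be derived, as an added Python example (not the filter's own code): it aggregates constructed GetSendStatistics datapoints per UTC day over the requested window, excludes the current date, computes the maximum daily bounce rate in percent, and applies the >= 10 comparison from the second filter. The datapoints, the fixed clock and the name of the daily-stats annotation key are assumptions; c7n:ses-max-bounce-rate is the key the policy above reads.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Fixed "now" so the day window is reproducible; the real filter uses the current time.
NOW = datetime(2024, 5, 10, 15, 0, tzinfo=UTC)

# Constructed GetSendStatistics datapoints (field names as in the SES API, values made up).
SEND_DATA_POINTS = [
    {"Timestamp": datetime(2024, 5, 9, 10, 0, tzinfo=UTC), "DeliveryAttempts": 100, "Bounces": 2, "Complaints": 0, "Rejects": 0},
    {"Timestamp": datetime(2024, 5, 9, 14, 0, tzinfo=UTC), "DeliveryAttempts": 300, "Bounces": 10, "Complaints": 1, "Rejects": 0},
    {"Timestamp": datetime(2024, 5, 8, 9, 0, tzinfo=UTC), "DeliveryAttempts": 50, "Bounces": 5, "Complaints": 0, "Rejects": 1},
    {"Timestamp": datetime(2024, 5, 10, 8, 0, tzinfo=UTC), "DeliveryAttempts": 10, "Bounces": 9, "Complaints": 0, "Rejects": 0},  # today: excluded
    {"Timestamp": datetime(2024, 5, 3, 8, 0, tzinfo=UTC), "DeliveryAttempts": 10, "Bounces": 10, "Complaints": 0, "Rejects": 0},  # outside a 5-day window
]
COUNTERS = ("DeliveryAttempts", "Bounces", "Complaints", "Rejects")


def daily_stats(points, days, now=NOW):
    """Sum the datapoints per UTC day for the `days` days before today; today is excluded."""
    end = now.date()                    # exclusive upper bound
    start = end - timedelta(days=days)  # inclusive lower bound
    totals = defaultdict(lambda: dict.fromkeys(COUNTERS, 0))
    for point in points:
        day = point["Timestamp"].astimezone(UTC).date()
        if start <= day < end:
            for counter in COUNTERS:
                totals[day.isoformat()][counter] += point[counter]
    return dict(sorted(totals.items()))


def bounce_rate(day_totals):
    """Bounces as a percentage of delivery attempts; 0 when nothing was sent that day."""
    attempts = day_totals["DeliveryAttempts"]
    return 100.0 * day_totals["Bounces"] / attempts if attempts else 0.0


def annotate(account, points, days, now=NOW):
    """Annotate the account the way the filter does: daily stats plus the max daily
    bounce rate. 'c7n:ses-max-bounce-rate' is the key the policy reads; the
    'c7n:ses-send-stats' key for the daily breakdown is this example's own name."""
    daily = daily_stats(points, days, now)
    account["c7n:ses-send-stats"] = daily
    account["c7n:ses-max-bounce-rate"] = max((bounce_rate(d) for d in daily.values()), default=0.0)
    return account


def exceeds_bounce_limit(account, limit=10):
    """The second filter of the policy: c7n:ses-max-bounce-rate >= limit."""
    return account["c7n:ses-max-bounce-rate"] >= limit
```

With the constructed data, 2024-05-09 sums to 12 bounces over 400 attempts (3 percent) and 2024-05-08 to 5 over 50 (10 percent), so the account is flagged at the policy's limit of 10; the 90 percent spike on the current date is deliberately outside the window.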
properties:
  days:
    minimum: 2
    type: number
  type:
    enum:
    - ses-send-stats
required:
- days
- type

Permissions - ses:GetSendStatistics

shield-enabled

Filter an account by whether it has an AWS Shield Advanced subscription; state: true matches accounts where the subscription is present.

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

Permissions - shield:DescribeSubscription

xray-encrypt-key

Determine how X-Ray data is encrypted: with the default key, with any KMS key, or with a specific KMS key (given as an alias, ARN or key id).

example:

policies:
  - name: xray-encrypt-with-default
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: default
  - name: xray-encrypt-with-kms
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: kms
  - name: xray-encrypt-with-specific-key
    resource: aws.account
    filters:
       - type: xray-encrypt-key
         key: alias/my-alias or arn or keyid
properties:
  key:
    type: string
  type:
    enum:
    - xray-encrypt-key
required:
- key
- type

Permissions - xray:GetEncryptionConfig

Actions

enable-cloudtrail

Enables logging on the trail named in the policy, creating the trail and its S3 bucket if needed.

Example:

policies:
  - name: trail-test
    description: Ensure CloudTrail logging is enabled
    resource: account
    actions:
      - type: enable-cloudtrail
        trail: mytrail
        bucket: trails
properties:
  bucket:
    type: string
  bucket-region:
    type: string
  file-digest:
    type: boolean
  global-events:
    type: boolean
  kms:
    type: boolean
  kms-key:
    type: string
  multi-region:
    type: boolean
  notify:
    type: string
  trail:
    type: string
  type:
    enum:
    - enable-cloudtrail
required:
- bucket

Permissions - cloudtrail:CreateTrail, cloudtrail:DescribeTrails, cloudtrail:GetTrailStatus, cloudtrail:StartLogging, cloudtrail:UpdateTrail, s3:CreateBucket, s3:GetBucketPolicy, s3:PutBucketPolicy

enable-data-events

Ensure all buckets in the account are set up to log data events.

Note this works via a single trail for data events, per https://aws.amazon.com/about-aws/whats-new/2017/09/aws-cloudtrail-enables-option-to-add-all-amazon-s3-buckets-to-data-events/

This trail should NOT be used for API management events; the configuration here is solely for data events. If directed to create a trail, this will do so without management events.

example:

policies:
  - name: s3-enable-data-events-logging
    resource: account
    actions:
     - type: enable-data-events
       data-trail:
         name: s3-events
         multi-region: us-east-1
properties:
  data-trail:
    additionalProperties: false
    properties:
      create:
        title: Should we create trail if needed for events?
        type: boolean
      key-id:
        title: If creating, Enable kms on the trail
        type: string
      multi-region:
        title: If creating, use this region for all data trails
        type: string
      name:
        title: The name of the event trail
        type: string
      s3-bucket:
        title: If creating, the bucket to store trail event data
        type: string
      s3-prefix:
        type: string
      topic:
        title: If creating, the sns topic for the trail to send updates
        type: string
      type:
        enum:
        - ReadOnly
        - WriteOnly
        - All
    required:
    - name
    type: object
  type:
    enum:
    - enable-data-events
required:
- data-trail
- type

Permissions - cloudtrail:DescribeTrails, cloudtrail:GetEventSelectors, cloudtrail:PutEventSelectors

request-limit-increase

File a support ticket to raise a limit.

Example:

policies:
  - name: raise-account-service-limits
    resource: account
    filters:
      - type: service-limit
        services:
          - EBS
        limits:
          - Provisioned IOPS (SSD) storage (GiB)
        threshold: 60.5
    actions:
      - type: request-limit-increase
        notify: [email, email2]
        ## You can use one of either percent-increase or an amount-increase.
        percent-increase: 50
        message: "Please raise the below account limit(s); \n {limits}"
oneOf:
- required:
  - type
  - percent-increase
- required:
  - type
  - amount-increase
properties:
  amount-increase:
    minimum: 1
    type: number
  message:
    type: string
  minimum-increase:
    minimum: 1
    type: number
  notify:
    items:
      type: string
    type: array
  percent-increase:
    minimum: 1
    type: number
  severity:
    enum:
    - urgent
    - high
    - normal
    - low
    type: string
  subject:
    type: string
  type:
    enum:
    - request-limit-increase

Permissions - support:CreateCase

set-bedrock-model-invocation-logging

Set the Bedrock model invocation logging configuration on an account.

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/bedrock/client/put_model_invocation_logging_configuration.html

To delete the configuration, set enabled to false.

example:

policies:
  - name: set-bedrock-model-invocation-logging
    resource: account
    actions:
      - type: set-bedrock-model-invocation-logging
        enabled: True
        loggingConfig:
          textDataDeliveryEnabled: True
          s3Config:
            bucketName: test-bedrock-1
            keyPrefix:  logging/

  - name: delete-bedrock-model-invocation-logging
    resource: account
    actions:
      - type: set-bedrock-model-invocation-logging
        enabled: False
properties:
  enabled:
    type: boolean
  loggingConfig:
    type: object
  type:
    enum:
    - set-bedrock-model-invocation-logging

Permissions - bedrock:PutModelInvocationLoggingConfiguration

set-ebs-encryption

Set AWS EBS default encryption on an account

example:

policies:
  - name: set-default-ebs-encryption
    resource: aws.account
    filters:
     - type: default-ebs-encryption
       state: false
    actions:
     - type: set-ebs-encryption
       state: true
       key: alias/aws/ebs
properties:
  key:
    type: string
  state:
    type: boolean
  type:
    enum:
    - set-ebs-encryption
required:
- type

Permissions - ec2:EnableEbsEncryptionByDefault, ec2:DisableEbsEncryptionByDefault

set-emr-block-public-access

Action to put/update the EMR block public access configuration for your AWS account in the current region.

example:

policies:
  - name: set-emr-block-public-access
    resource: account
    filters:
      - type: emr-block-public-access
        key: BlockPublicAccessConfiguration.BlockPublicSecurityGroupRules
        value: False
    actions:
      - type: set-emr-block-public-access
        config:
            BlockPublicSecurityGroupRules: True
            PermittedPublicSecurityGroupRuleRanges:
                - MinRange: 22
                  MaxRange: 22
                - MinRange: 23
                  MaxRange: 23
properties:
  config:
    properties:
      BlockPublicSecurityGroupRules:
        type: boolean
      PermittedPublicSecurityGroupRuleRanges:
        items:
          properties:
            MaxRange:
              minimum: 0
              type: number
            MinRange:
              minimum: 0
              type: number
          required:
          - MinRange
          type: object
        type: array
    required:
    - BlockPublicSecurityGroupRules
    type: object
  type:
    enum:
    - set-emr-block-public-access
required:
- config

Permissions - elasticmapreduce:PutBlockPublicAccessConfiguration

set-password-policy

Set an account’s password policy.

This only changes the items you provide: the action reads the current policy first (hence iam:GetAccountPasswordPolicy) and keeps every other item at its current value. If no password policy has been set yet, any item you do not provide takes the default defined in the boto3 docs for IAM.Client.update_account_password_policy.

example:

policies:
  - name: set-account-password-policy
    resource: account
    filters:
      - not:
        - type: password-policy
          key: MinimumPasswordLength
          value: 10
          op: ge
    actions:
        - type: set-password-policy
          policy:
            MinimumPasswordLength: 20
properties:
  policy:
    type: object
  type:
    enum:
    - set-password-policy
required:
- type

Permissions - iam:GetAccountPasswordPolicy, iam:UpdateAccountPasswordPolicy

set-s3-public-block

Configure S3 Public Access Block on an account.

All four public access block attributes can be set. Attributes you do not specify keep their current value, because the request is merged with the existing account configuration before it is written.

https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html

example:
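The example this docstring announces is missing from the rendered page. The policy below is an added illustration, not code from the Cloud Custodian project, built from the properties listed under this action. It assumes the account-level s3-public-block filter (a Custodian filter not shown on this page) and tests each setting with op: ne against true, so that a setting that is either false or absent altogether (no block configured yet) triggers the action:

```yaml
policies:
  # Assumed example policy: turn on all four account-level S3 Public Access
  # Block settings if any of them is off or the block has never been configured.
  - name: enforce-account-s3-public-access-block
    resource: aws.account
    filters:
      - or:
          # s3-public-block is an account filter not documented on this page;
          # "ne true" also matches a missing key, i.e. no block configured yet.
          - type: s3-public-block
            key: BlockPublicAcls
            value: true
            op: ne
          - type: s3-public-block
            key: IgnorePublicAcls
            value: true
            op: ne
          - type: s3-public-block
            key: BlockPublicPolicy
            value: true
            op: ne
          - type: s3-public-block
            key: RestrictPublicBuckets
            value: true
            op: ne
    actions:
      # state defaults to true; listing every attribute explicitly avoids
      # depending on whatever is currently configured in the account.
      - type: set-s3-public-block
        state: true
        BlockPublicAcls: true
        IgnorePublicAcls: true
        BlockPublicPolicy: true
        RestrictPublicBuckets: true
```

Run the same filters with no actions first to see which accounts would change. The account-level block overrides bucket-level settings, so any bucket that intentionally serves public content stops doing so once all four settings are on.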

properties:
  BlockPublicAcls:
    type: boolean
  BlockPublicPolicy:
    type: boolean
  IgnorePublicAcls:
    type: boolean
  RestrictPublicBuckets:
    type: boolean
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-s3-public-block
required:
- type

Permissions - s3:PutAccountPublicAccessBlock, s3:GetAccountPublicAccessBlock

set-shield-advanced

Enable/disable Shield Advanced on an account.
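No example is shown for this action; the policy below is an added illustration, not code from the project. It assumes the account-level shield-enabled filter (a Custodian filter not documented on this page) as the gate. A caveat worth knowing before running it: creating the subscription commits the account to the paid Shield Advanced plan, which AWS bills monthly under a one-year term, and the Shield API will not delete a subscription before that term is over, so state: false is not an undo button. Gate the action on a filter that confirms the subscription is absent rather than running it unconditionally.

```yaml
policies:
  # Assumed example policy: subscribe an account to Shield Advanced only when
  # it is not already subscribed (subscribing is a paid, one-year commitment).
  - name: account-enable-shield-advanced
    resource: aws.account
    filters:
      # shield-enabled is an account filter not shown on this page (assumption).
      - type: shield-enabled
        state: false
    actions:
      - type: set-shield-advanced
        state: true
```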

properties:
  state:
    type: boolean
  type:
    enum:
    - set-shield-advanced
required:
- type

Permissions - shield:CreateSubscription, shield:DeleteSubscription

set-xray-encrypt

Set the X-Ray encryption configuration for the account. A key of default restores the default AWS-managed X-Ray encryption; any other value is passed to X-Ray as a KMS key (id, ARN or alias), as the two policies below show.

example:

policies:
  - name: xray-default-encrypt
    resource: aws.account
    actions:
      - type: set-xray-encrypt
        key: default
  - name: xray-kms-encrypt
    resource: aws.account
    actions:
      - type: set-xray-encrypt
        key: alias/some/alias/key
properties:
  key:
    type: string
  type:
    enum:
    - set-xray-encrypt
required:
- key
- type

Permissions - xray:PutEncryptionConfig

toggle-config-managed-rule

Enables or disables an AWS Config Managed Rule

example:

policies:
  - name: config-managed-s3-bucket-public-write-remediate-event
    description: |
      This policy detects if S3 bucket allows public write by the bucket policy
      or ACL and remediates.
    comment: |
      This policy detects if S3 bucket policy or ACL allows public write access.
      When the bucket is evaluated as 'NON_COMPLIANT', the action
      'AWS-DisableS3BucketPublicReadWrite' is triggered and remediates.
    resource: account
    filters:
      - type: missing
        policy:
          resource: config-rule
          filters:
            - type: remediation
              rule_name: &rule_name 'config-managed-s3-bucket-public-write-remediate-event'
              remediation: &remediation-config
                TargetId: AWS-DisableS3BucketPublicReadWrite
                Automatic: true
                MaximumAutomaticAttempts: 5
                RetryAttemptSeconds: 211
                Parameters:
                  AutomationAssumeRole:
                    StaticValue:
                      Values:
                        - 'arn:aws:iam::{account_id}:role/myrole'
                  S3BucketName:
                    ResourceValue:
                      Value: RESOURCE_ID
    actions:
      - type: toggle-config-managed-rule
        rule_name: *rule_name
        managed_rule_id: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
        resource_types:
          - 'AWS::S3::Bucket'
        rule_parameters: '{}'
        remediation: *remediation-config
properties:
  enabled:
    default: true
    type: boolean
  managed_rule_id:
    type: string
  remediation:
    properties:
      Automatic:
        type: boolean
      ExecutionControls:
        type: object
      MaximumAutomaticAttempts:
        maximum: 25
        minimum: 1
        type: integer
      Parameters:
        type: object
      RetryAttemptSeconds:
        maximum: 2678000
        minimum: 1
        type: integer
      TargetId:
        type: string
      TargetType:
        type: string
    type: object
  resource_id:
    type: string
  resource_tag:
    properties:
      key:
        type: string
      value:
        type: string
    required:
    - key
    - value
    type: object
  resource_types:
    items:
      pattern: ^AWS::*
      type: string
    type: array
  rule_name:
    type: string
  rule_parameters:
    type: string
  rule_prefix:
    type: string
  tags:
    type: object
  type:
    enum:
    - toggle-config-managed-rule
required:
- rule_name
- type

Permissions - config:DescribeConfigRules, config:DescribeRemediationConfigurations, config:PutRemediationConfigurations, config:PutConfigRule