aws.apigateway resources

aws.rest-account

Actions

update

Update the CloudWatch role associated with a REST account.

example:

policies:
  - name: correct-rest-account-log-role
    resource: rest-account
    filters:
      - cloudwatchRoleArn: arn:aws:iam::000000000000:role/GatewayLogger
    actions:
      - type: update
        patch:
          - op: replace
            path: /cloudwatchRoleArn
            value: arn:aws:iam::000000000000:role/BetterGatewayLogger

properties:
  patch:
    items:
      additonalProperties: false
      properties:
        from:
          type: string
        op:
          enum:
            - add
            - remove
            - update
            - copy
            - replace
            - test
        path:
          type: string
        value:
          type: string
      required:
        - op
        - path
      type: object
    type: array
  type:
    enum:
      - update
required:
  - patch
  - type
aws.rest-api

Filters

cross-account

Check a resource's embedded IAM policy for cross-account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
      - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from: &id001
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from: *id001
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from: *id001
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from: *id001
required:
  - type
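The cross-account filter above has no example on this page. The following policy is an added example, not taken from the page or from the Cloud Custodian project docs; it uses only the filter keys listed in the schema (`whitelist`, `whitelist_orgids`), and the account and organization IDs are placeholders you would replace with your own. It matches REST APIs whose resource policy grants access to any principal outside the listed account or organization, which is the finding a reviewer wants surfaced before such an API is reachable by third parties:

```yaml
policies:
  - name: rest-api-cross-account-access
    resource: rest-api
    description: |
      Flag REST APIs whose embedded resource policy allows principals
      outside our own account or organization (added example policy).
    filters:
      - type: cross-account
        # Placeholder account ID: principals in this account are trusted.
        whitelist:
          - "000000000000"
        # Placeholder org ID: principals scoped to this org via
        # aws:PrincipalOrgID conditions are also trusted.
        whitelist_orgids:
          - "o-placeholder0000"
```

Run in dry-run mode first so that the matched resources are written to the output directory for review; pairing the filter with a notification or tagging action is a separate policy decision and is not shown here because those actions are not part of this page.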
Actions

update

Update the configuration of a REST API.

A non-exhaustive list of updatable attributes is documented at https://docs.aws.amazon.com/apigateway/api-reference/link-relation/restapi-update/#remarks

example:

A contrived example that sets a description on API Gateways whose description is empty:

policies:
  - name: apigw-description
    resource: rest-api
    filters:
      - description: empty
    actions:
      - type: update
        patch:
          - op: replace
            path: /description
            value: "not empty :-)"

properties:
  patch:
    items:
      additonalProperties: false
      properties:
        from:
          type: string
        op:
          enum:
            - add
            - remove
            - update
            - copy
            - replace
            - test
        path:
          type: string
        value:
          type: string
      required:
        - op
        - path
      type: object
    type: array
  type:
    enum:
      - update
required:
  - patch
  - type
aws.rest-resource

Filters

rest-integration

Filter REST resources based on a key value of the REST method integration of the API.

example:

policies:
  - name: api-method-integrations-with-type-aws
    resource: rest-resource
    filters:
      - type: rest-integration
        key: type
        value: AWS

properties:
  default:
    type: object
  key:
    type: string
  method:
    enum:
      - all
      - ANY
      - PUT
      - GET
      - POST
      - DELETE
      - OPTIONS
      - HEAD
      - PATCH
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  type:
    enum:
      - rest-integration
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
required:
  - type
rest-method

Filter REST resources based on a key value of the REST method of the API.

example:

policies:
  - name: api-without-key-required
    resource: rest-resource
    filters:
      - type: rest-method
        key: apiKeyRequired
        value: false

properties:
  default:
    type: object
  key:
    type: string
  method:
    enum:
      - all
      - ANY
      - PUT
      - GET
      - POST
      - DELETE
      - OPTIONS
      - HEAD
      - PATCH
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  type:
    enum:
      - rest-method
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
required:
  - type
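The examples on this page leave the filter's `method` and `op` keys at their defaults. The following policy is an added example (not from the page or the Cloud Custodian project docs) showing both keys from the schema together: it narrows the rest-method filter to a single HTTP method and uses the `ne` operator so that any authorization type other than AWS_IAM on a POST method is matched, which catches both `NONE` and custom or Cognito authorizers in one rule. The policy name is a made-up label:

```yaml
policies:
  - name: post-methods-not-iam-authorized
    resource: rest-resource
    description: |
      Match REST resources whose POST method does not use AWS_IAM
      authorization (added example policy).
    filters:
      - type: rest-method
        # Only inspect the POST method of each resource; the schema's
        # "method" key accepts all, ANY, or a single HTTP verb.
        method: POST
        key: authorizationType
        # "ne" (not-equal) matches every value except the one given,
        # so unset, NONE, CUSTOM and COGNITO_USER_POOLS all match.
        op: ne
        value: AWS_IAM
```

Because `op: ne` also matches resources that have no POST method value at all, review the dry-run output before attaching an update-method action to this filter.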
Actions

delete-integration

Delete an API integration. Useful if the integration type is a security risk.

example:

policies:
  - name: enforce-no-resource-integration-with-type-aws
    resource: rest-resource
    filters:
      - type: rest-integration
        key: type
        value: AWS
    actions:
      - type: delete-integration

properties:
  type:
    enum:
      - delete-integration
required:
  - type
update-integration

Change or remove API integration properties based on a key value.

example:

policies:
  - name: enforce-timeout-on-api-integration
    resource: rest-resource
    filters:
      - type: rest-integration
        key: timeoutInMillis
        value: 29000
    actions:
      - type: update-integration
        patch:
          - op: replace
            path: /timeoutInMillis
            value: "3000"

properties:
  patch:
    items:
      additonalProperties: false
      properties:
        from:
          type: string
        op:
          enum:
            - add
            - remove
            - update
            - copy
            - replace
            - test
        path:
          type: string
        value:
          type: string
      required:
        - op
        - path
      type: object
    type: array
  type:
    enum:
      - update-integration
required:
  - patch
  - type
update-method

Change or remove API method behaviors based on a key value.

example:

policies:
  - name: enforce-iam-permissions-on-api
    resource: rest-resource
    filters:
      - type: rest-method
        key: authorizationType
        value: NONE
        op: eq
    actions:
      - type: update-method
        patch:
          - op: replace
            path: /authorizationType
            value: AWS_IAM

properties:
  patch:
    items:
      additonalProperties: false
      properties:
        from:
          type: string
        op:
          enum:
            - add
            - remove
            - update
            - copy
            - replace
            - test
        path:
          type: string
        value:
          type: string
      required:
        - op
        - path
      type: object
    type: array
  type:
    enum:
      - update-method
required:
  - patch
  - type
aws.rest-stage

Actions

delete

Delete an API stage.

example:

policies:
  - name: delete-rest-stage
    resource: rest-stage
    filters:
      - methodSettings."*/*".cachingEnabled: true
    actions:
      - type: delete

properties:
  type:
    enum:
      - delete
required:
  - type
update

Update or remove values of an API stage.

example:

policies:
  - name: disable-stage-caching
    resource: rest-stage
    filters:
      - methodSettings."*/*".cachingEnabled: true
    actions:
      - type: update
        patch:
          - op: replace
            path: /*/*/caching/enabled
            value: 'false'

properties:
  patch:
    items:
      additonalProperties: false
      properties:
        from:
          type: string
        op:
          enum:
            - add
            - remove
            - update
            - copy
            - replace
            - test
        path:
          type: string
        value:
          type: string
      required:
        - op
        - path
      type: object
    type: array
  type:
    enum:
      - update
required:
  - patch
  - type