aws.app-elb

Resource manager for v2 ELBs (AKA ALBs and NLBs).

Filters

attributes

Value filter that allows filtering on ELBv2 attributes

example:

policies:
    - name: alb-http2-enabled
      resource: app-elb
      filters:
        - type: attributes
          key: routing.http2.enabled
          value: true
          op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - attributes
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

default-vpc

Filter all ELB that exist within the default vpc

example:

policies:
  - name: appelb-in-default-vpc
    resource: app-elb
    filters:
      - default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type

Permissions - ec2:DescribeVpcs

healthcheck-protocol-mismatch

Filter AppELBs with mismatched health check protocols

A mismatched health check protocol is where the protocol on the target group does not match the load balancer health check protocol

example:

policies:
  - name: appelb-healthcheck-mismatch
    resource: app-elb
    filters:
      - healthcheck-protocol-mismatch
properties:
  type:
    enum:
    - healthcheck-protocol-mismatch
required:
- type

Permissions - elasticloadbalancing:DescribeTargetGroups

is-logging

Matches AppELBs that are logging to S3.

bucket and prefix are optional

example:

policies:
    - name: alb-is-logging-test
      resource: app-elb
      filters:
        - type: is-logging

    - name: alb-is-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-logging
          bucket: prodlogs
          prefix: alblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-logging
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

is-not-logging

Matches AppELBs that are NOT logging to S3.

or do not match the optional bucket and/or prefix.

example:

policies:
    - name: alb-is-not-logging-test
      resource: app-elb
      filters:
        - type: is-not-logging

    - name: alb-is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-not-logging
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

listener

Filter ALB based on matching listener attributes

Adding the matched flag will filter on previously matched listeners

example:

policies:
  - name: app-elb-invalid-ciphers
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTPS
      - type: listener
        key: SslPolicy
        value: ['ELBSecurityPolicy-TLS-1-1-2017-01','ELBSecurityPolicy-TLS-1-2-2017-01']
        op: ni
        matched: true
    actions:
      - type: modify-listener
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"
properties:
  default:
    type: object
  key:
    type: string
  matched:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - listener
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

shield-enabled

Base class with helper methods for dealing with ARNs of resources protected by Shield

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

Permissions - shield:ListProtections

target-group

Filter ALB based on matching target group value

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - target-group
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - elasticloadbalancing:DescribeTargetGroups

Actions

delete

Action to delete an ELB

To avoid unwanted deletions of ELB, it is recommended to apply a filter to the rule

example:

policies:
  - name: appelb-delete-failed-elb
    resource: app-elb
    filters:
      - State: failed
    actions:
      - delete
properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - elasticloadbalancing:DeleteLoadBalancer, elasticloadbalancing:ModifyLoadBalancerAttributes

modify-attributes

Modify load balancer attributes.

example:

policies:
  - name: turn-on-elb-deletion-protection
    resource: app-elb
    filters:
      - type: attributes
        key: "deletion_protection.enabled"
        value: false
    actions:
      - type: modify-attributes
        attributes:
          "deletion_protection.enabled": "true"
          "idle_timeout.timeout_seconds": 120
properties:
  attributes:
    additionalProperties: false
    properties:
      access_logs.s3.bucket:
        type: string
      access_logs.s3.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      access_logs.s3.prefix:
        type: string
      deletion_protection.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      idle_timeout.timeout_seconds:
        type: number
      load_balancing.cross_zone.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      routing.http.desync_mitigation_mode:
        enum:
        - monitor
        - defensive
        - strictest
      routing.http.drop_invalid_header_fields.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      routing.http2.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
    type: object
  type:
    enum:
    - modify-attributes

Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes

modify-listener

Action to modify the policy for an App ELB

example:

policies:
  - name: appelb-modify-listener
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTP
    actions:
      - type: modify-listener
        protocol: HTTPS
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"
        certificate: "arn:aws:acm:region:123456789012:certificate/12345678-                    1234-1234-1234-123456789012"
properties:
  certificate:
    type: string
  port:
    type: integer
  protocol:
    enum:
    - HTTP
    - HTTPS
    - TCP
    - TLS
    - UDP
    - TCP_UDP
    - GENEVE
  sslpolicy:
    type: string
  type:
    enum:
    - modify-listener
required:
- type

Permissions - elasticloadbalancing:ModifyListener

set-s3-logging

Action to enable/disable S3 logging for an application loadbalancer.

example:

policies:
  - name: elbv2-test
    resource: app-elb
    filters:
      - type: is-not-logging
    actions:
      - type: set-s3-logging
        bucket: elbv2logtest
        prefix: dahlogs
        state: enabled
properties:
  bucket:
    type: string
  prefix:
    type: string
  state:
    enum:
    - enabled
    - disabled
  type:
    enum:
    - set-s3-logging
required:
- state

Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes

set-shield

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

Permissions - shield:CreateProtection, shield:ListProtections

set-waf

Enable wafv2 protection on Application LoadBalancer.

example:

policies:
  - name: set-waf-for-elb
    resource: app-elb
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
    actions:
      - type: set-waf
        state: true
        web-acl: test

  - name: disassociate-wafv2-associate-waf-regional-elb
    resource: app-elb
    filters:
      - type: wafv2-enabled
        state: true
    actions:
      - type: set-waf
        state: true
        web-acl: test
properties:
  state:
    type: boolean
  type:
    enum:
    - set-waf
  web-acl:
    type: string
required:
- web-acl
- type

Permissions - waf-regional:AssociateWebACL, waf-regional:ListWebACLs

set-wafv2

Enable wafv2 protection on Application LoadBalancer.

Supports regex expression for web-acl

example:

policies:
  - name: set-wafv2-for-elb
    resource: app-elb
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: testv2
    actions:
      - type: set-wafv2
        state: true
        web-acl: testv2

  - name: disassociate-waf-regional-associate-wafv2-elb
    resource: app-elb
    filters:
      - type: waf-enabled
        state: true
    actions:
      - type: set-wafv2
        state: true

policies:
  - name: set-wafv2-for-elb-regex
    resource: app-elb
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
    actions:
      - type: set-wafv2
        state: true
        web-acl: FMManagedWebACLV2-?FMS-TestWebACL
properties:
  state:
    type: boolean
  type:
    enum:
    - set-wafv2
  web-acl:
    type: string
required:
- type

Permissions - wafv2:AssociateWebACL, wafv2:DisassociateWebACL, wafv2:ListWebACLs