aws.app-elb
Resource manager for v2 ELBs (AKA ALBs and NLBs).
Filters
attributes
Value filter that allows filtering on ELBv2 attributes
- example:
policies:
  - name: alb-http2-enabled
    resource: app-elb
    filters:
      - type: attributes
        key: routing.http2.enabled
        value: true
        op: eq

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - attributes
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
default-vpc
Filter all ELBs that exist within the default VPC.
- example:
policies:
  - name: appelb-in-default-vpc
    resource: app-elb
    filters:
      - default-vpc

properties:
  type:
    enum:
    - default-vpc
required:
- type
Permissions - ec2:DescribeVpcs
healthcheck-protocol-mismatch
Filter AppELBs with mismatched health check protocols.
A mismatched health check protocol is where the protocol on the target group does not match the load balancer health check protocol.
- example:
policies:
  - name: appelb-healthcheck-mismatch
    resource: app-elb
    filters:
      - healthcheck-protocol-mismatch

properties:
  type:
    enum:
    - healthcheck-protocol-mismatch
required:
- type
Permissions - elasticloadbalancing:DescribeTargetGroups
is-logging
Matches AppELBs that are logging to S3. bucket and prefix are optional.
- example:
policies:
  - name: alb-is-logging-test
    resource: app-elb
    filters:
      - type: is-logging
  - name: alb-is-logging-bucket-and-prefix-test
    resource: app-elb
    filters:
      - type: is-logging
        bucket: prodlogs
        prefix: alblogs

properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-logging
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
is-not-logging
Matches AppELBs that are NOT logging to S3, or do not match the optional bucket and/or prefix.
- example:
policies:
  - name: alb-is-not-logging-test
    resource: app-elb
    filters:
      - type: is-not-logging
  - name: alb-is-not-logging-bucket-and-prefix-test
    resource: app-elb
    filters:
      - type: is-not-logging
        bucket: prodlogs
        prefix: alblogs

properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-not-logging
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
listener
Filter ALB based on matching listener attributes
Adding the matched flag will filter on previously matched listeners
- example:
policies:
  - name: app-elb-invalid-ciphers
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTPS
      - type: listener
        key: SslPolicy
        value: ['ELBSecurityPolicy-TLS-1-1-2017-01','ELBSecurityPolicy-TLS-1-2-2017-01']
        op: ni
        matched: true
    actions:
      - type: modify-listener
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"

properties:
  default:
    type: object
  key:
    type: string
  matched:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - listener
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
shield-enabled
Base class with helper methods for dealing with ARNs of resources protected by Shield
properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type
Permissions - shield:ListProtections
target-group
Filter ALB based on matching target group value
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - target-group
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - elasticloadbalancing:DescribeTargetGroups
Actions
delete
Action to delete an ELB
To avoid unwanted deletions of ELB, it is recommended to apply a filter to the rule
- example:
policies:
  - name: appelb-delete-failed-elb
    resource: app-elb
    filters:
      - State: failed
    actions:
      - delete

properties:
  force:
    type: boolean
  type:
    enum:
    - delete
required:
- type
Permissions - elasticloadbalancing:DeleteLoadBalancer, elasticloadbalancing:ModifyLoadBalancerAttributes
modify-attributes
Modify load balancer attributes.
- example:
policies:
  - name: turn-on-elb-deletion-protection
    resource: app-elb
    filters:
      - type: attributes
        key: "deletion_protection.enabled"
        value: false
    actions:
      - type: modify-attributes
        attributes:
          "deletion_protection.enabled": "true"
          "idle_timeout.timeout_seconds": 120

properties:
  attributes:
    additionalProperties: false
    properties:
      access_logs.s3.bucket:
        type: string
      access_logs.s3.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      access_logs.s3.prefix:
        type: string
      deletion_protection.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      idle_timeout.timeout_seconds:
        type: number
      load_balancing.cross_zone.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      routing.http.desync_mitigation_mode:
        enum:
        - monitor
        - defensive
        - strictest
      routing.http.drop_invalid_header_fields.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
      routing.http2.enabled:
        enum:
        - 'true'
        - 'false'
        - true
        - false
    type: object
  type:
    enum:
    - modify-attributes
Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes
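An added example, not taken from the Cloud Custodian documentation: two policies that pair the `attributes` filter with the `modify-attributes` action above to harden HTTP request handling, using only attribute keys and values listed in the schema. The `Type: application` value filter is an assumption based on the `Type` field the ELBv2 API returns for each load balancer; it is used to skip NLBs, which do not carry the `routing.http.*` attributes. The policy names are made up.

```yaml
# Added example, not part of the c7n docs. Policy names are hypothetical.
policies:
  # ALBs whose desync mitigation mode is "monitor" are moved to "defensive".
  # "strictest" is also accepted by the schema, but it rejects more client
  # traffic, so it is left as a deliberate per-application choice.
  - name: alb-desync-mode-monitor-to-defensive
    resource: app-elb
    filters:
      - Type: application        # assumption: skip NLBs (see lead-in)
      - type: attributes
        key: routing.http.desync_mitigation_mode
        value: monitor
    actions:
      - type: modify-attributes
        attributes:
          "routing.http.desync_mitigation_mode": defensive

  # ALBs that still forward requests containing invalid header field names.
  - name: alb-drop-invalid-header-fields
    resource: app-elb
    filters:
      - Type: application
      - type: attributes
        key: routing.http.drop_invalid_header_fields.enabled
        value: false
    actions:
      - type: modify-attributes
        attributes:
          "routing.http.drop_invalid_header_fields.enabled": "true"
```

Running the file with `custodian run --dryrun` first lists the load balancers each filter set matches without executing the actions.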
modify-listener
Action to modify the policy for an App ELB
- example:
policies:
  - name: appelb-modify-listener
    resource: app-elb
    filters:
      - type: listener
        key: Protocol
        value: HTTP
    actions:
      - type: modify-listener
        protocol: HTTPS
        sslpolicy: "ELBSecurityPolicy-TLS-1-2-2017-01"
        certificate: "arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012"

properties:
  certificate:
    type: string
  port:
    type: integer
  protocol:
    enum:
    - HTTP
    - HTTPS
    - TCP
    - TLS
    - UDP
    - TCP_UDP
    - GENEVE
  sslpolicy:
    type: string
  type:
    enum:
    - modify-listener
required:
- type
Permissions - elasticloadbalancing:ModifyListener
set-s3-logging
Action to enable/disable S3 logging for an application loadbalancer.
- example:
policies:
  - name: elbv2-test
    resource: app-elb
    filters:
      - type: is-not-logging
    actions:
      - type: set-s3-logging
        bucket: elbv2logtest
        prefix: dahlogs
        state: enabled

properties:
  bucket:
    type: string
  prefix:
    type: string
  state:
    enum:
    - enabled
    - disabled
  type:
    enum:
    - set-s3-logging
required:
- state
Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes
set-shield
Enable shield protection on applicable resource.
Setting the sync parameter will also clear out stale shield protections for resources that no longer exist.
properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type
Permissions - shield:CreateProtection, shield:ListProtections
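An added example, not taken from the Cloud Custodian documentation: the `shield-enabled` filter and the `set-shield` action are documented on this page without a policy, so this shows the two used together. It assumes `state: false` on the filter selects load balancers that have no Shield protection, and that the account has a Shield Advanced subscription; the policy name and the `Type: application` value filter are also assumptions.

```yaml
# Added example, not part of the c7n docs. Policy name is hypothetical.
policies:
  - name: alb-enable-shield-protection
    resource: app-elb
    filters:
      - Type: application        # assumption: restrict to ALBs
      - type: shield-enabled
        state: false             # assumption: matches unprotected resources
    actions:
      - type: set-shield
        state: true
        # Per the description above, sync also clears stale protections
        # for resources that no longer exist.
        sync: true
```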
set-waf
Enable wafv2 protection on Application LoadBalancer.
- example:
policies:
  - name: set-waf-for-elb
    resource: app-elb
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
    actions:
      - type: set-waf
        state: true
        web-acl: test
  - name: disassociate-wafv2-associate-waf-regional-elb
    resource: app-elb
    filters:
      - type: wafv2-enabled
        state: true
    actions:
      - type: set-waf
        state: true
        web-acl: test

properties:
  state:
    type: boolean
  type:
    enum:
    - set-waf
  web-acl:
    type: string
required:
- web-acl
- type
Permissions - waf-regional:AssociateWebACL, waf-regional:ListWebACLs
set-wafv2
Enable wafv2 protection on Application LoadBalancer.
Supports regex expression for web-acl
- example:
policies:
  - name: set-wafv2-for-elb
    resource: app-elb
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: testv2
    actions:
      - type: set-wafv2
        state: true
        web-acl: testv2
  - name: disassociate-waf-regional-associate-wafv2-elb
    resource: app-elb
    filters:
      - type: waf-enabled
        state: true
    actions:
      - type: set-wafv2
        state: true

policies:
  - name: set-wafv2-for-elb-regex
    resource: app-elb
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
    actions:
      - type: set-wafv2
        state: true
        web-acl: FMManagedWebACLV2-?FMS-TestWebACL

properties:
  state:
    type: boolean
  type:
    enum:
    - set-wafv2
  web-acl:
    type: string
required:
- type
Permissions - wafv2:AssociateWebACL, wafv2:DisassociateWebACL, wafv2:ListWebACLs