aws.cfn
Filters
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (the locked selector requires the is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
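The revision selection and diff that this filter performs, as an added example in Python (not Cloud Custodian's own code). The history below is constructed to look like the configurationItems that config:GetResourceConfigHistory returns for a stack (the real API carries the snapshot in the configuration field as a JSON string, so it is stored that way here); the previous and date selectors are implemented, the locked selector is omitted because it depends on the is-locked filter's state.

```python
"""Select a prior AWS Config revision of a CloudFormation stack and diff it
against the current one.  Added example, not Cloud Custodian's own code."""
import json
from datetime import datetime, timezone

# Constructed AWS Config history for one stack (newest first), shaped like the
# configurationItems returned by config:GetResourceConfigHistory.
HISTORY = [
    {"configurationItemCaptureTime": datetime(2024, 3, 10, tzinfo=timezone.utc),
     "configuration": json.dumps({
         "stackName": "payments", "enableTerminationProtection": False,
         "parameters": [{"parameterKey": "Env", "parameterValue": "prod"}],
         "tags": [{"key": "owner", "value": "payments-team"}]})},
    {"configurationItemCaptureTime": datetime(2024, 2, 1, tzinfo=timezone.utc),
     "configuration": json.dumps({
         "stackName": "payments", "enableTerminationProtection": True,
         "parameters": [{"parameterKey": "Env", "parameterValue": "prod"}],
         "tags": [{"key": "owner", "value": "payments-team"},
                  {"key": "cost-center", "value": "42"}]})},
    {"configurationItemCaptureTime": datetime(2024, 1, 5, tzinfo=timezone.utc),
     "configuration": json.dumps({
         "stackName": "payments", "enableTerminationProtection": True,
         "parameters": [{"parameterKey": "Env", "parameterValue": "staging"}]})},
]


def select_revision(history, selector, selector_value=None):
    """Pick the revision to compare the current one against.

    'previous' -> the item captured just before the newest one.
    'date'     -> the newest item captured at or before selector_value (ISO 8601).
    Returns None when no such revision exists, in which case nothing can match.
    """
    items = sorted(history, key=lambda i: i["configurationItemCaptureTime"], reverse=True)
    if selector == "previous":
        return items[1] if len(items) > 1 else None
    if selector == "date":
        cutoff = datetime.fromisoformat(selector_value)
        if cutoff.tzinfo is None:          # treat a bare date as UTC
            cutoff = cutoff.replace(tzinfo=timezone.utc)
        for item in items:
            if item["configurationItemCaptureTime"] <= cutoff:
                return item
        return None
    raise ValueError("unsupported selector %r" % selector)


def json_diff(old, new, path=""):
    """Recursive structural diff: {json-pointer-like path: (old_value, new_value)}."""
    if isinstance(old, dict) and isinstance(new, dict):
        out = {}
        for key in sorted(set(old) | set(new)):
            sub = path + "/" + str(key)
            if key not in old:
                out[sub] = (None, new[key])
            elif key not in new:
                out[sub] = (old[key], None)
            else:
                out.update(json_diff(old[key], new[key], sub))
        return out
    if isinstance(old, list) and isinstance(new, list):
        out = {}
        for idx in range(max(len(old), len(new))):
            sub = path + "/" + str(idx)
            if idx >= len(old):
                out[sub] = (None, new[idx])
            elif idx >= len(new):
                out[sub] = (old[idx], None)
            else:
                out.update(json_diff(old[idx], new[idx], sub))
        return out
    return {} if old == new else {path or "/": (old, new)}


def stack_changed_since(history, selector, selector_value=None):
    """Diff between the newest revision and the selected one; a non-empty
    result is what makes the json-diff filter match the stack."""
    current = max(history, key=lambda i: i["configurationItemCaptureTime"])
    previous = select_revision(history, selector, selector_value)
    if previous is None:
        return {}
    return json_diff(json.loads(previous["configuration"]),
                     json.loads(current["configuration"]))


if __name__ == "__main__":
    for path, (old, new) in sorted(stack_changed_since(HISTORY, "previous").items()):
        print(path, old, "->", new)
```

With selector previous the diff surfaces that termination protection was switched off and a tag was dropped between the two latest snapshots; with selector date and a value before the first snapshot there is no revision to compare against, so the diff is empty and the filter does not match. A stack only has a history at all if AWS Config is recording AWS::CloudFormation::Stack in that region.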
template
Filter CloudFormation stacks based on their template body
This filter retrieves the CloudFormation template body for each stack and matches it against the regular expression given in pattern; a stack matches when the pattern is found anywhere in the template.
- example:
  policies:
    - name: detect-api-keys-in-templates
      resource: cfn
      filters:
        - type: template
          pattern: "API_KEY[0-9A-Z]"
- param pattern:
The regular expression pattern to search for within the template (required)
- param change_set_name:
The name of the change set to retrieve the template for (optional; by default the stack's own template is retrieved)
- param template_stage:
The stage of the template to retrieve, 'Original' or 'Processed' (optional; 'Processed' is the template after transforms such as macros have been applied)
properties:
change_set_name:
type: string
pattern:
type: string
template_stage:
enum:
- Original
- Processed
type: string
type:
enum:
- template
required:
- pattern
- type
Permissions - cloudformation:GetTemplate
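How the template search behaves in practice, as an added example in Python (not Cloud Custodian's own code). The FakeCloudFormation class and its templates are constructed for the example and stand in for a boto3 CloudFormation client; get_template, TemplateStage and ChangeSetName are the real API names. The normalisation step matters because boto3 returns TemplateBody as a string for YAML templates but as an already-parsed dict for JSON templates, so a regex run directly on the response would skip every JSON stack.

```python
"""Search stack template bodies for a regex, the way the 'template' filter does.
Added example, not Cloud Custodian's own code."""
import json
import re


def template_text(template_body):
    """Normalise a TemplateBody to text: boto3 hands back a str for YAML
    templates and a dict for JSON templates."""
    if isinstance(template_body, str):
        return template_body
    return json.dumps(template_body, indent=2, default=str)


def template_matches(template_body, pattern):
    """True if the regex is found anywhere in the template text."""
    return re.search(pattern, template_text(template_body)) is not None


def find_matching_stacks(client, stack_names, pattern, template_stage="Original",
                         change_set_name=None):
    """Fetch each stack's template (optionally a change set's, at a given stage)
    and return the names whose template matches `pattern`."""
    matches = []
    for name in stack_names:
        kwargs = {"StackName": name, "TemplateStage": template_stage}
        if change_set_name:
            kwargs["ChangeSetName"] = change_set_name
        body = client.get_template(**kwargs)["TemplateBody"]
        if template_matches(body, pattern):
            matches.append(name)
    return matches


class FakeCloudFormation:
    """Offline stand-in for a boto3 CloudFormation client (constructed)."""
    TEMPLATES = {
        # YAML template with a hard-coded key in a parameter default.
        "billing-api": {"Original": "Parameters:\n  ApiKey:\n    Type: String\n"
                                    "    Default: API_KEY7Q2ZX9KD\n"},
        # JSON template: boto3 returns this as a dict, not a string.
        "reports": {"Original": {"Resources": {"Fn": {
            "Type": "AWS::Lambda::Function",
            "Properties": {"Environment": {"Variables": {"TOKEN": "API_KEY_LIVE_0011"}}}}}}},
        # Clean template; the Processed stage is the macro-expanded output.
        "frontend": {"Original": "Transform: AWS::Serverless-2016-10-31\nResources: {}\n",
                     "Processed": "Resources:\n  Fn:\n    Type: AWS::Lambda::Function\n"},
    }

    def get_template(self, StackName, TemplateStage="Original", ChangeSetName=None):
        stages = self.TEMPLATES[StackName]
        return {"TemplateBody": stages.get(TemplateStage, stages["Original"])}


if __name__ == "__main__":
    client = FakeCloudFormation()
    names = list(FakeCloudFormation.TEMPLATES)
    print(find_matching_stacks(client, names, "API_KEY[0-9A-Z]"))
    print(find_matching_stacks(client, names, "API_KEY[_0-9A-Z]"))
```

Note what the page's own pattern, API_KEY[0-9A-Z], does and does not catch: it flags billing-api but not the API_KEY_LIVE_0011 value in reports, because the character after API_KEY there is an underscore. Widen the class (or anchor on the value format you actually issue) rather than trusting a narrow pattern, and search the Processed stage when a transform can introduce values that are absent from the Original template.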
Actions
delete
Action to delete CloudFormation stacks
It is recommended to use a filter to avoid unwanted deletion of stacks
If the force option is enabled, the action disables termination protection on a stack before deleting it when that is required. This is useful because you cannot filter on EnableTerminationProtection: AWS only includes that field when the DescribeStacks API is called with a specific stack name or id, so it is absent from the fleet-wide listing the policy filters run against.
- example:
  policies:
    - name: cloudformation-delete-failed-stacks
      resource: cfn
      filters:
        - StackStatus: ROLLBACK_COMPLETE
      actions:
        - type: delete
          force: true
properties:
force:
default: false
type: boolean
type:
enum:
- delete
required:
- type
Permissions - cloudformation:DeleteStack, cloudformation:UpdateStack
set-protection
Action to enable or disable termination protection on a stack (state: true enables it, state: false disables it)
It is recommended to use a filter so that protection is only changed on the intended stacks, since disabling it is what makes a stack deletable
- example:
  policies:
    - name: cloudformation-disable-protection
      resource: cfn
      filters:
        - StackStatus: CREATE_COMPLETE
      actions:
        - type: set-protection
          state: false
properties:
state:
default: false
type: boolean
type:
enum:
- set-protection
required:
- type
Permissions - cloudformation:UpdateStack
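The termination-protection handling behind both the delete action (force option) and the set-protection action, as one added example in Python (not Cloud Custodian's own code). FakeCloudFormation is a constructed stand-in for a boto3 CloudFormation client; describe_stacks, update_termination_protection and delete_stack are the real boto3 method names, and the fake mimics the two API behaviours the actions depend on: the fleet listing omits EnableTerminationProtection, and deleting a protected stack is refused.

```python
"""Termination-protection handling for the delete (force) and set-protection
actions.  Added example, not Cloud Custodian's own code."""


class StackProtectedError(Exception):
    """Stands in for the ValidationError the real API returns when a protected
    stack is deleted."""


def termination_protection_enabled(client, stack_name):
    """EnableTerminationProtection is only present when DescribeStacks is called
    for one named stack, so it must be fetched per stack, not from the listing."""
    stack = client.describe_stacks(StackName=stack_name)["Stacks"][0]
    return bool(stack.get("EnableTerminationProtection", False))


def set_protection(client, stack_name, state):
    """Equivalent of the set-protection action; returns the resulting state."""
    client.update_termination_protection(StackName=stack_name,
                                         EnableTerminationProtection=bool(state))
    return termination_protection_enabled(client, stack_name)


def delete_stack(client, stack_name, force=False):
    """Equivalent of the delete action.  With force=True protection is removed
    first; without it a protected stack is left untouched and reported."""
    if termination_protection_enabled(client, stack_name):
        if not force:
            return "skipped: termination protection enabled"
        set_protection(client, stack_name, False)
    client.delete_stack(StackName=stack_name)
    return "deleted"


def delete_failed_stacks(client, force=False):
    """The cloudformation-delete-failed-stacks policy in code: filter on
    StackStatus from the listing, then act on each matching stack."""
    results = {}
    for s in client.describe_stacks()["Stacks"]:
        if s["StackStatus"] == "ROLLBACK_COMPLETE":
            results[s["StackName"]] = delete_stack(client, s["StackName"], force)
    return results


class FakeCloudFormation:
    """Offline stand-in for a boto3 CloudFormation client (constructed)."""

    def __init__(self, stacks):
        self.stacks = stacks          # {name: {"status": str, "protected": bool}}
        self.calls = []               # API calls made, for inspection

    def describe_stacks(self, StackName=None):
        if StackName is None:         # fleet listing: no EnableTerminationProtection
            return {"Stacks": [{"StackName": n, "StackStatus": s["status"]}
                               for n, s in self.stacks.items()]}
        s = self.stacks[StackName]
        return {"Stacks": [{"StackName": StackName, "StackStatus": s["status"],
                            "EnableTerminationProtection": s["protected"]}]}

    def update_termination_protection(self, StackName, EnableTerminationProtection):
        self.calls.append(("update_termination_protection", StackName,
                           EnableTerminationProtection))
        self.stacks[StackName]["protected"] = EnableTerminationProtection

    def delete_stack(self, StackName):
        if self.stacks[StackName]["protected"]:
            raise StackProtectedError(StackName)
        self.calls.append(("delete_stack", StackName))
        self.stacks[StackName]["status"] = "DELETE_IN_PROGRESS"


if __name__ == "__main__":
    client = FakeCloudFormation({
        "a": {"status": "ROLLBACK_COMPLETE", "protected": True},
        "b": {"status": "ROLLBACK_COMPLETE", "protected": False},
        "c": {"status": "CREATE_COMPLETE", "protected": True}})
    print(delete_failed_stacks(client, force=False))
    print(delete_failed_stacks(client, force=True))
    print(client.calls)
```

Without force the protected stack is skipped and reported rather than failing the run; with force the protection is removed in a separate API call immediately before the delete, so the IAM role running the policy needs rights for that call as well as for DeleteStack. The boto3 method used here, update_termination_protection, is authorized by the cloudformation:UpdateTerminationProtection IAM action; check which permissions the Custodian version you run actually declares for these actions before trimming the policy role.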