aws.config-rule

Filters

remediation

Filter to find config rules whose remediation configuration matches the given settings.

This filter can be used in conjunction with the account resource's missing filter to find managed config rules whose remediation is not configured and to enable it accordingly.

example:

policies:
  - name: config-managed-s3-bucket-public-write-remediate-event-with-filter
    description: |
      This policy detects if S3 bucket allows public write by the bucket policy
      or ACL and remediates.
    comment: |
      This policy detects if S3 bucket policy or ACL allows public write access.
      When the bucket is evaluated as 'NON_COMPLIANT', the action
      'AWS-DisableS3BucketPublicReadWrite' is triggered and remediates.
    resource: account
    filters:
      - type: missing
        policy:
          resource: config-rule
          filters:
            - type: remediation
              rule_name: &rule_name 'config-managed-s3-bucket-public-write-remediate-event'
              remediation: &remediation-config
                TargetId: AWS-DisableS3BucketPublicReadWrite
                Automatic: true
                MaximumAutomaticAttempts: 5
                RetryAttemptSeconds: 211
                Parameters:
                  AutomationAssumeRole:
                    StaticValue:
                      Values:
                        - 'arn:aws:iam::{account_id}:role/myrole'
                  S3BucketName:
                    ResourceValue:
                      Value: RESOURCE_ID
    actions:
      - type: toggle-config-managed-rule
        rule_name: *rule_name
        managed_rule_id: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
        resource_types:
          - 'AWS::S3::Bucket'
        rule_parameters: '{}'
        remediation: *remediation-config
properties:
  remediation:
    properties:
      automatic:
        type: boolean
      execution_controls:
        type: object
      maximum_automatic_attempts:
        maximum: 25
        minimum: 1
        type: integer
      parameters:
        type: object
      retry_attempt_seconds:
        maximum: 2678000
        minimum: 1
        type: integer
      target_id:
        type: string
      target_type:
        type: string
    type: object
  rule_name:
    type: string
  rule_prefix:
    type: string
  type:
    enum:
    - remediation
required:
- type

Permissions - config:DescribeRemediationConfigurations
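As an added example (not Cloud Custodian's own filter code), the comparison this filter performs, run against a constructed DescribeRemediationConfigurations response in which the remediation exists but automatic execution has been switched off; it accepts the snake_case keys of the schema above as well as the CamelCase keys of the policy example. The account id, helper names and sample response are assumptions.

```python
"""Drift check for a Config rule's remediation. Added illustrative example, not the
project's filter code; the response is a constructed stand-in, account id is a placeholder."""
from typing import Any, Dict, List, Optional

RULE_NAME = "config-managed-s3-bucket-public-write-remediate-event"

# Desired settings as in the policy above; snake_case schema keys and CamelCase API keys mix freely.
DESIRED: Dict[str, Any] = {
    "target_id": "AWS-DisableS3BucketPublicReadWrite",
    "automatic": True,
    "maximum_automatic_attempts": 5,
    "RetryAttemptSeconds": 211,
    "Parameters": {
        "AutomationAssumeRole": {"StaticValue": {"Values": ["arn:aws:iam::123456789012:role/myrole"]}},
        "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
    },
}

# Constructed config:DescribeRemediationConfigurations response: Automatic was switched off.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "RemediationConfigurations": [{
        "ConfigRuleName": RULE_NAME,
        "TargetType": "SSM_DOCUMENT",
        "TargetId": "AWS-DisableS3BucketPublicReadWrite",
        "Automatic": False,
        "MaximumAutomaticAttempts": 5,
        "RetryAttemptSeconds": 211,
        "Parameters": DESIRED["Parameters"],
    }]
}

def to_camel(key: str) -> str:
    """Map a schema key such as target_id onto the API field name TargetId (CamelCase is kept)."""
    return "".join(p[:1].upper() + p[1:] for p in key.split("_"))

def find_remediation(response: Dict[str, Any], rule_name: str) -> Optional[Dict[str, Any]]:
    """Return the remediation attached to rule_name, or None when it has none (the 'missing' case)."""
    for rem in response.get("RemediationConfigurations", []):
        if rem.get("ConfigRuleName") == rule_name:
            return rem
    return None

def remediation_mismatches(desired: Dict[str, Any], configured: Dict[str, Any]) -> List[str]:
    """API field names whose configured value differs from the desired value."""
    return [to_camel(k) for k, v in desired.items() if configured.get(to_camel(k)) != v]

def remediation_matches(desired: Dict[str, Any], response: Dict[str, Any], rule_name: str) -> bool:
    """True only when the rule has a remediation and every desired field matches it."""
    configured = find_remediation(response, rule_name)
    return configured is not None and not remediation_mismatches(desired, configured)
```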

status

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - status
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - config:DescribeConfigRuleEvaluationStatus

Actions

delete

Parent base class for filters and actions.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - config:DeleteConfigRule

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, following the order of the values in old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources