aws.config-rule
Filters
remediation
Filter that matches config rules whose remediation configuration equals the given remediation settings.
This filter can be used in conjunction with the account resource's missing filter to look for managed config rules that have no remediation configured, and to enable remediation on them accordingly.
- example:

  policies:
    - name: config-managed-s3-bucket-public-write-remediate-event-with-filter
      description: |
        This policy detects if S3 bucket allows public write by the bucket policy
        or ACL and remediates.
      comment: |
        This policy detects if S3 bucket policy or ACL allows public write access.
        When the bucket is evaluated as 'NON_COMPLIANT', the action
        'AWS-DisableS3BucketPublicReadWrite' is triggered and remediates.
      resource: account
      filters:
        - type: missing
          policy:
            resource: config-rule
            filters:
              - type: remediation
                rule_name: &rule_name 'config-managed-s3-bucket-public-write-remediate-event'
                remediation: &remediation-config
                  TargetId: AWS-DisableS3BucketPublicReadWrite
                  Automatic: true
                  MaximumAutomaticAttempts: 5
                  RetryAttemptSeconds: 211
                  Parameters:
                    AutomationAssumeRole:
                      StaticValue:
                        Values:
                          - 'arn:aws:iam::{account_id}:role/myrole'
                    S3BucketName:
                      ResourceValue:
                        Value: RESOURCE_ID
      actions:
        - type: toggle-config-managed-rule
          rule_name: *rule_name
          managed_rule_id: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
          resource_types:
            - 'AWS::S3::Bucket'
          rule_parameters: '{}'
          remediation: *remediation-config
properties:
  remediation:
    properties:
      automatic:
        type: boolean
      execution_controls:
        type: object
      maximum_automatic_attempts:
        maximum: 25
        minimum: 1
        type: integer
      parameters:
        type: object
      retry_attempt_seconds:
        maximum: 2678000
        minimum: 1
        type: integer
      target_id:
        type: string
      target_type:
        type: string
    type: object
  rule_name:
    type: string
  rule_prefix:
    type: string
  type:
    enum:
      - remediation
required:
  - type
Permissions - config:DescribeRemediationConfigurations
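As an added example that is not Cloud Custodian's own code, the comparison the remediation filter is described as performing, run offline over a constructed config:DescribeRemediationConfigurations response; the matching semantics (every key given in the policy's remediation block must equal the value the API reports, snake_case schema keys mapped onto the API's PascalCase) and the account id are assumptions.

```python
# Added illustrative example, not Cloud Custodian's code: subset-match a policy's
# remediation spec against a config:DescribeRemediationConfigurations response.
# Assumption: the filter treats the spec as "every key given must match exactly".

# Constructed sample response, shaped like the API output.
ROLE = "arn:aws:iam::123456789012:role/myrole"  # constructed account id
SAMPLE_RESPONSE = {"RemediationConfigurations": [
    {"ConfigRuleName": "config-managed-s3-bucket-public-write-remediate-event",
     "TargetType": "SSM_DOCUMENT", "TargetId": "AWS-DisableS3BucketPublicReadWrite",
     "Automatic": True, "MaximumAutomaticAttempts": 5, "RetryAttemptSeconds": 211,
     "Parameters": {"AutomationAssumeRole": {"StaticValue": {"Values": [ROLE]}},
                    "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}}}},
    # Same SSM document, but remediation left manual and without retry settings.
    {"ConfigRuleName": "manual-only-rule", "TargetType": "SSM_DOCUMENT",
     "TargetId": "AWS-DisableS3BucketPublicReadWrite", "Automatic": False},
]}

# The remediation block of the policy above, with the account id filled in.
DESIRED = {
    "TargetId": "AWS-DisableS3BucketPublicReadWrite",
    "Automatic": True,
    "MaximumAutomaticAttempts": 5,
    "RetryAttemptSeconds": 211,
    "Parameters": {"AutomationAssumeRole": {"StaticValue": {"Values": [ROLE]}},
                   "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}}},
}

def to_api_key(key):
    """Map the schema's snake_case keys (target_id) onto the API's PascalCase (TargetId)."""
    return key if key[:1].isupper() else "".join(p.capitalize() for p in key.split("_"))

def spec_matches(desired, actual):
    """True when every key of `desired` is present in `actual` with an equal value (recursive)."""
    for key, want in desired.items():
        have = actual.get(to_api_key(key))
        if isinstance(want, dict):
            if not isinstance(have, dict) or not spec_matches(want, have):
                return False
        elif have != want:
            return False
    return True

def rules_with_matching_remediation(response, desired):
    """Names of config rules whose remediation configuration satisfies `desired`."""
    return [c["ConfigRuleName"] for c in response["RemediationConfigurations"]
            if spec_matches(desired, c)]
```

A rule with Automatic left false, or with no retry settings at all, does not match the policy's spec, which is exactly the gap the account missing filter above is meant to surface.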
status
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - status
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - config:DescribeConfigRuleEvaluationStatus
Actions
delete
Parent base class for filters and actions.
properties:
  type:
    enum:
      - delete
required:
  - type
Permissions - config:DeleteConfigRule
rename-tag
Rename an existing tag key to a new value.
- example:
  Rename Application and Bap to App. If a resource has both of the old keys, the value specified by Application is used, following the order of values in old_keys.

  policies:
    - name: rename-tags-example
      resource: aws.log-group
      filters:
        - or:
            - "tag:Bap": present
            - "tag:Application": present
      actions:
        - type: rename-tag
          old_keys: [Application, Bap]
          new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
      - rename-tag
required:
  - type
Permissions - tag:TagResources, tag:UntagResources