aws.config-rule

Filters

remediation

Filter to look for config rules that match the given remediation configuration settings.

This filter can be used in conjunction with the account missing filter to look for managed config rules whose remediation configuration is missing, and to enable it accordingly.

example

policies:
  - name: config-managed-s3-bucket-public-write-remediate-event-with-filter
    description: |
      This policy detects if an S3 bucket allows public write by the bucket policy
      or ACL and remediates.
    comment: |
      This policy detects if an S3 bucket policy or ACL allows public write access.
      When the bucket is evaluated as 'NON_COMPLIANT', the action
      'AWS-DisableS3BucketPublicReadWrite' is triggered and remediates.
    resource: account
    filters:
      - type: missing
        policy:
          resource: config-rule
          filters:
            - type: remediation
              rule_name: &rule_name 'config-managed-s3-bucket-public-write-remediate-event'
              remediation: &remediation-config
                TargetId: AWS-DisableS3BucketPublicReadWrite
                Automatic: true
                MaximumAutomaticAttempts: 5
                RetryAttemptSeconds: 211
                Parameters:
                  AutomationAssumeRole:
                    StaticValue:
                      Values:
                        - 'arn:aws:iam::{account_id}:role/myrole'
                  S3BucketName:
                    ResourceValue:
                      Value: RESOURCE_ID
    actions:
      - type: toggle-config-managed-rule
        rule_name: *rule_name
        managed_rule_id: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
        resource_types:
          - 'AWS::S3::Bucket'
        rule_parameters: '{}'
        remediation: *remediation-config
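The policy above pairs the account missing filter with the config-rule remediation filter: it asks whether a rule with the expected remediation configuration exists, and toggles the managed rule on when it does not. The following is an added illustration of that check, not Cloud Custodian's own code. It takes a constructed response in the shape of config:DescribeRemediationConfigurations (the permission listed below), compares it with the policy's remediation block, and reports which rule names lack a matching configuration. The matching rule used here (every desired key present with an equal value, nested maps compared recursively, lists element-wise) and the rendering of the '{account_id}' placeholder are assumptions for this example; the sample account id is constructed.

```python
# Constructed sample in the shape of a config:DescribeRemediationConfigurations
# response (not a real account). The first entry mirrors the policy above; the
# second has the same SSM document attached but is manual only.
SAMPLE_RESPONSE = {
    "RemediationConfigurations": [
        {
            "ConfigRuleName": "config-managed-s3-bucket-public-write-remediate-event",
            "TargetType": "SSM_DOCUMENT",
            "TargetId": "AWS-DisableS3BucketPublicReadWrite",
            "Automatic": True,
            "MaximumAutomaticAttempts": 5,
            "RetryAttemptSeconds": 211,
            "Parameters": {
                "AutomationAssumeRole": {
                    "StaticValue": {"Values": ["arn:aws:iam::123456789012:role/myrole"]}
                },
                "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            },
        },
        {
            "ConfigRuleName": "s3-public-write-manual-remediation",
            "TargetType": "SSM_DOCUMENT",
            "TargetId": "AWS-DisableS3BucketPublicReadWrite",
            "Automatic": False,
            "Parameters": {
                "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
            },
        },
    ]
}

# Desired settings, copied from the policy's remediation block. '{account_id}'
# is a placeholder the policy engine fills in; this example renders it itself.
DESIRED_REMEDIATION = {
    "TargetId": "AWS-DisableS3BucketPublicReadWrite",
    "Automatic": True,
    "MaximumAutomaticAttempts": 5,
    "RetryAttemptSeconds": 211,
    "Parameters": {
        "AutomationAssumeRole": {
            "StaticValue": {"Values": ["arn:aws:iam::{account_id}:role/myrole"]}
        },
        "S3BucketName": {"ResourceValue": {"Value": "RESOURCE_ID"}},
    },
}


def render(value, account_id):
    """Recursively substitute the '{account_id}' placeholder in strings."""
    if isinstance(value, str):
        return value.replace("{account_id}", account_id)
    if isinstance(value, dict):
        return {k: render(v, account_id) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v, account_id) for v in value]
    return value


def is_subset(desired, existing):
    """Assumed matching semantics: every key in `desired` must be present in
    `existing` with an equal value. Dicts recurse, lists are compared
    element-wise, scalars by equality. Extra keys in `existing` are ignored."""
    if isinstance(desired, dict):
        if not isinstance(existing, dict):
            return False
        return all(k in existing and is_subset(v, existing[k]) for k, v in desired.items())
    if isinstance(desired, list):
        if not isinstance(existing, list) or len(desired) != len(existing):
            return False
        return all(is_subset(d, e) for d, e in zip(desired, existing))
    return desired == existing


def rules_with_matching_remediation(response, desired, account_id):
    """Names of config rules whose remediation configuration matches `desired`."""
    wanted = render(desired, account_id)
    return [
        cfg["ConfigRuleName"]
        for cfg in response.get("RemediationConfigurations", [])
        if is_subset(wanted, cfg)
    ]


def rules_missing_remediation(rule_names, response, desired, account_id):
    """Rules from `rule_names` with no matching remediation: the set the policy
    above would hand to toggle-config-managed-rule."""
    present = set(rules_with_matching_remediation(response, desired, account_id))
    return [name for name in rule_names if name not in present]


if __name__ == "__main__":
    expected_rules = [
        "config-managed-s3-bucket-public-write-remediate-event",
        "s3-public-write-manual-remediation",
        "rule-with-no-remediation-at-all",
    ]
    print(rules_missing_remediation(
        expected_rules, SAMPLE_RESPONSE, DESIRED_REMEDIATION, "123456789012"))
```

The manual-only rule is reported as missing because `Automatic: false` differs from the desired `Automatic: true`; a rule whose remediation points at the same document but runs under a different account's role would be reported the same way, since the rendered role ARN is part of the comparison.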

properties:
  remediation:
    properties:
      automatic:
        type: boolean
      execution_controls:
        type: object
      maximum_automatic_attempts:
        maximum: 25
        minimum: 1
        type: integer
      parameters:
        type: object
      retry_attempt_seconds:
        maximum: 2678000
        minimum: 1
        type: integer
      target_id:
        type: string
      target_type:
        type: string
    type: object
  rule_name:
    type: string
  rule_prefix:
    type: string
  type:
    enum:
    - remediation
required:
- type

Permissions - config:DescribeRemediationConfigurations

status

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - status
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - config:DescribeConfigRuleEvaluationStatus

Actions

delete

Parent base class for filters and actions.

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - config:DeleteConfigRule