aws.distribution¶
Filters¶
distribution-config¶
Check for Cloudfront distribution config values
- example:
policies:
- name: logging-enabled
resource: distribution
filters:
- type: distribution-config
key: Logging.Enabled
value: False
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- distribution-config
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
Permissions - cloudfront:GetDistributionConfig
json-diff¶
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes config as a resource revision database.
Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).
properties:
selector:
enum:
- previous
- date
- locked
selector_value:
type: string
type:
enum:
- json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
mismatch-s3-origin¶
- Check for existence of S3 bucket referenced by Cloudfront,
and verify whether owner is different from Cloudfront account owner.
- example:
policies:
- name: mismatch-s3-origin
resource: distribution
filters:
- type: mismatch-s3-origin
check_custom_origins: true
properties:
check_custom_origins:
type: boolean
type:
enum:
- mismatch-s3-origin
required:
- type
Permissions - s3:ListAllMyBuckets
shield-enabled¶
Base class with helper methods for dealing with ARNs of resources protected by Shield
properties:
state:
type: boolean
type:
enum:
- shield-enabled
required:
- type
Permissions - shield:ListProtections
waf-enabled¶
Filter CloudFront distribution by waf-regional web-acl
- example:
policies:
- name: filter-distribution-waf
resource: distribution
filters:
- type: waf-enabled
state: false
web-acl: test
properties:
state:
type: boolean
type:
enum:
- waf-enabled
web-acl:
type: string
required:
- type
Permissions - waf:ListWebACLs
Actions¶
disable¶
Action to disable a Distribution
- example:
policies:
- name: distribution-delete
resource: distribution
filters:
- type: value
key: CacheBehaviors.Items[].ViewerProtocolPolicy
value: allow-all
op: contains
actions:
- type: disable
properties:
type:
enum:
- disable
required:
- type
Permissions - cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution
rename-tag¶
Rename an existing tag key to a new value.
- example:
rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.
policies: - name: rename-tags-example resource: aws.log-group filters: - or: - "tag:Bap": present - "tag:Application": present actions: - type: rename-tag old_keys: [Application, Bap] new_key: App
properties:
new_key:
type: string
old_key:
type: string
old_keys:
items:
type: string
type: array
type:
enum:
- rename-tag
required:
- type
Permissions - tag:TagResources, tag:UntagResources
set-attributes¶
Action to update the attributes of a distribution
- example:
policies:
- name: enforce-distribution-logging
resource: distribution
filters:
- type: value
key: "Logging.Enabled"
value: null
actions:
- type: set-attributes
attributes:
Comment: ""
Enabled: true
Logging:
Enabled: true
IncludeCookies: false
Bucket: 'test-enable-logging-c7n.s3.amazonaws.com'
Prefix: ''
properties:
attributes:
type: object
type:
enum:
- set-attributes
required:
- attributes
Permissions - cloudfront:UpdateDistribution, cloudfront:GetDistributionConfig
set-protocols¶
Action to set mandatory https-only on a Distribution
- example:
policies:
- name: distribution-set-ssl
resource: distribution
filters:
- type: value
key: CacheBehaviors.Items[].ViewerProtocolPolicy
value: allow-all
op: contains
actions:
- type: set-protocols
ViewerProtocolPolicy: https-only
properties:
OriginProtocolPolicy:
enum:
- http-only
- match-viewer
- https-only
OriginSslProtocols:
items:
enum:
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
type: array
ViewerProtocolPolicy:
enum:
- allow-all
- https-only
- redirect-to-https
type:
enum:
- set-protocols
Permissions - cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution
set-shield¶
Enable shield protection on applicable resource.
setting sync parameter will also clear out stale shield protections for resources that no longer exist.
properties:
state:
type: boolean
sync:
type: boolean
type:
enum:
- set-shield
required:
- type
Permissions - shield:CreateProtection, shield:ListProtections
set-waf¶
Enable waf protection on CloudFront distribution.
- example:
policies:
- name: set-waf-for-cloudfront
resource: distribution
filters:
- type: waf-enabled
state: false
web-acl: test
actions:
- type: set-waf
state: true
force: true
web-acl: test
- name: disassociate-waf-associate-wafv2-cf
resource: distribution
filters:
- type: waf-enabled
state: true
actions:
- type: set-wafv2
state: true
force: true
web-acl: testv2
properties:
force:
type: boolean
state:
type: boolean
type:
enum:
- set-waf
web-acl:
type: string
required:
- web-acl
- type
Permissions - cloudfront:UpdateDistribution, waf:ListWebACLs
set-wafv2¶
Enable wafv2 protection on CloudFront distribution.
- example:
policies:
- name: set-wafv2-for-cloudfront
resource: distribution
filters:
- type: wafv2-enabled
state: false
web-acl: testv2
actions:
- type: set-wafv2
state: true
force: true
web-acl: testv2
- name: disassociate-wafv2-associate-waf-cf
resource: distribution
filters:
- type: wafv2-enabled
state: true
actions:
- type: set-waf
state: true
force: true
web-acl: test
policies:
- name: set-wafv2-for-cloudfront-regex
resource: distribution
filters:
- type: wafv2-enabled
state: false
web-acl: .*FMManagedWebACLV2-?FMS-.*
actions:
- type: set-wafv2
state: true
web-acl: FMManagedWebACLV2-?FMS-TestWebACL
properties:
force:
type: boolean
state:
type: boolean
type:
enum:
- set-wafv2
web-acl:
type: string
required:
- type
Permissions - cloudfront:UpdateDistribution, wafv2:ListWebACLs