aws.distribution

Filters

• config-compliance

• event

• finding

• json-diff

• marked-for-op

• metrics

• mismatch-s3-origin

• ops-item

• shield-enabled

• shield-metrics

• tag-count

• value

• waf-enabled

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

mismatch-s3-origin

Check for existence of S3 bucket referenced by Cloudfront,

and verify whether owner is different from Cloudfront account owner.

example

policies:
  - name: mismatch-s3-origin
    resource: distribution
    filters:
      - type: mismatch-s3-origin
        check_custom_origins: true

properties:
  check_custom_origins:
    type: boolean
  type:
    enum:
    - mismatch-s3-origin
required:
- type

shield-enabled

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

waf-enabled

properties:
  state:
    type: boolean
  type:
    enum:
    - waf-enabled
  web-acl:
    type: string
required:
- type

Actions

• auto-tag-user

• copy-related-tag

• disable

• invoke-lambda

• invoke-sfn

• mark-for-op

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• set-attributes

• set-protocols

• set-shield

• set-waf

• tag

• webhook

disable

Action to disable a Distribution

example

policies:
  - name: distribution-delete
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: disable

properties:
  type:
    enum:
    - disable
required:
- type

set-attributes

Action to update the attributes of a distribution

example

policies:
- name: enforce-distribution-logging
  resource: distribution
  filters:
    - type: value
      key: "Logging.Enabled"
      value: null
  actions:
    - type: set-attributes
      attributes:
        Comment: ""
        Enabled: true
        Logging:
            Enabled: true
            IncludeCookies: false
            Bucket: 'test-enable-logging-c7n.s3.amazonaws.com'
            Prefix: ''

properties:
  attributes:
    type: object
  type:
    enum:
    - set-attributes
required:
- attributes

set-protocols

Action to set mandatory https-only on a Distribution

example

policies:
  - name: distribution-set-ssl
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: set-protocols
        ViewerProtocolPolicy: https-only

properties:
  OriginProtocolPolicy:
    enum:
    - http-only
    - match-viewer
    - https-only
  OriginSslProtocols:
    items:
      enum:
      - SSLv3
      - TLSv1
      - TLSv1.1
      - TLSv1.2
    type: array
  ViewerProtocolPolicy:
    enum:
    - allow-all
    - https-only
    - redirect-to-https
  type:
    enum:
    - set-protocols

set-shield

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

set-waf

properties:
  force:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-waf
  web-acl:
    type: string
required:
- web-acl
- type