aws.distribution
Filters
distribution-config
Check for CloudFront distribution config values.
- example
policies:
  - name: logging-enabled
    resource: distribution
    filters:
      - type: distribution-config
        key: Logging.Enabled
        value: False
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
  type:
    enum:
      - distribution-config
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      url:
        type: string
    required:
      - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
required:
  - type
Permissions - cloudfront:GetDistributionConfig
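An added example, not code from the Cloud Custodian docs or project: a small Python evaluator that reimplements the key/op/value matching this filter describes (a JMESPath-like subset: dotted keys plus `[]` list projection), run against a constructed DistributionConfig. The same keys appear in the `value` filters used by the action examples further down this page (`CacheBehaviors.Items[].ViewerProtocolPolicy` with `op: contains`, `Logging.Enabled` with `value: null`). `SAMPLE_CONFIG`, `resolve` and `matches` are names chosen here.

```python
import re

# Constructed sample: a trimmed DistributionConfig shaped like the
# GetDistributionConfig response (not real data).
SAMPLE_CONFIG = {
    "Logging": {"Enabled": False, "Bucket": "", "Prefix": ""},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"},
        {"PathPattern": "/legacy/*", "ViewerProtocolPolicy": "allow-all"},
    ]},
}

def resolve(obj, key):
    """Resolve a dotted key; 'Name[]' projects over a list (JMESPath-like subset).
    A missing key resolves to None, which is what `value: null` matches."""
    parts = key.split(".")
    for i, part in enumerate(parts):
        if part.endswith("[]"):
            items = obj.get(part[:-2]) if isinstance(obj, dict) else None
            if not isinstance(items, list):
                return None
            rest = ".".join(parts[i + 1:])
            return [resolve(item, rest) if rest else item for item in items]
        obj = obj.get(part) if isinstance(obj, dict) else None
        if obj is None:
            return None
    return obj

def _contains(actual, wanted):
    # list membership, or substring when both sides are strings
    return (isinstance(actual, list) and wanted in actual) or (
        isinstance(actual, str) and isinstance(wanted, str) and wanted in actual)

def _in(actual, wanted):
    return isinstance(wanted, (list, tuple)) and actual in wanted

# The subset of the filter's `op` enum exercised by the examples on this page
OPS = {
    "eq": lambda a, v: a == v, "equal": lambda a, v: a == v,
    "ne": lambda a, v: a != v, "not-equal": lambda a, v: a != v,
    "contains": _contains, "in": _in, "ni": lambda a, v: not _in(a, v),
    "regex": lambda a, v: isinstance(a, str) and re.match(v, a) is not None,
}

def matches(config, key, value, op="eq"):
    """True when a filter block {key, op, value} matches this config."""
    return bool(OPS[op](resolve(config, key), value))
```

The real filter resolves keys with the jmespath library and supports the full `op` and `value_type` lists above; this subset is enough to see why `Logging.Enabled: False` and a `contains` check over a projected list both match the sample.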
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes AWS Config as a resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
mismatch-s3-origin
Check that the S3 bucket referenced by a CloudFront origin exists, and verify whether its owner differs from the CloudFront account owner.
- example
policies:
  - name: mismatch-s3-origin
    resource: distribution
    filters:
      - type: mismatch-s3-origin
        check_custom_origins: true
properties:
  check_custom_origins:
    type: boolean
  type:
    enum:
      - mismatch-s3-origin
required:
  - type
Permissions - s3:ListAllMyBuckets
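An added example, not Cloud Custodian's own implementation: a Python sketch of the check this filter describes, run against a constructed Origins list and a constructed set of bucket names the account owns (what s3:ListAllMyBuckets would return). `S3_DOMAIN`, `s3_bucket_from_origin` and `mismatched_s3_origins` are names chosen here, and the endpoint pattern is an assumption covering the usual `bucket.s3.amazonaws.com`, regional and `s3-website` forms.

```python
import re

# Constructed sample: the Origins.Items of a DistributionConfig (not real data).
SAMPLE_ORIGINS = [
    {"Id": "assets", "DomainName": "my-assets.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
    {"Id": "site", "DomainName": "old-site.s3-website-us-east-1.amazonaws.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
    {"Id": "api", "DomainName": "api.example.com",
     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
]
# Constructed: bucket names this account owns (the ListAllMyBuckets result).
ACCOUNT_BUCKETS = {"my-assets", "logs"}

# Assumed endpoint shapes: bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com
# and the s3-website endpoints; the bucket name is everything before the first ".s3".
S3_DOMAIN = re.compile(r"^(?P<bucket>.+?)\.s3[.-][a-z0-9.-]*amazonaws\.com$")

def s3_bucket_from_origin(origin, check_custom_origins=False):
    """Bucket name the origin points at, or None when it is not treated as S3.
    Custom origins (e.g. website endpoints) are only inspected when asked to,
    mirroring the filter's check_custom_origins switch."""
    if "S3OriginConfig" not in origin and not check_custom_origins:
        return None
    m = S3_DOMAIN.match(origin["DomainName"].lower())
    return m.group("bucket") if m else None

def mismatched_s3_origins(origins, account_buckets, check_custom_origins=False):
    """Return (origin id, bucket) for every S3 origin whose bucket is not in
    this account. With only ListAllMyBuckets you cannot tell 'deleted' from
    'owned by another account', so both cases are reported together."""
    flagged = []
    for origin in origins:
        bucket = s3_bucket_from_origin(origin, check_custom_origins)
        if bucket is not None and bucket not in account_buckets:
            flagged.append((origin["Id"], bucket))
    return flagged
```

A hit means the distribution serves content from a bucket your account does not control, which is the condition a policy using this filter should alert on or remediate.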
shield-enabled
Filter distributions by whether a Shield protection is present for them (state: true or false).
properties:
  state:
    type: boolean
  type:
    enum:
      - shield-enabled
required:
  - type
Permissions - shield:ListProtections
waf-enabled
Filter CloudFront distributions by waf-regional web-acl.
- example
policies:
  - name: filter-distribution-waf
    resource: distribution
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
properties:
  state:
    type: boolean
  type:
    enum:
      - waf-enabled
  web-acl:
    type: string
required:
  - type
Permissions - waf:ListWebACLs
wafv2-enabled
Filter CloudFront distributions by wafv2 web-acl.
- example
policies:
  - name: filter-distribution-wafv2
    description: |
      match resources that are NOT associated with any wafV2 web-acls
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: false
  - name: filter-distribution-wafv2-specific-acl
    description: |
      match resources that are NOT associated with wafV2's testv2 web-acl
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: testv2
  - name: filter-distribution-wafv2-regex
    description: |
      match resources that are NOT associated with specified
      wafV2 web-acl regex
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
properties:
  state:
    type: boolean
  type:
    enum:
      - wafv2-enabled
  web-acl:
    type: string
required:
  - type
Permissions - wafv2:ListWebACLs
Actions
disable
Action to disable a distribution.
- example
policies:
  - name: distribution-delete
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: disable
properties:
  type:
    enum:
      - disable
required:
  - type
Permissions - cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution
set-attributes
Action to update the attributes of a distribution.
- example
policies:
  - name: enforce-distribution-logging
    resource: distribution
    filters:
      - type: value
        key: "Logging.Enabled"
        value: null
    actions:
      - type: set-attributes
        attributes:
          Comment: ""
          Enabled: true
          Logging:
            Enabled: true
            IncludeCookies: false
            Bucket: 'test-enable-logging-c7n.s3.amazonaws.com'
            Prefix: ''
properties:
  attributes:
    type: object
  type:
    enum:
      - set-attributes
required:
  - attributes
Permissions - cloudfront:UpdateDistribution, cloudfront:GetDistributionConfig
set-protocols
Action to set the viewer and origin protocol settings of a distribution, for example mandatory https-only.
- example
policies:
  - name: distribution-set-ssl
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: set-protocols
        ViewerProtocolPolicy: https-only
properties:
  OriginProtocolPolicy:
    enum:
      - http-only
      - match-viewer
      - https-only
  OriginSslProtocols:
    items:
      enum:
        - SSLv3
        - TLSv1
        - TLSv1.1
        - TLSv1.2
    type: array
  ViewerProtocolPolicy:
    enum:
      - allow-all
      - https-only
      - redirect-to-https
  type:
    enum:
      - set-protocols
Permissions - cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution
set-shield
Enable Shield protection on applicable resources.
Setting the sync parameter also clears out stale Shield protections for resources that no longer exist.
properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
      - set-shield
required:
  - type
Permissions - shield:CreateProtection, shield:ListProtections
set-waf
Enable WAF protection on a CloudFront distribution.
- example
policies:
  - name: set-waf-for-cloudfront
    resource: distribution
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
    actions:
      - type: set-waf
        state: true
        force: true
        web-acl: test
  - name: disassociate-waf-associate-wafv2-cf
    resource: distribution
    filters:
      - type: waf-enabled
        state: true
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: testv2
properties:
  force:
    type: boolean
  state:
    type: boolean
  type:
    enum:
      - set-waf
  web-acl:
    type: string
required:
  - web-acl
  - type
Permissions - cloudfront:UpdateDistribution, waf:ListWebACLs
set-wafv2
Enable WAFv2 protection on a CloudFront distribution.
- example
policies:
  - name: set-wafv2-for-cloudfront
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: testv2
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: testv2
  - name: disassociate-wafv2-associate-waf-cf
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: true
    actions:
      - type: set-waf
        state: true
        force: true
        web-acl: test

policies:
  - name: set-wafv2-for-cloudfront-regex
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
    actions:
      - type: set-wafv2
        state: true
        web-acl: FMManagedWebACLV2-?FMS-TestWebACL
properties:
  force:
    type: boolean
  state:
    type: boolean
  type:
    enum:
      - set-wafv2
  web-acl:
    type: string
required:
  - type
Permissions - cloudfront:UpdateDistribution, wafv2:ListWebACLs