aws.elb
Filters
attributes
Value Filter that allows filtering on ELB attributes
- example:
  policies:
    - name: elb-is-connection-draining
      resource: elb
      filters:
        - type: attributes
          key: ConnectionDraining.Enabled
          value: true
          op: eq
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
default-vpc
Matches if an ELB is in the default VPC.
- example:
  policies:
    - name: elb-default-vpc
      resource: elb
      filters:
        - type: default-vpc
Permissions - ec2:DescribeVpcs
healthcheck-protocol-mismatch
Filters ELBs that have a health check protocol mismatch.
The mismatch occurs when the protocol the ELB uses for its health check differs from the instance protocol the associated instances are configured to accept, so the health check cannot reliably determine instance health.
- example:
  policies:
    - name: elb-healthcheck-mismatch
      resource: elb
      filters:
        - type: healthcheck-protocol-mismatch
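To make the mismatch concrete, here is an added example (written for this page, not Cloud Custodian's own filter code) that applies the check described above to constructed DescribeLoadBalancers-style records. It parses the protocol out of HealthCheck.Target and compares it with the InstanceProtocol of each listener; the ELB names, ports and the decision to flag an ELB with no listeners are assumptions of this illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample records in the shape DescribeLoadBalancers returns for a
# classic ELB, trimmed to the fields the check needs (hypothetical names/values).
SAMPLE_ELBS: List[Dict] = [
    {   # health check speaks HTTPS, but the backends only accept HTTP -> mismatch
        "LoadBalancerName": "web-prod",
        "HealthCheck": {"Target": "HTTPS:443/healthz"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTP", "InstancePort": 80}},
        ],
    },
    {   # TLS terminated at the ELB, HTTP to the backend, HTTP health check -> fine
        "LoadBalancerName": "api-prod",
        "HealthCheck": {"Target": "HTTP:8080/ping"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTP", "InstancePort": 8080}},
        ],
    },
    {   # plain TCP passthrough with a TCP health check -> fine
        "LoadBalancerName": "tcp-prod",
        "HealthCheck": {"Target": "TCP:9000"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 9000,
                          "InstanceProtocol": "TCP", "InstancePort": 9000}},
        ],
    },
    {   # no listeners at all: nothing can share the health check protocol
        "LoadBalancerName": "orphan",
        "HealthCheck": {"Target": "HTTP:80/"},
        "ListenerDescriptions": [],
    },
]

# HealthCheck.Target looks like "HTTP:80/path", "HTTPS:443/path", "TCP:9000" or "SSL:443".
_TARGET_RE = re.compile(r"^([A-Z]+):(\d+)")


def healthcheck_protocol(elb: Dict) -> str:
    """Return the protocol part of HealthCheck.Target, e.g. 'HTTPS:443/healthz' -> 'HTTPS'."""
    target = elb["HealthCheck"]["Target"]
    m = _TARGET_RE.match(target)
    if not m:
        raise ValueError(f"unrecognised health check target: {target!r}")
    return m.group(1)


def instance_protocols(elb: Dict) -> Set[str]:
    """Set of protocols the listeners use to talk to the instances."""
    return {d["Listener"]["InstanceProtocol"].upper()
            for d in elb.get("ListenerDescriptions", [])}


def has_protocol_mismatch(elb: Dict) -> bool:
    """True when no listener talks to the instances with the health check's protocol.

    An ELB without listeners is flagged too (assumption of this example): there is
    no instance protocol the health check could agree with.
    """
    return healthcheck_protocol(elb) not in instance_protocols(elb)


def filter_mismatched(elbs: List[Dict]) -> List[str]:
    """Names of the ELBs the healthcheck-protocol-mismatch filter would select."""
    return [e["LoadBalancerName"] for e in elbs if has_protocol_mismatch(e)]


if __name__ == "__main__":
    print(filter_mismatched(SAMPLE_ELBS))  # ['web-prod', 'orphan']
```

A policy built on this filter is a useful early warning: a mismatched health check usually means every backend is reported unhealthy (or, worse, healthy without actually being checked), so it belongs next to the listener and target checks in a load balancer hygiene policy.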
instance
Filter ELBs by the value(s) of attributes of their associated instances.
- example:
  policies:
    - name: elb-image-filter
      resource: elb
      filters:
        - type: instance
          key: ImageId
          value: ami-01ab23cd
Permissions - ec2:DescribeInstances, ec2:DescribeTags
is-logging
Matches ELBs that are logging to S3.
The bucket and prefix parameters are optional; when given, the ELB must be logging to that bucket and/or prefix.
- example:
  policies:
    - name: elb-is-logging-test
      resource: elb
      filters:
        - type: is-logging
    - name: elb-is-logging-bucket-and-prefix-test
      resource: elb
      filters:
        - type: is-logging
          bucket: prodlogs
          prefix: elblogs
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
is-not-logging
Matches ELBs that are NOT logging to S3, or that are logging but do not match the optional bucket and/or prefix.
- example:
  policies:
    - name: elb-is-not-logging-test
      resource: elb
      filters:
        - type: is-not-logging
    - name: is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
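The attributes, is-logging and is-not-logging filters all work from the same DescribeLoadBalancerAttributes response, so one added example (written for this page; not Cloud Custodian's implementation) serves the three of them. It walks a dotted key such as ConnectionDraining.Enabled and applies a comparison operator, and it evaluates the logging filters with the optional bucket and prefix, including the case the is-not-logging text calls out: an ELB that logs, but to a different bucket. The ELB names and attribute values are constructed sample data, and the small operator table is an assumption of this example.

```python
import operator
from typing import Any, Callable, Dict, List, Optional

# Constructed DescribeLoadBalancerAttributes-style records keyed by ELB name
# (hypothetical names and values, not data from any real account).
SAMPLE_ATTRIBUTES: Dict[str, Dict[str, Any]] = {
    "web-prod": {
        "AccessLog": {"Enabled": True, "S3BucketName": "prodlogs",
                      "S3BucketPrefix": "elblogs", "EmitInterval": 5},
        "ConnectionDraining": {"Enabled": True, "Timeout": 300},
    },
    "web-staging": {   # logs, but to a different bucket than production
        "AccessLog": {"Enabled": True, "S3BucketName": "staginglogs",
                      "S3BucketPrefix": "elblogs", "EmitInterval": 60},
        "ConnectionDraining": {"Enabled": False, "Timeout": 300},
    },
    "legacy": {        # no access logging, no draining attribute at all
        "AccessLog": {"Enabled": False},
    },
}

# Subset of value-filter operators, enough for this illustration (assumption).
OPS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": operator.eq,
    "ne": operator.ne,
    "gt": operator.gt,
    "lt": operator.lt,
}


def lookup(record: Dict[str, Any], key: str) -> Any:
    """Walk a dotted key like 'ConnectionDraining.Enabled'; None if any step is missing."""
    cur: Any = record
    for part in key.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def attributes_match(attrs: Dict[str, Any], key: str, value: Any, op: str = "eq") -> bool:
    """The attributes filter: compare the value at `key` with `value` using `op`.

    A missing attribute never satisfies the comparison, so an ELB lacking the
    ConnectionDraining block is not reported as having draining enabled.
    """
    actual = lookup(attrs, key)
    if actual is None:
        return False
    return OPS[op](actual, value)


def is_logging(attrs: Dict[str, Any], bucket: Optional[str] = None,
               prefix: Optional[str] = None) -> bool:
    """The is-logging filter: access logs enabled, and bucket/prefix match when given."""
    log = attrs.get("AccessLog", {})
    if not log.get("Enabled"):
        return False
    if bucket is not None and log.get("S3BucketName") != bucket:
        return False
    if prefix is not None and log.get("S3BucketPrefix") != prefix:
        return False
    return True


def is_not_logging(attrs: Dict[str, Any], bucket: Optional[str] = None,
                   prefix: Optional[str] = None) -> bool:
    """The is-not-logging filter: not logging at all, or not to the requested bucket/prefix."""
    return not is_logging(attrs, bucket, prefix)


def select(attributes: Dict[str, Dict[str, Any]],
           predicate: Callable[..., bool], **kw: Any) -> List[str]:
    """Names of the ELBs for which `predicate` holds, sorted for stable output."""
    return sorted(name for name, attrs in attributes.items() if predicate(attrs, **kw))


if __name__ == "__main__":
    print(select(SAMPLE_ATTRIBUTES, attributes_match,
                 key="ConnectionDraining.Enabled", value=True))      # ['web-prod']
    print(select(SAMPLE_ATTRIBUTES, is_logging))                      # ['web-prod', 'web-staging']
    print(select(SAMPLE_ATTRIBUTES, is_logging, bucket="prodlogs"))   # ['web-prod']
    print(select(SAMPLE_ATTRIBUTES, is_not_logging,
                 bucket="prodlogs", prefix="elblogs"))                # ['legacy', 'web-staging']
```

The last call is the one to note when writing an enforcement policy: with a bucket and prefix set, is-not-logging also selects ELBs that do log, just not to the central bucket, which is what you want when the goal is that every load balancer's access logs land where detection tooling reads them.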
is-ssl
Filters ELBs that are using an SSL policy.
- example:
  policies:
    - name: elb-using-ssl
      resource: elb
      filters:
        - type: is-ssl
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
Permissions - config:GetResourceConfigHistory
shield-enabled
Matches resources that have Shield protection enabled. Implemented on a base class with helper methods for dealing with the ARNs of resources protected by Shield.
Permissions - shield:ListProtections
ssl-policy
Filter ELBs on the properties of their SSLNegotiation policies. TODO: only works on custom policies at the moment.
whitelist: filter all policies containing permitted protocols
blacklist: filter all policies containing forbidden protocols
Cannot specify both whitelist and blacklist in the same policy. These must be done separately (separate policy statements).
Likewise, if you want to reduce the consideration set so that only certain keys are compared (e.g. you only want to compare the Protocol- keys), use the matching option with a regular expression:
- example:
  policies:
    - name: elb-ssl-policies
      resource: elb
      filters:
        - type: ssl-policy
          blacklist:
            - "Protocol-SSLv2"
            - "Protocol-SSLv3"
    - name: elb-modern-tls
      resource: elb
      filters:
        - type: ssl-policy
          matching: "^Protocol-"
          whitelist:
            - "Protocol-TLSv1.1"
            - "Protocol-TLSv1.2"
Permissions - elasticloadbalancing:DescribeLoadBalancerPolicies
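The interaction between whitelist, blacklist and matching is easier to see on data. The following added example (written for this page; it is not Cloud Custodian's filter implementation) evaluates the two policies above against constructed DescribeLoadBalancerPolicies-style attribute maps. It assumes the semantics the text describes: a blacklist selects an ELB whose policy enables any forbidden attribute, a whitelist selects an ELB whose policy enables anything outside the permitted set, and matching restricts which attribute keys take part in that comparison. ELB names and cipher/protocol values are sample data.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample: ELB name -> its SSLNegotiation policies, each flattened to
# {PolicyAttributeName: PolicyAttributeValue} as returned by DescribeLoadBalancerPolicies.
# Hypothetical values, not taken from any real account.
SAMPLE_POLICIES: Dict[str, List[Dict[str, str]]] = {
    "legacy-elb": [{
        "Protocol-SSLv3": "true",
        "Protocol-TLSv1": "true",
        "Protocol-TLSv1.2": "true",
        "DHE-RSA-AES256-SHA256": "true",
        "Server-Defined-Cipher-Order": "true",
    }],
    "modern-elb": [{
        "Protocol-SSLv3": "false",
        "Protocol-TLSv1.1": "true",
        "Protocol-TLSv1.2": "true",
        "ECDHE-RSA-AES128-GCM-SHA256": "true",
        "Server-Defined-Cipher-Order": "true",
    }],
    "plain-elb": [],   # HTTP-only listener, no SSL negotiation policy at all
}


def enabled_attributes(policy: Dict[str, str], matching: Optional[str] = None) -> Set[str]:
    """Attribute names set to "true"; with `matching`, only those whose name matches the regex."""
    keys = {name for name, value in policy.items() if value == "true"}
    if matching:
        rx = re.compile(matching)
        keys = {name for name in keys if rx.search(name)}
    return keys


def policy_violates(policy: Dict[str, str],
                    whitelist: Optional[Iterable[str]] = None,
                    blacklist: Optional[Iterable[str]] = None,
                    matching: Optional[str] = None) -> bool:
    """True when the policy should be selected by the filter.

    Exactly one of whitelist / blacklist must be given, mirroring the rule that
    the two cannot appear in the same filter.
    """
    if (whitelist is None) == (blacklist is None):
        raise ValueError("specify exactly one of whitelist or blacklist")
    enabled = enabled_attributes(policy, matching)
    if blacklist is not None:
        # any forbidden attribute switched on is a violation
        return bool(enabled & set(blacklist))
    # whitelist: every enabled (considered) attribute must be permitted
    return not enabled <= set(whitelist)


def select_elbs(policies_by_elb: Dict[str, List[Dict[str, str]]], **filter_args) -> List[str]:
    """Names of the ELBs with at least one policy the filter selects, sorted."""
    return sorted(name for name, policies in policies_by_elb.items()
                  if any(policy_violates(p, **filter_args) for p in policies))


if __name__ == "__main__":
    # elb-ssl-policies from the page
    print(select_elbs(SAMPLE_POLICIES,
                      blacklist=["Protocol-SSLv2", "Protocol-SSLv3"]))      # ['legacy-elb']
    # elb-modern-tls from the page
    print(select_elbs(SAMPLE_POLICIES, matching="^Protocol-",
                      whitelist=["Protocol-TLSv1.1", "Protocol-TLSv1.2"]))  # ['legacy-elb']
    # the same whitelist without `matching` also flags modern-elb, because its
    # enabled cipher attributes are not in the (protocol-only) whitelist
    print(select_elbs(SAMPLE_POLICIES,
                      whitelist=["Protocol-TLSv1.1", "Protocol-TLSv1.2"]))  # ['legacy-elb', 'modern-elb']
```

The third call is the practical point behind the matching option: a whitelist of protocol names alone will flag every ELB, because cipher and ordering attributes are enabled too, so scope the comparison with matching: "^Protocol-" when the intent is only to forbid old protocol versions.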
Actions
delete
Action to delete ELB(s)
It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any load balancers.
- example:
  policies:
    - name: elb-delete-unused
      resource: elb
      filters:
        - Instances: []
      actions:
        - delete
Permissions - elasticloadbalancing:DeleteLoadBalancer
disable-s3-logging
Disable S3 access logging for Elastic Load Balancers.
- example:
  policies:
    - name: turn-off-elb-logs
      resource: elb
      filters:
        - type: is-logging
          bucket: prodbucket
      actions:
        - type: disable-s3-logging
Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes
enable-s3-logging
Action to enable S3 logging for Elastic Load Balancers.
- example:
  policies:
    - name: elb-test
      resource: elb
      filters:
        - type: is-not-logging
      actions:
        - type: enable-s3-logging
          bucket: elblogtest
          prefix: dahlogs
          emit_interval: 5
Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes
set-shield
Enable Shield protection on the applicable resources.
Setting the sync parameter also clears out stale Shield protections for resources that no longer exist.
Permissions - shield:CreateProtection, shield:ListProtections
set-ssl-listener-policy
Action to set the ELB SSL listener policy
- example:
  policies:
    - name: elb-set-listener-custom-policy
      resource: elb
      actions:
        - type: set-ssl-listener-policy
          name: SSLNegotiation-Custom-Policy-01
          attributes:
            - Protocol-SSLv3
            - Protocol-TLSv1.1
            - DHE-RSA-AES256-SHA256
Alternatively, you can select one of the AWS recommended policies (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) by giving a single attribute whose key is Reference-Security-Policy and whose value is the name of the predefined policy. For example:
  policies:
    - name: elb-set-listener-predefined-policy
      resource: elb
      actions:
        - type: set-ssl-listener-policy
          name: SSLNegotiation-Predefined-Policy-01
          attributes:
            Reference-Security-Policy: ELBSecurityPolicy-TLS-1-2-2017-01
Permissions - elasticloadbalancing:CreateLoadBalancerPolicy, elasticloadbalancing:SetLoadBalancerPoliciesOfListener