aws.elb

Filters

attributes

Value Filter that allows filtering on ELB attributes

example:

policies:
    - name: elb-is-connection-draining
      resource: elb
      filters:
        - type: attributes
          key: ConnectionDraining.Enabled
          value: true
          op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - attributes
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

default-vpc

Matches if an elb database is in the default vpc

example:

policies:
  - name: elb-default-vpc
    resource: elb
    filters:
      - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type

Permissions - ec2:DescribeVpcs

healthcheck-protocol-mismatch

Filters ELB that have a health check protocol mismatch

The mismatch occurs if the ELB has a different protocol to check than the associated instances allow to determine health status.

example:

policies:
  - name: elb-healthcheck-mismatch
    resource: elb
    filters:
      - type: healthcheck-protocol-mismatch
properties:
  type:
    enum:
    - healthcheck-protocol-mismatch
required:
- type

instance

Filter ELB by an associated instance value(s)

example:

policies:
  - name: elb-image-filter
    resource: elb
    filters:
      - type: instance
        key: ImageId
        value: ami-01ab23cd
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ec2:DescribeInstances, ec2:DescribeTags

is-logging

Matches ELBs that are logging to S3.

bucket and prefix are optional

example:

policies:
- name: elb-is-logging-test
  resource: elb
  filters:
    - type: is-logging

- name: elb-is-logging-bucket-and-prefix-test
  resource: elb
  filters:
    - type: is-logging
      bucket: prodlogs
      prefix: elblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-logging
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

is-not-logging

Matches ELBs that are NOT logging to S3.

or do not match the optional bucket and/or prefix.

example:

policies:
    - name: elb-is-not-logging-test
      resource: elb
      filters:
        - type: is-not-logging

    - name: is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-not-logging
required:
- type

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

is-ssl

Filters ELB that are using a SSL policy

example:

policies:
  - name: elb-using-ssl
    resource: elb
    filters:
      - type: is-ssl
properties:
  type:
    enum:
    - is-ssl
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

shield-enabled

Base class with helper methods for dealing with ARNs of resources protected by Shield

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

Permissions - shield:ListProtections

ssl-policy

Filter ELBs on the properties of SSLNegotation policies. TODO: Only works on custom policies at the moment.

whitelist: filter all policies containing permitted protocols blacklist: filter all policies containing forbidden protocols

Cannot specify both whitelist & blacklist in the same policy. These must be done seperately (seperate policy statements).

Likewise, if you want to reduce the consideration set such that we only compare certain keys (e.g. you only want to compare the Protocol- keys), you can use the matching option with a regular expression:

example:

policies:
  - name: elb-ssl-policies
    resource: elb
    filters:
      - type: ssl-policy
        blacklist:
            - "Protocol-SSLv2"
            - "Protocol-SSLv3"
  - name: elb-modern-tls
    resource: elb
    filters:
      - type: ssl-policy
        matching: "^Protocol-"
        whitelist:
            - "Protocol-TLSv1.1"
            - "Protocol-TLSv1.2"
oneOf:
- required:
  - type
  - whitelist
- required:
  - type
  - blacklist
properties:
  blacklist:
    items:
      type: string
    type: array
  matching:
    type: string
  type:
    enum:
    - ssl-policy
  whitelist:
    items:
      type: string
    type: array

Permissions - elasticloadbalancing:DescribeLoadBalancerPolicies

Actions

delete

Action to delete ELB(s)

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any load balancers.

example:

policies:
  - name: elb-delete-unused
    resource: elb
    filters:
      - Instances: []
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

Permissions - elasticloadbalancing:DeleteLoadBalancer

disable-s3-logging

Disable s3 logging for ElasticLoadBalancers.

example:

policies:
  - name: turn-off-elb-logs
    resource: elb
    filters:
      - type: is-logging
        bucket: prodbucket
    actions:
      - type: disable-s3-logging
properties:
  type:
    enum:
    - disable-s3-logging
required:
- type

Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes

enable-s3-logging

Action to enable S3 logging for Elastic Load Balancers.

example:

policies:
  - name: elb-test
    resource: elb
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: elblogtest
        prefix: dahlogs
        emit_interval: 5
properties:
  bucket:
    type: string
  emit_interval:
    type: integer
  prefix:
    type: string
  type:
    enum:
    - enable-s3-logging
required:
- type

Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes

set-shield

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

Permissions - shield:CreateProtection, shield:ListProtections

set-ssl-listener-policy

Action to set the ELB SSL listener policy

example:

policies:
  - name: elb-set-listener-custom-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Custom-Policy-01
        attributes:
          - Protocol-SSLv3
          - Protocol-TLSv1.1
          - DHE-RSA-AES256-SHA256

Alternatively, you can specify one of AWS recommended policies (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) by specifying an attribute where key=Reference-Security-Policy and value=name of the predefined policy. For example:

policies:
  - name: elb-set-listener-predefined-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Predefined-Policy-01
        attributes:
          Reference-Security-Policy: ELBSecurityPolicy-TLS-1-2-2017-01
properties:
  attributes:
    anyOf:
    - type: object
    - items:
        type: string
      type: array
  name:
    type: string
  type:
    enum:
    - set-ssl-listener-policy
required:
- name
- attributes
- type

Permissions - elasticloadbalancing:CreateLoadBalancerPolicy, elasticloadbalancing:SetLoadBalancerPoliciesOfListener