aws.elb

Filters

attributes

Value Filter that allows filtering on ELB attributes

example:

policies:
    - name: elb-is-connection-draining
      resource: elb
      filters:
        - type: attributes
          key: ConnectionDraining.Enabled
          value: true
          op: eq

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

default-vpc

Matches if an elb database is in the default vpc

example:

policies:
  - name: elb-default-vpc
    resource: elb
    filters:
      - type: default-vpc

Permissions - ec2:DescribeVpcs

healthcheck-protocol-mismatch

Filters ELB that have a health check protocol mismatch

The mismatch occurs if the ELB has a different protocol to check than the associated instances allow to determine health status.

example:

policies:
  - name: elb-healthcheck-mismatch
    resource: elb
    filters:
      - type: healthcheck-protocol-mismatch

instance

Filter ELB by an associated instance value(s)

example:

policies:
  - name: elb-image-filter
    resource: elb
    filters:
      - type: instance
        key: ImageId
        value: ami-01ab23cd

Permissions - ec2:DescribeInstances, ec2:DescribeTags, ec2:DescribeTags

is-logging

Matches ELBs that are logging to S3.

bucket and prefix are optional

example:

policies:
- name: elb-is-logging-test
  resource: elb
  filters:
    - type: is-logging

- name: elb-is-logging-bucket-and-prefix-test
  resource: elb
  filters:
    - type: is-logging
      bucket: prodlogs
      prefix: elblogs

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

is-not-logging

Matches ELBs that are NOT logging to S3.

or do not match the optional bucket and/or prefix.

example:

policies:
    - name: elb-is-not-logging-test
      resource: elb
      filters:
        - type: is-not-logging

    - name: is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs

Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes

is-ssl

Filters ELB that are using a SSL policy

example:

policies:
  - name: elb-using-ssl
    resource: elb
    filters:
      - type: is-ssl

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

Permissions - config:GetResourceConfigHistory

shield-enabled

Base class with helper methods for dealing with ARNs of resources protected by Shield

Permissions - shield:ListProtections

ssl-policy

Filter ELBs on the properties of SSLNegotation policies. TODO: Only works on custom policies at the moment.

whitelist: filter all policies containing permitted protocols blacklist: filter all policies containing forbidden protocols

Cannot specify both whitelist & blacklist in the same policy. These must be done seperately (seperate policy statements).

Likewise, if you want to reduce the consideration set such that we only compare certain keys (e.g. you only want to compare the Protocol- keys), you can use the matching option with a regular expression:

example:

policies:
  - name: elb-ssl-policies
    resource: elb
    filters:
      - type: ssl-policy
        blacklist:
            - "Protocol-SSLv2"
            - "Protocol-SSLv3"
  - name: elb-modern-tls
    resource: elb
    filters:
      - type: ssl-policy
        matching: "^Protocol-"
        whitelist:
            - "Protocol-TLSv1.1"
            - "Protocol-TLSv1.2"

Permissions - elasticloadbalancing:DescribeLoadBalancerPolicies

Actions

delete

Action to delete ELB(s)

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any load balancers.

example:

policies:
  - name: elb-delete-unused
    resource: elb
    filters:
      - Instances: []
    actions:
      - delete

Permissions - elasticloadbalancing:DeleteLoadBalancer

disable-s3-logging

Disable s3 logging for ElasticLoadBalancers.

example:

policies:
  - name: turn-off-elb-logs
    resource: elb
    filters:
      - type: is-logging
        bucket: prodbucket
    actions:
      - type: disable-s3-logging

Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes

enable-s3-logging

Action to enable S3 logging for Elastic Load Balancers.

example:

policies:
  - name: elb-test
    resource: elb
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: elblogtest
        prefix: dahlogs
        emit_interval: 5

Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes

set-shield

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

Permissions - shield:CreateProtection, shield:ListProtections

set-ssl-listener-policy

Action to set the ELB SSL listener policy

example:

policies:
  - name: elb-set-listener-custom-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Custom-Policy-01
        attributes:
          - Protocol-SSLv3
          - Protocol-TLSv1.1
          - DHE-RSA-AES256-SHA256

Alternatively, you can specify one of AWS recommended policies (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) by specifying an attribute where key=Reference-Security-Policy and value=name of the predefined policy. For example:

policies:
  - name: elb-set-listener-predefined-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Predefined-Policy-01
        attributes:
          Reference-Security-Policy: ELBSecurityPolicy-TLS-1-2-2017-01

Permissions - elasticloadbalancing:CreateLoadBalancerPolicy, elasticloadbalancing:SetLoadBalancerPoliciesOfListener