aws.elb

Filters

default-vpc

Matches if an ELB is in the default VPC.

example

policies:
  - name: elb-default-vpc
    resource: elb
    filters:
      - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type

healthcheck-protocol-mismatch

Filters ELBs that have a health check protocol mismatch.

The mismatch occurs when the protocol the ELB uses for its health check differs from the protocol its listeners use to reach the associated instances.

example

policies:
  - name: elb-healthcheck-mismatch
    resource: elb
    filters:
      - type: healthcheck-protocol-mismatch
properties:
  type:
    enum:
    - healthcheck-protocol-mismatch
required:
- type

instance

Filter ELBs by the value(s) of their associated instances.

example

policies:
  - name: elb-image-filter
    resource: elb
    filters:
      - type: instance
        key: ImageId
        value: ami-01ab23cd
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
required:
- type

is-logging

Matches ELBs that are logging to S3.

The bucket and prefix parameters are optional.

example

policies:
- name: elb-is-logging-test
  resource: elb
  filters:
    - type: is-logging

- name: elb-is-logging-bucket-and-prefix-test
  resource: elb
  filters:
    - type: is-logging
      bucket: prodlogs
      prefix: elblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-logging
required:
- type

is-not-logging

Matches ELBs that are NOT logging to S3, or that do not match the optional bucket and/or prefix.

example

policies:
    - name: elb-is-not-logging-test
      resource: elb
      filters:
        - type: is-not-logging

    - name: is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-not-logging
required:
- type

is-ssl

Filters ELBs that are using an SSL policy.

example

policies:
  - name: elb-using-ssl
    resource: elb
    filters:
      - type: is-ssl
properties:
  type:
    enum:
    - is-ssl
required:
- type

shield-enabled

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

ssl-policy

Filter ELBs on the properties of SSLNegotiation policies. TODO: Only works on custom policies at the moment.

whitelist: filter all policies containing permitted protocols
blacklist: filter all policies containing forbidden protocols

Cannot specify both whitelist & blacklist in the same policy. These must be done separately (separate policy statements).

Likewise, if you want to reduce the consideration set such that we only compare certain keys (e.g. you only want to compare the Protocol- keys), you can use the matching option with a regular expression:

example

policies:
  - name: elb-ssl-policies
    resource: elb
    filters:
      - type: ssl-policy
        blacklist:
            - "Protocol-SSLv2"
            - "Protocol-SSLv3"
  - name: elb-modern-tls
    resource: elb
    filters:
      - type: ssl-policy
        matching: "^Protocol-"
        whitelist:
            - "Protocol-TLSv1.1"
            - "Protocol-TLSv1.2"
oneOf:
- required:
  - type
  - whitelist
- required:
  - type
  - blacklist
properties:
  blacklist:
    items:
      type: string
    type: array
  matching:
    type: string
  type:
    enum:
    - ssl-policy
  whitelist:
    items:
      type: string
    type: array
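The selection logic described above, as an added illustration that is not Cloud Custodian's own implementation. It assumes that a blacklist selects any ELB whose active policy attributes include a forbidden entry, that a whitelist selects any ELB whose considered attributes include something not on the permitted list, and that matching narrows which attribute names are considered at all. The sample ELB policy attributes are constructed.

```python
import re

# Constructed sample: each ELB carries the attributes of its active
# SSLNegotiation policy as AttributeName -> AttributeValue, where the
# values are the strings "true"/"false" as the ELB API reports them.
SAMPLE_ELBS = {
    "legacy-elb": {"Protocol-SSLv3": "true", "Protocol-TLSv1.2": "true",
                   "DHE-RSA-AES256-SHA256": "true", "Protocol-SSLv2": "false"},
    "modern-elb": {"Protocol-SSLv3": "false", "Protocol-TLSv1.1": "true",
                   "Protocol-TLSv1.2": "true",
                   "ECDHE-RSA-AES128-GCM-SHA256": "true"},
}


def active_attributes(policy_attrs, matching=None):
    """Names of attributes enabled on the policy, optionally narrowed to
    those whose name matches the `matching` regex (e.g. "^Protocol-")."""
    names = [n for n, v in policy_attrs.items() if v == "true"]
    if matching:
        regex = re.compile(matching)
        names = [n for n in names if regex.match(n)]
    return set(names)


def ssl_policy_filter(elbs, whitelist=None, blacklist=None, matching=None):
    """Return {elb_name: offending attributes} for the ELBs the filter selects.

    Assumed semantics (illustration only):
      blacklist - select an ELB if any considered attribute is forbidden
      whitelist - select an ELB if any considered attribute is not permitted
    Exactly one of whitelist/blacklist must be given, as the filter requires.
    """
    if bool(whitelist) == bool(blacklist):
        raise ValueError("specify exactly one of whitelist or blacklist")
    selected = {}
    for name, attrs in elbs.items():
        active = active_attributes(attrs, matching)
        if blacklist:
            offending = active & set(blacklist)
        else:
            offending = active - set(whitelist)
        if offending:
            selected[name] = sorted(offending)
    return selected


if __name__ == "__main__":
    print(ssl_policy_filter(SAMPLE_ELBS, blacklist=["Protocol-SSLv2", "Protocol-SSLv3"]))
    print(ssl_policy_filter(SAMPLE_ELBS, matching="^Protocol-",
                            whitelist=["Protocol-TLSv1.1", "Protocol-TLSv1.2"]))
```

Running the whitelist case without matching also flags modern-elb, because its cipher attributes are not on the list; this is why the page pairs a protocol whitelist with a matching expression.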

Actions

delete

Action to delete ELB(s)

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any load balancers.

example

policies:
  - name: elb-delete-unused
    resource: elb
    filters:
      - Instances: []
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

disable-s3-logging

Disable S3 logging for Elastic Load Balancers.

example

policies:
  - name: turn-off-elb-logs
    resource: elb
    filters:
      - type: is-logging
        bucket: prodbucket
    actions:
      - type: disable-s3-logging
properties:
  type:
    enum:
    - disable-s3-logging
required:
- type

enable-s3-logging

Action to enable S3 logging for Elastic Load Balancers.

example

policies:
  - name: elb-test
    resource: elb
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: elblogtest
        prefix: dahlogs
        emit_interval: 5
properties:
  bucket:
    type: string
  emit_interval:
    type: integer
  prefix:
    type: string
  type:
    enum:
    - enable-s3-logging
required:
- type

set-shield

Enable Shield protection on applicable resources.

Setting the sync parameter also clears out stale Shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

set-ssl-listener-policy

Action to set the ELB SSL listener policy

example

policies:
  - name: elb-set-listener-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Policy-01
        attributes:
          - Protocol-SSLv3
          - Protocol-TLSv1.1
          - DHE-RSA-AES256-SHA256
properties:
  attributes:
    items:
      type: string
    type: array
  name:
    type: string
  type:
    enum:
    - set-ssl-listener-policy
required:
- name
- attributes
- type