aws.elb
Filters
attributes
Value Filter that allows filtering on ELB attributes
- example:
policies:
    - name: elb-is-connection-draining
      resource: elb
      filters:
        - type: attributes
          key: ConnectionDraining.Enabled
          value: true
          op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - attributes
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
default-vpc
Matches if an ELB is in the default VPC
- example:
policies:
  - name: elb-default-vpc
    resource: elb
    filters:
      - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type
Permissions - ec2:DescribeVpcs
healthcheck-protocol-mismatch
Filters ELBs that have a health check protocol mismatch
A mismatch occurs when the protocol the ELB uses for its health check differs from the protocol its listeners use to reach the associated instances, so the check cannot reliably determine health status.
- example:
policies:
  - name: elb-healthcheck-mismatch
    resource: elb
    filters:
      - type: healthcheck-protocol-mismatch
properties:
  type:
    enum:
    - healthcheck-protocol-mismatch
required:
- type
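The following is an added example, not Cloud Custodian's own code: a small Python check that applies the mismatch rule described above to a constructed DescribeLoadBalancers-style document. The rule it assumes is that the protocol named in HealthCheck.Target (the text before the first ':') must be one of the InstanceProtocol values of the ELB's listeners; the sample load balancers and their names are constructed for the example.

```python
# Added example (not Cloud Custodian's code): healthcheck-protocol-mismatch
# evaluated over constructed DescribeLoadBalancers-style records.
# Assumed rule: the HealthCheck.Target protocol must match at least one
# listener's InstanceProtocol, otherwise the ELB is selected.


def healthcheck_protocol(elb):
    """Protocol part of the health check target, e.g. 'HTTP' for 'HTTP:80/health'."""
    return elb["HealthCheck"]["Target"].split(":", 1)[0].upper()


def instance_protocols(elb):
    """Set of protocols the ELB's listeners use towards the backend instances."""
    return {ld["Listener"]["InstanceProtocol"].upper()
            for ld in elb["ListenerDescriptions"]}


def has_healthcheck_mismatch(elb):
    """True when the health check probes with a protocol no listener uses for instances."""
    return healthcheck_protocol(elb) not in instance_protocols(elb)


def find_mismatched(elbs):
    """Names of the ELBs the filter would select."""
    return [elb["LoadBalancerName"] for elb in elbs if has_healthcheck_mismatch(elb)]


# Constructed sample data, trimmed to the fields the check reads.
SAMPLE_ELBS = [
    {   # health check and listener both speak HTTP to the backend: consistent
        "LoadBalancerName": "web-ok",
        "HealthCheck": {"Target": "HTTP:80/health"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                          "InstanceProtocol": "HTTP", "InstancePort": 80}}],
    },
    {   # listener forwards HTTPS to instances but the check only does a TCP handshake
        "LoadBalancerName": "api-mismatch",
        "HealthCheck": {"Target": "TCP:443"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTPS", "InstancePort": 443}}],
    },
    {   # TCP passthrough with a TCP health check: consistent
        "LoadBalancerName": "tcp-ok",
        "HealthCheck": {"Target": "TCP:8080"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "TCP", "LoadBalancerPort": 8080,
                          "InstanceProtocol": "TCP", "InstancePort": 8080}},
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                          "InstanceProtocol": "HTTP", "InstancePort": 80}}],
    },
]

if __name__ == "__main__":
    print(find_mismatched(SAMPLE_ELBS))
```

The check is deliberately strict: a TCP probe against an HTTPS backend is reported as a mismatch even though the TCP handshake may succeed, because it says nothing about whether the TLS service is actually healthy.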
instance
Filter ELBs by the value(s) of an attribute of their associated instances
- example:
policies:
  - name: elb-image-filter
    resource: elb
    filters:
      - type: instance
        key: ImageId
        value: ami-01ab23cd
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - instance
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - ec2:DescribeInstances, ec2:DescribeTags
is-logging
- Matches ELBs that are logging to S3.
- bucket and prefix are optional; when given, the ELB must be logging to that bucket and/or prefix.
- example:
policies:
- name: elb-is-logging-test
  resource: elb
  filters:
    - type: is-logging
- name: elb-is-logging-bucket-and-prefix-test
  resource: elb
  filters:
    - type: is-logging
      bucket: prodlogs
      prefix: elblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-logging
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
is-not-logging
- Matches ELBs that are NOT logging to S3,
- or whose logging does not match the optional bucket and/or prefix.
- example:
policies:
    - name: elb-is-not-logging-test
      resource: elb
      filters:
        - type: is-not-logging
    - name: is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-not-logging
required:
- type
Permissions - elasticloadbalancing:DescribeLoadBalancerAttributes
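As an added example (not Cloud Custodian's code), the following Python shows how the optional bucket and prefix narrow the is-logging and is-not-logging filters above, using constructed DescribeLoadBalancerAttributes-style records. The filter semantics assumed are the ones stated in the two descriptions: is-logging requires AccessLog.Enabled and, when given, an exact match on S3BucketName and S3BucketPrefix; is-not-logging is its complement, so an ELB that logs to the wrong bucket counts as "not logging" to the expected one. The apply_filter helper and the sample ELB names are assumptions for the example.

```python
# Added example (not Cloud Custodian's code): is-logging / is-not-logging with
# optional bucket and prefix, over constructed DescribeLoadBalancerAttributes data.


def access_log(attrs):
    """The AccessLog section of a DescribeLoadBalancerAttributes response."""
    return attrs["LoadBalancerAttributes"]["AccessLog"]


def is_logging(attrs, bucket=None, prefix=None):
    """True when access logging is enabled and, if given, bucket and prefix both match."""
    log = access_log(attrs)
    if not log.get("Enabled", False):
        return False
    if bucket is not None and log.get("S3BucketName") != bucket:
        return False
    if prefix is not None and log.get("S3BucketPrefix") != prefix:
        return False
    return True


def is_not_logging(attrs, bucket=None, prefix=None):
    """Complement of is_logging: disabled, or enabled but to another bucket/prefix."""
    return not is_logging(attrs, bucket, prefix)


FILTERS = {"is-logging": is_logging, "is-not-logging": is_not_logging}


def apply_filter(elbs, filter_spec):
    """Names of ELBs selected by a policy filter such as
    {'type': 'is-logging', 'bucket': 'prodlogs', 'prefix': 'elblogs'}."""
    check = FILTERS[filter_spec["type"]]
    return [name for name, attrs in elbs.items()
            if check(attrs, filter_spec.get("bucket"), filter_spec.get("prefix"))]


# Constructed sample data: one ELB logging where it should, one logging to
# the wrong bucket, one not logging at all.
SAMPLE_ATTRS = {
    "prod-web": {"LoadBalancerAttributes": {"AccessLog": {
        "Enabled": True, "S3BucketName": "prodlogs",
        "S3BucketPrefix": "elblogs", "EmitInterval": 5}}},
    "prod-api": {"LoadBalancerAttributes": {"AccessLog": {
        "Enabled": True, "S3BucketName": "scratch-bucket",
        "S3BucketPrefix": "elblogs", "EmitInterval": 60}}},
    "dev-web": {"LoadBalancerAttributes": {"AccessLog": {"Enabled": False}}},
}

if __name__ == "__main__":
    print(apply_filter(SAMPLE_ATTRS, {"type": "is-not-logging", "bucket": "prodlogs"}))
```

Pairing is-not-logging with a bucket is the useful form for a compliance policy: it catches both load balancers with logging switched off and those whose logs are drifting into an unexpected bucket.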
is-ssl
Filters ELBs that are using an SSL policy
- example:
policies:
  - name: elb-using-ssl
    resource: elb
    filters:
      - type: is-ssl
properties:
  type:
    enum:
    - is-ssl
required:
- type
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date (selector: date), against the previous version (selector: previous), or against a locked version (selector: locked, which requires use of the is-locked filter).
properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type
Permissions - config:GetResourceConfigHistory
shield-enabled
Filters ELBs by whether AWS Shield protection exists for the resource's ARN; state selects protected (true) or unprotected (false) load balancers.
properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type
Permissions - shield:ListProtections
ssl-policy
Filter ELBs on the properties of SSLNegotiation policies. TODO: Only works on custom policies at the moment.
whitelist: filter all policies containing permitted protocols
blacklist: filter all policies containing forbidden protocols
Cannot specify both whitelist and blacklist in the same policy. These must be done separately (separate policy statements).
Likewise, if you want to reduce the set of attributes under consideration so that only certain keys are compared (e.g. you only want to compare the Protocol- keys), you can use the matching option with a regular expression:
- example:
policies:
  - name: elb-ssl-policies
    resource: elb
    filters:
      - type: ssl-policy
        blacklist:
            - "Protocol-SSLv2"
            - "Protocol-SSLv3"
  - name: elb-modern-tls
    resource: elb
    filters:
      - type: ssl-policy
        matching: "^Protocol-"
        whitelist:
            - "Protocol-TLSv1.1"
            - "Protocol-TLSv1.2"
oneOf:
- required:
  - type
  - whitelist
- required:
  - type
  - blacklist
properties:
  blacklist:
    items:
      type: string
    type: array
  matching:
    type: string
  type:
    enum:
    - ssl-policy
  whitelist:
    items:
      type: string
    type: array
Permissions - elasticloadbalancing:DescribeLoadBalancerPolicies
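The following Python is an added example, not Cloud Custodian's implementation, showing the whitelist/blacklist/matching semantics of the ssl-policy filter over constructed DescribeLoadBalancerPolicies-style data. It assumes the rules stated above: with blacklist, an ELB matches when any enabled attribute of the SSL negotiation policies attached to its listeners is in the blacklist; with whitelist, it matches when any enabled attribute is outside the whitelist; matching narrows the attributes considered to names matching the regular expression (anchored at the start, as with re.match). The policy descriptions, ELB names and the prohibited_attributes helper are constructed for the example.

```python
# Added example (not Cloud Custodian's code): ssl-policy whitelist / blacklist /
# matching over constructed DescribeLoadBalancerPolicies-style records.
import re


def active_ssl_attributes(elb, policy_descriptions, matching=None):
    """Attribute names set to 'true' in SSL negotiation policies attached to the
    ELB's listeners.  With `matching`, only names matching the regex are kept."""
    attached = set()
    for ld in elb["ListenerDescriptions"]:
        attached.update(ld.get("PolicyNames", []))
    enabled = set()
    for policy in policy_descriptions:
        if policy["PolicyName"] not in attached:
            continue
        if policy["PolicyTypeName"] != "SSLNegotiationPolicyType":
            continue
        for attr in policy["PolicyAttributeDescriptions"]:
            if attr["AttributeValue"] != "true":
                continue
            if matching and not re.match(matching, attr["AttributeName"]):
                continue
            enabled.add(attr["AttributeName"])
    return enabled


def prohibited_attributes(elb, policy_descriptions, whitelist=None,
                          blacklist=None, matching=None):
    """Sorted attributes that make the ELB match the filter; [] means no match.
    blacklist: enabled attributes found in the blacklist.
    whitelist: enabled attributes not found in the whitelist."""
    if whitelist and blacklist:
        raise ValueError("whitelist and blacklist must be used in separate policies")
    if not whitelist and not blacklist:
        raise ValueError("one of whitelist or blacklist is required")
    enabled = active_ssl_attributes(elb, policy_descriptions, matching)
    if blacklist:
        return sorted(enabled & set(blacklist))
    return sorted(enabled - set(whitelist))


def _policy(name, enabled, disabled=()):
    """Build a constructed SSLNegotiationPolicyType description."""
    attrs = [{"AttributeName": a, "AttributeValue": "true"} for a in enabled]
    attrs += [{"AttributeName": a, "AttributeValue": "false"} for a in disabled]
    return {"PolicyName": name, "PolicyTypeName": "SSLNegotiationPolicyType",
            "PolicyAttributeDescriptions": attrs}


def _elb(name, policy_name):
    return {"LoadBalancerName": name, "ListenerDescriptions": [
        {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                      "InstanceProtocol": "HTTP", "InstancePort": 80},
         "PolicyNames": [policy_name]}]}


# Constructed sample data: a legacy custom policy that still allows SSLv3 and
# TLSv1, and a modern one limited to TLSv1.1+ with one ECDHE cipher.
LEGACY_ELB = _elb("legacy-elb", "legacy-ssl")
MODERN_ELB = _elb("modern-elb", "modern-tls")
POLICIES = {
    "legacy-elb": [_policy("legacy-ssl",
                           ["Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.2", "AES128-SHA"],
                           ["Protocol-SSLv2"])],
    "modern-elb": [_policy("modern-tls",
                           ["Protocol-TLSv1.1", "Protocol-TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"],
                           ["Protocol-SSLv3", "Protocol-TLSv1"])],
}

if __name__ == "__main__":
    for elb in (LEGACY_ELB, MODERN_ELB):
        name = elb["LoadBalancerName"]
        print(name, prohibited_attributes(elb, POLICIES[name], matching="^Protocol-",
                                          whitelist=["Protocol-TLSv1.1", "Protocol-TLSv1.2"]))
```

The last assertion in the test illustrates why matching is worth setting with a whitelist: without it, every enabled cipher attribute is compared against a whitelist that only lists protocols, so a perfectly acceptable ELB is reported because of its cipher entries.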
Actions
delete
Action to delete ELB(s)
It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any load balancers.
- example:
policies:
  - name: elb-delete-unused
    resource: elb
    filters:
      - Instances: []
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type
Permissions - elasticloadbalancing:DeleteLoadBalancer
disable-s3-logging
Disable S3 access logging for Elastic Load Balancers.
- example:
policies:
  - name: turn-off-elb-logs
    resource: elb
    filters:
      - type: is-logging
        bucket: prodbucket
    actions:
      - type: disable-s3-logging
properties:
  type:
    enum:
    - disable-s3-logging
required:
- type
Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes
enable-s3-logging
Action to enable S3 logging for Elastic Load Balancers.
- example:
policies:
  - name: elb-test
    resource: elb
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: elblogtest
        prefix: dahlogs
        emit_interval: 5
properties:
  bucket:
    type: string
  emit_interval:
    type: integer
  prefix:
    type: string
  type:
    enum:
    - enable-s3-logging
required:
- type
Permissions - elasticloadbalancing:ModifyLoadBalancerAttributes
set-shield
Enable shield protection on applicable resource.
Setting the sync parameter will also clear out stale Shield protections for resources that no longer exist.
properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type
Permissions - shield:CreateProtection, shield:ListProtections
set-ssl-listener-policy
Action to set the ELB SSL listener policy
- example:
policies:
  - name: elb-set-listener-custom-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Custom-Policy-01
        attributes:
          - Protocol-SSLv3
          - Protocol-TLSv1.1
          - DHE-RSA-AES256-SHA256
Alternatively, you can select one of the AWS recommended policies (https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html) by specifying a single attribute whose key is Reference-Security-Policy and whose value is the name of the predefined policy. For example:
policies:
  - name: elb-set-listener-predefined-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Predefined-Policy-01
        attributes:
          Reference-Security-Policy: ELBSecurityPolicy-TLS-1-2-2017-01
properties:
  attributes:
    anyOf:
    - type: object
    - items:
        type: string
      type: array
  name:
    type: string
  type:
    enum:
    - set-ssl-listener-policy
required:
- name
- attributes
- type
Permissions - elasticloadbalancing:CreateLoadBalancerPolicy, elasticloadbalancing:SetLoadBalancerPoliciesOfListener
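As an added example (not Cloud Custodian's code), the Python below turns the two attribute forms accepted by set-ssl-listener-policy into the parameters of the two ELB API calls named in the permissions above, without making any call. It assumes that a list of attribute names means each is enabled ("true"), that a mapping is passed through as key/value pairs (which is how Reference-Security-Policy is carried), and that the policy is applied to the front-end port of every listener whose protocol is HTTPS or SSL; the plan_set_ssl_listener_policy helper and the sample load balancers are constructed for the example. The parameter names follow boto3's create_load_balancer_policy and set_load_balancer_policies_of_listener.

```python
# Added example (not Cloud Custodian's code): build the request parameters that
# set-ssl-listener-policy would need, for both attribute forms.


def policy_attributes(attributes):
    """Translate the action's `attributes` into CreateLoadBalancerPolicy PolicyAttributes.
    List form: every named attribute is enabled.  Mapping form: pairs passed verbatim,
    e.g. {'Reference-Security-Policy': 'ELBSecurityPolicy-TLS-1-2-2017-01'}."""
    if isinstance(attributes, list):
        return [{"AttributeName": name, "AttributeValue": "true"} for name in attributes]
    if isinstance(attributes, dict):
        return [{"AttributeName": k, "AttributeValue": str(v)} for k, v in attributes.items()]
    raise TypeError("attributes must be a list of names or a mapping")


def ssl_listener_ports(elb):
    """Front-end ports of listeners that terminate TLS (HTTPS or SSL); assumed to be
    the only listeners an SSL negotiation policy applies to."""
    return [ld["Listener"]["LoadBalancerPort"] for ld in elb["ListenerDescriptions"]
            if ld["Listener"]["Protocol"].upper() in ("HTTPS", "SSL")]


def plan_set_ssl_listener_policy(elb, name, attributes):
    """Return the parameters for the create and set calls, or None when the ELB
    has no TLS listener (nothing to apply the policy to)."""
    ports = ssl_listener_ports(elb)
    if not ports:
        return None
    lb_name = elb["LoadBalancerName"]
    create = {
        "LoadBalancerName": lb_name,
        "PolicyName": name,
        "PolicyTypeName": "SSLNegotiationPolicyType",
        "PolicyAttributes": policy_attributes(attributes),
    }
    set_calls = [{"LoadBalancerName": lb_name, "LoadBalancerPort": port, "PolicyNames": [name]}
                 for port in ports]
    return {"create_load_balancer_policy": create,
            "set_load_balancer_policies_of_listener": set_calls}


# Constructed sample load balancers.
TLS_ELB = {"LoadBalancerName": "shop-elb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}},
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}}]}
HTTP_ONLY_ELB = {"LoadBalancerName": "intranet-elb", "ListenerDescriptions": [
    {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                  "InstanceProtocol": "HTTP", "InstancePort": 80}}]}

PREDEFINED = {"Reference-Security-Policy": "ELBSecurityPolicy-TLS-1-2-2017-01"}

if __name__ == "__main__":
    print(plan_set_ssl_listener_policy(TLS_ELB, "SSLNegotiation-Predefined-Policy-01", PREDEFINED))
```

Using the Reference-Security-Policy form keeps the protocol and cipher choices with AWS's maintained predefined policies; the list form expresses a custom policy and must enumerate every protocol and cipher to enable.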