aws.elb

Filters

attributes

Value filter over the ELB's load balancer attributes (the document returned by DescribeLoadBalancerAttributes: AccessLog, ConnectionDraining, CrossZoneLoadBalancing and so on). key is a path into that document and is compared to value with op.

example

policies:
    - name: elb-is-connection-draining
      resource: elb
      filters:
        - type: attributes
          key: ConnectionDraining.Enabled
          value: true
          op: eq
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - attributes
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

default-vpc

Matches ELBs that are deployed in the account's default VPC.

example

policies:
  - name: elb-default-vpc
    resource: elb
    filters:
      - type: default-vpc
properties:
  type:
    enum:
    - default-vpc
required:
- type

healthcheck-protocol-mismatch

Filters ELBs that have a health check protocol mismatch.

The mismatch occurs when the protocol used by the health check (the part of the HealthCheck Target before the colon, e.g. HTTP in HTTP:80/health) is not the instance protocol of any of the ELB's listeners, i.e. the health check probes the instances over a protocol the load balancer never uses to reach them.

example

policies:
  - name: elb-healthcheck-mismatch
    resource: elb
    filters:
      - type: healthcheck-protocol-mismatch
properties:
  type:
    enum:
    - healthcheck-protocol-mismatch
required:
- type
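The check described above, as an added example that is not Cloud Custodian's own code: it evaluates DescribeLoadBalancers-shaped records (constructed sample data, not real account output) and treats protocols as matching only when they are equal, so an HTTP health check against an HTTPS instance listener is reported as a mismatch.

```python
"""Added example (not Cloud Custodian's own code): reproduce the
healthcheck-protocol-mismatch test over DescribeLoadBalancers-shaped
dictionaries. All load balancer records below are constructed sample data."""


def healthcheck_protocol(elb):
    """Classic ELB health check targets look like "HTTP:80/health",
    "TCP:443" or "SSL:443"; the protocol is everything before the colon."""
    return elb["HealthCheck"]["Target"].split(":", 1)[0].upper()


def has_healthcheck_protocol_mismatch(elb):
    """True when no listener forwards to the instances with the same protocol
    the health check uses. An ELB with no listeners at all also counts as
    mismatched: nothing on the instance side is being exercised by traffic."""
    hc_proto = healthcheck_protocol(elb)
    listeners = elb.get("ListenerDescriptions", [])
    if not listeners:
        return True
    return not any(
        ld["Listener"]["InstanceProtocol"].upper() == hc_proto
        for ld in listeners
    )


def find_mismatched(elbs):
    """Names of the load balancers the filter would match."""
    return [e["LoadBalancerName"] for e in elbs
            if has_healthcheck_protocol_mismatch(e)]


# Constructed sample data in the shape of DescribeLoadBalancers output.
SAMPLE_ELBS = [
    {   # HTTP health check and HTTP instance listener: consistent
        "LoadBalancerName": "web-prod",
        "HealthCheck": {"Target": "HTTP:80/health"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTP", "InstancePort": 80}}],
    },
    {   # TCP health check, but instances are only reached over HTTPS
        "LoadBalancerName": "api-prod",
        "HealthCheck": {"Target": "TCP:8443"},
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTPS", "InstancePort": 8443}}],
    },
    {   # no listeners at all
        "LoadBalancerName": "orphan",
        "HealthCheck": {"Target": "HTTP:80/"},
        "ListenerDescriptions": [],
    },
]


if __name__ == "__main__":
    print(find_mismatched(SAMPLE_ELBS))
```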

instance

Filter ELBs by attribute value(s) of their registered EC2 instances; key is matched against each instance's EC2 description (for example ImageId).

example

policies:
  - name: elb-image-filter
    resource: elb
    filters:
      - type: instance
        key: ImageId
        value: ami-01ab23cd
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

is-logging

Matches ELBs that have access logging to S3 enabled.

bucket and prefix are optional; when given, the ELB must be logging to that bucket and/or under that prefix.

example

policies:
- name: elb-is-logging-test
  resource: elb
  filters:
    - type: is-logging

- name: elb-is-logging-bucket-and-prefix-test
  resource: elb
  filters:
    - type: is-logging
      bucket: prodlogs
      prefix: elblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-logging
required:
- type

is-not-logging

Matches ELBs that are NOT logging to S3, or whose logging does not match the optional bucket and/or prefix.

example

policies:
    - name: elb-is-not-logging-test
      resource: elb
      filters:
        - type: is-not-logging

    - name: is-not-logging-bucket-and-prefix-test
      resource: app-elb
      filters:
        - type: is-not-logging
          bucket: prodlogs
          prefix: alblogs
properties:
  bucket:
    type: string
  prefix:
    type: string
  type:
    enum:
    - is-not-logging
required:
- type

is-ssl

Filters ELBs that terminate TLS, i.e. have at least one HTTPS or SSL listener (and therefore an SSL negotiation policy).

example

policies:
  - name: elb-using-ssl
    resource: elb
    filters:
      - type: is-ssl
properties:
  type:
    enum:
    - is-ssl
required:
- type

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Uses AWS Config as the resource revision database.

Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

shield-enabled

Matches ELBs by whether an AWS Shield Advanced protection exists for them; state selects whether to match protected (true) or unprotected (false) load balancers.

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

ssl-policy

Filter ELBs on the attributes of their SSLNegotiation policies. TODO: Only works on custom policies at the moment.

whitelist: match ELBs whose active policy attributes include anything not in the list (only the listed protocols/ciphers are permitted).
blacklist: match ELBs whose active policy attributes include any of the listed (forbidden) entries.

Cannot specify both whitelist & blacklist in the same filter. These must be done separately (separate policy statements).

Likewise, if you want to reduce the consideration set so that only certain keys are compared (e.g. you only want to compare the Protocol- keys and not the cipher suites), use the matching option with a regular expression:

example

policies:
  - name: elb-ssl-policies
    resource: elb
    filters:
      - type: ssl-policy
        blacklist:
            - "Protocol-SSLv2"
            - "Protocol-SSLv3"
  - name: elb-modern-tls
    resource: elb
    filters:
      - type: ssl-policy
        matching: "^Protocol-"
        whitelist:
            - "Protocol-TLSv1.1"
            - "Protocol-TLSv1.2"
oneOf:
- required:
  - type
  - whitelist
- required:
  - type
  - blacklist
properties:
  blacklist:
    items:
      type: string
    type: array
  matching:
    type: string
  type:
    enum:
    - ssl-policy
  whitelist:
    items:
      type: string
    type: array
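The whitelist/blacklist comparison and the effect of matching, as an added example that is not Cloud Custodian's own code. Policy records follow the DescribeLoadBalancerPolicies shape and the ELB records the DescribeLoadBalancers shape; all data is constructed, and the attribute list is a small subset of the real SSL negotiation policy attributes.

```python
"""Added example (not Cloud Custodian's own code): the whitelist/blacklist
comparison behind the ssl-policy filter, including the `matching` regex that
narrows which policy attributes are compared. All records are constructed."""

import re

# Attribute names of a Classic ELB SSL negotiation policy (a small subset).
ALL_ATTRS = [
    "Protocol-SSLv2", "Protocol-SSLv3", "Protocol-TLSv1",
    "Protocol-TLSv1.1", "Protocol-TLSv1.2",
    "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA256",
    "Server-Defined-Preference-Order",
]


def _ssl_policy(name, enabled):
    """Constructed SSLNegotiationPolicyType policy with the given attributes on."""
    return {
        "PolicyName": name,
        "PolicyTypeName": "SSLNegotiationPolicyType",
        "PolicyAttributeDescriptions": [
            {"AttributeName": a, "AttributeValue": "true" if a in enabled else "false"}
            for a in ALL_ATTRS
        ],
    }


def _elb(name, listener_protocol, policy=None):
    """Constructed DescribeLoadBalancers record with a single listener."""
    return {
        "LoadBalancerName": name,
        "ListenerDescriptions": [{
            "Listener": {"Protocol": listener_protocol, "LoadBalancerPort": 443,
                         "InstanceProtocol": "HTTP", "InstancePort": 80},
            "PolicyNames": [policy["PolicyName"]] if policy else [],
        }],
        "PolicyDescriptions": [policy] if policy else [],
    }


SAMPLE_ELBS = [
    _elb("legacy", "HTTPS", _ssl_policy("legacy-ssl", {
        "Protocol-SSLv3", "Protocol-TLSv1", "Protocol-TLSv1.2",
        "DHE-RSA-AES256-SHA256", "Server-Defined-Preference-Order"})),
    _elb("modern", "HTTPS", _ssl_policy("modern-ssl", {
        "Protocol-TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
        "Server-Defined-Preference-Order"})),
    _elb("plain-http", "HTTP"),
]


def active_ssl_attributes(elb, matching=None):
    """Attribute names set to "true" on SSL negotiation policies attached to the
    ELB's HTTPS/SSL listeners, optionally narrowed to those matching a regex."""
    attached = set()
    for ld in elb.get("ListenerDescriptions", []):
        if ld["Listener"]["Protocol"].upper() in ("HTTPS", "SSL"):
            attached.update(ld.get("PolicyNames", []))
    active = set()
    for pol in elb.get("PolicyDescriptions", []):
        if (pol["PolicyName"] in attached
                and pol.get("PolicyTypeName") == "SSLNegotiationPolicyType"):
            for attr in pol["PolicyAttributeDescriptions"]:
                if attr["AttributeValue"].lower() == "true":
                    active.add(attr["AttributeName"])
    if matching:
        pattern = re.compile(matching)
        active = {a for a in active if pattern.search(a)}
    return active


def ssl_policy_filter(elbs, whitelist=None, blacklist=None, matching=None):
    """Return (name, sorted prohibited attributes) for each ELB that fails.
    blacklist: fails if any listed attribute is active.
    whitelist: fails if any active attribute is not listed."""
    if bool(whitelist) == bool(blacklist):
        raise ValueError("specify exactly one of whitelist or blacklist")
    results = []
    for elb in elbs:
        active = active_ssl_attributes(elb, matching)
        prohibited = active & set(blacklist) if blacklist else active - set(whitelist)
        if prohibited:
            results.append((elb["LoadBalancerName"], sorted(prohibited)))
    return results


if __name__ == "__main__":
    print(ssl_policy_filter(SAMPLE_ELBS, blacklist=["Protocol-SSLv2", "Protocol-SSLv3"]))
    print(ssl_policy_filter(SAMPLE_ELBS, matching="^Protocol-",
                            whitelist=["Protocol-TLSv1.1", "Protocol-TLSv1.2"]))
```

Running the whitelist case without matching also flags the "modern" ELB, because its cipher suite and preference-order attributes are not in the whitelist either; that is why the elb-modern-tls policy above restricts the comparison to Protocol- keys.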

Actions

delete

Action to delete ELB(s)

It is recommended to apply a filter to the delete policy to avoid unwanted deletion of any load balancers.

example

policies:
  - name: elb-delete-unused
    resource: elb
    filters:
      - Instances: []
    actions:
      - delete
properties:
  type:
    enum:
    - delete
required:
- type

disable-s3-logging

Disable S3 access logging for Elastic Load Balancers. Access logs are frequently the only per-request record available during an investigation, so scope the filter narrowly before attaching this action.

example

policies:
  - name: turn-off-elb-logs
    resource: elb
    filters:
      - type: is-logging
        bucket: prodbucket
    actions:
      - type: disable-s3-logging
properties:
  type:
    enum:
    - disable-s3-logging
required:
- type

enable-s3-logging

Action to enable S3 access logging for Elastic Load Balancers. emit_interval is in minutes; Classic ELB access logs support only 5 or 60.

example

policies:
  - name: elb-test
    resource: elb
    filters:
      - type: is-not-logging
    actions:
      - type: enable-s3-logging
        bucket: elblogtest
        prefix: dahlogs
        emit_interval: 5
properties:
  bucket:
    type: string
  emit_interval:
    type: integer
  prefix:
    type: string
  type:
    enum:
    - enable-s3-logging
required:
- type
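The bucket/prefix matching behind is-logging and is-not-logging, together with the attribute update enable-s3-logging would apply, as an added example that is not Cloud Custodian's own code. It works over DescribeLoadBalancerAttributes-shaped records (constructed sample data) and returns the LoadBalancerAttributes payload in the shape ModifyLoadBalancerAttributes accepts; it does not call AWS.

```python
"""Added example (not Cloud Custodian's own code): is-logging /
is-not-logging matching and the enable-s3-logging attribute update,
evaluated over constructed DescribeLoadBalancerAttributes-shaped records."""

# Classic ELB access logs can only be emitted every 5 or 60 minutes.
VALID_EMIT_INTERVALS = (5, 60)


def is_logging(attrs, bucket=None, prefix=None):
    """True when AccessLog is enabled and, where given, points at the expected
    bucket and prefix. A prefix of "" only matches an ELB logging to the
    bucket root."""
    log = attrs.get("AccessLog", {})
    if not log.get("Enabled", False):
        return False
    if bucket is not None and log.get("S3BucketName") != bucket:
        return False
    if prefix is not None and log.get("S3BucketPrefix", "") != prefix:
        return False
    return True


def is_not_logging(attrs, bucket=None, prefix=None):
    """Complement of is_logging: disabled, or logging somewhere else."""
    return not is_logging(attrs, bucket, prefix)


def enable_s3_logging_attributes(bucket, prefix="", emit_interval=60):
    """Build the LoadBalancerAttributes document that turns logging on (the
    shape ModifyLoadBalancerAttributes accepts), rejecting invalid intervals."""
    if emit_interval not in VALID_EMIT_INTERVALS:
        raise ValueError(
            f"emit_interval must be one of {VALID_EMIT_INTERVALS}, got {emit_interval}")
    if not bucket:
        raise ValueError("an S3 bucket name is required")
    return {
        "AccessLog": {
            "Enabled": True,
            "S3BucketName": bucket,
            "S3BucketPrefix": prefix,
            "EmitInterval": emit_interval,
        }
    }


def remediation_plan(attributes_by_name, bucket, prefix, emit_interval=60):
    """ELBs that fail is-not-logging against the required destination, each
    paired with the attribute update that would bring them into line."""
    return {
        name: enable_s3_logging_attributes(bucket, prefix, emit_interval)
        for name, attrs in attributes_by_name.items()
        if is_not_logging(attrs, bucket=bucket, prefix=prefix)
    }


# Constructed sample data keyed by load balancer name.
SAMPLE_ATTRIBUTES = {
    "web-prod": {"AccessLog": {"Enabled": True, "S3BucketName": "prodlogs",
                               "S3BucketPrefix": "elblogs", "EmitInterval": 60}},
    "web-stage": {"AccessLog": {"Enabled": True, "S3BucketName": "scratch-bucket",
                                "S3BucketPrefix": "elblogs", "EmitInterval": 5}},
    "web-legacy": {"AccessLog": {"Enabled": False, "EmitInterval": 60}},
}


if __name__ == "__main__":
    for name, update in remediation_plan(SAMPLE_ATTRIBUTES, "prodlogs", "elblogs").items():
        print(name, "->", update["AccessLog"])
```

Note that "web-stage" is logging, but not to the required bucket, so is-not-logging with bucket: prodlogs still matches it; the bucket and prefix arguments check the destination, not merely whether logging is on.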

set-shield

Enable AWS Shield Advanced protection on matching ELBs (state: true) or remove it (state: false).

Setting the sync parameter will also clear out stale Shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

set-ssl-listener-policy

Action to create an SSL negotiation policy with the given attributes (Protocol-* and cipher suite names as used by Classic ELB SSL negotiation policies) and set it on the ELB's SSL listeners. The example below lists Protocol-SSLv3 only to show the syntax; SSLv3 is insecure and should not be enabled in practice (the ssl-policy filter above blacklists it for exactly that reason).

example

policies:
  - name: elb-set-listener-policy
    resource: elb
    actions:
      - type: set-ssl-listener-policy
        name: SSLNegotiation-Policy-01
        attributes:
          - Protocol-SSLv3
          - Protocol-TLSv1.1
          - DHE-RSA-AES256-SHA256
properties:
  attributes:
    items:
      type: string
    type: array
  name:
    type: string
  type:
    enum:
    - set-ssl-listener-policy
required:
- name
- attributes
- type