aws.rest-stage

Filters

• client-certificate

• config-compliance

• event

• finding

• json-diff

• marked-for-op

• ops-item

• reduce

• tag-count

• value

• waf-enabled

• wafv2-enabled

client-certificate

Filter API stages by a client certificate

example

policies:
  - name: rest-stages-old-certificate
    resource: rest-stage
    filters:
      - type: client-certificate
        key: createdDate
        value_type: age
        value: 90
        op: greater-than

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - client-certificate
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
required:
- type

Permissions - apigateway:GET

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

waf-enabled

Filter API Gateway stage by waf-regional web-acl

example

policies:
  - name: filter-apigw-waf-regional
    resource: rest-stage
    filters:
      - type: waf-enabled
        state: false
        web-acl: test

properties:
  state:
    type: boolean
  type:
    enum:
    - waf-enabled
  web-acl:
    type: string
required:
- type

Permissions - waf:ListWebACLs, waf:GetWebACL

wafv2-enabled

Filter API Gateway stage by wafv2 web-acl

example

policies:
  - name: filter-wafv2-apigw
    resource: rest-stage
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: testv2

properties:
  state:
    type: boolean
  type:
    enum:
    - wafv2-enabled
  web-acl:
    type: string
required:
- type

Permissions - wafv2:ListWebACLs

Actions

• auto-tag-user

• copy-related-tag

• delete

• invoke-lambda

• invoke-sfn

• mark-for-op

• notify

• post-finding

• post-item

• put-metric

• remove-tag

• set-waf

• set-wafv2

• tag

• update

• webhook

delete

Delete an api stage

example

policies:
  - name: delete-rest-stage
    resource: rest-stage
    filters:
      - methodSettings."*/*".cachingEnabled: true
    actions:
      - type: delete

properties:
  type:
    enum:
    - delete
required:
- type

Permissions - apigateway:DELETE

set-waf

Enable waf protection on API Gateway stage.

example

policies:
  - name: set-waf-for-stage
    resource: rest-stage
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
    actions:
      - type: set-waf
        state: true
        web-acl: test

  - name: disassociate-wafv2-associate-waf-regional-apigw
    resource: rest-stage
    filters:
      - type: wafv2-enabled
        state: true
    actions:
      - type: set-waf
        state: true
        web-acl: test

properties:
  state:
    type: boolean
  type:
    enum:
    - set-waf
  web-acl:
    type: string
required:
- web-acl
- type

Permissions - waf-regional:AssociateWebACL, waf-regional:ListWebACLs

set-wafv2

Enable wafv2 protection on API Gateway stage.

example

policies:
  - name: set-wafv2-for-stage
    resource: rest-stage
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: testv2
    actions:
      - type: set-wafv2
        state: true
        web-acl: testv2

  - name: disassociate-waf-regional-associate-wafv2-apigw
    resource: rest-stage
    filters:
      - type: waf-enabled
        state: true
    actions:
      - type: set-wafv2
        state: true
        web-acl: testv2

properties:
  state:
    type: boolean
  type:
    enum:
    - set-wafv2
  web-acl:
    type: string
required:
- type

Permissions - wafv2:AssociateWebACL, wafv2:ListWebACLs

update

Update/remove values of an api stage

example

policies:
  - name: disable-stage-caching
    resource: rest-stage
    filters:
      - methodSettings."*/*".cachingEnabled: true
    actions:
      - type: update
        patch:
          - op: replace
            path: /*/*/caching/enabled
            value: 'false'

properties:
  patch:
    items:
      additonalProperties: false
      properties:
        from:
          type: string
        op:
          enum:
          - add
          - remove
          - update
          - copy
          - replace
          - test
        path:
          type: string
        value:
          type: string
      required:
      - op
      - path
      type: object
    type: array
  type:
    enum:
    - update
required:
- patch
- type

Permissions - apigateway:PATCH