Class ConfigRule

SecurityConfig / AwsConfig / AwsConfigRuleSet / ConfigRule

Description

AWS ConfigRule configuration

Example

Managed Config rule:

- name: accelerator-iam-user-group-membership-check
  complianceResourceTypes:
    - AWS::IAM::User
  identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK

Custom Config rule:

- name: accelerator-attach-ec2-instance-profile
  type: Custom
  description: Custom rule for checking EC2 instance IAM profile attachment
  inputParameters:
    customRule:
      lambda:
        sourceFilePath: path/to/function.zip
        handler: index.handler
        runtime: nodejsXX.x
        rolePolicyFile: path/to/policy.json
      periodic: true
      maximumExecutionFrequency: Six_Hours
      configurationChanges: true
      triggeringResources:
        lookupType: ResourceTypes
        lookupKey: ResourceTypes
        lookupValue:
          - AWS::EC2::Instance

Managed Config rule with remediation:

- name: accelerator-s3-bucket-server-side-encryption-enabled
  identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  complianceResourceTypes:
    - AWS::S3::Bucket
  remediation:
    rolePolicyFile: path/to/policy.json
    automatic: true
    targetId: Put-S3-Encryption
    retryAttemptSeconds: 60
    maximumAutomaticAttempts: 5
    parameters:
      - name: BucketName
        value: RESOURCE_ID
        type: String
      - name: KMSMasterKey
        value: ${ACCEL_LOOKUP::KMS}
        type: StringList

Hierarchy

ConfigRule

Implements

IConfigRule

Index

Constructors

constructor

Properties

complianceResourceTypes customRule description identifier inputParameters name remediation tags type

Constructors

constructor

new ConfigRule(): ConfigRule
Returns ConfigRule

Properties

`Readonly` complianceResourceTypes

complianceResourceTypes: string[] = []

(OPTIONAL) Defines which resources trigger an evaluation for an AWS Config rule.

`Readonly` customRule

customRule: {
    configurationChanges: boolean;
    lambda: {
        handler: string;
        rolePolicyFile: string;
        runtime: string;
        sourceFilePath: string;
        timeout: number;
    };
    maximumExecutionFrequency: string;
    periodic: boolean;
    triggeringResources: {
        lookupKey: string;
        lookupType: string;
        lookupValue: never[];
    };
} = ...

(OPTIONAL) A custom config rule is backed by AWS Lambda function. This is required when creating custom config rule.

Type declaration

configurationChanges: boolean
lambda: {
    handler: string;
    rolePolicyFile: string;
    runtime: string;
    sourceFilePath: string;
    timeout: number;
}
- handler: string
- rolePolicyFile: string
- runtime: string
- sourceFilePath: string
- timeout: number
maximumExecutionFrequency: string
periodic: boolean
triggeringResources: {
    lookupKey: string;
    lookupType: string;
    lookupValue: never[];
}
- lookupKey: string
- lookupType: string
- lookupValue: never[]

`Readonly` description

description: "" = ''

(OPTIONAL) A description about this AWS Config rule.

`Readonly` identifier

identifier: "" = ''

(OPTIONAL) The identifier of the AWS managed rule.

`Readonly` inputParameters

inputParameters: {} = {}

(OPTIONAL) Input parameter values that are passed to the AWS Config rule.

Type declaration

`Readonly` name

name: "" = ''

A name for the AWS Config rule.

Remarks

Note: Changing this value of an AWS Config Rule will trigger a new resource creation.

`Readonly` remediation

remediation: ConfigRuleRemediation = ...

A remediation for the config rule, auto remediation to automatically remediate noncompliant resources.

`Readonly` tags

tags: never[] = []

(OPTIONAL) Tags for the config rule

`Readonly` type

type: "" = ''

(OPTIONAL) Config rule type Managed or Custom. For custom config rule, this parameter value is Custom, when creating managed config rule this parameter value can be undefined or empty string

Class ConfigRule

Description

Example

Hierarchy

Implements

Index

Constructors

Properties

Constructors

constructor

Returns ConfigRule

Properties

`Readonly` complianceResourceTypes

`Readonly` customRule

Type declaration

configurationChanges: boolean

lambda: {
    handler: string;
    rolePolicyFile: string;
    runtime: string;
    sourceFilePath: string;
    timeout: number;
}

handler: string

rolePolicyFile: string

runtime: string

sourceFilePath: string

timeout: number

maximumExecutionFrequency: string

periodic: boolean

triggeringResources: {
    lookupKey: string;
    lookupType: string;
    lookupValue: never[];
}

lookupKey: string

lookupType: string

lookupValue: never[]

`Readonly` description

`Readonly` identifier

`Readonly` inputParameters

Type declaration

`Readonly` name

Remarks

`Readonly` remediation

`Readonly` tags

`Readonly` type

Settings

Member Visibility

Theme

Class ConfigRule

Description

Example

Hierarchy

Implements

Index

Constructors

Properties

Constructors

constructor

Returns ConfigRule

Properties

Readonly complianceResourceTypes

Readonly customRule

Type declaration

configurationChanges: boolean

lambda: { handler: string; rolePolicyFile: string; runtime: string; sourceFilePath: string; timeout: number; }

handler: string

rolePolicyFile: string

runtime: string

sourceFilePath: string

timeout: number

maximumExecutionFrequency: string

periodic: boolean

triggeringResources: { lookupKey: string; lookupType: string; lookupValue: never[]; }

lookupKey: string

lookupType: string

lookupValue: never[]

Readonly description

Readonly identifier

Readonly inputParameters

Type declaration

Readonly name

Remarks

Readonly remediation

Readonly tags

Readonly type

Settings

Member Visibility

Theme

`Readonly` complianceResourceTypes

`Readonly` customRule

lambda: {
handler: string;
rolePolicyFile: string;
runtime: string;
sourceFilePath: string;
timeout: number;
}

triggeringResources: {
lookupKey: string;
lookupType: string;
lookupValue: never[];
}

`Readonly` description

`Readonly` identifier

`Readonly` inputParameters

`Readonly` name

`Readonly` remediation

`Readonly` tags

`Readonly` type