SecurityConfig / AwsConfig / AwsConfigRuleSet / ConfigRule

AWS ConfigRule configuration

Example

Managed Config rule:

- name: accelerator-iam-user-group-membership-check
  complianceResourceTypes:
    - AWS::IAM::User
  identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK

Custom Config rule:

- name: accelerator-attach-ec2-instance-profile
  type: Custom
  description: Custom rule for checking EC2 instance IAM profile attachment
  inputParameters:
  customRule:
    lambda:
      sourceFilePath: path/to/function.zip
      handler: index.handler
      runtime: nodejs14.x
      rolePolicyFile: path/to/policy.json
    periodic: true
    maximumExecutionFrequency: Six_Hours
    configurationChanges: true
    triggeringResources:
      lookupType: ResourceTypes
      lookupKey: ResourceTypes
      lookupValue:
        - AWS::EC2::Instance

Managed Config rule with remediation:

- name: accelerator-s3-bucket-server-side-encryption-enabled
  identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  complianceResourceTypes:
    - AWS::S3::Bucket
  remediation:
    rolePolicyFile: path/to/policy.json
    automatic: true
    targetId: Put-S3-Encryption
    retryAttemptSeconds: 60
    maximumAutomaticAttempts: 5
    parameters:
      - name: BucketName
        value: RESOURCE_ID
        type: String
      - name: KMSMasterKey
        value: ${ACCEL_LOOKUP::KMS}
        type: StringList

Hierarchy

  • ConfigRule

Properties

complianceResourceTypes: string[] = []

(OPTIONAL) Defines which resources trigger an evaluation for an AWS Config rule.

customRule: {
    configurationChanges: boolean;
    lambda: {
        handler: string;
        rolePolicyFile: string;
        runtime: string;
        sourceFilePath: string;
        timeout: number;
    };
    maximumExecutionFrequency: string;
    periodic: boolean;
    triggeringResources: {
        lookupKey: string;
        lookupType: string;
        lookupValue: never[];
    };
} = ...

(OPTIONAL) A custom Config rule is backed by an AWS Lambda function. This block is required when creating a custom Config rule.

Type declaration

  • configurationChanges: boolean

    Whether to run the rule on configuration changes.

    Default: false

  • lambda: {
        handler: string;
        rolePolicyFile: string;
        runtime: string;
        sourceFilePath: string;
        timeout: number;
    }

    The Lambda function to run.

    • handler: string

      The name of the method within your code that Lambda calls to execute your function. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-features.html#gettingstarted-features-programmingmodel.

    • rolePolicyFile: string

      Lambda execution role policy definition file

    • runtime: string

      The runtime environment for the Lambda function that you are uploading. For valid values, see the Runtime property in the AWS Lambda Developer Guide.

    • sourceFilePath: string

The source code file path of your Lambda function. This is a zip file containing the Lambda function; the file must be available in the config repository.

    • timeout: number

      Lambda timeout duration in seconds

  • maximumExecutionFrequency: string

    The maximum frequency at which the AWS Config rule runs evaluations.

    Default: MaximumExecutionFrequency.TWENTY_FOUR_HOURS

  • periodic: boolean

    Whether to run the rule on a fixed frequency.

    Default: true

  • triggeringResources: {
        lookupKey: string;
        lookupType: string;
        lookupValue: never[];
    }

    Defines which resources trigger an evaluation for an AWS Config rule.

    • lookupKey: string

      Resource lookup key. Resources can be looked up by tag or by type; when looking up by tag, this field holds the tag name.

    • lookupType: string

      An enum identifying how triggering resources are selected. Possible values: ResourceId, Tag, or ResourceTypes.

      Triggering resources can be looked up by resource ID, by tag, or by resource type.

    • lookupValue: never[]

      Resource lookup value. When looking up by tag, this field holds the tag value to search for.

description: "" = ''

(OPTIONAL) A description about this AWS Config rule.

identifier: "" = ''

(OPTIONAL) The identifier of the AWS managed rule.

inputParameters: {} = {}

(OPTIONAL) Input parameter values that are passed to the AWS Config rule.

name: "" = ''

A name for the AWS Config rule.

Remarks

Note: Changing the name of an AWS Config rule triggers creation of a new resource.

remediation: {
    automatic: boolean;
    maximumAutomaticAttempts: number;
    parameters: never[];
    retryAttemptSeconds: number;
    rolePolicyFile: string;
    targetAccountName: string;
    targetDocumentLambda: {
        handler: string;
        rolePolicyFile: string;
        runtime: string;
        sourceFilePath: string;
        timeout: number;
    };
    targetId: string;
    targetVersion: string;
} = ...

A remediation for the Config rule; automatic remediation fixes noncompliant resources without manual intervention.

Type declaration

  • automatic: boolean

    The remediation is triggered automatically.

  • maximumAutomaticAttempts: number

    The maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.

    For example, if you specify MaximumAutomaticAttempts as 5 with RetryAttemptSeconds as 50 seconds, AWS Config will put a RemediationException on your behalf for the failing resource after the 5th failed attempt within 50 seconds.

  • parameters: never[]

    List of remediation parameters

  • retryAttemptSeconds: number

    Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.

    For example, if you specify RetryAttemptSeconds as 50 seconds and MaximumAutomaticAttempts as 5, AWS Config will run auto-remediations 5 times within 50 seconds before throwing an exception.

  • rolePolicyFile: string

    Remediation assume-role policy definition JSON file. This file must be present in the config repository.

    Create your own custom remediation actions using AWS Systems Manager Automation documents. When a role needs to be created to perform custom remediation actions, its permissions are defined in this file.

  • targetAccountName: string

    Name of the account that owns the public document used to perform custom remediation actions. The Accelerator creates these documents in the Audit account and shares them with other accounts.

  • targetDocumentLambda: {
        handler: string;
        rolePolicyFile: string;
        runtime: string;
        sourceFilePath: string;
        timeout: number;
    }

    Target SSM document remediation Lambda function

    • handler: string

      The name of the method within your code that Lambda calls to execute your function. The format includes the file name. It can also include namespaces and other qualifiers, depending on the runtime. For more information, see https://docs.aws.amazon.com/lambda/latest/dg/gettingstarted-features.html#gettingstarted-features-programmingmodel.

    • rolePolicyFile: string

      Lambda execution role policy definition file

    • runtime: string

      The runtime environment for the Lambda function that you are uploading. For valid values, see the Runtime property in the AWS Lambda Developer Guide.

    • sourceFilePath: string

      The source code file path of your Lambda function. This is a zip file containing the Lambda function; the file must be available in the config repository.

    • timeout: number

      Lambda function execution timeout in seconds

  • targetId: string

    Target ID is the name of the public document: the AWS SSM document used to perform custom remediation actions.

  • targetVersion: string

    Version of the target, for example the version of the SSM document.

    If you make backward-incompatible changes to the SSM document, you must call the PutRemediationConfiguration API again to ensure the remediations can run.

tags: never[] = []

(OPTIONAL) Tags for the config rule

type: "" = ''

(OPTIONAL) Config rule type, Managed or Custom. For a custom Config rule this value is Custom; for a managed Config rule it can be undefined or an empty string.
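The constraints stated in the property definitions above, and illustrated by the three YAML examples at the top of the page, can be checked before a configuration is deployed. The TypeScript below is an added example written for this page; it is not code from the Landing Zone Accelerator project. The property names are the page's own; the function names `validateConfigRule`, `effectiveRemediation` and `validateAll`, the `SAMPLE_RULES` constant, and the rule named `constructed-broken-rule` are assumptions of the example.

```typescript
// Added example, not part of the Landing Zone Accelerator code base: a checker
// for ConfigRule entries as documented on this page. Property names are the
// page's; the checks encode the documented constraints (a Custom rule needs a
// customRule block, a managed rule needs an identifier, lookupType is one of
// ResourceId, Tag or ResourceTypes, remediation defaults of 5 attempts and
// 60 seconds). Function names and the sample rules are constructed here.

type LambdaSpec = { sourceFilePath: string; handler: string; runtime: string; rolePolicyFile: string; timeout?: number };
type TriggeringResources = { lookupType: string; lookupKey: string; lookupValue: string[] };
type CustomRule = {
  lambda: LambdaSpec;
  periodic?: boolean;                 // documented default: true
  maximumExecutionFrequency?: string; // documented default: TWENTY_FOUR_HOURS
  configurationChanges?: boolean;     // documented default: false
  triggeringResources: TriggeringResources;
};
type Remediation = {
  rolePolicyFile: string; automatic: boolean; targetId: string;
  targetAccountName?: string; targetVersion?: string;
  retryAttemptSeconds?: number; maximumAutomaticAttempts?: number;
  parameters?: { name: string; value: string; type: string }[];
};
type ConfigRule = {
  name: string; type?: string; description?: string; identifier?: string;
  complianceResourceTypes?: string[]; inputParameters?: Record<string, string>;
  customRule?: CustomRule; remediation?: Remediation;
};

const LOOKUP_TYPES = ["ResourceId", "Tag", "ResourceTypes"];
const LAMBDA_REQUIRED = ["sourceFilePath", "handler", "runtime", "rolePolicyFile"] as const;

// Returns the list of problems found; an empty list means the rule is
// consistent with the constraints described on this page.
function validateConfigRule(rule: ConfigRule): string[] {
  const problems: string[] = [];
  if (!rule.name) problems.push("name is required");

  if (rule.type === "Custom") {
    const cr = rule.customRule;
    if (!cr) {
      problems.push("type Custom requires customRule");
    } else {
      for (const f of LAMBDA_REQUIRED) {
        if (!cr.lambda?.[f]) problems.push(`customRule.lambda.${f} is required`);
      }
      const tr = cr.triggeringResources;
      if (LOOKUP_TYPES.indexOf(tr?.lookupType ?? "") < 0) {
        problems.push("triggeringResources.lookupType must be ResourceId, Tag or ResourceTypes");
      }
      if (tr?.lookupType === "Tag" && !tr.lookupKey) problems.push("Tag lookup requires lookupKey (the tag name)");
      if (!(tr?.lookupValue?.length)) problems.push("triggeringResources.lookupValue must not be empty");
      // periodic defaults to true and configurationChanges to false, so a rule
      // with no trigger at all only arises when periodic is disabled explicitly.
      if (!(cr.periodic ?? true) && !(cr.configurationChanges ?? false)) {
        problems.push("customRule has no trigger: enable periodic or configurationChanges");
      }
    }
  } else if (rule.type === undefined || rule.type === "" || rule.type === "Managed") {
    if (!rule.identifier) problems.push("managed rule requires identifier");
  } else {
    problems.push(`unknown rule type "${rule.type}"`);
  }

  const r = rule.remediation;
  if (r) {
    if (!r.targetId) problems.push("remediation.targetId (SSM document name) is required");
    if (!r.rolePolicyFile) problems.push("remediation.rolePolicyFile is required");
    if (r.automatic && (r.maximumAutomaticAttempts ?? 5) < 1) problems.push("maximumAutomaticAttempts must be at least 1");
  }
  return problems;
}

// Fills in the documented defaults so the effective auto-remediation settings
// are visible before the rule is deployed.
function effectiveRemediation(r: Remediation): { retryAttemptSeconds: number; maximumAutomaticAttempts: number } {
  return { retryAttemptSeconds: r.retryAttemptSeconds ?? 60, maximumAutomaticAttempts: r.maximumAutomaticAttempts ?? 5 };
}

// Sample input (constructed): the three rules from the examples on this page,
// plus one invalid rule that declares type Custom without a customRule block.
const SAMPLE_RULES: ConfigRule[] = [
  { name: "accelerator-iam-user-group-membership-check", complianceResourceTypes: ["AWS::IAM::User"], identifier: "IAM_USER_GROUP_MEMBERSHIP_CHECK" },
  { name: "accelerator-attach-ec2-instance-profile", type: "Custom", description: "Custom rule for checking EC2 instance IAM profile attachment",
    customRule: { lambda: { sourceFilePath: "path/to/function.zip", handler: "index.handler", runtime: "nodejs14.x", rolePolicyFile: "path/to/policy.json" },
      periodic: true, maximumExecutionFrequency: "Six_Hours", configurationChanges: true,
      triggeringResources: { lookupType: "ResourceTypes", lookupKey: "ResourceTypes", lookupValue: ["AWS::EC2::Instance"] } } },
  { name: "accelerator-s3-bucket-server-side-encryption-enabled", identifier: "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED", complianceResourceTypes: ["AWS::S3::Bucket"],
    remediation: { rolePolicyFile: "path/to/policy.json", automatic: true, targetId: "Put-S3-Encryption", retryAttemptSeconds: 60, maximumAutomaticAttempts: 5,
      parameters: [{ name: "BucketName", value: "RESOURCE_ID", type: "String" }, { name: "KMSMasterKey", value: "${ACCEL_LOOKUP::KMS}", type: "StringList" }] } },
  { name: "constructed-broken-rule", type: "Custom" },
];

// Validates every rule and returns the problems keyed by rule name.
function validateAll(rules: ConfigRule[]): Record<string, string[]> {
  const report: Record<string, string[]> = {};
  for (const rule of rules) report[rule.name] = validateConfigRule(rule);
  return report;
}

for (const rule of SAMPLE_RULES) {
  const problems = validateConfigRule(rule);
  console.log(problems.length ? `${rule.name}: ${problems.join("; ")}` : `${rule.name}: OK`);
}
```

Run with ts-node: the three page examples pass and the constructed rule reports its missing customRule block. Catching a Custom rule with no Lambda or no trigger, or an automatic remediation without its rolePolicyFile, before deployment avoids a rule that silently never evaluates or a remediation that fails on every attempt.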

    Generated using TypeDoc