
AWS ConfigRule configuration

Example

Managed Config rule:

- name: accelerator-iam-user-group-membership-check
  complianceResourceTypes:
    - AWS::IAM::User
  identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK

Custom Config rule:

- name: accelerator-attach-ec2-instance-profile
  type: Custom
  description: Custom rule for checking EC2 instance IAM profile attachment
  inputParameters:
  customRule:
    lambda:
      sourceFilePath: path/to/function.zip
      handler: index.handler
      runtime: nodejs14.x
      rolePolicyFile: path/to/policy.json
    periodic: true
    maximumExecutionFrequency: Six_Hours
    configurationChanges: true
    triggeringResources:
      lookupType: ResourceTypes
      lookupKey: ResourceTypes
      lookupValue:
        - AWS::EC2::Instance

Managed Config rule with remediation:

- name: accelerator-s3-bucket-server-side-encryption-enabled
  identifier: S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED
  complianceResourceTypes:
    - AWS::S3::Bucket
  remediation:
    rolePolicyFile: path/to/policy.json
    automatic: true
    targetId: Put-S3-Encryption
    retryAttemptSeconds: 60
    maximumAutomaticAttempts: 5
    parameters:
      - name: BucketName
        value: RESOURCE_ID
        type: String
      - name: KMSMasterKey
        value: ${ACCEL_LOOKUP::KMS}
        type: StringList
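
The entries above are deployed as written, so a mistake (a Custom rule without its Lambda, a rule with no trigger, automatic remediation with no target) only surfaces at deployment time. As an added illustration that is not part of the accelerator's own code, the following lint pass checks entries of the shape documented on this page before they are deployed; the field names are the documented ones, the specific checks are this example's reading of the property descriptions, and the sample entries are constructed here.

```typescript
// Added illustration, not the accelerator's own code: a pre-deployment lint for
// ConfigRule entries shaped like the documented examples. The checks are this
// example's reading of the property descriptions, not rules from the project.
interface LambdaSpec { sourceFilePath?: string; handler?: string; runtime?: string; rolePolicyFile?: string }
interface CustomRuleSpec {
  lambda?: LambdaSpec; periodic?: boolean; configurationChanges?: boolean; maximumExecutionFrequency?: string;
}
interface RemediationSpec {
  automatic?: boolean; targetId?: string; rolePolicyFile?: string;
  maximumAutomaticAttempts?: number; retryAttemptSeconds?: number;
}
interface ConfigRuleEntry {
  name: string; type?: string; identifier?: string; complianceResourceTypes?: string[];
  customRule?: CustomRuleSpec; remediation?: RemediationSpec;
}

// Returns the findings for one entry; an empty list means every check passed.
function lintConfigRule(rule: ConfigRuleEntry): string[] {
  const issues: string[] = [];
  const tag = rule.name || '<unnamed>';
  if (!rule.name) issues.push('rule has no name');
  if (rule.type === 'Custom') {
    const c = rule.customRule;
    if (!c) issues.push(`${tag}: type is Custom but customRule is missing`);
    else {
      for (const k of ['sourceFilePath', 'handler', 'runtime'] as const) {
        if (!c.lambda?.[k]) issues.push(`${tag}: customRule.lambda.${k} is missing`);
      }
      // Without periodic or configurationChanges the rule would never evaluate anything.
      if (!c.periodic && !c.configurationChanges) issues.push(`${tag}: no trigger (periodic or configurationChanges)`);
      if (c.periodic && !c.maximumExecutionFrequency) issues.push(`${tag}: periodic rule needs maximumExecutionFrequency`);
    }
  } else {
    // Anything that is not Custom is a managed rule and must name the AWS managed rule.
    if (!rule.identifier) issues.push(`${tag}: managed rule needs an AWS managed rule identifier`);
    if (rule.customRule) issues.push(`${tag}: customRule given but type is not Custom`);
  }
  const r = rule.remediation;
  if (r?.automatic) {
    if (!r.targetId) issues.push(`${tag}: automatic remediation needs targetId`);
    if ((r.maximumAutomaticAttempts ?? 0) < 1) issues.push(`${tag}: maximumAutomaticAttempts must be at least 1`);
  }
  return issues;
}

// Constructed sample entries: two mirroring the documented examples, one deliberately incomplete.
const managedRule: ConfigRuleEntry = { name: 'accelerator-iam-user-group-membership-check',
  identifier: 'IAM_USER_GROUP_MEMBERSHIP_CHECK', complianceResourceTypes: ['AWS::IAM::User'] };
const customRule: ConfigRuleEntry = { name: 'accelerator-attach-ec2-instance-profile', type: 'Custom',
  customRule: { lambda: { sourceFilePath: 'path/to/function.zip', handler: 'index.handler', runtime: 'nodejs14.x' },
    periodic: true, maximumExecutionFrequency: 'Six_Hours', configurationChanges: true } };
const brokenRule: ConfigRuleEntry = { name: 'broken-rule', type: 'Custom',
  customRule: { lambda: { handler: 'index.handler' } }, remediation: { automatic: true } };
console.log(lintConfigRule(brokenRule));
```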

Hierarchy

  • ConfigRule

Properties

complianceResourceTypes: string[] = []

Defines which resources trigger an evaluation for an AWS Config rule.

customRule: { configurationChanges: boolean; lambda: { handler: string; rolePolicyFile: string; runtime: string; sourceFilePath: string; timeout: number }; maximumExecutionFrequency: string; periodic: boolean; triggeringResources: { lookupKey: string; lookupType: string; lookupValue: never[] } } = ...

A custom Config rule is backed by an AWS Lambda function. This property is required when creating a custom Config rule.

Type declaration

  • configurationChanges: boolean
  • lambda: { handler: string; rolePolicyFile: string; runtime: string; sourceFilePath: string; timeout: number }
    • handler: string
    • rolePolicyFile: string
    • runtime: string
    • sourceFilePath: string
    • timeout: number
  • maximumExecutionFrequency: string
  • periodic: boolean
  • triggeringResources: { lookupKey: string; lookupType: string; lookupValue: never[] }
    • lookupKey: string
    • lookupType: string
    • lookupValue: never[]
description: "" = ''

A description of this AWS Config rule.

identifier: "" = ''

The identifier of the AWS managed rule.

inputParameters: {} = {}

Input parameter values that are passed to the AWS Config rule.

Type declaration

name: "" = ''

A name for the AWS Config rule.

remediation: { automatic: boolean; maximumAutomaticAttempts: number; parameters: never[]; retryAttemptSeconds: number; rolePolicyFile: string; targetAccountName: string; targetDocumentLambda: { handler: string; rolePolicyFile: string; runtime: string; sourceFilePath: string; timeout: number }; targetId: string; targetVersion: string } = ...

Remediation settings for the Config rule; with automatic remediation enabled, noncompliant resources are remediated without manual action.

Type declaration

  • automatic: boolean
  • maximumAutomaticAttempts: number
  • parameters: never[]
  • retryAttemptSeconds: number
  • rolePolicyFile: string
  • targetAccountName: string
  • targetDocumentLambda: { handler: string; rolePolicyFile: string; runtime: string; sourceFilePath: string; timeout: number }
    • handler: string
    • rolePolicyFile: string
    • runtime: string
    • sourceFilePath: string
    • timeout: number
  • targetId: string
  • targetVersion: string
tags: never[] = []

Tags for the Config rule.

type: "" = ''

Config rule type, Managed or Custom. For a custom Config rule this value is Custom; when creating a managed Config rule it can be undefined or an empty string.

    Generated using TypeDoc