AWS Config Rule
Check if any AWS resources are failing AWS config rule checks.
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: aws-config-rule
spec:
interval: 30
awsConfigRule:
- description: "AWS Config Rule Checker"
name: AWS Config Rule Checker
rules:
- "s3-bucket-public-read-prohibited"
ignoreRules:
- "s3-bucket-public-write-prohibited"
| Field | Description | Scheme | Required |
|---|---|---|---|
rules | Specify one or more Config rule names to filter the results by rule. | []string | |
ignoreRules | List of rules which would be omitted from the fetch result. | []string | |
complianceTypes | Filters the results by compliance. The allowed values are INSUFFICIENT_DATA, NON_COMPLIANT, NOT_APPLICABLE, COMPLIANT | []string | |
name | Name of the check, must be unique within the canary | string | Yes |
description | Description for the check | string | |
icon | Icon for overwriting default icon on the dashboard | string | |
labels | Labels for check | map[string]string | |
test | Evaluate whether a check is healthy | Expression | |
display | Expression to change the formatting of the display | Expression | |
transform | Transform data from a check into multiple individual checks | Expression | |
metrics | Metrics to export from | []Metrics | |
| Connection | |||
connection | Path of existing connection e.g. connection://aws/instance Mutually exclusive with accessKey Commercial Edition Required | Connection | |
accessKey | Mutually exclusive with connection | EnvVar | Yes |
secretKey | Mutually exclusive with connection | EnvVar | Yes |
endpoint | Custom AWS Config endpoint | string | |
region | AWS region | string | |
skipTLSVerify | Skip TLS verify when connecting to AWS | bool |
Connecting to AWS
There are 3 options when connecting to AWS:
An AWS instance profile or pod identity (the default if no
connectionoraccessKeyis specified)connection, this is the recommended method, connections are reusable and secureaws-connection.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: aws-config-rule
spec:
interval: 30
awsConfigRule:
- name: AWS Config Rule Checker
connection: connection://aws/internal
rules:
- "s3-bucket-public-read-prohibited"accessKeyandsecretKeyEnvVar with the credentials stored in a secret.aws.yamlapiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: aws-config-rule
spec:
interval: 30
awsConfigRule:
- name: AWS Config Rule Checker
accessKey:
valueFrom:
secretKeyRef:
name: aws-credentials
key: AWS_ACCESS_KEY_ID
secretKey:
valueFrom:
secretKeyRef:
name: aws-credentials
key: AWS_SECRET_ACCESS_KEY
region: us-east-1
rules:
- "s3-bucket-public-read-prohibited"