AWS Config Rule
Check if any AWS resources are failing AWS config rule checks.
```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-config-rule
spec:
  interval: 30
  awsConfigRule:
    - description: "AWS Config Rule Checker"
      name: AWS Config Rule Checker
      rules:
        - "s3-bucket-public-read-prohibited"
      ignoreRules:
        - "s3-bucket-public-write-prohibited"
```
| Field | Description | Scheme | Required |
|---|---|---|---|
| `rules` | Specify one or more Config rule names to filter the results by rule. | `[]string` | |
| `ignoreRules` | List of rules which are omitted from the fetch result. | `[]string` | |
| `complianceTypes` | Filters the results by compliance. The allowed values are `INSUFFICIENT_DATA`, `NON_COMPLIANT`, `NOT_APPLICABLE`, `COMPLIANT`. | `[]string` | |
| `*` | All other common fields | Common | |
| **Connection** | | | |
| `connection` | Path of an existing connection, e.g. `connection://aws/instance`. Mutually exclusive with `accessKey`. | Connection | |
| `accessKey` | Mutually exclusive with `connection`. | EnvVar | Yes |
| `secretKey` | Mutually exclusive with `connection`. | EnvVar | Yes |
| `endpoint` | Custom AWS Config endpoint | string | |
| `region` | AWS region | string | |
| `skipTLSVerify` | Skip TLS verification when connecting to AWS | bool | |
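The three filter fields above (`rules`, `ignoreRules`, `complianceTypes`) combine in a way the table only implies. The following is an added example, not canary-checker's own code: it applies those filters to compliance records shaped like the entries AWS Config's `DescribeComplianceByConfigRule` API returns, and derives a pass/fail verdict. The sample records and the assumed evaluation order (restrict to `rules` if given, then drop `ignoreRules`, then keep only the requested `complianceTypes`) are constructed for illustration.

```python
"""Added example (not canary-checker's own code): apply the rules /
ignoreRules / complianceTypes filters of an awsConfigRule spec to a
set of AWS Config compliance records and derive the check verdict."""
from typing import Iterable, List

# The compliance values AWS Config reports; these are the allowed complianceTypes.
ALLOWED_COMPLIANCE = {"INSUFFICIENT_DATA", "NON_COMPLIANT", "NOT_APPLICABLE", "COMPLIANT"}


def validate_spec(spec: dict) -> None:
    """Reject complianceTypes values outside the documented set (assumption: strict)."""
    bad = set(spec.get("complianceTypes", [])) - ALLOWED_COMPLIANCE
    if bad:
        raise ValueError(f"unknown complianceTypes: {sorted(bad)}")


def filter_compliance(records: Iterable[dict], spec: dict) -> List[dict]:
    """Apply the spec's filters to compliance records.

    Each record has the shape of a DescribeComplianceByConfigRule entry:
      {"ConfigRuleName": ..., "Compliance": {"ComplianceType": ...}}
    Assumed order: keep only `rules` (when given), drop `ignoreRules`,
    then keep only the `complianceTypes` requested (when given).
    """
    validate_spec(spec)
    rules = set(spec.get("rules", []))
    ignore = set(spec.get("ignoreRules", []))
    types = set(spec.get("complianceTypes", []))
    kept = []
    for rec in records:
        name = rec["ConfigRuleName"]
        ctype = rec["Compliance"]["ComplianceType"]
        if rules and name not in rules:
            continue  # an explicit rules list restricts the fetch
        if name in ignore:
            continue  # ignoreRules always removes the rule
        if types and ctype not in types:
            continue  # complianceTypes narrows by compliance state
        kept.append(rec)
    return kept


def check_passes(records: Iterable[dict], spec: dict) -> bool:
    """The check passes when no remaining record is NON_COMPLIANT."""
    return all(
        rec["Compliance"]["ComplianceType"] != "NON_COMPLIANT"
        for rec in filter_compliance(records, spec)
    )


# Constructed sample records (not real account data), shaped like API output.
SAMPLE_RECORDS = [
    {"ConfigRuleName": "s3-bucket-public-read-prohibited",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "s3-bucket-public-write-prohibited",
     "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "root-account-mfa-enabled",
     "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "ec2-imdsv2-check",
     "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]

# The filter section of the spec shown at the top of this page.
SPEC_FROM_PAGE = {
    "rules": ["s3-bucket-public-read-prohibited"],
    "ignoreRules": ["s3-bucket-public-write-prohibited"],
}

# No rules list: everything is fetched, minus ignoreRules, narrowed to NON_COMPLIANT.
SPEC_IGNORE_ONLY = {
    "ignoreRules": ["s3-bucket-public-write-prohibited"],
    "complianceTypes": ["NON_COMPLIANT"],
}

if __name__ == "__main__":
    for label, spec in (("page spec", SPEC_FROM_PAGE), ("ignore-only spec", SPEC_IGNORE_ONLY)):
        names = [r["ConfigRuleName"] for r in filter_compliance(SAMPLE_RECORDS, spec)]
        print(f"{label}: kept={names} passes={check_passes(SAMPLE_RECORDS, spec)}")
```

Note that an empty `rules` list means "all rules", so `ignoreRules` is the only way to exclude a noisy rule without enumerating every rule you do want; and a rule that appears in both `rules` and `ignoreRules` is dropped.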
Connecting to AWS
There are 3 options when connecting to AWS:

- An AWS instance profile or pod identity (the default if no `connection` or `accessKey` is specified).
- `connection`: this is the recommended method; connections are reusable and secure.

aws-connection.yaml

```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-config-rule
spec:
  interval: 30
  awsConfigRule:
    - name: AWS Config Rule Checker
      connection: connection://aws/internal
      rules:
        - "s3-bucket-public-read-prohibited"
```

- `accessKey` and `secretKey` EnvVar with the credentials stored in a secret.

aws.yaml

```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-config-rule
spec:
  interval: 30
  awsConfigRule:
    - name: AWS Config Rule Checker
      accessKey:
        valueFrom:
          secretKeyRef:
            name: aws-credentials
            key: AWS_ACCESS_KEY_ID
      secretKey:
        valueFrom:
          secretKeyRef:
            name: aws-credentials
            key: AWS_SECRET_ACCESS_KEY
      region: us-east-1
      rules:
        - "s3-bucket-public-read-prohibited"
```