Skip to main content

AWS Config Rule

Check if any AWS resources are failing AWS config rule checks.

aws-config-rule.yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: awsconfigrule-pass
spec:
  interval: 30
  awsConfigRule:
    - name: AWS Config Rule
      region: "eu-west-1"
      complianceTypes: [NON_COMPLIANT]
      transform:
        expr: |
          results.rules.map(i,
            i.resources.map(r,
             {
              'name': i.rule + "/" + r.type + "/" + r.id,
              'description': i.rule,
              'icon': 'aws-config-alarm',
              'duration': time.Since(timestamp(r.recorded)).getMilliseconds(),
              'labels': {'id': r.id, 'type': r.type},
              'message': i.description + i.annotation + r.annotation
            })
          ).flatten().toJSON()
FieldDescriptionScheme
name*

Name of the check, must be unique within the canary

string

complianceTypes

Filters the results by compliance. The allowed values are INSUFFICIENT_DATA, NON_COMPLIANT, NOT_APPLICABLE, COMPLIANT

string

ignoredRules

List of rules which would be omitted from the fetch result

[]string

rules

Specify one or more Config rule names to filter the results by rule

[]string

description

Description for the check

string

display

Expression to change the formatting of the display

Expression

icon

Icon for overwriting default icon on the dashboard

Icon

labels

Labels for check

map[string]string

metrics

Metrics to export from

[]Metrics

test

Evaluate whether a check is healthy

Expression

transform

Transform data from a check into multiple individual checks

Expression

connection

The connection to use, mutually exclusive with accessKey and secretKey

Connection

accessKey

EnvVar

secretKey

EnvVar

region

The AWS region

string

endpoint

Custom AWS Endpoint to use

string

skipTLSVerify

Skip TLS verify when connecting to AWS

boolean

Connecting to AWS

There are 3 options when connecting to AWS:

  1. An AWS instance profile or pod identity (the default if no connection or accessKey is specified)

  2. connection, this is the recommended method, connections are reusable and secure

    aws-connection.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfigRule:
        - name: AWS Config Rule Checker
          connection: connection://aws/internal
          rules:
            - 's3-bucket-public-read-prohibited'

  3. accessKey and secretKey EnvVar with the credentials stored in a secret.

    aws.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfigRule:
        - name: AWS Config Rule Checker
          accessKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_ACCESS_KEY_ID
          secretKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_SECRET_ACCESS_KEY
          region: us-east-1
          rules:
            - 's3-bucket-public-read-prohibited'