AWS Config Rule

Check if any AWS resources are failing AWS config rule checks.

```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: aws-config-rule
spec:
  interval: 30
  awsConfigRule:
    - description: "AWS Config Rule Checker"
      name: AWS Config Rule Checker
      rules:
        - "s3-bucket-public-read-prohibited"
      ignoreRules:
        - "s3-bucket-public-write-prohibited"
```
| Field | Description | Scheme | Required |
|---|---|---|---|
| `rules` | Specify one or more Config rule names to filter the results by rule. | `[]string` | |
| `ignoreRules` | List of rules which would be omitted from the fetch result. | `[]string` | |
| `complianceTypes` | Filters the results by compliance. The allowed values are `INSUFFICIENT_DATA`, `NON_COMPLIANT`, `NOT_APPLICABLE`, `COMPLIANT`. | `[]string` | |
| `*` | All other common fields | Common | |
| **Connection** | | | |
| `connection` | Path of an existing connection, e.g. `connection://aws/instance/`. Mutually exclusive with `accessKey`. | Connection | |
| `accessKey` | Mutually exclusive with `connection`. | EnvVar | Yes |
| `secretKey` | Mutually exclusive with `connection`. | EnvVar | Yes |
| `endpoint` | Custom AWS Config endpoint | string | |
| `region` | AWS region | string | |
| `skipTLSVerify` | Skip TLS verify when connecting to AWS | bool | |
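The following is an added example, not canary-checker's own code, showing how the three filter fields in the table interact when a check is evaluated against AWS Config compliance results. It assumes (these are not stated on the page) that `rules` and `complianceTypes` are passed server-side as the `ConfigRuleNames` and `ComplianceTypes` parameters of the real AWS Config `DescribeComplianceByConfigRule` API, that `ignoreRules` is applied to the fetched results, and that the check fails when any remaining rule is `NON_COMPLIANT`. The API call itself is injected as a callable so the example runs offline against constructed sample data; `fake_fetch`, `SAMPLE_COMPLIANCE` and the rule names other than the two on this page are made up for the example.

```python
"""Added example (not canary-checker's own code): a model of how the
awsConfigRule check's filters map onto AWS Config compliance results.

Assumptions, not taken from the page: `rules` and `complianceTypes` become the
ConfigRuleNames / ComplianceTypes parameters of the real AWS Config
DescribeComplianceByConfigRule API, `ignoreRules` is applied to the fetched
results, and the check fails when any remaining rule is NON_COMPLIANT.
"""
from dataclasses import dataclass, field
from typing import Callable

# The allowed values for complianceTypes, as listed in the field table.
COMPLIANCE_TYPES = frozenset(
    {"INSUFFICIENT_DATA", "NON_COMPLIANT", "NOT_APPLICABLE", "COMPLIANT"}
)


@dataclass
class AwsConfigRuleCheck:
    """The subset of the awsConfigRule spec fields this example models."""
    name: str
    rules: list[str] = field(default_factory=list)
    ignore_rules: list[str] = field(default_factory=list)
    compliance_types: list[str] = field(default_factory=list)


def request_params(check: AwsConfigRuleCheck) -> dict:
    """Build the DescribeComplianceByConfigRule arguments for a check.

    An empty `rules` or `complianceTypes` means "no filter", so the parameter
    is omitted rather than sent as an empty list. Unknown compliance types
    are rejected before any API call is made.
    """
    unknown = set(check.compliance_types) - COMPLIANCE_TYPES
    if unknown:
        raise ValueError(f"unsupported complianceTypes: {sorted(unknown)}")
    params: dict = {}
    if check.rules:
        params["ConfigRuleNames"] = list(check.rules)
    if check.compliance_types:
        params["ComplianceTypes"] = list(check.compliance_types)
    return params


def evaluate(check: AwsConfigRuleCheck, fetch: Callable[[dict], list]) -> dict:
    """Run the check against whatever `fetch` returns for the built params.

    `fetch` stands in for the API call (with boto3 that would be
    client("config").describe_compliance_by_config_rule(**params) and reading
    its ComplianceByConfigRules list); injecting it keeps the example offline.
    Rules named in ignoreRules are dropped after the fetch.
    """
    ignored = set(check.ignore_rules)
    kept = [r for r in fetch(request_params(check)) if r["ConfigRuleName"] not in ignored]
    failing = sorted(
        r["ConfigRuleName"]
        for r in kept
        if r["Compliance"]["ComplianceType"] == "NON_COMPLIANT"
    )
    return {"name": check.name, "pass": not failing, "evaluated": len(kept), "failing_rules": failing}


# Constructed sample data in the shape of ComplianceByConfigRule entries;
# the results (and the last two rule names) are made up for this example.
SAMPLE_COMPLIANCE = [
    {"ConfigRuleName": "s3-bucket-public-read-prohibited", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "s3-bucket-public-write-prohibited", "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
    {"ConfigRuleName": "encrypted-volumes", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]


def fake_fetch(params: dict) -> list:
    """Stand-in for AWS Config that applies the two server-side filters."""
    rows = SAMPLE_COMPLIANCE
    if "ConfigRuleNames" in params:
        rows = [r for r in rows if r["ConfigRuleName"] in params["ConfigRuleNames"]]
    if "ComplianceTypes" in params:
        rows = [r for r in rows if r["Compliance"]["ComplianceType"] in params["ComplianceTypes"]]
    return rows


if __name__ == "__main__":
    # The spec from the top of this page: one rule selected, one ignored.
    page_check = AwsConfigRuleCheck(
        name="AWS Config Rule Checker",
        rules=["s3-bucket-public-read-prohibited"],
        ignore_rules=["s3-bucket-public-write-prohibited"],
    )
    print(evaluate(page_check, fake_fetch))
```

With the page's spec, only `s3-bucket-public-read-prohibited` is fetched, so the ignored write rule never influences the result; `ignoreRules` matters when `rules` is left empty and every rule in the account is evaluated, which is where an intentionally accepted non-compliant rule would otherwise fail the canary.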

Connecting to AWS

There are 3 options when connecting to AWS:

1. An AWS instance profile or pod identity (the default if neither `connection` nor `accessKey` is specified).

2. A `connection`. This is the recommended method: connections are reusable and secure.

   aws-connection.yaml
   ```yaml
   apiVersion: canaries.flanksource.com/v1
   kind: Canary
   metadata:
     name: aws-config-rule
   spec:
     interval: 30
     awsConfigRule:
       - name: AWS Config Rule Checker
         connection: connection://aws/internal
         rules:
           - "s3-bucket-public-read-prohibited"
   ```

3. `accessKey` and `secretKey` as EnvVar values, with the credentials stored in a secret.

   aws.yaml
   ```yaml
   apiVersion: canaries.flanksource.com/v1
   kind: Canary
   metadata:
     name: aws-config-rule
   spec:
     interval: 30
     awsConfigRule:
       - name: AWS Config Rule Checker
         accessKey:
           valueFrom:
             secretKeyRef:
               name: aws-credentials
               key: AWS_ACCESS_KEY_ID
         secretKey:
           valueFrom:
             secretKeyRef:
               name: aws-credentials
               key: AWS_SECRET_ACCESS_KEY
         region: us-east-1
         rules:
           - "s3-bucket-public-read-prohibited"
   ```