Skip to main content

AWS Config Rule

Check if any AWS resources are failing AWS config rule checks.

apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
name: aws-config-rule
spec:
interval: 30
awsConfigRule:
- description: "AWS Config Rule Checker"
name: AWS Config Rule Checker
rules:
- "s3-bucket-public-read-prohibited"
ignoreRules:
- "s3-bucket-public-write-prohibited"
FieldDescriptionSchemeRequired
rulesSpecify one or more Config rule names to filter the results by rule.[]string
ignoreRulesList of rules which would be omitted from the fetch result.[]string
complianceTypesFilters the results by compliance. The allowed values are INSUFFICIENT_DATA, NON_COMPLIANT, NOT_APPLICABLE, COMPLIANT[]string
nameName of the check, must be unique within the canarystringYes
descriptionDescription for the checkstring
iconIcon for overwriting default icon on the dashboardstring
labelsLabels for checkmap[string]string
testEvaluate whether a check is healthyExpression
displayExpression to change the formatting of the displayExpression
transformTransform data from a check into multiple individual checksExpression
metricsMetrics to export from[]Metrics
Connection
connection Connection
accessKey Mutually exclusive with connection EnvVarYes
secretKey Mutually exclusive with connection EnvVarYes
endpointCustom AWS Config endpointstring
regionAWS regionstring
skipTLSVerifySkip TLS verify when connecting to AWSbool

Connecting to AWS

There are 3 options when connecting to AWS:

  1. An AWS instance profile or pod identity (the default if no connection or accessKey is specified)

  2. connection, this is the recommended method, connections are reusable and secure

    aws-connection.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
    name: aws-config-rule
    spec:
    interval: 30
    awsConfigRule:
    - name: AWS Config Rule Checker
    connection: connection://aws/internal
    rules:
    - "s3-bucket-public-read-prohibited"
  3. accessKey and secretKey EnvVar with the credentials stored in a secret.

    aws.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
    name: aws-config-rule
    spec:
    interval: 30
    awsConfigRule:
    - name: AWS Config Rule Checker
    accessKey:
    valueFrom:
    secretKeyRef:
    name: aws-credentials
    key: AWS_ACCESS_KEY_ID
    secretKey:
    valueFrom:
    secretKeyRef:
    name: aws-credentials
    key: AWS_SECRET_ACCESS_KEY
    region: us-east-1
    rules:
    - "s3-bucket-public-read-prohibited"