The CDK Construct Library for AWS::Config
Project description
AWS Config Construct Library
This is a developer preview (public beta) module. Releases might lack important features and might have future breaking changes.
This API is still under active development and subject to non-backward compatible changes or removal in any future version. Use of the API is not recommended in production environments. Experimental APIs are not subject to the Semantic Versioning model.
This module is part of the AWS Cloud Development Kit project.
Supported:
- Config rules
Not supported
- Configuration recoder
- Delivery channel
- Aggregation
Rules
AWS managed rules
To set up a managed rule, define a ManagedRule
and specify its identifier:
new ManagedRule(this, 'AccessKeysRotated', {
identifier: 'ACCESS_KEYS_ROTATED'
});
Available identifiers and parameters are listed in the List of AWS Config Managed Rules.
Higher level constructs for managed rules are available, see Managed Rules. Prefer to use those constructs when available (PRs welcome to add more of those).
Custom rules
To set up a custom rule, define a CustomRule
and specify the Lambda Function to run and the trigger types:
new CustomRule(this, 'CustomRule', {
lambdaFunction: myFn,
configurationChanges: true,
periodic: true
});
Restricting the scope
By default rules are triggered by changes to all resources. Use the scopeToResource()
, scopeToResources()
or scopeToTag()
methods to restrict the scope of both managed and custom rules:
const sshRule = new ManagedRule(this, 'SSH', {
identifier: 'INCOMING_SSH_DISABLED'
});
// Restrict to a specific security group
rule.scopeToResource('AWS::EC2::SecurityGroup', 'sg-1234567890abcdefgh');
const customRule = new CustomRule(this, 'CustomRule', {
lambdaFunction: myFn,
configurationChanges: true
});
// Restrict to a specific tag
customRule.scopeToTag('Cost Center', 'MyApp');
Only one type of scope restriction can be added to a rule (the last call to scopeToXxx()
sets the scope).
Events
To define Amazon CloudWatch event rules, use the onComplianceChange()
or onReEvaluationStatus()
methods:
const rule = new CloudFormationStackDriftDetectionCheck(this, 'Drift');
rule.onComplianceChange('TopicEvent', {
target: new targets.SnsTopic(topic))
});
Example
Creating custom and managed rules with scope restriction and events:
// A custom rule that runs on configuration changes of EC2 instances
const fn = new lambda.Function(this, 'CustomFunction', {
code: lambda.AssetCode.inline('exports.handler = (event) => console.log(event);'),
handler: 'index.handler',
runtime: lambda.Runtime.NODEJS_8_10
});
const customRule = new config.CustomRule(this, 'Custom', {
configurationChanges: true,
lambdaFunction: fn
});
customRule.scopeToResource('AWS::EC2::Instance');
// A rule to detect stacks drifts
const driftRule = new config.CloudFormationStackDriftDetectionCheck(this, 'Drift');
// Topic for compliance events
const complianceTopic = new sns.Topic(this, 'ComplianceTopic');
// Send notification on compliance change
driftRule.onComplianceChange('ComplianceChange', {
target: new targets.SnsTopic(complianceTopic)
});
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for aws-cdk.aws-config-0.38.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 345346547bcb8e0e69f58b68512002b60fd9140d850baee56259bbd7ead1507b |
|
MD5 | ccc5535a7d5173c317f326d438a0ac01 |
|
BLAKE2b-256 | 6b3af3017c4376987762fe1574b0e219393b93a9928703ff4504835d8e682b1a |
Hashes for aws_cdk.aws_config-0.38.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 3c3de5fe6f838a7606aa751772c4830c4fd273c471739e758b3a35da367ebbf2 |
|
MD5 | dd24a50e94b95d899b913de9ff491c62 |
|
BLAKE2b-256 | d8ff2e70e362f8612cfdbb9828332b5bf130fa6df8d6e9e564a235f9bbb1ea89 |