Rule Development Kit Library for AWS Config
RDKlib
RDKlib is a Python library to enable you to run custom AWS Config Rules at scale. The library can be used to:
Help you to focus only on the compliance logic, while the library does the heavy lifting
Ease maintenance by moving the boilerplate code into an AWS Lambda Layer
Ease deployment by using AWS Serverless Application Repository
RDKLib works in synergy with the AWS Config Rule Development Kit (https://github.com/awslabs/aws-config-rdk).
Getting Started
Install the library locally
pip install git+https://github.com/awslabs/aws-config-rdklib
Create a rule using the RDK
The runtime of your RDK rule has to be set to python3.6-lib so that the RDK generates the RDKlib rule template for you.
For a periodic trigger:
rdk create YOUR_RULE_NAME --runtime python3.6-lib --maximum-frequency TwentyFour_Hours
For a configuration change trigger (for example, on S3 buckets):
rdk create YOUR_RULE_NAME --runtime python3.6-lib --resource-types AWS::S3::Bucket
Note: you need to install the RDK (see https://github.com/awslabs/aws-config-rdk#getting-started)
Deploy your rule with RDKlib layer
RDKLib is designed to work as an AWS Lambda Layer. It allows you to use the library without needing to include it in your deployment package.
Install RDKlib layer (with AWS CLI)
aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib --stack-name RDKlib-Layer
# Copy/paste the full change-set ARN from the output into the following command
aws cloudformation execute-change-set --change-set-name NAME_OF_THE_CHANGE_SET
aws cloudformation describe-stack-resources --stack-name serverlessrepo-RDKlib-Layer
# Copy the ARN of the Lambda layer from the "PhysicalResourceId" key (e.g. arn:aws:lambda:YOUR_REGION:YOUR_ACCOUNT:layer:rdklib-layer:1). Note that the ARN is pinned to a layer version.
Note: You can do the same step manually by going to https://console.aws.amazon.com/lambda/home#/create/function?tab=serverlessApps and searching for "rdklib".
Deploy the rule
rdk deploy YOUR_RULE_NAME --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARN
Dev Guide
class ClientFactory
- method build_client()
Create or reuse a boto3 client. It minimizes the number of STS calls by reusing an existing client if one is already available.
Request Syntax
client = client_factory.build_client(service='string')
Parameter
service (string) – [REQUIRED]
The boto3 name of the AWS service
class ConfigRule
- method evaluate_parameters()
Used to analyze the validity of the input parameters of the Config Rule.
Parameter
rule_parameters (dict)
The input parameters of the Config Rule.
- Return Syntax
If one of the parameters is invalid, raise an InvalidParametersError.
raise InvalidParametersError("Error message to display")
If the parameters are all valid, return a dict.
return valid_rule_parameters
- method evaluate_change()
Used to evaluate a Configuration Change triggered rule.
Parameters
event
Lambda event provided by Config.
client_factory (ClientFactory)
ClientFactory object to be used in this rule.
configuration_item (dict)
The full configuration item. When Config sends an oversized change notification instead of the item itself, the library retrieves the complete item for you, so the rule always sees the full configuration.
valid_rule_parameters (dict)
The output of the evaluate_parameters() method.
- Return Syntax
Return a list of Evaluation object(s).
return [Evaluation()]
It can be an empty list if there is nothing to evaluate.
- method evaluate_periodic()
Used to evaluate a Periodic triggered rule.
Parameters
event
Lambda event provided by Config.
client_factory (ClientFactory)
ClientFactory object to be used in this rule.
valid_rule_parameters (dict)
The output of the evaluate_parameters() method.
- Return Syntax
Return a list of Evaluation object(s).
return [Evaluation()]
It can be an empty list if there is nothing to evaluate.
class Evaluation
Class for the Evaluation object.
Request Syntax
evaluation = Evaluation(
complianceType='ComplianceType',
complianceResourceId='string',
annotation='string',
complianceResourceType='string')
Parameter
complianceType (ComplianceType) [REQUIRED]
Compliance type of the evaluation.
complianceResourceId (string) [OPTIONAL]
ResourceId of the evaluation. It gets autopopulated for Configuration Change triggered rules; for Periodic rules you must set it yourself.
annotation (string) [OPTIONAL]
Annotation for the evaluation. It gets shortened to 255 characters automatically.
complianceResourceType (string) [OPTIONAL]
ResourceType of the evaluation. It gets autopopulated for Configuration Change triggered rules; for Periodic rules you must set it yourself.
class ComplianceType
Class for the ComplianceType object.
Request Syntax
Evaluation will display as “Compliant”
compliance_type = ComplianceType.COMPLIANT
Evaluation will display as “Non Compliant”
compliance_type = ComplianceType.NON_COMPLIANT
Evaluation will not be displayed:
compliance_type = ComplianceType.NOT_APPLICABLE
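The following is an added example, not code from rdklib or the RDK, showing how the classes above fit together in one Configuration Change triggered rule for AWS::S3::Bucket: evaluate_parameters() rejects a bad input with InvalidParametersError, evaluate_change() returns a list with one Evaluation, and ClientFactory.build_client() is used only when the configuration item does not already carry the data. The compliance logic is kept in plain functions so it can be unit-tested without deploying. Assumptions made here: the rule parameter RequireMfaDelete is hypothetical; the Evaluator entry point in lambda_handler is what the RDK-generated template wires in and is not documented on this page; the BucketVersioningConfiguration key under supplementaryConfiguration is the shape Config records for S3 buckets; and when rdklib is not importable the code falls back to minimal stand-ins that mirror the documented interface, which are not rdklib.

```python
# Added example (not rdklib's own code): change-triggered rule for S3 bucket versioning.
try:
    # Evaluator is assumed from the RDK-generated rule template, not from this page.
    from rdklib import ConfigRule, Evaluation, ComplianceType, Evaluator, InvalidParametersError
except ImportError:
    # Stand-ins mirroring the documented interface so the logic runs in a local
    # test without the RDKlib layer. They are not rdklib.
    class ComplianceType:
        COMPLIANT = "COMPLIANT"
        NON_COMPLIANT = "NON_COMPLIANT"
        NOT_APPLICABLE = "NOT_APPLICABLE"

    class InvalidParametersError(Exception):
        pass

    class Evaluation:
        def __init__(self, complianceType, annotation=None):
            self.compliance_type = complianceType
            self.annotation = annotation

    class ConfigRule:
        pass

    Evaluator = None


def parse_parameters(rule_parameters):
    """Validate input parameters. RequireMfaDelete (hypothetical) is optional and
    must be 'true' or 'false'; anything else raises InvalidParametersError so the
    rule never runs with a misread setting."""
    raw = str((rule_parameters or {}).get("RequireMfaDelete", "false")).strip().lower()
    if raw not in ("true", "false"):
        raise InvalidParametersError("RequireMfaDelete must be 'true' or 'false'")
    return {"RequireMfaDelete": raw == "true"}


def parameters_are_valid(rule_parameters):
    """True unless parse_parameters() rejects the input (handy in tests)."""
    try:
        parse_parameters(rule_parameters)
        return True
    except InvalidParametersError:
        return False


def bucket_compliance(configuration_item, client_factory, valid_rule_parameters):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::S3::Bucket":
        return ComplianceType.NOT_APPLICABLE, None
    supplementary = configuration_item.get("supplementaryConfiguration") or {}
    versioning = supplementary.get("BucketVersioningConfiguration")
    if versioning is None:
        # No versioning data in the item: ask S3 through the factory, which
        # reuses an already-built client where it can.
        s3 = client_factory.build_client(service="s3")
        resp = s3.get_bucket_versioning(Bucket=configuration_item["resourceName"])
        versioning = {"status": resp.get("Status", "Off"),
                      "isMfaDeleteEnabled": resp.get("MFADelete") == "Enabled"}
    if versioning.get("status") != "Enabled":
        return ComplianceType.NON_COMPLIANT, "Bucket versioning is not enabled"
    if valid_rule_parameters["RequireMfaDelete"] and not versioning.get("isMfaDeleteEnabled"):
        return ComplianceType.NON_COMPLIANT, "Versioning is enabled but MFA delete is not"
    return ComplianceType.COMPLIANT, None


class S3_BUCKET_VERSIONING_ENABLED(ConfigRule):
    """Rule class in the shape the RDK template expects: thin wrappers over the logic above."""

    def evaluate_parameters(self, rule_parameters):
        return parse_parameters(rule_parameters)

    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        compliance, annotation = bucket_compliance(configuration_item, client_factory, valid_rule_parameters)
        # Resource id and type are auto-populated for change-triggered rules.
        return [Evaluation(compliance, annotation=annotation)]


def lambda_handler(event, context):
    return Evaluator(S3_BUCKET_VERSIONING_ENABLED()).handle(event, context)


# Constructed test doubles and sample items; not real Config or S3 output.
class FakeS3Client:
    def __init__(self, response):
        self.response = response

    def get_bucket_versioning(self, Bucket):
        return self.response


class FakeClientFactory:
    def __init__(self, versioning_response):
        self.client = FakeS3Client(versioning_response)
        self.calls = 0

    def build_client(self, service):
        assert service == "s3"
        self.calls += 1
        return self.client


VERSIONED_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceName": "audit-logs-example",
                    "supplementaryConfiguration": {"BucketVersioningConfiguration":
                                                   {"status": "Enabled", "isMfaDeleteEnabled": False}}}
UNVERSIONED_BUCKET = {"resourceType": "AWS::S3::Bucket", "resourceName": "scratch-example",
                      "supplementaryConfiguration": {"BucketVersioningConfiguration":
                                                     {"status": "Off", "isMfaDeleteEnabled": False}}}
BUCKET_WITHOUT_SUPPLEMENTARY = {"resourceType": "AWS::S3::Bucket", "resourceName": "orphan-example",
                                "supplementaryConfiguration": {}}
```

Keeping the decision in bucket_compliance() rather than inside evaluate_change() is what makes the rule testable with a fake ClientFactory; the rdklib wrapper then only packages the result as an Evaluation and hands the resource id and type to the library.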
License
This project is licensed under the Apache-2.0 License.
Feedback / Questions
Feel free to email rdk-maintainers@amazon.com