
Rule Development Kit Library for AWS Config

Project description

RDKlib

RDKlib is a Python library to enable you to run custom AWS Config Rules at scale. The library can be used to:

  • Help you to focus only on the compliance logic, while the library does the heavy lifting

  • Ease maintenance by moving the boilerplate code into an AWS Lambda Layer

  • Ease deployment by using AWS Serverless Application Repository

RDKLib works in synergy with the AWS Config Rule Development Kit (https://github.com/awslabs/aws-config-rdk).

Getting Started

Install the library locally

pip install git+https://github.com/awslabs/aws-config-rdklib

Create a rule using the RDK

The runtime of your RDK rule has to be set to python3.6-lib so that the RDK generates the rdklib-based rule template for you.

  • For periodic trigger:

rdk create YOUR_RULE_NAME --runtime python3.6-lib --maximum-frequency TwentyFour_Hours

  • For configuration change trigger (for example S3 Bucket):

rdk create YOUR_RULE_NAME --runtime python3.6-lib --resource-types AWS::S3::Bucket

Note: you need to have the RDK installed first (see https://github.com/awslabs/aws-config-rdk#getting-started)

Deploy your rule with RDKlib layer

RDKLib is designed to work as an AWS Lambda Layer. It allows you to use the library without needing to include it in your deployment package.

  1. Install RDKlib layer (with AWS CLI)

aws serverlessrepo create-cloud-formation-change-set --application-id arn:aws:serverlessrepo:ap-southeast-1:711761543063:applications/rdklib --stack-name RDKlib-Layer

# Copy/paste the full change-set ARN to customize the following command
aws cloudformation execute-change-set --change-set-name NAME_OF_THE_CHANGE_SET

aws cloudformation describe-stack-resources --stack-name serverlessrepo-RDKlib-Layer
# Copy the ARN of the Lambda layer in the "PhysicalResourceId" key (i.e. arn:aws:lambda:YOUR_REGION:YOUR_ACCOUNT:layer:rdklib-layer:1).

Note: You can do the same step manually by going to https://console.aws.amazon.com/lambda/home#/create/function?tab=serverlessApps and searching for “rdklib”

  2. Deploy the rule

rdk deploy YOUR_RULE_NAME --rdklib-layer-arn YOUR_RDKLIB_LAYER_ARN

Dev Guide

class ClientFactory

method build_client()

Creates or reuses a boto3 client. It minimizes the number of STS calls by reusing an existing client if one is already available.

Request Syntax

response = client_factory.build_client(
    service='string')

Parameter

  • service (string)[REQUIRED]

    The boto3 name of the AWS service

class ConfigRule

method evaluate_parameters()

Used to validate the input parameters of the Config Rule.

Parameter

  • rule_parameters (dict)

    The input parameters of the Config Rule.

Return Syntax

If one of the parameters is invalid, raise an InvalidParametersError.

raise InvalidParametersError("Error message to display")

If the parameters are all valid, return a dict.

return valid_rule_parameters

method evaluate_change()

Used to evaluate a Configuration Change triggered rule.

Parameters

  • event

    Lambda event provided by Config.

  • client_factory (ClientFactory)

    ClientFactory object to be used in this rule.

  • configuration_item (dict)

    The full configuration Item, even if oversized.

  • valid_rule_parameters (dict)

    The output of the evaluate_parameters() method.

Return Syntax

Return a list of Evaluation object(s).

return [Evaluation()]

It can be an empty list if there is nothing to evaluate.

method evaluate_periodic()

Used to evaluate a Periodic triggered rule.

Parameters

  • event

    Lambda event provided by Config.

  • client_factory (ClientFactory)

    ClientFactory object to be used in this rule.

  • valid_rule_parameters (dict)

    The output of the evaluate_parameters() method.

Return Syntax

Return a list of Evaluation object(s).

return [Evaluation()]

It can be an empty list if there is nothing to evaluate.

class Evaluation

Class for the Evaluation object.

Request Syntax

evaluation = Evaluation(
    complianceType='ComplianceType',
    complianceResourceId='string',
    annotation='string',
    complianceResourceType='string')

Parameter

  • complianceType (ComplianceType) [REQUIRED]

    Compliance type of the evaluation.

  • complianceResourceId (string) [OPTIONAL]

    ResourceId of the evaluation. It gets auto-populated for Configuration Change triggered rules.

  • annotation (string) [OPTIONAL]

    Annotation for the evaluation. It gets shortened to 255 characters automatically.

  • complianceResourceType (string) [OPTIONAL]

    ResourceType of the evaluation. It gets auto-populated for Configuration Change triggered rules.

class ComplianceType

Class for the ComplianceType object.

Request Syntax

Evaluation will display as “Compliant”:

compliance_type = ComplianceType.COMPLIANT

Evaluation will display as “Non Compliant”:

compliance_type = ComplianceType.NON_COMPLIANT

Evaluation will not display:

compliance_type = ComplianceType.NOT_APPLICABLE
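A complete rule written against the ConfigRule, Evaluation and ComplianceType API described in this Dev Guide, as an added example (not the rdklib project's own code). It checks that an AWS::S3::Bucket has all four Public Access Block settings enabled; the shape of the configuration item (supplementaryConfiguration.PublicAccessBlockConfiguration), the ExemptBuckets rule parameter and the bucket names are assumptions, and the Evaluator wrapper in the handler comes from the RDK template rather than this page.

```python
# Added example, not the rdklib project's own code: an S3 Public Access Block
# rule written against the ConfigRule/Evaluation/ComplianceType API above.
# If rdklib is not installed, stand-ins with the same interface are defined so
# the compliance logic can be exercised offline.
try:
    from rdklib import ConfigRule, Evaluation, ComplianceType, InvalidParametersError
except ImportError:
    class ComplianceType:
        COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"
    class InvalidParametersError(Exception):
        pass
    class Evaluation:
        def __init__(self, complianceType, annotation=None, **kwargs):
            self.complianceType = complianceType
            self.annotation = (annotation or "")[:255]  # rdklib shortens to 255 chars
    class ConfigRule:
        pass

# Public Access Block keys as they appear in the AWS::S3::Bucket configuration
# item under supplementaryConfiguration (assumed shape of the item).
PAB_KEYS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")


class S3PublicAccessBlockRule(ConfigRule):
    def evaluate_parameters(self, rule_parameters):
        # Optional rule parameter ExemptBuckets (assumed): comma-separated bucket names.
        names = [n.strip() for n in rule_parameters.get("ExemptBuckets", "").split(",") if n.strip()]
        if any(" " in n or n != n.lower() for n in names):
            raise InvalidParametersError("ExemptBuckets must be lowercase bucket names, comma-separated")
        return {"ExemptBuckets": set(names)}

    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        # Compliance logic only: the configuration item already carries the
        # bucket's Public Access Block settings, so no API call is needed.
        if configuration_item["resourceName"] in valid_rule_parameters["ExemptBuckets"]:
            return [Evaluation(ComplianceType.NOT_APPLICABLE)]
        supplementary = configuration_item.get("supplementaryConfiguration", {})
        pab = supplementary.get("PublicAccessBlockConfiguration", {})
        missing = [k for k in PAB_KEYS if not pab.get(k)]
        if missing:
            return [Evaluation(ComplianceType.NON_COMPLIANT,
                               annotation="Public access block not fully enabled: " + ", ".join(missing))]
        return [Evaluation(ComplianceType.COMPLIANT)]


def lambda_handler(event, context):
    # Wiring as generated by the RDK python3.6-lib template; Evaluator is part
    # of rdklib but is not documented on this page.
    from rdklib import Evaluator
    return Evaluator(S3PublicAccessBlockRule(), ["AWS::S3::Bucket"]).handle(event, context)
```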

License

This project is licensed under the Apache-2.0 License.

Feedback / Questions

Feel free to email rdk-maintainers@amazon.com

Authors

  • Jonathan Rault - Maintainer, design, code, testing, feedback

  • Ricky Chau - Maintainer, code, testing

  • Michael Borchert - Design, code, testing, feedback

  • Joe Lee - Design, feedback

  • Chris Gutierrez - Design, feedback

Download files

Source Distribution: rdklib-0.0.2.tar.gz (11.9 kB)

Built Distribution: rdklib-0.0.2-py3-none-any.whl (19.2 kB, Python 3)
