├── .github ├── actions │ └── dep-setup │ │ └── action.yml ├── dependabot.yml ├── get_config_supported_resources.py └── workflows │ ├── publish.yaml │ └── validate.yaml ├── .gitignore ├── .readthedocs.yaml ├── .safety-project.ini ├── LICENSE ├── NOTICE.txt ├── README.md ├── developer_notes.md ├── docs ├── advanced-features │ ├── cross-Account-deployments.md │ ├── custom-lambda-name.md │ ├── disable-resource-check.md │ ├── generate-lambda-layer.md │ ├── managed-rules.md │ ├── multi-region-deployment.md │ └── rulesets.md ├── commands │ ├── clean.md │ ├── create-rule-template.md │ ├── create.md │ ├── deploy.md │ ├── export.md │ ├── init.md │ ├── logs.md │ ├── modify.md │ ├── rulesets.md │ ├── sample-ci.md │ ├── test-local.md │ └── undeploy.md ├── images │ ├── compliance_evaluation.png │ ├── config_change_triggered.jpeg │ ├── config_hybrid.jpeg │ ├── config_periodic.jpeg │ └── lambda_logic1.png ├── index.md ├── legacy-docs.md ├── remediation.md ├── requirements.txt └── rule-management │ ├── creating-rules.md │ ├── deploy-rules.md │ ├── modifying-rules.md │ ├── rdk-lambda-function │ ├── lambda-function-logic.md │ └── writing-an-evaluate_compliance-function.md │ └── writing-unit-tests.md ├── integration └── config-opscenter-integration-example │ ├── .DS_Store │ ├── AWS_Config_and_OpsCenter.pdf │ ├── AWS_Config_and_OpsCenter.xml │ ├── README.md │ ├── build.sh │ ├── cleanup.sh │ ├── opsitem-role.yaml │ └── s3EncryptedConfigRule.yaml ├── mkdocs.yml ├── poetry.lock ├── policy └── rdk-minimum-permissions.json ├── pyproject.toml ├── rdk-workshop ├── WorkshopSetup.yaml └── instructions.md ├── rdk ├── __init__.py ├── cli.py ├── rdk.py ├── rdklib_versions.yaml ├── supported_resource_types.yaml └── template │ ├── configManagedRule.yaml │ ├── configManagedRuleOrganization.yaml │ ├── configManagedRuleWithRemediation.yaml │ ├── configRule.yaml │ ├── configRuleAssumeRolePolicyDoc.json │ ├── configRuleOrganization.yaml │ ├── deliveryPermissionsPolicy.json │ ├── example_ci │ ├── 
AWS_ACM_Certificate.json │ ├── AWS_ApiGatewayV2_Api.json │ ├── AWS_ApiGatewayV2_Stage.json │ ├── AWS_ApiGateway_RestApi.json │ ├── AWS_ApiGateway_Stage.json │ ├── AWS_AutoScaling_AutoScalingGroup.json │ ├── AWS_AutoScaling_LaunchConfiguration.json │ ├── AWS_AutoScaling_ScalingPolicy.json │ ├── AWS_AutoScaling_ScheduledAction.json │ ├── AWS_CLOUDFRONT_DISTRIBUTION.json │ ├── AWS_CLOUDFRONT_STREAMINGDISTRIBUTION.json │ ├── AWS_CloudFormation_Stack.json │ ├── AWS_CloudWatch_Alarm.json │ ├── AWS_Cloudtrail_Trail.json │ ├── AWS_CodeBuild_Project.json │ ├── AWS_CodePipeline_Pipeline.json │ ├── AWS_DynamoDB_Table.json │ ├── AWS_EC2_CapacityReservation.json │ ├── AWS_EC2_CustomerGateway.json │ ├── AWS_EC2_EIP.json │ ├── AWS_EC2_FlowLog.json │ ├── AWS_EC2_Host.json │ ├── AWS_EC2_Instance.json │ ├── AWS_EC2_InternetGateway.json │ ├── AWS_EC2_LaunchTemplate.json │ ├── AWS_EC2_NatGateway.json │ ├── AWS_EC2_NetworkAcl.json │ ├── AWS_EC2_NetworkInterface.json │ ├── AWS_EC2_RouteTable.json │ ├── AWS_EC2_SecurityGroup.json │ ├── AWS_EC2_Subnet.json │ ├── AWS_EC2_VPC.json │ ├── AWS_EC2_VPCPeeringConnection.json │ ├── AWS_EC2_VPNConnection.json │ ├── AWS_EC2_VPNGateway.json │ ├── AWS_EC2_Volume.json │ ├── AWS_ECR_PublicRepository.json │ ├── AWS_ECR_Repository.json │ ├── AWS_ECS_TaskDefinition.json │ ├── AWS_EKS_Cluster.json │ ├── AWS_ELASTICLOADBALANCING_LOADBALANCER.json │ ├── AWS_ElasticBeanstalk_Application.json │ ├── AWS_ElasticBeanstalk_ApplicationVersion.json │ ├── AWS_ElasticBeanstalk_Environment.json │ ├── AWS_ElasticLoadBalancingV2_Listener.json │ ├── AWS_ElasticLoadBalancingV2_LoadBalancer.json │ ├── AWS_ElasticSearch_Domain.json │ ├── AWS_Glue_Classifier.json │ ├── AWS_Glue_Job.json │ ├── AWS_Glue_MLTransform.json │ ├── AWS_IAM_Group.json │ ├── AWS_IAM_Policy.json │ ├── AWS_IAM_Role.json │ ├── AWS_IAM_User.json │ ├── AWS_KMS_Key.json │ ├── AWS_LAMBDA_FUNCTION.json │ ├── AWS_NetworkFirewall_RuleGroup.json │ ├── AWS_OpenSearch_Domain.json │ ├── AWS_R53_HostedZone.json │ ├── 
AWS_RDS_DBCluster.json │ ├── AWS_RDS_DBClusterSnapshot.json │ ├── AWS_RDS_DBInstance.json │ ├── AWS_RDS_DBSecurityGroup.json │ ├── AWS_RDS_DBSnapshot.json │ ├── AWS_RDS_DBSubnetGroup.json │ ├── AWS_RDS_EventSubscription.json │ ├── AWS_Redshift_Cluster.json │ ├── AWS_Redshift_ClusterParameterGroup.json │ ├── AWS_Redshift_ClusterSecurityGroup.json │ ├── AWS_Redshift_ClusterSnapshot.json │ ├── AWS_Redshift_ClusterSubnetGroup.json │ ├── AWS_Redshift_EventSubscription.json │ ├── AWS_S3_AccountPublicAccessBlock.json │ ├── AWS_S3_Bucket.json │ ├── AWS_SNS_Topic.json │ ├── AWS_SSM_ManagedInstanceInventory.json │ ├── AWS_SSM_ManagedInstanceInventory_Linux.json │ ├── AWS_SSM_ManagedInstanceInventory_Windows.json │ ├── AWS_ShieldRegional_Protection.json │ └── AWS_Shield_Protection.json │ ├── runtime │ ├── java8 │ │ ├── build.gradle │ │ ├── jars │ │ │ └── readme.txt │ │ └── src │ │ │ └── main │ │ │ └── java │ │ │ └── com │ │ │ └── rdk │ │ │ ├── RuleCode.java │ │ │ └── RuleUtil.java │ ├── python3.10-lib │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.10 │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.11-lib │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.11 │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.12-lib │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.12 │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.13-lib │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.7-lib │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.7 │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.8-lib │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.8 │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── python3.9-lib │ │ ├── rule_code.py │ │ └── rule_test.py │ └── python3.9 │ │ ├── rule_code.py │ │ └── rule_test.py │ ├── terraform │ ├── 0.11 │ │ ├── config_rule.tf │ │ └── variables.tf │ └── 0.12 │ │ ├── config_rule.tf │ │ └── variables.tf │ └── test_event_template.yaml ├── test-region.yaml ├── testing ├── copy-to-s3-buildspec.yaml ├── 
copy_to_s3.sh ├── linux-python3-buildspec.yaml ├── multi_region_execution_test.py ├── partition_test.py ├── test_windows.sh ├── win_multi_region_execution_test.py ├── win_partition_test.py └── windows-python3-buildspec.yaml └── update_rdklib_versions.py /.github/actions/dep-setup/action.yml: -------------------------------------------------------------------------------- 1 | name: Dependency Setup 2 | description: 'Action to setup the runtime environment for CI jobs.' 3 | 4 | inputs: 5 | python-version: 6 | description: 'The Python version to be used during setup' 7 | required: true 8 | 9 | runs: 10 | using: "composite" 11 | steps: 12 | - name: Setup Python 13 | uses: actions/setup-python@v4 14 | with: 15 | python-version: '${{ inputs.python-version }}' 16 | 17 | - name: Cache Poetry 18 | id: cache-poetry 19 | uses: actions/cache@v3 20 | with: 21 | path: ${{github.workspace}}/.poetry 22 | key: poetry-self-${{ hashFiles('.github/workflows/*.yml') }} 23 | restore-keys: poetry-self- 24 | 25 | - name: Install Poetry 26 | if: steps.cache-poetry.outputs.cache-hit != 'true' 27 | shell: bash 28 | run: | 29 | export POETRY_HOME=${{github.workspace}}/.poetry 30 | curl -sSL https://raw.githubusercontent.com/python-poetry/install.python-poetry.org/main/install-poetry.py -O 31 | python install-poetry.py --preview 32 | rm install-poetry.py 33 | 34 | - name: Add Poetry to $PATH 35 | shell: bash 36 | run: echo "${{github.workspace}}/.poetry/bin" >> $GITHUB_PATH 37 | 38 | - name: Add poethepoet plugin 39 | shell: bash 40 | run: poetry self add 'poethepoet[poetry_plugin]' 41 | 42 | - name: Poetry Version 43 | shell: bash 44 | run: poetry --version 45 | 46 | - name: Check pyproject.toml validity 47 | shell: bash 48 | run: poetry check --no-interaction 49 | 50 | - name: Cache Dependencies 51 | id: cache-deps 52 | uses: actions/cache@v3 53 | with: 54 | path: ${{github.workspace}}/.venv 55 | key: poetry-deps-${{ hashFiles('**/poetry.lock') }} 56 | restore-keys: poetry-deps- 57 | 58 | - 
name: Install Deps 59 | if: steps.cache-deps.cache-hit != 'true' 60 | shell: bash 61 | run: | 62 | poetry config virtualenvs.in-project true 63 | poetry install --no-interaction 64 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | # To get started with Dependabot version updates, you'll need to specify which 2 | # package ecosystems to update and where the package manifests are located. 3 | # Please see the documentation for all configuration options: 4 | # https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file 5 | 6 | version: 2 7 | updates: 8 | - package-ecosystem: "" # See documentation for possible values 9 | directory: "/" # Location of package manifests 10 | schedule: 11 | interval: "weekly" 12 | -------------------------------------------------------------------------------- /.github/get_config_supported_resources.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | from selenium import webdriver 3 | from selenium.webdriver.common.keys import Keys 4 | from selenium.webdriver.common.by import By 5 | from selenium.webdriver.chrome.options import Options 6 | from selenium.common.exceptions import NoSuchElementException 7 | import json 8 | import logging 9 | from concurrent import futures 10 | from collections import Counter 11 | import os 12 | import time 13 | import re 14 | import yaml 15 | 16 | """ 17 | Summary 18 | This is a simple web scraper to list the resource types supported by AWS Config. 19 | 20 | It will write its output to supported_resource_types.yaml -- this should be moved to the rdk subfolder after validating. 
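"""

# Seed list: "ALL" is the special string that selects every resource type.
all_resources = ["ALL"]

# Types that AWS Config accepts but that are missing from the documentation page.
undocumented_but_supported = [
    "AWS::EventSchemas::Registry",
    "AWS::IoTTwinMaker::ComponentType",
]

all_resources += undocumented_but_supported

url = "https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html"

# Start a headless Chrome session.
chrome_options = Options()
chrome_options.add_argument("--headless=new")
# NOTE(review): --no-sandbox turns off Chrome's process sandbox, so the only
# isolation left between page content and this process is the OS user. That is
# tolerable here only because the single page loaded is the fixed HTTPS URL
# above. Prefer running the job as an unprivileged user so the flag can be
# dropped, and do not reuse this setup for arbitrary URLs.
chrome_options.add_argument("--no-sandbox")
chrome_options.add_experimental_option("excludeSwitches", ["enable-logging"])
driver = webdriver.Chrome(
    options=chrome_options,
)

# The browser is released in `finally`: previously an exception raised while
# scraping skipped driver.quit() and left the Chrome process running.
try:
    # Load the AWS Config supported-resource reference page.
    driver.get(url)
    driver.implicitly_wait(2)

    # Each element with class "table-contents" holds one table of the page.
    services = driver.find_elements(By.CLASS_NAME, "table-contents")

    for service in services:
        section_text = service.text
        if section_text == "":
            continue
        try:
            # Resource type names are rendered in elements with class "code".
            resources = service.find_elements(By.CLASS_NAME, "code")
        except NoSuchElementException:
            logging.info("No resources found for %s", section_text)
            continue
        if not resources:
            logging.info("No resources found for %s", section_text)
            continue
        for resource in resources:
            candidate = resource.text
            # Keep only entries that start with "AWS::"; anything else in a
            # "code" element is ignored.
            if re.match(r"AWS::.*", candidate):
                # Remove any asterisks before recording the type.
                resource_type = candidate.replace("*", "")
                all_resources.append(resource_type)
                logging.info(resource_type)
finally:
    driver.quit()

# De-duplicate, sort and write the list to supported_resource_types.yaml.
# NOTE(review): every value except the seed entries comes from remote page
# content and passes only the "AWS::" prefix filter above. Review the diff of
# the generated file before moving it into the rdk subfolder, as the module
# docstring asks.
yaml_output = {"supported_resources": sorted(set(all_resources))}
yaml_output_string = yaml.dump(yaml_output)
with open("supported_resource_types.yaml", "w", encoding="utf-8") as f:
    f.write(yaml_output_string)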
--------------------------------------------------------------------------------
/.github/workflows/publish.yaml:
--------------------------------------------------------------------------------
# Builds the package and publishes it to PyPI, then creates a GitHub release.
name: 'Publish Release'

# NOTE(review): any pushed tag starts a publish; the "Verify Versions Match"
# step below is the only gate visible in this file.
on:
  push:
    tags:
      - '*'

# NOTE(review): the workflow declares no `permissions:` key, so GITHUB_TOKEN
# carries the repository's default scope for every step. Declaring only what
# the Release step needs would narrow that.
jobs:
  publish:
    name: Publish Release
    runs-on: ubuntu-latest
    steps:
      # Full history is fetched so that `git describe` below can see the tags.
      - name: Checkout Source
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # NOTE(review): this composite action downloads install-poetry.py from
      # the `main` branch of the installer repository and runs it with no
      # integrity check. The Poetry it installs is the binary that later
      # receives POETRY_PYPI_TOKEN_PYPI, so pin the download to a commit and
      # verify a checksum.
      - name: Setup Dependencies
        uses: './.github/actions/dep-setup'
        with:
          python-version: '3.10'

      # NOTE(review): third-party action referenced by a mutable tag and given
      # a secret; pinning to a full commit SHA fixes the code that runs.
      - name: Run Safety CLI to check for vulnerabilities
        uses: pyupio/safety-action@v1
        with:
          api-key: ${{ secrets.SAFETY_API_KEY }}

      # Export the version from pyproject.toml for the later steps.
      - name: Get Python Module Version
        run: |
          MODULE_VERSION=$(poetry version --short)
          echo "MODULE_VERSION=$MODULE_VERSION" >> $GITHUB_ENV

      # Fail the job unless the nearest git tag equals the Poetry version.
      - name: Verify Versions Match
        run: |
          TAG_VERSION=$(git describe HEAD --tags --abbrev=0)
          echo "Git Tag Version: $TAG_VERSION"
          echo "Python Module Version: $MODULE_VERSION"
          if [[ "$TAG_VERSION" != "$MODULE_VERSION" ]]; then exit 1; fi

      # The PyPI token is exposed to this step only.
      - name: Publish to PyPi
        run: poetry publish --build
        env:
          POETRY_PYPI_TOKEN_PYPI: ${{ secrets.POETRY_PYPI_TOKEN_PYPI }}

      # NOTE(review): third-party action referenced by a mutable tag; it runs
      # with the job's GITHUB_TOKEN, so pin it to a full commit SHA as well.
      - name: Release
        uses: softprops/action-gh-release@v1
        with:
          discussion_category_name: announcements
          generate_release_notes: true
          files: |
            dist/rdk-${{env.MODULE_VERSION}}-py3-none-any.whl
            dist/rdk-${{env.MODULE_VERSION}}.tar.gz

--------------------------------------------------------------------------------
/.github/workflows/validate.yaml:
--------------------------------------------------------------------------------
name: 'Validation'

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  ## TODO: Enable this once the repo is totally formatted to standard.
13 | # lint-style: 14 | # name: Linting and Styling 15 | # runs-on: ubuntu-latest 16 | # steps: 17 | # - name: Checkout Source 18 | # uses: actions/checkout@v3 19 | # with: 20 | # fetch-depth: 0 21 | 22 | # - name: Setup Dependencies 23 | # uses: './.github/actions/dep-setup' 24 | # with: 25 | # python-version: '3.10' 26 | 27 | # - name: Run Styling Enforcement 28 | # shell: bash 29 | # run: poetry poe check 30 | 31 | # # TODO: As soon as the repo is in a state to enable this, we'll do so. 32 | # - name: Run Style Linting Enforcement 33 | # shell: bash 34 | # run: poetry poe lint 35 | 36 | ## TODO: Enable unit tests via GH Actions when unit tests are fixed and migrated to pytest. 37 | # unit-tests: 38 | # name: Run Unit Tests 39 | # strategy: 40 | # matrix: 41 | # version: ['3.7', '3.8', '3.9', '3.10', '3.11'] 42 | # os: [ubuntu-latest] 43 | # runs-on: ${{ matrix.os }} 44 | # steps: 45 | # - name: Checkout Source 46 | # uses: actions/checkout@v3 47 | # with: 48 | # fetch-depth: 0 49 | 50 | # - name: Setup Dependencies 51 | # uses: './.github/actions/dep-setup' 52 | # with: 53 | # python-version: '${{ matrix.version }}' 54 | 55 | # - name: Run Tests 56 | # shell: bash 57 | # run: poetry poe test 58 | 59 | # - name: Codecov 60 | # uses: codecov/codecov-action@v3 61 | 62 | security: 63 | name: Run Security Checks 64 | runs-on: ubuntu-latest 65 | steps: 66 | - name: Checkout Source 67 | uses: actions/checkout@v3 68 | with: 69 | fetch-depth: 0 70 | 71 | - name: Setup Dependencies 72 | uses: './.github/actions/dep-setup' 73 | with: 74 | python-version: '3.10' 75 | 76 | - name: Run Security Checks 77 | shell: bash 78 | run: poetry poe safety 79 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by https://www.gitignore.io/api/python 2 | .gitignore 3 | ### Python ### 4 | # Byte-compiled / optimized / DLL files 5 | rdk/__pycache__/ 6 | 
*.py[cod] 7 | *$py.class 8 | 9 | # C extensions 10 | *.so 11 | 12 | # Distribution / packaging 13 | .Python 14 | build/ 15 | develop-eggs/ 16 | dist/ 17 | downloads/ 18 | eggs/ 19 | .eggs/ 20 | lib/ 21 | lib64/ 22 | parts/ 23 | sdist/ 24 | var/ 25 | wheels/ 26 | *.egg-info/ 27 | .installed.cfg 28 | *.egg 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | .pytest_cache/ 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | .hypothesis/ 51 | 52 | # Translations 53 | *.mo 54 | *.pot 55 | 56 | # Flask stuff: 57 | instance/ 58 | .webassets-cache 59 | 60 | # Scrapy stuff: 61 | .scrapy 62 | 63 | # Sphinx documentation 64 | docs/_build/ 65 | 66 | # PyBuilder 67 | target/ 68 | 69 | # Jupyter Notebook 70 | .ipynb_checkpoints 71 | 72 | # pyenv 73 | .python-version 74 | 75 | # celery beat schedule file 76 | celerybeat-schedule.* 77 | 78 | # SageMath parsed files 79 | *.sage.py 80 | 81 | # Environments 82 | .env 83 | .venv 84 | env/ 85 | venv/ 86 | ENV/ 87 | env.bak/ 88 | venv.bak/ 89 | 90 | # intellij project setting 91 | .idea 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | 106 | 107 | # End of https://www.gitignore.io/api/python 108 | 109 | 110 | .vscode/launch.json 111 | 112 | .vscode/settings.json 113 | 114 | myAutomationTest/ 115 | 116 | myAutomationTestWithManegedRule/ 117 | 118 | myAutomationTestWithManPeridoc/ 119 | 120 | myAutomationTestWithResouceType/ 121 | 122 | .vscode/sk.py 123 | 124 | CLOUD_TRAIL_ENCRYPTION_ENABLED/ 125 | 126 | 
API_GW_NOT_EDGE_OPTIMISED/ 127 | 128 | manageTest/ 129 | 130 | football/ 131 | 132 | .infracost 133 | 134 | # For testing guard rule functionality 135 | myguardrule/ -------------------------------------------------------------------------------- /.readthedocs.yaml: -------------------------------------------------------------------------------- 1 | # .readthedocs.yaml 2 | # NOTE - Currently set to OFF until issues with RTD integration with MkDocs is resolved. 3 | # Read the Docs configuration file 4 | # See https://docs.readthedocs.io/en/stable/config-file/v2.html for details 5 | 6 | # Required 7 | version: 2 8 | 9 | # Set the version of Python and other tools you might need 10 | build: 11 | os: ubuntu-22.04 12 | tools: 13 | python: "3.12" 14 | 15 | # Build documentation in the docs/ directory with mkdocs 16 | mkdocs: 17 | configuration: mkdocs.yml 18 | 19 | # We recommend specifying your dependencies to enable reproducible builds: 20 | # https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html 21 | # Removed April 2025 22 | # python: 23 | # install: 24 | # - requirements: docs/requirements.txt 25 | -------------------------------------------------------------------------------- /.safety-project.ini: -------------------------------------------------------------------------------- 1 | [project] 2 | id = aws-config-rdk 3 | url = /codebases/aws-config-rdk/findings 4 | name = aws-config-rdk 5 | 6 | -------------------------------------------------------------------------------- /NOTICE.txt: -------------------------------------------------------------------------------- 1 | rdk 2 | Copyright 2017-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. 
3 | -------------------------------------------------------------------------------- /docs/advanced-features/cross-Account-deployments.md: -------------------------------------------------------------------------------- 1 | # Cross-Account Deployments 2 | 3 | Features have been added to the RDK to facilitate the cross-account 4 | deployment pattern that enterprise customers have standardized for 5 | custom Config Rules. A cross-account architecture is one in which the 6 | Lambda functions are deployed to a single central "Compliance" account 7 | (which may be the same as a central "Security" account), and the 8 | Config Rules are deployed to any number of "Satellite" accounts that 9 | are used by other teams or departments. This gives the compliance team 10 | confidence that their rule logic cannot be tampered with and makes it 11 | much easier for them to modify rule logic without having to go through a 12 | complex deployment process to potentially hundreds of AWS accounts. The 13 | cross-account pattern uses two advanced RDK features: 14 | 15 | - `--functions-only` (`-f`) deployment 16 | - `create-rule-template` command 17 | 18 | ## Functions-Only Deployment 19 | 20 | By using the `-f` or `--functions-only` flag on the `deploy` command the 21 | RDK will deploy only the necessary Lambda Functions, Lambda Execution 22 | Role, and Lambda Permissions to the account specified by the execution 23 | credentials. It accomplishes this by batching up all of the Lambda 24 | function CloudFormation snippets for the selected Rule(s) into a single 25 | dynamically generated template and deploy that CloudFormation template. 26 | One consequence of this is that subsequent deployments that specify a 27 | different set of rules for the same stack name will update that 28 | CloudFormation stack, and any Rules that were included in the first 29 | deployment but not in the second will be removed. 
You can use the 30 | `--stack-name` parameter to override the default CloudFormation stack 31 | name if you need to manage different subsets of your Lambda Functions 32 | independently. The intended usage is to deploy the functions for all of 33 | the Config rules in the Security/Compliance account, which can be done 34 | simply by using `rdk deploy -f --all` from your working directory. 35 | 36 | ## create-rule-template command 37 | 38 | This command generates a CloudFormation template that defines the AWS 39 | Config rules themselves, along with the Config Role, Config data bucket, 40 | Configuration Recorder, and Delivery channel necessary for the Config 41 | rules to work in a satellite account. You must specify the file name for 42 | the generated template using the `--output-file` or 43 | `-o` command line flags. The generated template takes a 44 | single parameter of the AccountID of the central compliance account that 45 | contains the Lambda functions that will back your custom Config Rules. 46 | The generated template can be deployed in the desired satellite accounts 47 | through any of the means that you can deploy any other CloudFormation 48 | template, including the console, the CLI, as a CodePipeline task, or 49 | using StackSets. The `create-rule-template` command takes all of the 50 | standard arguments for selecting Rules to include in the generated 51 | template, including lists of individual Rule names, an `--all` flag, or 52 | using the RuleSets feature described below. 53 | 54 | ```bash 55 | rdk create-rule-template -o remote-rule-template.json --all 56 | Generating CloudFormation template! 
57 | CloudFormation template written to remote-rule-template.json 58 | ``` 59 | -------------------------------------------------------------------------------- /docs/advanced-features/custom-lambda-name.md: -------------------------------------------------------------------------------- 1 | # Custom Lambda Function Name 2 | 3 | As of version 0.7.14, instead of defaulting the lambda function names to 4 | `RDK-Rule-Function-` it is possible to customize the name for 5 | the Lambda function to any 64 characters string as per Lambda's naming 6 | standards using the optional `--custom-lambda-name` flag while 7 | performing `rdk create`. This opens up new features like : 8 | 9 | 1. Longer config rule name. 10 | 2. Custom lambda function naming as per personal or enterprise standards. 11 | 12 | ```bash 13 | rdk create MyLongerRuleName --runtime python3.11 --resource-types AWS::EC2::Instance --custom-lambda-name custom-prefix-for-MyLongerRuleName 14 | Running create! 15 | Local Rule files created. 16 | ``` 17 | 18 | The above example would create files with config rule name as 19 | `MyLongerRuleName` and lambda function with the name 20 | `custom-prefix-for-MyLongerRuleName` instead of 21 | `RDK-Rule-Function-MyLongerRuleName` 22 | -------------------------------------------------------------------------------- /docs/advanced-features/disable-resource-check.md: -------------------------------------------------------------------------------- 1 | # Disable the supported resource types check 2 | 3 | It is now possible to define a resource type that is not yet supported 4 | by rdk. To disable the supported resource check use the optional flag 5 | '--skip-supported-resource-check' during the create command. 6 | 7 | ```bash 8 | rdk create MyRule --runtime python3.11 --resource-types AWS::New::ResourceType --skip-supported-resource-check 9 | 'AWS::New::ResourceType' not found in list of accepted resource types. 
10 | Skip-Supported-Resource-Check Flag set (--skip-supported-resource-check), ignoring missing resource type error. 11 | Running create! 12 | Local Rule files created. 13 | ``` 14 | -------------------------------------------------------------------------------- /docs/advanced-features/generate-lambda-layer.md: -------------------------------------------------------------------------------- 1 | # Using RDK to Generate a Lambda Layer in a region (Python3) 2 | 3 | By default `rdk init --generate-lambda-layer` will generate an rdklib 4 | lambda layer while running init in whatever region it is run. To force 5 | re-generation of the layer, run `rdk init --generate-lambda-layer` again 6 | over a region. 7 | 8 | To use this generated lambda layer, add the flag 9 | `--generated-lambda-layer` when running `rdk deploy`. For example: 10 | `rdk -f regions.yaml deploy LP3_TestRule_P39_lib --generated-lambda-layer` 11 | 12 | If you created a layer with a custom name (by running 13 | `rdk init --custom-lambda-layer`), add a similar `custom-lambda-layer` 14 | flag when running deploy. 15 | -------------------------------------------------------------------------------- /docs/advanced-features/managed-rules.md: -------------------------------------------------------------------------------- 1 | # Managed Rules 2 | 3 | The RDK is able to deploy AWS Managed Rules. 4 | 5 | To do so, create a rule using `rdk create` and provide a valid 6 | SourceIdentifier via the `--source-identifier` CLI option. The list of 7 | Managed Rules can be found 8 | [here](https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html) 9 | , and note that the Identifier can be obtained by replacing the dashes 10 | with underscores and using all capitals (for example, the 11 | "guardduty-enabled-centralized" rule has the SourceIdentifier 12 | "GUARDDUTY_ENABLED_CENTRALIZED"). 
Just like custom Rules you will need 13 | to specify source events and/or a maximum evaluation frequency, and also 14 | pass in any Rule parameters. The resulting Rule directory will contain 15 | only the parameters.json file, but using `rdk deploy` or 16 | `rdk create-rule-template` can be used to deploy the Managed Rule like 17 | any other Custom Rule. 18 | -------------------------------------------------------------------------------- /docs/advanced-features/multi-region-deployment.md: -------------------------------------------------------------------------------- 1 | # Deploying Rules Across Multiple Regions 2 | 3 | The RDK is able to run init/deploy/undeploy across multiple regions with 4 | a `rdk -f -t ` 5 | 6 | If no region group is specified, rdk will deploy to the `default` region 7 | set. 8 | 9 | To create a sample starter region group, run `rdk create-region-set` to 10 | specify the filename, add the `-o ` this 11 | will create a region set with the following tests and regions 12 | `"default":["us-east-1","us-west-1","eu-north-1","ap-east-1"],"aws-cn-region-set":["cn-north-1","cn-northwest-1"]` 13 | -------------------------------------------------------------------------------- /docs/advanced-features/rulesets.md: -------------------------------------------------------------------------------- 1 | # RuleSets 2 | 3 | New as of version 0.3.11, it is possible to add RuleSet tags to rules 4 | that can be used to deploy and test groups of rules together. Rules can 5 | belong to multiple RuleSets, and RuleSet membership is stored only in 6 | the parameters.json metadata. The [deploy](../commands/deploy.md), 7 | [create-rule-template](../commands/create-rule-template.md), and [test-local](../commands/test-local.md) 8 | commands are RuleSet-aware such that a RuleSet can be passed in as the 9 | target instead of `--all` or a specific named Rule. 
10 | 11 | A comma-delimited list of RuleSets can be added to a Rule when you 12 | create it (using the `--rulesets` flag), as part of a `modify` command, 13 | or using new `ruleset` subcommands to add or remove individual rules 14 | from a RuleSet. 15 | 16 | Running `rdk rulesets list` will display a list of the RuleSets 17 | currently defined across all of the Rules in the working directory 18 | 19 | ```bash 20 | rdk rulesets list 21 | RuleSets: AnotherRuleSet MyNewSet 22 | ``` 23 | 24 | Naming a specific RuleSet will list all of the Rules that are part of 25 | that RuleSet. 26 | 27 | ```bash 28 | rdk rulesets list AnotherRuleSet 29 | Rules in AnotherRuleSet : RSTest 30 | ``` 31 | 32 | Rules can be added to or removed from RuleSets using the `add` and 33 | `remove` subcommands: 34 | 35 | ```bash 36 | rdk rulesets add MyNewSet RSTest 37 | RSTest added to RuleSet MyNewSet 38 | 39 | rdk rulesets remove AnotherRuleSet RSTest 40 | RSTest removed from RuleSet AnotherRuleSet 41 | ``` 42 | 43 | RuleSets are a convenient way to maintain a single repository of Config 44 | Rules that may need to have subsets of them deployed to different 45 | environments. For example your development environment may contain some 46 | of the Rules that you run in Production but not all of them; RuleSets 47 | gives you a way to identify and selectively deploy the appropriate Rules 48 | to each environment. 49 | -------------------------------------------------------------------------------- /docs/commands/clean.md: -------------------------------------------------------------------------------- 1 | # Clean 2 | 3 | The `clean` command is the inverse of the `init` command, and can be 4 | used to completely remove Config resources from an account, including 5 | the Configuration Recorder, Delivery Channel, S3 buckets, Roles, and 6 | Permissions. This is useful for testing account provisioning automation 7 | and for running automated tests in a clean environment. 
8 | -------------------------------------------------------------------------------- /docs/commands/create-rule-template.md: -------------------------------------------------------------------------------- 1 | # Create-Rule-Template 2 | 3 | Generates and saves to a file a single CloudFormation template that can 4 | be used to deploy the specified Rule(s) into any account. This feature 5 | has two primary uses: 6 | 7 | - Multi-account Config setup in which the Lambda Functions for custom rules are deployed into a centralized \"security\" or \"compliance\" account and the Config Rules themselves are deployed into \"application\" or \"satellite\" accounts. 8 | - Combine many Config Rules into a single CloudFormation template for easier atomic deployment and management. 9 | 10 | The generated CloudFormation template includes a Parameter for the 11 | AccountID that contains the Lambda functions that provide the compliance 12 | logic for the Rules, and also exposes all of the Config Rule input 13 | parameters as CloudFormation stack parameters. 14 | 15 | By default the generated CloudFormation template will set up Config as 16 | per the settings used by the RDK `init` command, but those resources can 17 | be omitted using the `--rules-only` flag. 18 | 19 | The `--config-role-arn` flag can be used for assigning existing config 20 | role to the created Configuration Recorder. The 21 | `-t | --tag-config-rules-script ` can now be used for output 22 | the script generated for create tags for each config rule. 23 | 24 | As of version 0.6, RDK supports Config remediation. Note that in order 25 | to use SSM documents for remediation you must supply all of the 26 | necessary document parameters. These can be found in the SSM document 27 | listing on the AWS console, but RDK will *not* validate at rule creation 28 | that you have all of the necessary parameters supplied. 
29 | -------------------------------------------------------------------------------- /docs/commands/create.md: -------------------------------------------------------------------------------- 1 | # Create 2 | 3 | As of version 0.6, RDK supports Config remediation. Note that in order 4 | to use SSM documents for remediation you must supply all of the 5 | necessary document parameters. These can be found in the SSM document 6 | listing on the AWS console, but RDK will *not* validate at rule creation 7 | that you have all of the necessary parameters supplied. 8 | -------------------------------------------------------------------------------- /docs/commands/deploy.md: -------------------------------------------------------------------------------- 1 | # Deploy 2 | 3 | This command will deploy the specified Rule(s) to the Account and Region 4 | determined by the credentials being used to execute the command, and the 5 | value of the AWS_DEFAULT_REGION environment variable, unless those 6 | credentials or region are overridden using the common flags. 7 | 8 | Once deployed, RDK will **not** explicitly start a Rule evaluation. 9 | Depending on the changes being made to your Config Rule setup, AWS Config 10 | may re-evaluate the deployed Rules automatically, or you can run an 11 | evaluation using the AWS configservice CLI. 12 | 13 | The `--functions-only` flag can be used as part of a multi-account 14 | deployment strategy to push **only** the Lambda functions (and 15 | necessary Roles and Permissions) to the target account. This is intended 16 | to be used in conjunction with the `create-rule-template` command in 17 | order to separate the compliance logic from the evaluated accounts. For 18 | an example of how this looks in practice, check out the [AWS 19 | Compliance-as-Code 20 | Engine](https://github.com/awslabs/aws-config-engine-for-compliance-as-code/).
21 | The `--rdklib-layer-arn` flag can be used for attaching Lambda Layer ARN 22 | that contains the desired rdklib. Note that Lambda Layers are 23 | region-specific. The `--lambda-role-arn` flag can be used for assigning 24 | existing iam role to all Lambda functions created for Custom Config 25 | Rules. The `--lambda-layers` flag can be used for attaching a 26 | comma-separated list of Lambda Layer ARNs to deploy with your Lambda 27 | function(s). The `--lambda-subnets` flag can be used for attaching a 28 | comma-separated list of Subnets to deploy your Lambda function(s). The 29 | `--lambda-security-groups` flag can be used for attaching a 30 | comma-separated list of Security Groups to deploy with your Lambda 31 | function(s). The `--custom-code-bucket` flag can be used for providing 32 | the custom code S3 bucket name, which is not created with rdk init, for 33 | generated cloudformation template storage. The `--boundary-policy-arn` 34 | flag can be used for attaching boundary Policy ARN that will be added to 35 | rdkLambdaRole. The `--lambda-timeout` flag can be used for specifying 36 | the timeout associated to the lambda function 37 | 38 | Note: Behind the scenes the `--functions-only` flag generates a 39 | CloudFormation template and runs a \"create\" or \"update\" on the 40 | targeted AWS Account and Region. If subsequent calls to `deploy` with 41 | the `--functions-only` flag are made with the same stack name (either 42 | the default or otherwise) but with *different Config rules targeted*, 43 | any Rules deployed in previous `deploy`s but not included in the latest 44 | `deploy` will be removed. 
After a functions-only `deploy` **only** the 45 | Rules specifically targeted by that command (either through Rulesets or 46 | an explicit list supplied on the command line) will be deployed in the 47 | environment; all others will be removed. 48 | -------------------------------------------------------------------------------- /docs/commands/export.md: -------------------------------------------------------------------------------- 1 | # Export 2 | 3 | This command will export the specified Rule(s) to the terraform file, it 4 | supports the terraform versions 0.11 and 0.12. 5 | 6 | The `--format` flag can be used to specify export format, currently it 7 | supports only terraform. The `--version` flag can be used to specify the 8 | terraform version. The `--rdklib-layer-arn` flag can be used for 9 | attaching Lambda Layer ARN that contains the desired rdklib. Note that 10 | Lambda Layers are region-specific. The `--lambda-role-arn` flag can be 11 | used for assigning existing iam role to all Lambda functions created for 12 | Custom Config Rules. The `--lambda-layers` flag can be used for 13 | attaching a comma-separated list of Lambda Layer ARNs to deploy with 14 | your Lambda function(s). The `--lambda-subnets` flag can be used for 15 | attaching a comma-separated list of Subnets to deploy your Lambda 16 | function(s). The `--lambda-security-groups` flag can be used for 17 | attaching a comma-separated list of Security Groups to deploy with your 18 | Lambda function(s). The `--lambda-timeout` flag can be used for 19 | specifying the timeout associated to the lambda function. 20 | -------------------------------------------------------------------------------- /docs/commands/init.md: -------------------------------------------------------------------------------- 1 | # Init 2 | 3 | Sets up the AWS Config Service in an AWS Account.
This includes: 4 | 5 | - Config Configuration Recorder 6 | - Config Delivery Channel 7 | - IAM Role for Delivery Channel 8 | - S3 Bucket for Configuration Snapshots 9 | - S3 Bucket for Lambda Code 10 | 11 | Additionally, `init` will make sure that the Configuration Recorder is 12 | on and functioning, that the Delivery Channel has the appropriate Role 13 | attached, and that the Delivery Channel Role has the proper permissions. 14 | 15 | Note: Even without Config Rules running the Configuration Recorder is 16 | still capturing Configuration Item snapshots and storing them in S3, so 17 | running `init` will incur AWS charges! 18 | 19 | Also Note: AWS Config is a regional service, so running `init` will only 20 | set up Config in the region currently specified in your 21 | AWS_DEFAULT_REGION environment variable or in the `--region` flag. 22 | 23 | Advanced Options: 24 | 25 | - `--config-bucket-exists-in-another-account`: \[optional\] If the bucket being used by a Config Delivery Channel exists in another account, it is possible to skip the check that the bucket exists. This is useful when using `init` to initialize AWS Config in an account which already has a delivery channel set up with a central bucket. Currently, the rdk lists out all the buckets within the account you are running `init` from to check whether the provided bucket name exists; if it doesn\'t, it will create it. This presents an issue when a Config Delivery Channel has been configured to push configuration recordings to a central bucket. The bucket will never be found as it doesn\'t exist in the same account, but cannot be created as bucket names have to be globally unique.
26 | - `--skip-code-bucket-creation`: \[optional\] If you want to use a custom code bucket for rdk, enable this and pass the `--custom-code-bucket` flag to `rdk deploy`. 27 | - `--control-tower`: \[optional\] If your account is part of an AWS Control Tower setup, `--control-tower` will skip the setup of configuration_recorder and delivery_channel. 28 | -------------------------------------------------------------------------------- /docs/commands/logs.md: -------------------------------------------------------------------------------- 1 | # Logs 2 | 3 | The `logs` command provides a shortcut to accessing the CloudWatch Logs 4 | output from the Lambda Functions that back your custom Config Rules. 5 | Logs are displayed in chronological order going back the number of log 6 | entries specified by the `--number` flag (default 3). It supports a 7 | `--follow` flag similar to the UNIX command `tail` so that you can 8 | choose to continually poll CloudWatch to deliver new log items as they 9 | are delivered by your Lambda function. 10 | 11 | In addition to any output that your function emits via `print()` or 12 | `console.log()` commands, Lambda will also record log lines for the 13 | start and stop of each Lambda invocation, including the runtime and 14 | memory usage. 15 | -------------------------------------------------------------------------------- /docs/commands/modify.md: -------------------------------------------------------------------------------- 1 | # Modify 2 | 3 | Used to modify the local metadata for Config Rules created by the RDK. 4 | This command takes the same arguments as the `create` command (all of 5 | them optional), and overwrites the Rule metadata for any flag specified. 6 | Changes made using `modify` are not automatically pushed out to your AWS 7 | Account, and must be deployed as usual using the `deploy` command.
8 | -------------------------------------------------------------------------------- /docs/commands/rulesets.md: -------------------------------------------------------------------------------- 1 | # Rulesets 2 | 3 | Rulesets provide a mechanism to tag individual Config Rules into groups 4 | that can be acted on as a unit. Ruleset tags are single keywords, and 5 | the commands `deploy`, `create-rule-template`, and `undeploy` can all 6 | expand Ruleset parameters and operate on the resulting list of Rules. 7 | 8 | The most common use-case for Rulesets is to define standardized Account 9 | metadata or data classifications, and then tag individual Rules to all 10 | of the appropriate metadata tags or classification levels. 11 | 12 | Example: If you have Account classifications of \"Public\", \"Private\", 13 | and \"Restricted\" you can tag all of your Rules as \"Restricted\", and 14 | a subset of them that deal with private network security as \"Private\". 15 | Then when you need to deploy controls to a new \"Private\" account you 16 | can simply use `rdk create-rule-template --rulesets Private` to generate 17 | a CloudFormation template that includes all of the Rules necessary for 18 | your \"Private\" classification, but omit the Rules that are only 19 | necessary for \"Restricted\" accounts. Additionally, as your compliance 20 | requirements change and you add Config Rules you can tag them as 21 | appropriate, re-generate your CloudFormation templates, and re-deploy to 22 | make sure your Accounts are all up-to-date. 23 | 24 | You may also choose to classify accounts using binary attributes 25 | (\"Prod\" vs. \"Non-Prod\" or \"PCI\" vs. \"Non-PCI\"), and then 26 | generate account-specific CloudFormation templates using the Account 27 | metadata to ensure that the appropriate controls are deployed. 
28 | -------------------------------------------------------------------------------- /docs/commands/sample-ci.md: -------------------------------------------------------------------------------- 1 | # Sample-CI 2 | 3 | This utility command outputs a sample Configuration Item for the 4 | specified resource type. This can be useful when writing new custom 5 | Config Rules to help developers know what the CI structure and plausible 6 | values for the resource type are. 7 | 8 | Note that you can construct Config Evaluations for any resource type 9 | that is supported by CloudFormation, however you can not create 10 | change-triggered Config Rules for resource types not explicitly 11 | supported by Config, and some of the console functionality in AWS Config 12 | may be limited. 13 | 14 | [CFN-supported 15 | resources](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-supported-resources.html) 16 | [Config-supported 17 | resources](https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html) 18 | -------------------------------------------------------------------------------- /docs/commands/test-local.md: -------------------------------------------------------------------------------- 1 | # Test-Local 2 | 3 | Shorthand command for running the unit tests defined for Config Rules 4 | that use a Python runtime. When a Python 3.7+ Rule is created using the 5 | `create` command a unit test template is created in the Rule directory. 6 | This test boilerplate includes minimal tests, as well as a framework for 7 | using the `unittest.mock` library for stubbing out Boto3 calls. This 8 | allows more sophisticated test cases to be written for Periodic rules 9 | that need to make API calls to gather information about the environment. 
10 | -------------------------------------------------------------------------------- /docs/commands/undeploy.md: -------------------------------------------------------------------------------- 1 | # Undeploy 2 | 3 | The inverse of `deploy`, this command is used to remove a Config Rule 4 | and its Lambda Function from the targeted account. 5 | 6 | This is intended to be used primarily for clean-up for testing 7 | deployment automation (perhaps from a CI/CD pipeline) to ensure that it 8 | works from an empty account, or to clean up a test account during 9 | development. See also the [clean](./clean.md) command if you want to 10 | more thoroughly scrub Config from your account. 11 | -------------------------------------------------------------------------------- /docs/images/compliance_evaluation.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awslabs/aws-config-rdk/aa40a5773dc15ffdf07a7d556fe0ec75b4a9678d/docs/images/compliance_evaluation.png -------------------------------------------------------------------------------- /docs/images/config_change_triggered.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awslabs/aws-config-rdk/aa40a5773dc15ffdf07a7d556fe0ec75b4a9678d/docs/images/config_change_triggered.jpeg -------------------------------------------------------------------------------- /docs/images/config_hybrid.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awslabs/aws-config-rdk/aa40a5773dc15ffdf07a7d556fe0ec75b4a9678d/docs/images/config_hybrid.jpeg -------------------------------------------------------------------------------- /docs/images/config_periodic.jpeg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/awslabs/aws-config-rdk/aa40a5773dc15ffdf07a7d556fe0ec75b4a9678d/docs/images/config_periodic.jpeg -------------------------------------------------------------------------------- /docs/images/lambda_logic1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awslabs/aws-config-rdk/aa40a5773dc15ffdf07a7d556fe0ec75b4a9678d/docs/images/lambda_logic1.png -------------------------------------------------------------------------------- /docs/rule-management/modifying-rules.md: -------------------------------------------------------------------------------- 1 | # Modifying rules 2 | 3 | Once you have created the rule, you can modify your rules by either editing _parameters.json_ or by running the `rdk modify` command, which takes the same arguments and options as the `rdk create` command. 4 | 5 | To edit your rule evaluation logic, edit the python file in your rule 6 | directory to add whatever logic your Rule requires in the 7 | `evaluate_compliance` function (view [Writing an evaluate_compliance function for more information](./rdk-lambda-function/writing-an-evaluate_compliance-function.md)). 8 | It is worth noting that until you actually call the `deploy` command 9 | your rule only exists in your working directory; none of the Rule 10 | commands discussed thus far actually makes changes to your account.
11 | -------------------------------------------------------------------------------- /integration/config-opscenter-integration-example/.DS_Store: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awslabs/aws-config-rdk/aa40a5773dc15ffdf07a7d556fe0ec75b4a9678d/integration/config-opscenter-integration-example/.DS_Store -------------------------------------------------------------------------------- /integration/config-opscenter-integration-example/AWS_Config_and_OpsCenter.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/awslabs/aws-config-rdk/aa40a5773dc15ffdf07a7d556fe0ec75b4a9678d/integration/config-opscenter-integration-example/AWS_Config_and_OpsCenter.pdf -------------------------------------------------------------------------------- /integration/config-opscenter-integration-example/AWS_Config_and_OpsCenter.xml: -------------------------------------------------------------------------------- 1 | 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 -------------------------------------------------------------------------------- /integration/config-opscenter-integration-example/README.md: -------------------------------------------------------------------------------- 1 | ### AWS Config and OpsCenter integration ### 2 | 3 | This is an example showing how we can create a CloudWatch event to monitor 4 | a change of compliance status and create an OpsItem in OpsCenter. 5 | 6 | # Scenario 7 | 8 | User wants to leverage OpsCenter to have a central location where operations engineers and IT professionals 9 | can view, investigate, and resolve operational work items (OpsItems) related to AWS resources. User also wants 10 | to create OpsItem automatically on non-compliant resources found by AWS Config. In addition, OpsCenter provides 11 | an action to trigger a runbook.
Engineers/professionals can easily trigger the remediation process with this 12 | feature. 13 | 14 | 15 | # Example Walkthrough 16 | 17 | pre-requisite: 18 | aws account, 19 | awscli, 20 | IAM role permission to create config rules, cloudwatch event and opsitem with cloudformation 21 | 22 | 1. execute "sh build.sh" 23 | - create an IAM role and a managed config rule that checks if server side encryption enabled for a S3 bucket 24 | 25 | 2. [Optional] Create a non-encrypted S3 bucket if you do not have one 26 | 27 | 3. Go to AWS Config > Rules > my-config-rule-S3BucketServerSideEncryptionEnabled in Console 28 | - click action button and select re-evaluate 29 | 30 | 4. Once the evaluation is done, go to AWS Systems Manager > OpsCenter in the console and user will see OpsItems created 31 | - User can get the details for the non-compliant resources, suggested runbook for remediation 32 | - User can execute the runbook to resolve the issue. 33 | - Please check the doc for more information on OpsCenter 34 | https://docs.aws.amazon.com/systems-manager/latest/userguide/OpsCenter.html 35 | 36 | 5. 
execute "sh cleanup.sh" 37 | -------------------------------------------------------------------------------- /integration/config-opscenter-integration-example/build.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | 4 | aws cloudformation deploy --stack-name my-opsitem-role \ 5 | --template-file opsitem-role.yaml \ 6 | --capabilities CAPABILITY_IAM 7 | 8 | aws cloudformation deploy --stack-name my-config-rule \ 9 | --template-file s3EncryptedConfigRule.yaml -------------------------------------------------------------------------------- /integration/config-opscenter-integration-example/cleanup.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | 4 | aws cloudformation delete-stack --stack-name my-opsitem-role 5 | aws cloudformation delete-stack --stack-name my-config-rule -------------------------------------------------------------------------------- /integration/config-opscenter-integration-example/opsitem-role.yaml: -------------------------------------------------------------------------------- 1 | # Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with 3 | # the License. A copy of the License is located at 4 | # http://aws.amazon.com/apache2.0/ 5 | # or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 6 | # CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and 7 | # limitations under the License. 
8 | 9 | AWSTemplateFormatVersion: '2010-09-09' 10 | Description: Role to create OpsItem with CloudWatch event 11 | 12 | Resources: 13 | 14 | OpsItemEventRole: 15 | Type: AWS::IAM::Role 16 | Properties: 17 | AssumeRolePolicyDocument: 18 | Version: 2012-10-17 19 | Statement: 20 | - Effect: Allow 21 | Principal: 22 | Service: 23 | - events.amazonaws.com 24 | Action: 25 | - sts:AssumeRole 26 | Path: / 27 | Policies: 28 | - PolicyName: create-opsitem-event 29 | PolicyDocument: 30 | Version: "2012-10-17" 31 | Statement: 32 | - Effect: Allow 33 | Action: 34 | - ssm:CreateOpsItem 35 | Resource: "*" 36 | 37 | 38 | Outputs: 39 | OpsItemEventRoleArn: 40 | Value: !GetAtt OpsItemEventRole.Arn 41 | Description: 'Role to create OpsItem with CloudWatch event' 42 | Export: 43 | Name: "OpsItemEventRoleArn" -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | site_name: AWS RDK Documentation 2 | theme: 3 | name: mkdocs 4 | palette: 5 | scheme: default 6 | primary: navy 7 | plugins: 8 | - search 9 | # TODO: Enable this if/when docstrings are expanded in the core rdk module. 10 | # - mkdocstrings: 11 | # handlers: 12 | # python: 13 | # paths: [rdk] 14 | # markdown_extensions: 15 | # - markdown_include.include: 16 | # base_path: . 
17 | docs_dir: docs 18 | nav: 19 | - 'Rule Management': 20 | - 'Creating Rules': 'rule-management/creating-rules.md' 21 | - 'Deploying Rules': 'rule-management/deploy-rules.md' 22 | - 'Modifying Rules': 'rule-management/modifying-rules.md' 23 | - 'Writing Unit Tests': 'rule-management/writing-unit-tests.md' 24 | - 'RDK Lambda Function': 25 | - 'Lambda Function Logic': 'rule-management/rdk-lambda-function/lambda-function-logic.md' 26 | - 'Writing an evaluate_compliance function': 'rule-management/rdk-lambda-function/writing-an-evaluate_compliance-function.md' 27 | - 'Non-Compliant Resource Remediation': 'remediation.md' 28 | - 'Advanced Features': 29 | - 'advanced-features/cross-Account-deployments.md' 30 | - 'advanced-features/custom-lambda-name.md' 31 | - 'advanced-features/disable-resource-check.md' 32 | - 'advanced-features/generate-lambda-layer.md' 33 | - 'advanced-features/managed-rules.md' 34 | - 'advanced-features/multi-region-deployment.md' 35 | - 'advanced-features/rulesets.md' 36 | - 'Commands': 37 | - 'commands/clean.md' 38 | - 'commands/create-rule-template.md' 39 | - 'commands/create.md' 40 | - 'commands/deploy.md' 41 | - 'commands/export.md' 42 | - 'commands/init.md' 43 | - 'commands/logs.md' 44 | - 'commands/modify.md' 45 | - 'commands/rulesets.md' 46 | - 'commands/sample-ci.md' 47 | - 'commands/test-local.md' 48 | - 'commands/undeploy.md' 49 | - 'Legacy RDK Documentation': 'legacy-docs.md' -------------------------------------------------------------------------------- /policy/rdk-minimum-permissions.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "RdkPermissions", 6 | "Action": [ 7 | "iam:Get*", 8 | "iam:List*", 9 | "iam:DeleteRole", 10 | "iam:DeleteRolePolicy", 11 | "iam:DetachRolePolicy", 12 | "lambda:AddPermission", 13 | "lambda:CreateFunction", 14 | "lambda:CreateEventSourceMapping", 15 | "lambda:DeleteFunction", 16 | 
"lambda:RemovePermission", 17 | "lambda:UpdateFunctionConfiguration", 18 | "lambda:UpdateFunctionCode", 19 | "lambda:PublishVersion", 20 | "lambda:Get*", 21 | "lambda:List*", 22 | "config:Describe*", 23 | "config:Put*", 24 | "config:List*", 25 | "config:StartConfigurationRecorder", 26 | "config:Get*", 27 | "config:StartConfigRulesEvaluation", 28 | "config:DeleteConfigRule", 29 | "cloudformation:*", 30 | "logs:Describe*", 31 | "logs:FilterLogEvents", 32 | "logs:GetLogEvents", 33 | "s3:List*", 34 | "s3:CreateBucket", 35 | "sts:GetCallerIdentity" 36 | ], 37 | "Effect": "Allow", 38 | "Resource": "*" 39 | }, 40 | { 41 | "Sid": "RdkPermissionsS3", 42 | "Action": [ 43 | "s3:PutObject", 44 | "s3:GetObject" 45 | ], 46 | "Effect": "Allow", 47 | "Resource": "arn:aws:s3:::config-rule-code-bucket*" 48 | }, 49 | { 50 | "Sid": "RdkPermissionsRolePolicyAttachment", 51 | "Action": [ 52 | "iam:AttachRolePolicy", 53 | "iam:PutRolePolicy", 54 | "iam:PassRole" 55 | ], 56 | "Effect": "Allow", 57 | "Resource": ["arn:aws:iam::*:role/rdk/*"] 58 | }, 59 | { 60 | "Sid": "RdkPermissionsPassRole", 61 | "Action": [ 62 | "iam:CreateRole", 63 | "iam:PassRole", 64 | "iam:PutRolePolicy" 65 | ], 66 | "Effect": "Allow", 67 | "Resource": "arn:aws:iam::*:role/rdk/*" 68 | } 69 | ] 70 | } 71 | -------------------------------------------------------------------------------- /rdk/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright 2017, 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at 4 | # 5 | # http://aws.amazon.com/apache2.0/ 6 | # 7 | # or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
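# See the License for the specific language governing permissions and limitations under the License.

MY_VERSION = "0.17.19"

# --------------------------------------------------------------------------------
# /rdk/cli.py:
# --------------------------------------------------------------------------------
# Copyright 2017-2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
#
#    http://aws.amazon.com/apache2.0/
#
# or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

import concurrent.futures
import copy

from rdk import rdk


def main():
    """Parse the command line and run the requested rdk command.

    When ``--region-file`` is given, the command is submitted once per region
    from that file to a process pool (at most 16 workers) and the process
    exits with status 0 afterwards. Only ``init``, ``deploy``, ``undeploy``,
    ``deploy-organization`` and ``undeploy-organization`` are accepted in that
    mode; any other command is reported through the parser's ``error()``.

    Without ``--region-file`` the command runs once and the return value of
    ``process_command()`` is used as the exit status.
    """
    # Set up command-line argument parser and parse the args.
    my_parser = rdk.get_command_parser()
    args = my_parser.parse_args()
    my_rdk = rdk.rdk(args)

    if args.region_file:
        if args.command in ["init", "deploy", "undeploy", "deploy-organization", "undeploy-organization"]:
            regions = rdk.parse_region_file(args)
            print(f"{args.command.capitalize()}ing rules in the following regions: {regions}.")
            if args.command in ["undeploy", "undeploy-organization"] and "--force" not in args.command_args:
                # This prompt is the only confirmation asked before the
                # undeploy is fanned out to every region in the file.
                my_input = input("Delete specified Rules and Lambda Functions from your AWS Account? (y/N): ")
                # "(y/N)" advertises "no" as the default, so a bare Enter is
                # accepted and treated as "n" instead of being re-prompted.
                while my_input.lower() not in ["y", "n", ""]:
                    my_input = input(f"Invalid input: {my_input}. Please enter either 'y' or 'n': ")
                if my_input.lower() == "y":
                    # One confirmation covers all regions: --force is added so
                    # the per-region runs receive it in command_args.
                    vars(args)["command_args"].append("--force")
                else:
                    exit(0)

            # One argument namespace per region; copy.copy() is shallow, so
            # the command_args list is shared between the copies.
            args_list = []
            for region in regions:
                vars(args)["region"] = region
                args_list.append(copy.copy(args))

            data = []
            with concurrent.futures.ProcessPoolExecutor(max_workers=16) as executor:
                future_run_multi_region = {
                    executor.submit(rdk.run_multi_region, region_args): region_args for region_args in args_list
                }
                for future in concurrent.futures.as_completed(future_run_multi_region):
                    # result() re-raises any exception raised in the worker.
                    data.append(future.result())
            # NOTE(review): the per-region results in `data` are collected but
            # never inspected, so the exit status is 0 whatever they contain;
            # confirm what run_multi_region returns before relying on it in CI.
            exit(0)
        else:
            my_parser.error(
                "Command must be 'init', 'deploy', 'undeploy', 'deploy-organization', or "
                "'undeploy-organization' when --region-file argument is provided."
            )

    return_val = my_rdk.process_command()
    exit(return_val)


# --------------------------------------------------------------------------------
# /rdk/rdklib_versions.yaml:
# --------------------------------------------------------------------------------

# This file should be updated to contain the latest stable Lambda layer from the rdklib SAM application.
# Layers are published to each region, which is why some have more versions than others.
# This file was automatically generated by update_rdklib_versions.py; check for accuracy before deploying.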
5 | rdklib_layer_versions: 6 | ap-northeast-1: 32 7 | ap-northeast-2: 32 8 | ap-south-1: 32 9 | ap-southeast-1: 91 10 | ap-southeast-2: 30 11 | ca-central-1: 32 12 | eu-central-1: 31 13 | eu-north-1: 31 14 | eu-west-1: 32 15 | eu-west-2: 28 16 | eu-west-3: 32 17 | sa-east-1: 32 18 | us-east-1: 33 19 | us-east-2: 94 20 | us-west-1: 30 21 | us-west-2: 31 22 | -------------------------------------------------------------------------------- /rdk/template/configManagedRule.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: "2010-09-09" 2 | Description: AWS CloudFormation template to create Managed AWS Config rules. You 3 | will be billed for the AWS resources used if you create a stack from this 4 | template. 5 | Parameters: 6 | RuleName: 7 | Description: Name of the Rule 8 | Type: String 9 | MinLength: "1" 10 | MaxLength: "128" 11 | Description: 12 | Description: Description of the Rule 13 | Type: String 14 | MinLength: "1" 15 | MaxLength: "255" 16 | SourceEvents: 17 | Description: Event Type 18 | Type: CommaDelimitedList 19 | Default: NONE 20 | SourcePeriodic: 21 | Description: Execution Frequency 22 | Type: String 23 | MinLength: "1" 24 | MaxLength: "255" 25 | Default: NONE 26 | SourceIdentifier: 27 | Description: Source Identifier of Managed Rule 28 | Type: String 29 | MinLength: "1" 30 | MaxLength: "255" 31 | SourceInputParameters: 32 | Description: Input Parameters 33 | Type: String 34 | Default: "{}" 35 | EvaluationMode: 36 | Description: The evaluation mode to use, either DETECTIVE, PROACTIVE, or BOTH. 
37 | Type: String 38 | Default: DETECTIVE 39 | AllowedValues: 40 | - DETECTIVE 41 | - PROACTIVE 42 | - BOTH 43 | Conditions: 44 | RemoveEventScope: 45 | Fn::Or: 46 | - Fn::Not: 47 | - Condition: EventTriggered 48 | - Fn::Equals: 49 | - Fn::Join: 50 | - "," 51 | - Ref: SourceEvents 52 | - ALL 53 | EventTriggered: 54 | Fn::Not: 55 | - Fn::Equals: 56 | - Fn::Join: 57 | - "," 58 | - Ref: SourceEvents 59 | - NONE 60 | PeriodicTriggered: 61 | Fn::Not: 62 | - Fn::Equals: 63 | - Ref: SourcePeriodic 64 | - NONE 65 | UseBothEvaluationModes: 66 | Fn::Equals: 67 | - Ref: EvaluationMode 68 | - "BOTH" 69 | Resources: 70 | rdkConfigRule: 71 | Type: AWS::Config::ConfigRule 72 | Properties: 73 | ConfigRuleName: 74 | Ref: RuleName 75 | Description: 76 | Ref: Description 77 | Scope: 78 | Fn::If: 79 | - RemoveEventScope 80 | - Ref: AWS::NoValue 81 | - ComplianceResourceTypes: 82 | Ref: SourceEvents 83 | MaximumExecutionFrequency: 84 | Fn::If: 85 | - PeriodicTriggered 86 | - Ref: SourcePeriodic 87 | - Ref: AWS::NoValue 88 | Source: 89 | Owner: AWS 90 | SourceIdentifier: 91 | Ref: SourceIdentifier 92 | InputParameters: 93 | Ref: SourceInputParameters 94 | EvaluationModes: 95 | Fn::If: 96 | - UseBothEvaluationModes 97 | - 98 | - Mode: DETECTIVE 99 | - Mode: PROACTIVE 100 | - 101 | - Mode: 102 | Ref: EvaluationMode -------------------------------------------------------------------------------- /rdk/template/configManagedRuleOrganization.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: "2010-09-09" 2 | Description: AWS CloudFormation template to create Managed AWS Config rules. You 3 | will be billed for the AWS resources used if you create a stack from this 4 | template. 
5 | Parameters: 6 | RuleName: 7 | Description: Name of the Rule 8 | Type: String 9 | MinLength: "1" 10 | MaxLength: "128" 11 | Description: 12 | Description: Description of the Rule 13 | Type: String 14 | MinLength: "1" 15 | MaxLength: "255" 16 | SourceEvents: 17 | Description: Event Type 18 | Type: CommaDelimitedList 19 | Default: NONE 20 | SourcePeriodic: 21 | Description: Execution Frequency 22 | Type: String 23 | MinLength: "1" 24 | MaxLength: "255" 25 | Default: NONE 26 | SourceIdentifier: 27 | Description: Source Identifier of Managed Rule 28 | Type: String 29 | MinLength: "1" 30 | MaxLength: "255" 31 | SourceInputParameters: 32 | Description: Input Parameters 33 | Type: String 34 | Default: "{}" 35 | ExcludedAccounts: 36 | Description: List of account IDs to exclude from rule deployment 37 | Type: CommaDelimitedList 38 | Default: "" 39 | Conditions: 40 | RemoveEventScope: 41 | Fn::Or: 42 | - Fn::Not: 43 | - Condition: EventTriggered 44 | - Fn::Equals: 45 | - Fn::Join: 46 | - "," 47 | - Ref: SourceEvents 48 | - ALL 49 | EventTriggered: 50 | Fn::Not: 51 | - Fn::Equals: 52 | - Fn::Join: 53 | - "," 54 | - Ref: SourceEvents 55 | - NONE 56 | PeriodicTriggered: 57 | Fn::Not: 58 | - Fn::Equals: 59 | - Ref: SourcePeriodic 60 | - NONE 61 | ExcludedAccountsPresent: 62 | Fn::Not: 63 | - Fn::Equals: 64 | - Fn::Join: 65 | - "," 66 | - Ref: ExcludedAccounts 67 | - "" 68 | Resources: 69 | rdkConfigRule: 70 | Type: AWS::Config::OrganizationConfigRule 71 | Properties: 72 | OrganizationConfigRuleName: 73 | Ref: RuleName 74 | OrganizationManagedRuleMetadata: 75 | Description: 76 | Ref: Description 77 | RuleIdentifier: 78 | Ref: SourceIdentifier 79 | InputParameters: 80 | Ref: SourceInputParameters 81 | ResourceTypesScope: 82 | Fn::If: 83 | - RemoveEventScope 84 | - Ref: AWS::NoValue 85 | - Ref: SourceEvents 86 | MaximumExecutionFrequency: 87 | Fn::If: 88 | - PeriodicTriggered 89 | - Ref: SourcePeriodic 90 | - Ref: AWS::NoValue 91 | ExcludedAccounts: 92 | Fn::If: 93 | - 
ExcludedAccountsPresent 94 | - Ref: ExcludedAccounts 95 | - Ref: AWS::NoValue 96 | -------------------------------------------------------------------------------- /rdk/template/configManagedRuleWithRemediation.yaml: -------------------------------------------------------------------------------- 1 | AWSTemplateFormatVersion: "2010-09-09" 2 | Description: AWS CloudFormation template to create Managed AWS Config rules. You 3 | will be billed for the AWS resources used if you create a stack from this 4 | template. 5 | Parameters: 6 | RuleName: 7 | Description: Name of the Rule 8 | Type: String 9 | MinLength: "1" 10 | MaxLength: "128" 11 | Description: 12 | Description: Description of the Rule 13 | Type: String 14 | MinLength: "1" 15 | MaxLength: "255" 16 | SourceEvents: 17 | Description: Event Type 18 | Type: CommaDelimitedList 19 | Default: NONE 20 | SourcePeriodic: 21 | Description: Execution Frequency 22 | Type: String 23 | MinLength: "1" 24 | MaxLength: "255" 25 | Default: NONE 26 | SourceIdentifier: 27 | Description: Source Identifier of Managed Rule 28 | Type: String 29 | MinLength: "1" 30 | MaxLength: "255" 31 | SourceInputParameters: 32 | Description: Input Parameters 33 | Type: String 34 | Default: "{}" 35 | EvaluationMode: 36 | Description: The evaluation mode to use, either DETECTIVE, PROACTIVE, or BOTH. 
37 | Type: String 38 | Default: DETECTIVE 39 | AllowedValues: 40 | - DETECTIVE 41 | - PROACTIVE 42 | - BOTH 43 | Conditions: 44 | RemoveEventScope: 45 | Fn::Or: 46 | - Fn::Not: 47 | - Condition: EventTriggered 48 | - Fn::Equals: 49 | - Fn::Join: 50 | - "," 51 | - Ref: SourceEvents 52 | - ALL 53 | EventTriggered: 54 | Fn::Not: 55 | - Fn::Equals: 56 | - Fn::Join: 57 | - "," 58 | - Ref: SourceEvents 59 | - NONE 60 | PeriodicTriggered: 61 | Fn::Not: 62 | - Fn::Equals: 63 | - Ref: SourcePeriodic 64 | - NONE 65 | UseBothEvaluationModes: 66 | Fn::Equals: 67 | - Ref: EvaluationMode 68 | - "BOTH" 69 | Resources: 70 | rdkConfigRule: 71 | Type: AWS::Config::ConfigRule 72 | Properties: 73 | ConfigRuleName: 74 | Ref: RuleName 75 | Description: 76 | Ref: Description 77 | Scope: 78 | Fn::If: 79 | - RemoveEventScope 80 | - Ref: AWS::NoValue 81 | - ComplianceResourceTypes: 82 | Ref: SourceEvents 83 | MaximumExecutionFrequency: 84 | Fn::If: 85 | - PeriodicTriggered 86 | - Ref: SourcePeriodic 87 | - Ref: AWS::NoValue 88 | Source: 89 | Owner: AWS 90 | SourceIdentifier: 91 | Ref: SourceIdentifier 92 | InputParameters: 93 | Ref: SourceInputParameters 94 | EvaluationModes: 95 | Fn::If: 96 | - UseBothEvaluationModes 97 | - 98 | - Mode: DETECTIVE 99 | - Mode: PROACTIVE 100 | - 101 | - Mode: 102 | Ref: EvaluationMode 103 | -------------------------------------------------------------------------------- /rdk/template/configRuleAssumeRolePolicyDoc.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": "2012-10-17", 3 | "Statement": [ 4 | { 5 | "Sid": "", 6 | "Effect": "Allow", 7 | "Principal": { 8 | "Service": [ 9 | "config.amazonaws${PARTITIONURL}" 10 | ] 11 | }, 12 | "Action": "sts:AssumeRole" } ] 13 | } 14 | -------------------------------------------------------------------------------- /rdk/template/deliveryPermissionsPolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "Version": 
"2012-10-17", 3 | "Statement": [ 4 | { 5 | "Effect": "Allow", 6 | "Action": "s3:PutObject*", 7 | "Resource": "arn:${PARTITION}:s3:::config-bucket-${ACCOUNTID}/AWSLogs/${ACCOUNTID}/*", 8 | "Condition": { 9 | "StringLike": { 10 | "s3:x-amz-acl": "bucket-owner-full-control" 11 | } 12 | } 13 | }, 14 | { 15 | "Effect": "Allow", 16 | "Action": "s3:GetBucketAcl", 17 | "Resource": "arn:${PARTITION}:s3:::config-bucket-${ACCOUNTID}" 18 | } 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ACM_Certificate.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "1236456789012", 4 | "configurationItemCaptureTime": "datetime.datetime(2020, 4, 22, 13, 13, 17, 718000, tzinfo=tzlocal())", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1587582797718", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:acm:us-east-2:1236456789012:certificate/aaa111a1-1aaa-1aa1-1aaa-aaa1a11aa111", 9 | "resourceType": "AWS::ACM::Certificate", 10 | "resourceId": "arn:aws:acm:us-east-2:1236456789012:certificate/aaa111a1-1aaa-1aa1-1aaa-aaa1a11aa111", 11 | "awsRegion": "us-east-2", 12 | "availabilityZone": "Regional", 13 | "resourceCreationTime": "datetime.datetime(2020, 4, 22, 13, 13, 17, 718000, tzinfo=tzlocal())", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "certificateArn": "arn:aws:acm:us-east-2:1236456789012:certificate/aaa111a1-1aaa-1aa1-1aaa-aaa1a11aa111", 19 | "domainName": "www.example.com", 20 | "subjectAlternativeNames": [ 21 | "www.example.com" 22 | ], 23 | "domainValidationOptions": [ 24 | { 25 | "domainName": "www.example.com", 26 | "validationDomain": "www.example.com", 27 | "validationStatus": "FAILED", 28 | "validationMethod": "DNS" 29 | } 30 | ], 31 | "subject": "CN=www.example.com", 32 | "issuer": "Amazon", 33 | "createdAt": "datetime.datetime(2020, 4, 22, 
13, 13, 17, 718000, tzinfo=tzlocal())", 34 | "status": "FAILED", 35 | "keyAlgorithm": "RSA-2048", 36 | "signatureAlgorithm": "SHA256WITHRSA", 37 | "inUseBy": [], 38 | "failureReason": "INVALID_PUBLIC_DOMAIN", 39 | "type": "AMAZON_ISSUED", 40 | "keyUsages": [], 41 | "extendedKeyUsages": [], 42 | "renewalEligibility": "INELIGIBLE", 43 | "options": { 44 | "certificateTransparencyLoggingPreference": "ENABLED" 45 | } 46 | }, 47 | "supplementaryConfiguration": { 48 | "Tags": [] 49 | }, 50 | "resourceTransitionStatus": "None" 51 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ApiGatewayV2_Api.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:36:34.575Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645468594575", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:apigateway:us-east-2::/apis/test", 9 | "resourceType": "AWS::ApiGatewayV2::Api", 10 | "resourceId": "arn:aws:apigateway:us-east-2::/apis/test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2022-02-21T18:36:34.386Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [], 18 | "configuration": { 19 | "apiId": "test", 20 | "name": "test", 21 | "protocolType": "HTTP", 22 | "routeSelectionExpression": "$request.method $request.path", 23 | "apiKeySelectionExpression": "$request.header.x-api-key", 24 | "apiEndpoint": "https://test.execute-api.us-east-2.amazonaws.com", 25 | "createdDate": "Feb 21, 2022 6:36:34 PM", 26 | "tags": { 27 | "internalId": "test", 28 | "resourceArn": "arn:aws:apigateway:us-east-2::/apis/test" 29 | }, 30 | "disableExecuteApiEndpoint": false 31 | }, 32 | "supplementaryConfiguration": {} 33 | } 
-------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ApiGatewayV2_Stage.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:36:35.045Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "123456789012", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:apigateway:us-east-2::/apis/test/stages/$default", 9 | "resourceType": "AWS::ApiGatewayV2::Stage", 10 | "resourceId": "arn:aws:apigateway:us-east-2::/apis/test/stages/$default", 11 | "resourceName": "$default", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2022-02-21T18:36:34.905Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::ApiGatewayV2::Api", 20 | "resourceId": "arn:aws:apigateway:us-east-2::/apis/test", 21 | "resourceName": "test", 22 | "relationshipName": "Is contained in " 23 | } 24 | ], 25 | "configuration": { 26 | "stageName": "$default", 27 | "defaultRouteSettings": { 28 | "detailedMetricsEnabled": false 29 | }, 30 | "routeSettings": {}, 31 | "stageVariables": {}, 32 | "autoDeploy": true, 33 | "createdDate": "Feb 21, 2022 6:36:34 PM", 34 | "lastUpdatedDate": "Feb 21, 2022 6:36:34 PM", 35 | "tags": { 36 | "internalId": "trub", 37 | "resourceArn": "arn:aws:apigateway:us-east-2::/apis/test/stages/$default" 38 | } 39 | }, 40 | "supplementaryConfiguration": {}, 41 | "resourceTransitionStatus": "None" 42 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ApiGateway_RestApi.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:36:56.299Z", 5 | 
"configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645468616299", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:apigateway:us-east-2::/restapis/test", 9 | "resourceType": "AWS::ApiGateway::RestApi", 10 | "resourceId": "arn:aws:apigateway:us-east-2::/restapis/test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2022-02-21T18:36:56.236Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [], 18 | "configuration": { 19 | "id": "test", 20 | "name": "test", 21 | "createdDate": "Feb 21, 2022 6:36:56 PM", 22 | "apiKeySource": "HEADER", 23 | "endpointConfiguration": { 24 | "types": [ 25 | "REGIONAL" 26 | ] 27 | } 28 | }, 29 | "supplementaryConfiguration": {} 30 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ApiGateway_Stage.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:37:48.975Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645468668975", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:apigateway:us-east-2::/restapis/test/stages/test", 9 | "resourceType": "AWS::ApiGateway::Stage", 10 | "resourceId": "arn:aws:apigateway:us-east-2::/restapis/test/stages/test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2022-02-21T18:37:48.843Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::ApiGateway::RestApi", 20 | "resourceId": "arn:aws:apigateway:us-east-2::/restapis/test", 21 | "resourceName": "test", 22 | "relationshipName": "Is contained in " 23 | } 24 | ], 25 | "configuration": { 26 | "deploymentId": "jmlwbd", 27 | "stageName": "test", 28 | 
"cacheClusterEnabled": false, 29 | "cacheClusterStatus": "NOT_AVAILABLE", 30 | "methodSettings": {}, 31 | "tracingEnabled": false, 32 | "createdDate": "Feb 21, 2022 6:37:48 PM", 33 | "lastUpdatedDate": "Feb 21, 2022 6:37:48 PM" 34 | }, 35 | "supplementaryConfiguration": {}, 36 | "resourceTransitionStatus": "None" 37 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_AutoScaling_AutoScalingGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:57:35.374Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645469855374", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:test:autoScalingGroupName/asg1", 9 | "resourceType": "AWS::AutoScaling::AutoScalingGroup", 10 | "resourceId": "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:test:autoScalingGroupName/asg1", 11 | "resourceName": "asg1", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Multiple Availability Zones", 14 | "resourceCreationTime": "2022-02-21T18:55:35.472Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::AutoScaling::LaunchConfiguration", 20 | "resourceName": "lc1", 21 | "relationshipName": "Is associated with " 22 | }, 23 | { 24 | "resourceType": "AWS::EC2::Subnet", 25 | "resourceId": "subnet-test", 26 | "relationshipName": "Is associated with " 27 | } 28 | ], 29 | "configuration": { 30 | "autoScalingGroupName": "asg1", 31 | "autoScalingGroupARN": "arn:aws:autoscaling:us-east-2:123456789012:autoScalingGroup:test:autoScalingGroupName/test", 32 | "launchConfigurationName": "test", 33 | "minSize": 1, 34 | "maxSize": 1, 35 | "desiredCapacity": 1, 36 | "defaultCooldown": 300, 37 | "availabilityZones": [ 38 | "us-east-2a" 39 | ], 40 | 
"loadBalancerNames": [], 41 | "targetGroupARNs": [], 42 | "healthCheckType": "EC2", 43 | "healthCheckGracePeriod": 300, 44 | "instances": [], 45 | "createdTime": 1645469735472, 46 | "suspendedProcesses": [], 47 | "enabledMetrics": [], 48 | "tags": [], 49 | "terminationPolicies": [ 50 | "Default" 51 | ], 52 | "newInstancesProtectedFromScaleIn": false, 53 | "serviceLinkedRoleARN": "arn:aws:iam::123456789012:role/aws-service-role/autoscaling.amazonaws.com/test", 54 | "capacityRebalance": true, 55 | "vpczoneIdentifier": "subnet-test" 56 | }, 57 | "supplementaryConfiguration": { 58 | "LifeCycleHooks": [] 59 | }, 60 | "resourceTransitionStatus": "None" 61 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_AutoScaling_LaunchConfiguration.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:55:25.285Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645469725285", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:autoscaling:us-east-2:123456789012:launchConfiguration:test:launchConfigurationName/test", 9 | "resourceType": "AWS::AutoScaling::LaunchConfiguration", 10 | "resourceId": "arn:aws:autoscaling:us-east-2:123456789012:launchConfiguration:test2:launchConfigurationName/test", 11 | "resourceName": "lc1", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2022-02-21T18:54:30.080Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::EC2::SecurityGroup", 20 | "resourceId": "sg-test", 21 | "relationshipName": "Is associated with " 22 | } 23 | ], 24 | "configuration": { 25 | "launchConfigurationName": "lc1", 26 | "launchConfigurationARN": "arn:aws:autoscaling:us-east-2:123456789012:launchConfiguration:test/test", 27 | 
"imageId": "ami-test", 28 | "keyName": "", 29 | "securityGroups": [ 30 | "sg-test" 31 | ], 32 | "classicLinkVPCSecurityGroups": [], 33 | "userData": "", 34 | "instanceType": "t2.nano", 35 | "kernelId": "", 36 | "ramdiskId": "", 37 | "blockDeviceMappings": [ 38 | { 39 | "deviceName": "/dev/sdj", 40 | "ebs": { 41 | "volumeSize": 5, 42 | "volumeType": "gp2", 43 | "deleteOnTermination": false, 44 | "encrypted": true 45 | } 46 | }, 47 | { 48 | "deviceName": "/dev/sda1", 49 | "ebs": { 50 | "snapshotId": "snap-test", 51 | "volumeSize": 8, 52 | "volumeType": "gp2", 53 | "deleteOnTermination": true, 54 | "encrypted": false 55 | } 56 | }, 57 | { 58 | "deviceName": "/dev/sdc", 59 | "noDevice": true 60 | }, 61 | { 62 | "deviceName": "/dev/sdh", 63 | "ebs": { 64 | "volumeSize": 20, 65 | "volumeType": "gp2", 66 | "deleteOnTermination": false, 67 | "encrypted": true 68 | } 69 | }, 70 | { 71 | "deviceName": "/dev/sdi", 72 | "ebs": { 73 | "volumeSize": 10, 74 | "volumeType": "gp2", 75 | "deleteOnTermination": false, 76 | "encrypted": true 77 | } 78 | }, 79 | { 80 | "deviceName": "/dev/sdb", 81 | "noDevice": true 82 | } 83 | ], 84 | "instanceMonitoring": { 85 | "enabled": false 86 | }, 87 | "iamInstanceProfile": "arn:aws:iam::123456789012:instance-profile/test", 88 | "createdTime": 1645469670080, 89 | "ebsOptimized": false 90 | }, 91 | "supplementaryConfiguration": {}, 92 | "resourceTransitionStatus": "None" 93 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_AutoScaling_ScalingPolicy.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T19:36:05.998Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645472165998", 7 | "configurationItemMD5Hash": "", 8 | "arn": 
"arn:aws:autoscaling:us-east-2:123456789012:scalingPolicy:test:autoScalingGroupName/test:policyName/Target Tracking Policy", 9 | "resourceType": "AWS::AutoScaling::ScalingPolicy", 10 | "resourceId": "arn:aws:autoscaling:us-east-2:123456789012:scalingPolicy:test:autoScalingGroupName/test:policyName/Target Tracking Policy", 11 | "resourceName": "Target Tracking Policy", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [ 17 | { 18 | "resourceType": "AWS::CloudWatch::Alarm", 19 | "resourceId": "TargetTracking-test-AlarmHigh-test", 20 | "resourceName": "TargetTracking-test-AlarmHigh-test", 21 | "relationshipName": "Is associated with " 22 | }, 23 | { 24 | "resourceType": "AWS::AutoScaling::AutoScalingGroup", 25 | "resourceName": "test", 26 | "relationshipName": "Is associated with " 27 | }, 28 | { 29 | "resourceType": "AWS::CloudWatch::Alarm", 30 | "resourceId": "TargetTracking-test-AlarmLow-test", 31 | "resourceName": "TargetTracking-test-AlarmLow-test", 32 | "relationshipName": "Is associated with " 33 | } 34 | ], 35 | "configuration": { 36 | "autoScalingGroupName": "test", 37 | "policyName": "Target Tracking Policy", 38 | "policyARN": "arn:aws:autoscaling:us-east-2:123456789012:scalingPolicy:test:autoScalingGroupName/test:policyName/Target Tracking Policy", 39 | "policyType": "TargetTrackingScaling", 40 | "stepAdjustments": [], 41 | "estimatedInstanceWarmup": 1500, 42 | "alarms": [ 43 | { 44 | "alarmName": "TargetTracking-test-AlarmHigh-test", 45 | "alarmARN": "arn:aws:cloudwatch:us-east-2:123456789012:alarm:TargetTracking-test-AlarmHigh-test" 46 | }, 47 | { 48 | "alarmName": "TargetTracking-test-AlarmLow-test", 49 | "alarmARN": "arn:aws:cloudwatch:us-east-2:123456789012:alarm:TargetTracking-test-AlarmLow-test" 50 | } 51 | ], 52 | "targetTrackingConfiguration": { 53 | "predefinedMetricSpecification": { 54 | "predefinedMetricType": "ASGAverageCPUUtilization" 55 | }, 56 | 
"targetValue": 50, 57 | "disableScaleIn": false 58 | }, 59 | "enabled": true 60 | }, 61 | "supplementaryConfiguration": {}, 62 | "resourceTransitionStatus": "None" 63 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_AutoScaling_ScheduledAction.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T19:40:25.738Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645472425738", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:autoscaling:us-east-2:123456789012:scheduledUpdateGroupAction:test:autoScalingGroupName/test:scheduledActionName/test", 9 | "resourceType": "AWS::AutoScaling::ScheduledAction", 10 | "resourceId": "arn:aws:autoscaling:us-east-2:123456789012:scheduledUpdateGroupAction:test:autoScalingGroupName/test:scheduledActionName/test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [ 17 | { 18 | "resourceType": "AWS::AutoScaling::AutoScalingGroup", 19 | "resourceName": "test", 20 | "relationshipName": "Is associated with " 21 | } 22 | ], 23 | "configuration": { 24 | "autoScalingGroupName": "test", 25 | "scheduledActionName": "test", 26 | "scheduledActionARN": "arn:aws:autoscaling:us-east-2:123456789012:scheduledUpdateGroupAction:test:autoScalingGroupName/test:scheduledActionName/test", 27 | "minSize": 1, 28 | "maxSize": 1, 29 | "desiredCapacity": 1, 30 | "timeZone": "Etc/UTC" 31 | }, 32 | "supplementaryConfiguration": {}, 33 | "resourceTransitionStatus": "None" 34 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_CLOUDFRONT_STREAMINGDISTRIBUTION.json: -------------------------------------------------------------------------------- 1 | 
{ 2 | "relatedEvents": [], 3 | "relationships": [ 4 | { 5 | "resourceId": "access-log-123456789012us-standard", 6 | "resourceName": "access-log-123456789012us-standard", 7 | "resourceType": "AWS::S3::Bucket", 8 | "name": "Is associated with " 9 | } 10 | ], 11 | "configuration": { 12 | "id": "E2KEY2W6AMVSOZ", 13 | "arn": "arn:aws:cloudfront::123456789012:streaming-distribution/E2KEY2W6AMVSOZ", 14 | "domainName": "s2l5fwedgp14l5.cloudfront.net", 15 | "streamingDistributionConfig": { 16 | "aliases": { 17 | "quantity": 0 18 | }, 19 | "enabled": true, 20 | "priceClass": "PriceClass_100", 21 | "callerReference": "1549939218400", 22 | "comment": "", 23 | "s3Origin": { 24 | "originAccessIdentity": "", 25 | "domainName": "access-log-123456789012us-standard.s3.amazonaws.com" 26 | }, 27 | "logging": { 28 | "enabled": false, 29 | "prefix": "", 30 | "bucket": "" 31 | }, 32 | "trustedSigners": { 33 | "items": [ 34 | "self" 35 | ], 36 | "enabled": true, 37 | "quantity": 1 38 | } 39 | }, 40 | "activeTrustedSigners": { 41 | "enabled": true, 42 | "items": [ 43 | { 44 | "keyPairIds": { 45 | "quantity": 0 46 | }, 47 | "awsAccountNumber": "self" 48 | } 49 | ], 50 | "quantity": 1 51 | }, 52 | "lastModifiedTime": "2019-02-12T02:40:18.754Z" 53 | }, 54 | "supplementaryConfiguration": {}, 55 | "tags": {}, 56 | "configurationItemVersion": "1.3", 57 | "configurationItemCaptureTime": "2019-02-12T02:40:24.328Z", 58 | "configurationStateId": 1549952781028, 59 | "awsAccountId": "123456789012", 60 | "configurationItemStatus": "ResourceDiscovered", 61 | "resourceType": "AWS::CloudFront::StreamingDistribution", 62 | "resourceId": "E2KEY2W6AMVSOZ", 63 | "resourceName": null, 64 | "ARN": "arn:aws:cloudfront::123456789012:streaming-distribution/E2KEY2W6AMVSOZ", 65 | "awsRegion": "global", 66 | "availabilityZone": "Not Applicable", 67 | "configurationStateMd5Hash": "", 68 | "resourceCreationTime": "2019-02-12T02:40:18.754Z" 69 | } 70 | 
-------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_CloudFormation_Stack.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:24:55.063Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1587582797718", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:cloudformation:us-east-1:123456789012:stack/example-stack/ee155870-38af-11ea-865a-0a8540e42a70", 9 | "resourceType": "AWS::CloudFormation::Stack", 10 | "resourceId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example-stack/ee155870-38af-11ea-865a-0a8540e42a70", 11 | "resourceName": "example-stack", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Regional", 14 | "resourceCreationTime": "datetime.datetime(2020, 1, 16, 15, 31, 25, 438000, tzinfo=tzlocal())", 15 | "tags": { 16 | "Name": "example-stack" 17 | }, 18 | "relatedEvents": [], 19 | "relationships": [], 20 | "configuration": { 21 | "stackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example-stack/ee155870-38af-11ea-865a-0a8540e42a70", 22 | "stackName": "example-stack", 23 | "description": "Example Stack Configuration Item", 24 | "parameters": [ 25 | { 26 | "parameterKey": "TopicARN", 27 | "parameterValue": "arn:aws:sns:us-east-1:123456789012:example-topic" 28 | } 29 | ], 30 | "creationTime": "Jan 16, 2020 10:31:25 PM", 31 | "stackStatus": "CREATE_COMPLETE", 32 | "disableRollback": "false", 33 | "notificationARNs": [], 34 | "capabilities":[ 35 | "CAPABILITY_NAMED_IAM", 36 | "CAPABILITY_AUTO_EXPAND" 37 | ], 38 | "outputs": [], 39 | "tags":[ 40 | { 41 | "key": "Name", 42 | "value": "example-stack" 43 | } 44 | ], 45 | "enableTerminationProtection": "false", 46 | "driftInformation": { 47 | "stackDriftStatus": "IN_SYNC" 48 | } 49 | }, 50 | "supplementaryConfiguration": { 51 | "EnableTerminationProtection": "false", 
52 | "StackDriftDetectionInformation": { 53 | "DetectionStatus": "DETECTION_COMPLETE" 54 | }, 55 | "StackResourceSummaries": [ 56 | { 57 | "logicalResourceId": "Subscription", 58 | "physicalResourceId": "arn:aws:sns:us-east-1:123456789012:example-topic:6d5412ed-84ab-4216-b57e-769d11719e08", 59 | "resourceType": "AWS::SNS::Subscription", 60 | "lastUpdatedTimestamp": "Jan 16, 2020 10:31:30 PM", 61 | "resourceStatus": "CREATE_COMPLETE", 62 | "driftInformation": { 63 | "stackResourceDriftStatus": "NOT_CHECKED" 64 | } 65 | } 66 | ], 67 | "unsupportedResources": [ 68 | { 69 | "resourceId": "arn:aws:sns:us-east-1:123456789012:example-topic:6d5412ed-84ab-4216-b57e-769d11719e08", 70 | "resourceType": "AWS::SNS::Subscription" 71 | } 72 | ] 73 | } 74 | } 75 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_CloudWatch_Alarm.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "681361479661", 4 | "configurationItemCaptureTime": "2017-05-17T00:53:27.675Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1494982407675", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:cloudwatch:us-east-1:681361479661:alarm:qwd", 9 | "resourceType": "AWS::CloudWatch::Alarm", 10 | "resourceId": "qwd", 11 | "resourceName": "qwd", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Not Applicable", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "alarmName": "qwd", 19 | "alarmArn": "arn:aws:cloudwatch:us-east-1:681361479661:alarm:qwd", 20 | "alarmConfigurationUpdatedTimestamp": 1494981900510, 21 | "actionsEnabled": true, 22 | "alarmActions": [ 23 | "arn:aws:sns:us-east-1:681361479661:config-topic" 24 | ], 25 | "insufficientDataActions": [ 26 | "arn:aws:sns:us-east-1:681361479661:config-topic" 27 | ], 28 | "metricName": "CPUUtilization", 29 | "namespace": "AWS/EC2", 
30 | "statistic": "Average", 31 | "dimensions": [ 32 | { 33 | "name": "InstanceId", 34 | "value": "i-03402838daac1d611" 35 | } 36 | ], 37 | "period": 300, 38 | "evaluationPeriods": 1, 39 | "threshold": 0, 40 | "comparisonOperator": "GreaterThanOrEqualToThreshold", 41 | "okactions": [] 42 | }, 43 | "supplementaryConfiguration": {} 44 | } 45 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Cloudtrail_Trail.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "212591712841", 4 | "configurationItemCaptureTime": "2018-09-18T17:42:35.043Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1519183538560", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:cloudtrail:ap-southeast-1:123456789012:trail/APJCCloudTrail", 9 | "resourceType": "AWS::CloudTrail::Trail", 10 | "resourceId": "APJCCloudTrail", 11 | "awsRegion": "ap-southeast-1", 12 | "availabilityZone": "Regional", 13 | "tags": {}, 14 | "relatedEvents": [], 15 | "relationships": [], 16 | "configuration": { 17 | "name": "APJCCloudTrail", 18 | "s3BucketName": "mborch-apjc-cloudtrail-bucket", 19 | "s3KeyPrefix": "CloudTrail", 20 | "includeGlobalServiceEvents": true, 21 | "isMultiRegionTrail": true, 22 | "homeRegion": "ap-southeast-1", 23 | "trailARN": "arn:aws:cloudtrail:ap-southeast-1:123456789012:trail/APJCCloudTrail", 24 | "logFileValidationEnabled": true, 25 | "hasCustomEventSelectors": true 26 | }, 27 | "supplementaryConfiguration": { 28 | "Tags": [] 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_CodeBuild_Project.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T15:58:19.279Z", 5 | "configurationItemStatus": "ResourceDiscovered", 
6 | "configurationStateId": "1645459099279", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:codebuild:us-east-2:123456789012:project/test", 9 | "resourceType": "AWS::CodeBuild::Project", 10 | "resourceId": "48182ee8-95ac-4073-b682-7b7f5c98cb84", 11 | "resourceName": "RDK", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2022-02-21T15:06:29.624Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::IAM::Role", 20 | "resourceName": "codebuild-RDK-service-role", 21 | "relationshipName": "Is associated with " 22 | } 23 | ], 24 | "configuration": { 25 | "name": "RDK", 26 | "source": [ 27 | { 28 | "type": "GITHUB", 29 | "buildSpec": "testing/linux-python3-buildspec.yaml", 30 | "location": "https://github.com/awslabs/aws-config-rdk", 31 | "gitCloneDepth": 1, 32 | "gitSubmodulesConfig": { 33 | "fetchSubmodules": false 34 | }, 35 | "reportBuildStatus": false 36 | } 37 | ], 38 | "sourceVersion": "staging", 39 | "artifacts": [ 40 | { 41 | "type": "NO_ARTIFACTS" 42 | } 43 | ], 44 | "secondarySources": [], 45 | "secondarySourceVersions": [], 46 | "secondaryArtifacts": [], 47 | "serviceRole": "arn:aws:iam::123456789012:role/service-role/codebuild-RDK-service-role", 48 | "timeoutInMinutes": 60, 49 | "queuedtimeoutInMinutes": 480, 50 | "environment": { 51 | "type": "LINUX_CONTAINER", 52 | "image": "aws/codebuild/amazonlinux2-x86_64-standard:3.0", 53 | "computeType": "BUILD_GENERAL1_SMALL", 54 | "privilegedMode": false, 55 | "environmentVariables": [], 56 | "imagePullCredentialsType": "CODEBUILD" 57 | }, 58 | "encryptionKey": "arn:aws:kms:us-east-2:123456789012:alias/aws/s3", 59 | "tags": [], 60 | "cache": { 61 | "type": "NO_CACHE" 62 | }, 63 | "logsConfig": { 64 | "cloudWatchLogs": { 65 | "status": "ENABLED" 66 | }, 67 | "s3Logs": { 68 | "status": "DISABLED" 69 | } 70 | } 71 | }, 72 | "supplementaryConfiguration": {}, 73 | "resourceTransitionStatus": "None" 74 | } 
-------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_DynamoDB_Table.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T15:58:19.450Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645459099450", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:dynamodb:us-east-2:123456789012:table/test", 9 | "resourceType": "AWS::DynamoDB::Table", 10 | "resourceId": "test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2022-01-13T15:28:08.890Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [], 18 | "configuration": { 19 | "attributeDefinitions": [ 20 | { 21 | "attributeName": "primary", 22 | "attributeType": "S" 23 | } 24 | ], 25 | "tableName": "test", 26 | "keySchema": [ 27 | { 28 | "attributeName": "LockID", 29 | "keyType": "HASH" 30 | } 31 | ], 32 | "tableStatus": "ACTIVE", 33 | "creationDateTime": 1642087688890, 34 | "provisionedThroughput": { 35 | "numberOfDecreasesToday": 0, 36 | "readCapacityUnits": 0, 37 | "writeCapacityUnits": 0 38 | }, 39 | "tableArn": "arn:aws:dynamodb:us-east-2:123456789012:table/test", 40 | "tableId": "test", 41 | "billingModeSummary": { 42 | "billingMode": "PAY_PER_REQUEST", 43 | "lastUpdateToPayPerRequestDateTime": 1642087688890 44 | } 45 | }, 46 | "supplementaryConfiguration": { 47 | "ContinuousBackupsDescription": { 48 | "continuousBackupsStatus": "ENABLED", 49 | "pointInTimeRecoveryDescription": { 50 | "pointInTimeRecoveryStatus": "DISABLED" 51 | } 52 | }, 53 | "Tags": [] 54 | }, 55 | "resourceTransitionStatus": "None" 56 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_CapacityReservation.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "111111111111", 4 | "configurationItemCaptureTime": "2024-01-18T17:36:03.851Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1705599363851", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ec2:us-west-2:111111111111:capacity-reservation/cr-0123456789abcdef", 9 | "resourceType": "AWS::EC2::CapacityReservation", 10 | "resourceId": "cr-0123456789abcdef", 11 | "awsRegion": "us-west-2", 12 | "availabilityZone": "us-west-2a", 13 | "resourceCreationTime": "2024-01-18T17:33:54.000Z", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Id": "cr-0123456789abcdef", 19 | "Tenancy": "default", 20 | "EndDateType": "limited", 21 | "AvailabilityZone": "us-west-2a", 22 | "TotalInstanceCount": 1, 23 | "EndDate": "2024-01-25T08:05:00Z", 24 | "EbsOptimized": true, 25 | "InstanceCount": 1, 26 | "AvailableInstanceCount": 1, 27 | "InstancePlatform": "Linux/UNIX", 28 | "InstanceType": "m4.large", 29 | "EphemeralStorage": false, 30 | "InstanceMatchCriteria": "open", 31 | "TagSpecifications": [ 32 | { 33 | "ResourceType": "capacity-reservation", 34 | "Tags": [] 35 | } 36 | ] 37 | }, 38 | "supplementaryConfiguration": { 39 | "Arn": "arn:aws:ec2:us-west-2:111111111111:capacity-reservation/cr-0123456789abcdef" 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_CustomerGateway.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-11-11T22:56:58.339Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1478905018339", 7 | "configurationItemMD5Hash": "70691b885b535bb32e6d1848b7f87fce", 8 | "arn": 
"arn:aws:ec2:us-east-1:264683526309:customer-gateway/cgw-5699703f", 9 | "resourceType": "AWS::EC2::CustomerGateway", 10 | "resourceId": "cgw-5699703f", 11 | "awsRegion": "Not Applicable", 12 | "availabilityZone": "Not Applicable", 13 | "tags": { 14 | "Name": "MyCustomerGateway-Gamma" 15 | }, 16 | "relatedEvents": [], 17 | "relationships": [], 18 | "configuration": { 19 | "customerGatewayId": "cgw-5699703f", 20 | "state": "available", 21 | "type": "ipsec.1", 22 | "ipAddress": "65.102.80.1", 23 | "bgpAsn": "65000", 24 | "tags": [ 25 | { 26 | "key": "Name", 27 | "value": "MyCustomerGateway-Gamma" 28 | } 29 | ] 30 | }, 31 | "supplementaryConfiguration": {} 32 | } 33 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_EIP.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-09-22T01:19:20.737Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1", 7 | "configurationItemMD5Hash": "0c9d051e36e7494c37300714e1c9aa68", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:eip-allocation/eipalloc-b67d33ce", 9 | "resourceType": "AWS::EC2::EIP", 10 | "resourceId": "eipalloc-b67d33ce", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Not Applicable", 13 | "tags": {}, 14 | "relatedEvents": [], 15 | "relationships": [], 16 | "configuration": { 17 | "publicIp": "52.45.95.91", 18 | "allocationId": "eipalloc-b67d33ce", 19 | "domain": "vpc" 20 | }, 21 | "supplementaryConfiguration": {} 22 | } 23 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_FlowLog.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-22T09:38:19.227Z", 5 | 
"configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645522699227", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ec2:us-east-2:123456789012:flow-log/fl-test", 9 | "resourceType": "AWS::EC2::FlowLog", 10 | "resourceId": "test", 11 | "awsRegion": "us-east-2", 12 | "availabilityZone": "Not Applicable", 13 | "resourceCreationTime": "2022-02-21T18:15:20.361Z", 14 | "tags": { 15 | "Name": "test" 16 | }, 17 | "relatedEvents": [], 18 | "relationships": [], 19 | "configuration": { 20 | "creationTime": 1645467320361, 21 | "deliverLogsPermissionArn": "arn:aws:iam::123456789012:role/test", 22 | "deliverLogsStatus": "SUCCESS", 23 | "flowLogId": "test", 24 | "flowLogStatus": "ACTIVE", 25 | "logGroupName": "test", 26 | "resourceId": "test", 27 | "trafficType": "ALL", 28 | "logDestinationType": "cloud-watch-logs", 29 | "logFormat": "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}", 30 | "tags": [ 31 | { 32 | "key": "Name", 33 | "value": "fltest3" 34 | } 35 | ], 36 | "maxAggregationInterval": 60 37 | }, 38 | "supplementaryConfiguration": {}, 39 | "resourceTransitionStatus": "None" 40 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_Host.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2021-12-02T17:29:00.471Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1638466140471", 7 | "configurationItemMD5Hash": "", 8 | "resourceType": "AWS::EC2::Host", 9 | "resourceId": "h-test", 10 | "awsRegion": "us-east-1", 11 | "availabilityZone": "us-east-1a", 12 | "tags": {}, 13 | "relatedEvents": [], 14 | "relationships": [], 15 | "configuration": { 16 | "autoPlacement": "off", 17 | "availabilityZone": "us-east-1a", 18 
| "availableCapacity": { 19 | "availableInstanceCapacity": [ 20 | { 21 | "availableCapacity": 8, 22 | "instanceType": "c5.2xlarge", 23 | "totalCapacity": 8 24 | } 25 | ], 26 | "availableVCpus": 64 27 | }, 28 | "clientToken": "test", 29 | "hostId": "h-test", 30 | "hostProperties": { 31 | "cores": 36, 32 | "instanceType": "c5.2xlarge", 33 | "sockets": 2, 34 | "totalVCpus": 64 35 | }, 36 | "instances": [], 37 | "state": "available", 38 | "allocationTime": "2021-12-02T17:28:18.000Z", 39 | "tags": [], 40 | "hostRecovery": "off", 41 | "allowsMultipleInstanceTypes": "off", 42 | "ownerId": "123456789012", 43 | "availabilityZoneId": "use1-az2", 44 | "memberOfServiceLinkedResourceGroup": false 45 | }, 46 | "supplementaryConfiguration": {} 47 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_InternetGateway.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-09-24T17:47:03.765Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "949", 7 | "configurationItemMD5Hash": "4b662f4dface6f87805284f4632263c3", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:internet-gateway/igw-a5f227c1", 9 | "resourceType": "AWS::EC2::InternetGateway", 10 | "resourceId": "igw-a5f227c1", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Multiple Availability Zones", 13 | "tags": {}, 14 | "relatedEvents": [ 15 | "7656056e-4df8-4db6-a2fc-cf83e5461f7f" 16 | ], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::EC2::VPC", 20 | "resourceId": "vpc-0990dc6d", 21 | "relationshipName": "Is attached to Vpc" 22 | } 23 | ], 24 | "configuration": { 25 | "internetGatewayId": "igw-a5f227c1", 26 | "attachments": [ 27 | { 28 | "vpcId": "vpc-0990dc6d", 29 | "state": "available" 30 | } 31 | ], 32 | "tags": [] 33 | }, 34 | "supplementaryConfiguration": {} 35 | } 36 | 
-------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_LaunchTemplate.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:55:25.306Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645469725306", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ec2:us-east-2:123456789012:launch-template/lt-test", 9 | "resourceType": "AWS::EC2::LaunchTemplate", 10 | "resourceId": "lt-test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "LaunchTemplateName": "test", 19 | "Id": "lt-test", 20 | "LaunchTemplateData": { 21 | "BlockDeviceMappings": [], 22 | "NetworkInterfaces": [], 23 | "ImageId": "ami-test", 24 | "TagSpecifications": [], 25 | "ElasticGpuSpecifications": [], 26 | "ElasticInferenceAccelerators": [], 27 | "SecurityGroupIds": [], 28 | "SecurityGroups": [], 29 | "LicenseSpecifications": [] 30 | }, 31 | "DefaultVersionNumber": "1", 32 | "LatestVersionNumber": "1", 33 | "TagSpecifications": [] 34 | }, 35 | "supplementaryConfiguration": {}, 36 | "resourceTransitionStatus": "None" 37 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_NatGateway.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:24:55.063Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645463774899", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ec2:us-east-2:123456789012:natgateway/nat-test", 9 | "resourceType": "AWS::EC2::NatGateway", 10 | "resourceId": 
"nat-test", 11 | "awsRegion": "us-east-2", 12 | "availabilityZone": "Not Applicable", 13 | "resourceCreationTime": "2022-02-21T18:24:55.063Z", 14 | "tags": { 15 | "Name": "test" 16 | }, 17 | "relatedEvents": [], 18 | "relationships": [ 19 | { 20 | "resourceType": "AWS::EC2::VPC", 21 | "resourceId": "vpc-test", 22 | "relationshipName": "Is contained in " 23 | }, 24 | { 25 | "resourceType": "AWS::EC2::Subnet", 26 | "resourceId": "subnet-test", 27 | "relationshipName": "Is contained in " 28 | } 29 | ], 30 | "configuration": { 31 | "createTime": 1645463702000, 32 | "natGatewayAddresses": [ 33 | { 34 | "allocationId": "eipalloc-test", 35 | "networkInterfaceId": "eni-test", 36 | "privateIp": "0.0.0.0" 37 | } 38 | ], 39 | "natGatewayId": "nat-test", 40 | "state": "pending", 41 | "subnetId": "subnet-test", 42 | "vpcId": "vpc-test", 43 | "tags": [ 44 | { 45 | "key": "Name", 46 | "value": "test" 47 | } 48 | ], 49 | "connectivityType": "public" 50 | }, 51 | "supplementaryConfiguration": {}, 52 | "resourceTransitionStatus": "None" 53 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_NetworkAcl.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-09-24T17:47:04.219Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "949", 7 | "configurationItemMD5Hash": "6d0a7e737d25752747799994f0088091", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:network-acl/acl-b48fd1d0", 9 | "resourceType": "AWS::EC2::NetworkAcl", 10 | "resourceId": "acl-b48fd1d0", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Multiple Availability Zones", 13 | "tags": {}, 14 | "relatedEvents": [ 15 | "7656056e-4df8-4db6-a2fc-cf83e5461f7f" 16 | ], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::EC2::Subnet", 20 | "resourceId": "subnet-29428871", 21 | "relationshipName": "Is attached 
to Subnet" 22 | }, 23 | { 24 | "resourceType": "AWS::EC2::Subnet", 25 | "resourceId": "subnet-32e85b44", 26 | "relationshipName": "Is attached to Subnet" 27 | }, 28 | { 29 | "resourceType": "AWS::EC2::Subnet", 30 | "resourceId": "subnet-38c20312", 31 | "relationshipName": "Is attached to Subnet" 32 | }, 33 | { 34 | "resourceType": "AWS::EC2::Subnet", 35 | "resourceId": "subnet-e83ba2d5", 36 | "relationshipName": "Is attached to Subnet" 37 | }, 38 | { 39 | "resourceType": "AWS::EC2::VPC", 40 | "resourceId": "vpc-0990dc6d", 41 | "relationshipName": "Is contained in Vpc" 42 | } 43 | ], 44 | "configuration": { 45 | "networkAclId": "acl-b48fd1d0", 46 | "vpcId": "vpc-0990dc6d", 47 | "isDefault": true, 48 | "entries": [ 49 | { 50 | "ruleNumber": 100, 51 | "protocol": "-1", 52 | "ruleAction": "allow", 53 | "egress": true, 54 | "cidrBlock": "0.0.0.0/0" 55 | }, 56 | { 57 | "ruleNumber": 32767, 58 | "protocol": "-1", 59 | "ruleAction": "deny", 60 | "egress": true, 61 | "cidrBlock": "0.0.0.0/0" 62 | }, 63 | { 64 | "ruleNumber": 100, 65 | "protocol": "-1", 66 | "ruleAction": "allow", 67 | "egress": false, 68 | "cidrBlock": "0.0.0.0/0" 69 | }, 70 | { 71 | "ruleNumber": 32767, 72 | "protocol": "-1", 73 | "ruleAction": "deny", 74 | "egress": false, 75 | "cidrBlock": "0.0.0.0/0" 76 | } 77 | ], 78 | "associations": [ 79 | { 80 | "networkAclAssociationId": "aclassoc-6073b518", 81 | "networkAclId": "acl-b48fd1d0", 82 | "subnetId": "subnet-38c20312" 83 | }, 84 | { 85 | "networkAclAssociationId": "aclassoc-6d73b515", 86 | "networkAclId": "acl-b48fd1d0", 87 | "subnetId": "subnet-32e85b44" 88 | }, 89 | { 90 | "networkAclAssociationId": "aclassoc-6f73b517", 91 | "networkAclId": "acl-b48fd1d0", 92 | "subnetId": "subnet-e83ba2d5" 93 | }, 94 | { 95 | "networkAclAssociationId": "aclassoc-6e73b516", 96 | "networkAclId": "acl-b48fd1d0", 97 | "subnetId": "subnet-29428871" 98 | } 99 | ], 100 | "tags": [] 101 | }, 102 | "supplementaryConfiguration": {} 103 | } 104 | 
-------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_NetworkInterface.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "version": "1.2", 4 | "accountId": "264683526309", 5 | "configurationItemCaptureTime": "2016-09-24T17:47:04.330Z", 6 | "configurationItemStatus": "OK", 7 | "configurationStateId": "102", 8 | "configurationItemMD5Hash": "3d84055ae93d4891a3bc97a0837c9d43", 9 | "arn": "arn:aws:ec2:us-east-1:264683526309:network-interface/eni-2a768b39", 10 | "resourceType": "AWS::EC2::NetworkInterface", 11 | "resourceId": "eni-2a768b39", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "us-east-1c", 14 | "tags": {}, 15 | "relatedEvents": [ 16 | "7656056e-4df8-4db6-a2fc-cf83e5461f7f" 17 | ], 18 | "relationships": [ 19 | { 20 | "resourceType": "AWS::EC2::Instance", 21 | "resourceId": "i-d46cc9e5", 22 | "relationshipName": "Is attached to Instance" 23 | }, 24 | { 25 | "resourceType": "AWS::EC2::SecurityGroup", 26 | "resourceId": "sg-e627199e", 27 | "relationshipName": "Is associated with SecurityGroup" 28 | }, 29 | { 30 | "resourceType": "AWS::EC2::SecurityGroup", 31 | "resourceId": "sg-e868d092", 32 | "relationshipName": "Is associated with SecurityGroup" 33 | }, 34 | { 35 | "resourceType": "AWS::EC2::Subnet", 36 | "resourceId": "subnet-38c20312", 37 | "relationshipName": "Is contained in Subnet" 38 | }, 39 | { 40 | "resourceType": "AWS::EC2::VPC", 41 | "resourceId": "vpc-0990dc6d", 42 | "relationshipName": "Is contained in Vpc" 43 | } 44 | ], 45 | "configuration": { 46 | "networkInterfaceId": "eni-2a768b39", 47 | "subnetId": "subnet-38c20312", 48 | "vpcId": "vpc-0990dc6d", 49 | "availabilityZone": "us-east-1c", 50 | "description": "", 51 | "ownerId": "264683526309", 52 | "requesterManaged": false, 53 | "status": "in-use", 54 | "macAddress": "12:32:f4:14:77:95", 55 | "privateIpAddress": "172.31.59.126", 56 | "privateDnsName": 
"ip-172-31-59-126.ec2.internal", 57 | "sourceDestCheck": true, 58 | "groups": [ 59 | { 60 | "groupName": "MyTestGroup", 61 | "groupId": "sg-e627199e" 62 | }, 63 | { 64 | "groupName": "launch-wizard-9", 65 | "groupId": "sg-e868d092" 66 | } 67 | ], 68 | "attachment": { 69 | "attachmentId": "eni-attach-75a835dd", 70 | "instanceId": "i-d46cc9e5", 71 | "instanceOwnerId": "264683526309", 72 | "deviceIndex": 0, 73 | "status": "attached", 74 | "attachTime": "2016-08-30T17:21:01.000Z", 75 | "deleteOnTermination": true 76 | }, 77 | "tagSet": [], 78 | "privateIpAddresses": [ 79 | { 80 | "privateIpAddress": "172.31.59.126", 81 | "privateDnsName": "ip-172-31-59-126.ec2.internal", 82 | "primary": true 83 | } 84 | ] 85 | }, 86 | "supplementaryConfiguration": {} 87 | } 88 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_RouteTable.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-09-24T17:47:03.866Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "949", 7 | "configurationItemMD5Hash": "89475da7d6c00dcd9ee1681a997d88ab", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:route-table/rtb-50b9b034", 9 | "resourceType": "AWS::EC2::RouteTable", 10 | "resourceId": "rtb-50b9b034", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Not Applicable", 13 | "tags": {}, 14 | "relatedEvents": [ 15 | "7656056e-4df8-4db6-a2fc-cf83e5461f7f" 16 | ], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::EC2::VPC", 20 | "resourceId": "vpc-0990dc6d", 21 | "relationshipName": "Is contained in Vpc" 22 | } 23 | ], 24 | "configuration": { 25 | "routeTableId": "rtb-50b9b034", 26 | "vpcId": "vpc-0990dc6d", 27 | "routes": [ 28 | { 29 | "destinationCidrBlock": "172.31.0.0/16", 30 | "gatewayId": "local", 31 | "state": "active", 32 | "origin": "CreateRouteTable" 33 | }, 34 | { 35 | 
"destinationCidrBlock": "0.0.0.0/0", 36 | "gatewayId": "igw-a5f227c1", 37 | "state": "active", 38 | "origin": "CreateRoute" 39 | } 40 | ], 41 | "associations": [ 42 | { 43 | "routeTableAssociationId": "rtbassoc-82f661e5", 44 | "routeTableId": "rtb-50b9b034", 45 | "main": true 46 | } 47 | ], 48 | "tags": [], 49 | "propagatingVgws": [] 50 | }, 51 | "supplementaryConfiguration": {} 52 | } 53 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_SecurityGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-06-09T08:59:59.139Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "58", 7 | "configurationItemMD5Hash": "d5256a780a70ecb28fbd02b10c2a1662", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:security-group/sg-1d56fc66", 9 | "resourceType": "AWS::EC2::SecurityGroup", 10 | "resourceId": "sg-1d56fc66", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Not Applicable", 13 | "tags": {}, 14 | "relatedEvents": [], 15 | "relationships": [ 16 | { 17 | "resourceType": "AWS::EC2::VPC", 18 | "resourceId": "vpc-0990dc6d", 19 | "relationshipName": "Is contained in Vpc" 20 | } 21 | ], 22 | "configuration": { 23 | "ownerId": "264683526309", 24 | "groupName": "launch-wizard-7", 25 | "groupId": "sg-1d56fc66", 26 | "description": "launch-wizard-7 created 2016-05-26T14:26:12.992-07:00", 27 | "ipPermissions": [ 28 | { 29 | "ipProtocol": "tcp", 30 | "fromPort": 22, 31 | "toPort": 22, 32 | "userIdGroupPairs": [], 33 | "ipRanges": [ 34 | "0.0.0.0/0" 35 | ], 36 | "prefixListIds": [] 37 | } 38 | ], 39 | "ipPermissionsEgress": [ 40 | { 41 | "ipProtocol": "-1", 42 | "userIdGroupPairs": [], 43 | "ipRanges": [ 44 | "0.0.0.0/0" 45 | ], 46 | "prefixListIds": [] 47 | } 48 | ], 49 | "vpcId": "vpc-0990dc6d", 50 | "tags": [] 51 | }, 52 | "supplementaryConfiguration": {} 53 | } 
54 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_Subnet.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-10-28T00:41:33.513Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1477615293513", 7 | "configurationItemMD5Hash": "4a857647e7ffd1495a78a76bccee9fd1", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:subnet/subnet-29428871", 9 | "resourceType": "AWS::EC2::Subnet", 10 | "resourceId": "subnet-29428871", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "us-east-1a", 13 | "tags": {}, 14 | "relatedEvents": [], 15 | "relationships": [ 16 | { 17 | "resourceType": "AWS::EC2::NetworkAcl", 18 | "resourceId": "acl-b48fd1d0", 19 | "relationshipName": "Is attached to NetworkAcl" 20 | }, 21 | { 22 | "resourceType": "AWS::EC2::NetworkInterface", 23 | "resourceId": "eni-70a4b7bf", 24 | "relationshipName": "Contains NetworkInterface" 25 | }, 26 | { 27 | "resourceType": "AWS::EC2::NetworkInterface", 28 | "resourceId": "eni-c09a049e", 29 | "relationshipName": "Contains NetworkInterface" 30 | }, 31 | { 32 | "resourceType": "AWS::EC2::Instance", 33 | "resourceId": "i-ebf3e058", 34 | "relationshipName": "Contains Instance" 35 | }, 36 | { 37 | "resourceType": "AWS::EC2::VPC", 38 | "resourceId": "vpc-0990dc6d", 39 | "relationshipName": "Is contained in Vpc" 40 | } 41 | ], 42 | "configuration": { 43 | "subnetId": "subnet-29428871", 44 | "state": "available", 45 | "vpcId": "vpc-0990dc6d", 46 | "cidrBlock": "172.31.16.0/20", 47 | "availableIpAddressCount": 4089, 48 | "availabilityZone": "us-east-1a", 49 | "defaultForAz": true, 50 | "mapPublicIpOnLaunch": true, 51 | "tags": [] 52 | }, 53 | "supplementaryConfiguration": {} 54 | } 55 | -------------------------------------------------------------------------------- 
/rdk/template/example_ci/AWS_EC2_VPCPeeringConnection.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2021-08-18T15:55:41.284Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1629302141284", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ec2:us-east-1:123456789012:vpc-peering-connection/pcx-test", 9 | "resourceType": "AWS::EC2::VPCPeeringConnection", 10 | "resourceId": "pcx-test", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Not Applicable", 13 | "tags": { 14 | "Name": "pcx-1" 15 | }, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::EC2::VPC", 20 | "resourceId": "vpc-test", 21 | "relationshipName": "Is associated with " 22 | }, 23 | { 24 | "resourceType": "AWS::EC2::VPC", 25 | "resourceId": "vpc-test", 26 | "relationshipName": "Is associated with " 27 | } 28 | ], 29 | "configuration": { 30 | "accepterVpcInfo": { 31 | "cidrBlock": "10.0.0.0/28", 32 | "ipv6CidrBlockSet": [], 33 | "cidrBlockSet": [ 34 | { 35 | "cidrBlock": "10.0.0.0/28" 36 | } 37 | ], 38 | "ownerId": "123456789012", 39 | "peeringOptions": { 40 | "allowDnsResolutionFromRemoteVpc": true, 41 | "allowEgressFromLocalClassicLinkToRemoteVpc": false, 42 | "allowEgressFromLocalVpcToRemoteClassicLink": false 43 | }, 44 | "vpcId": "vpc-04beaa07c4832fa62", 45 | "region": "us-east-1" 46 | }, 47 | "requesterVpcInfo": { 48 | "cidrBlock": "10.0.1.0/28", 49 | "ipv6CidrBlockSet": [], 50 | "cidrBlockSet": [ 51 | { 52 | "cidrBlock": "10.0.1.0/28" 53 | } 54 | ], 55 | "ownerId": "123456789012", 56 | "peeringOptions": { 57 | "allowDnsResolutionFromRemoteVpc": true, 58 | "allowEgressFromLocalClassicLinkToRemoteVpc": false, 59 | "allowEgressFromLocalVpcToRemoteClassicLink": false 60 | }, 61 | "vpcId": "vpc-0916508f3632dad66", 62 | "region": "us-east-1" 63 | }, 64 | "status": { 65 | "code": "active", 66 | "message": 
"Active" 67 | }, 68 | "tags": [ 69 | { 70 | "key": "Name", 71 | "value": "pcx-1" 72 | } 73 | ], 74 | "vpcPeeringConnectionId": "pcx-test" 75 | }, 76 | "supplementaryConfiguration": {}, 77 | "resourceTransitionStatus": "None" 78 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_VPNGateway.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-11-11T22:56:58.508Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1478905018508", 7 | "configurationItemMD5Hash": "e97b9c7499298297759073826f7567e7", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:vpn-gateway/vgw-2ccb2245", 9 | "resourceType": "AWS::EC2::VPNGateway", 10 | "resourceId": "vgw-2ccb2245", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Regional", 13 | "tags": { 14 | "Name": "MyVirtualPrivateGateway-Gamma" 15 | }, 16 | "relatedEvents": [ 17 | "da71988b-3383-424c-80e7-b052a02ac87c" 18 | ], 19 | "relationships": [ 20 | { 21 | "resourceType": "AWS::EC2::VPC", 22 | "resourceId": "vpc-0990dc6d", 23 | "relationshipName": "Is attached to Vpc" 24 | } 25 | ], 26 | "configuration": { 27 | "vpnGatewayId": "vgw-2ccb2245", 28 | "state": "available", 29 | "type": "ipsec.1", 30 | "vpcAttachments": [ 31 | { 32 | "vpcId": "vpc-0990dc6d", 33 | "state": "attached" 34 | } 35 | ], 36 | "tags": [ 37 | { 38 | "key": "Name", 39 | "value": "MyVirtualPrivateGateway-Gamma" 40 | } 41 | ] 42 | }, 43 | "supplementaryConfiguration": {} 44 | } 45 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EC2_Volume.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-10-28T00:41:34.826Z", 5 | 
"configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1477615294826", 7 | "configurationItemMD5Hash": "3688d18cf3af179aac4d5060aa5e49f0", 8 | "arn": "arn:aws:ec2:us-east-1:264683526309:volume/vol-a416b170", 9 | "resourceType": "AWS::EC2::Volume", 10 | "resourceId": "vol-a416b170", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "us-east-1c", 13 | "resourceCreationTime": "2016-10-28T00:33:43.651Z", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [ 17 | { 18 | "resourceType": "AWS::EC2::Instance", 19 | "resourceId": "i-29e75b19", 20 | "relationshipName": "Is attached to Instance" 21 | } 22 | ], 23 | "configuration": { 24 | "volumeId": "vol-a416b170", 25 | "size": 8, 26 | "snapshotId": "snap-2a2a8752", 27 | "availabilityZone": "us-east-1c", 28 | "state": "in-use", 29 | "createTime": "2016-10-28T00:33:43.651Z", 30 | "attachments": [ 31 | { 32 | "volumeId": "vol-a416b170", 33 | "instanceId": "i-29e75b19", 34 | "device": "/dev/xvda", 35 | "state": "attached", 36 | "attachTime": "2016-10-28T00:33:43.000Z", 37 | "deleteOnTermination": true 38 | } 39 | ], 40 | "tags": [], 41 | "volumeType": "gp2", 42 | "iops": 100, 43 | "encrypted": true, 44 | "kmsKeyId": "arn:aws:kms:ap-southeast-1:055409840355:key/bd41e26b-d347-4c59-ab0b-32aee30fcf8d" 45 | }, 46 | "supplementaryConfiguration": {} 47 | } 48 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ECR_PublicRepository.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-17T00:33:41.230Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645058021230", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ecr-public::123456789012:repository/test", 9 | "resourceType": "AWS::ECR::PublicRepository", 10 | "resourceId": "test", 11 | "resourceName": 
"test", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Arn": "arn:aws:ecr-public::123456789012:repository/test", 19 | "RepositoryName": "test", 20 | "RepositoryCatalogData": { 21 | "RepositoryDescription": "", 22 | "Architectures": [], 23 | "OperatingSystems": [], 24 | "AboutText": "", 25 | "UsageText": "" 26 | }, 27 | "Tags": [] 28 | }, 29 | "supplementaryConfiguration": {}, 30 | "resourceTransitionStatus": "None" 31 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ECR_Repository.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2021-11-04T16:52:50.612Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1636044770612", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ecr:us-east-1:123456789012:repository/test", 9 | "resourceType": "AWS::ECR::Repository", 10 | "resourceId": "test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Arn": "arn:aws:ecr:us-east-1:123456789012:repository/test", 19 | "ImageScanningConfiguration": { 20 | "ScanOnPush": false 21 | }, 22 | "ImageTagMutability": "MUTABLE", 23 | "RepositoryName": "test", 24 | "LifecyclePolicy": {}, 25 | "RepositoryPolicyText": {}, 26 | "Tags": [] 27 | }, 28 | "supplementaryConfiguration": {}, 29 | "resourceTransitionStatus": "None" 30 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ECS_TaskDefinition.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "111111111111", 4 | 
"configurationItemCaptureTime": "2024-01-18T21:47:11.981Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1705614431981", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:ecs:us-west-2:111111111111:task-definition/testtaskdef:1", 9 | "resourceType": "AWS::ECS::TaskDefinition", 10 | "resourceId": "testtaskdef", 11 | "resourceName": "testtaskdef:1", 12 | "awsRegion": "us-west-2", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "ContainerDefinitions": [ 19 | { 20 | "Name": "test", 21 | "Image": "arn:aws:imagebuilder:us-west-2:aws:image/amazon-linux-2023-x86-2023/2023.10.12", 22 | "Cpu": 0, 23 | "Links": [], 24 | "PortMappings": [ 25 | { 26 | "ContainerPort": 80, 27 | "HostPort": 80, 28 | "Protocol": "tcp", 29 | "Name": "test-80-tcp", 30 | "AppProtocol": "http" 31 | } 32 | ], 33 | "Essential": true, 34 | "EntryPoint": [], 35 | "Command": [], 36 | "Environment": [], 37 | "EnvironmentFiles": [], 38 | "MountPoints": [], 39 | "VolumesFrom": [], 40 | "Secrets": [], 41 | "DependsOn": [], 42 | "DnsServers": [], 43 | "DnsSearchDomains": [], 44 | "ExtraHosts": [], 45 | "DockerSecurityOptions": [], 46 | "DockerLabels": {}, 47 | "Ulimits": [], 48 | "LogConfiguration": { 49 | "LogDriver": "awslogs", 50 | "Options": { 51 | "awslogs-group": "/ecs/testtaskdef", 52 | "awslogs-region": "us-west-2", 53 | "awslogs-create-group": "true", 54 | "awslogs-stream-prefix": "ecs" 55 | }, 56 | "SecretOptions": [] 57 | }, 58 | "SystemControls": [], 59 | "ResourceRequirements": [], 60 | "CredentialSpecs": [] 61 | } 62 | ], 63 | "Cpu": "1024", 64 | "ExecutionRoleArn": "arn:aws:iam::111111111111:role/ecsTaskExecutionRole", 65 | "Family": "testtaskdef", 66 | "InferenceAccelerators": [], 67 | "Memory": "3072", 68 | "NetworkMode": "awsvpc", 69 | "PlacementConstraints": [], 70 | "RequiresCompatibilities": ["EC2", "FARGATE"], 71 | "Status": "ACTIVE", 72 | "Tags": [], 73 | 
"TaskDefinitionArn": "arn:aws:ecs:us-west-2:111111111111:task-definition/testtaskdef:1", 74 | "Volumes": [] 75 | }, 76 | "supplementaryConfiguration": {} 77 | } 78 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_EKS_Cluster.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-03-01T21:46:11.377Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1646171171377", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:eks:us-east-2:123456789012:cluster/test", 9 | "resourceType": "AWS::EKS::Cluster", 10 | "resourceId": "test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Arn": "arn:aws:eks:us-east-2:123456789012:cluster/test", 19 | "Name": "test", 20 | "ResourcesVpcConfig": { 21 | "SecurityGroupIds": [], 22 | "SubnetIds": [ 23 | "subnet-test", 24 | "subnet-test", 25 | "subnet-test" 26 | ] 27 | }, 28 | "RoleArn": "arn:aws:iam::123456789012:role/test", 29 | "Version": "1.21", 30 | "Tags": [] 31 | }, 32 | "supplementaryConfiguration": {}, 33 | "resourceTransitionStatus": "None" 34 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ElasticBeanstalk_Application.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2021-11-19T19:01:57.869Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1637348517869", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/test", 9 | "resourceType": "AWS::ElasticBeanstalk::Application", 10 | 
"resourceId": "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2021-10-11T19:44:02.042Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::ElasticBeanstalk::ApplicationVersion", 20 | "resourceId": "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/test/Sample Application", 21 | "resourceName": "Sample Application", 22 | "relationshipName": "Contains " 23 | } 24 | ], 25 | "configuration": { 26 | "applicationName": "test", 27 | "dateCreated": "Oct 11, 2021 7:44:02 PM", 28 | "dateUpdated": "Oct 11, 2021 7:44:02 PM", 29 | "resourceLifecycleConfig": { 30 | "versionLifecycleConfig": { 31 | "maxAgeRule": { 32 | "enabled": false, 33 | "deleteSourceFromS3": false, 34 | "maxAgeInDays": 180 35 | }, 36 | "maxCountRule": { 37 | "enabled": false, 38 | "deleteSourceFromS3": false, 39 | "maxCount": 200 40 | } 41 | } 42 | }, 43 | "versions": [ 44 | "Sample Application" 45 | ] 46 | }, 47 | "supplementaryConfiguration": {}, 48 | "resourceTransitionStatus": "None" 49 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ElasticBeanstalk_ApplicationVersion.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2021-11-19T19:01:57.936Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1637348517936", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/test/Sample Application", 9 | "resourceType": "AWS::ElasticBeanstalk::ApplicationVersion", 10 | "resourceId": "arn:aws:elasticbeanstalk:us-east-1:123456789012:applicationversion/test/Sample Application", 11 | "resourceName": "Sample Application", 12 | 
"awsRegion": "us-east-1", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2021-10-11T19:44:19.988Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::ElasticBeanstalk::Application", 20 | "resourceId": "arn:aws:elasticbeanstalk:us-east-1:123456789012:application/test", 21 | "resourceName": "test", 22 | "relationshipName": "Is contained in " 23 | } 24 | ], 25 | "configuration": { 26 | "applicationName": "test", 27 | "dateCreated": "Oct 11, 2021 7:44:19 PM", 28 | "dateModified": "Oct 11, 2021 7:44:19 PM", 29 | "status": "UNPROCESSED", 30 | "versionLabel": "Sample Application" 31 | }, 32 | "supplementaryConfiguration": {}, 33 | "resourceTransitionStatus": "None" 34 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ElasticLoadBalancingV2_Listener.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "111111111111", 4 | "configurationItemCaptureTime": "2023-07-21T17:06:43.815Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1689959212345", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:elasticloadbalancing:us-east-2:111111111111:listener/app/test/abcd95d05fc9fc53/abcd983295de2c72", 9 | "resourceType": "AWS::ElasticLoadBalancingV2::Listener", 10 | "resourceId": "arn:aws:elasticloadbalancing:us-east-2:111111111111:listener/app/test/abcd95d05fc9fc53/abcd983295de2c72", 11 | "awsRegion": "us-east-2", 12 | "availabilityZone": "Regional", 13 | "tags": {}, 14 | "relatedEvents": [], 15 | "relationships": [], 16 | "configuration": { 17 | "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-2:111111111111:loadbalancer/app/test/abcd95d05fc9fc53", 18 | "DefaultActions": [ 19 | { 20 | "Type": "forward", 21 | "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-2:111111111111:targetgroup/test/abcd9b2e38491ce1", 22 | 
"ForwardConfig": { 23 | "TargetGroups": [ 24 | { 25 | "TargetGroupArn": "arn:aws:elasticloadbalancing:us-east-2:111111111111:targetgroup/test/abcd9b2e38491ce1", 26 | "Weight": 1 27 | } 28 | ], 29 | "TargetGroupStickinessConfig": { 30 | "Enabled": false 31 | } 32 | } 33 | } 34 | ], 35 | "Port": 80, 36 | "Certificates": [], 37 | "Protocol": "HTTP", 38 | "ListenerArn": "arn:aws:elasticloadbalancing:us-east-2:111111111111:listener/app/test/abcd95d05fc9fc53/abcd983295de2c72", 39 | "AlpnPolicy": [] 40 | }, 41 | "supplementaryConfiguration": {}, 42 | "resourceTransitionStatus": "None" 43 | } 44 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ElasticLoadBalancingV2_LoadBalancer.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-11-11T02:22:46.556Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1478830966556", 7 | "configurationItemMD5Hash": "c7647c4051b0d45ded82997c2e964cef", 8 | "arn": "arn:aws:elasticloadbalancing:us-east-1:264683526309:loadbalancer/app/MyALB/268aa84731d32825", 9 | "resourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer", 10 | "resourceId": "arn:aws:elasticloadbalancing:us-east-1:264683526309:loadbalancer/app/MyALB/268aa84731d32825", 11 | "resourceName": "MyALB", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Multiple Availability Zones", 14 | "resourceCreationTime": "2016-11-11T02:13:38.770Z", 15 | "tags": {}, 16 | "relatedEvents": [ 17 | "6cfc8538-2fb0-4e90-b3b5-82d05800cbc4" 18 | ], 19 | "relationships": [ 20 | { 21 | "resourceType": "AWS::EC2::SecurityGroup", 22 | "resourceId": "sg-2ed0d557", 23 | "relationshipName": "Is associated with SecurityGroup" 24 | }, 25 | { 26 | "resourceType": "AWS::EC2::Subnet", 27 | "resourceId": "subnet-29428871", 28 | "relationshipName": "Is attached to Subnet" 29 | }, 30 
| { 31 | "resourceType": "AWS::EC2::Subnet", 32 | "resourceId": "subnet-38c20312", 33 | "relationshipName": "Is attached to Subnet" 34 | }, 35 | { 36 | "resourceType": "AWS::EC2::VPC", 37 | "resourceId": "vpc-0990dc6d", 38 | "relationshipName": "Is contained in Vpc" 39 | } 40 | ], 41 | "configuration": { 42 | "loadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:264683526309:loadbalancer/app/MyALB/268aa84731d32825", 43 | "dNSName": "MyALB-1278615410.us-east-1.elb.amazonaws.com", 44 | "canonicalHostedZoneId": "Z35SXDOTRQ7X7K", 45 | "createdTime": "2016-11-11T02:13:38.770Z", 46 | "loadBalancerName": "MyALB", 47 | "scheme": "internet-facing", 48 | "vpcId": "vpc-0990dc6d", 49 | "state": { 50 | "code": "active" 51 | }, 52 | "type": "application", 53 | "availabilityZones": [ 54 | { 55 | "zoneName": "us-east-1a", 56 | "subnetId": "subnet-29428871" 57 | }, 58 | { 59 | "zoneName": "us-east-1c", 60 | "subnetId": "subnet-38c20312" 61 | } 62 | ], 63 | "securityGroups": [ 64 | "sg-2ed0d557" 65 | ] 66 | }, 67 | "supplementaryConfiguration": { 68 | "LoadBalancerAttributes": [ 69 | { 70 | "key": "access_logs.s3.enabled", 71 | "value": "false" 72 | }, 73 | { 74 | "key": "idle_timeout.timeout_seconds", 75 | "value": "60" 76 | }, 77 | { 78 | "key": "access_logs.s3.prefix", 79 | "value": "" 80 | }, 81 | { 82 | "key": "deletion_protection.enabled", 83 | "value": "false" 84 | }, 85 | { 86 | "key": "access_logs.s3.bucket", 87 | "value": "" 88 | } 89 | ], 90 | "Tags": [] 91 | } 92 | } 93 | 94 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Glue_Classifier.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "111111111111", 4 | "configurationItemCaptureTime": "2024-08-01T19:21:17.720Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1234567890123", 7 | "configurationItemMD5Hash": "", 8 | "resourceType": 
"AWS::Glue::Classifier", 9 | "resourceId": "TestClassifier", 10 | "resourceName": "TestClassifier", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Regional", 13 | "resourceCreationTime": "2024-08-01T19:20:24.000Z", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Id": "TestClassifier", 19 | "GrokClassifier": { 20 | "Classification": "special-logs", 21 | "GrokPattern": "%{IPV4:ip} - %{WORD:identity} \\[ %{HTTPDATE:timestamp} \\] \"%{WORD:method} %{URIPATH:request} HTTP/%{NUMBER:http_version}\" %{NUMBER:status_code} %{NUMBER:bytes}", 22 | "Name": "TestClassifier" 23 | } 24 | }, 25 | "supplementaryConfiguration": {} 26 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Glue_Job.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "111111111111", 4 | "configurationItemCaptureTime": "2024-07-25T15:18:58.479Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1111222233334", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:glue:us-east-1:111111111111:job/test", 9 | "resourceType": "AWS::Glue::Job", 10 | "resourceId": "test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Id": "test", 19 | "MaxRetries": 0, 20 | "Description": "", 21 | "Timeout": 2880, 22 | "AllocatedCapacity": 10, 23 | "Name": "test", 24 | "Role": "arn:aws:iam::111111111111:role/AWSGlueServiceRole-lab", 25 | "DefaultArguments": { 26 | "--enable-metrics": "true", 27 | "--enable-spark-ui": "true", 28 | "--spark-event-logs-path": "s3://aws-glue-assets-111111111111-us-east-1/sparkHistoryLogs/", 29 | "--enable-job-insights": "false", 30 | "--enable-observability-metrics": "true", 31 | "--enable-glue-datacatalog": "true", 32 | 
"--enable-continuous-cloudwatch-log": "true", 33 | "--job-bookmark-option": "job-bookmark-disable", 34 | "--job-language": "python", 35 | "--TempDir": "s3://aws-glue-assets-111111111111-us-east-1/temporary/" 36 | }, 37 | "WorkerType": "G.1X", 38 | "Command": { 39 | "Name": "glueetl", 40 | "ScriptLocation": "s3://aws-glue-assets-111111111111-us-east-1/scripts/test.py", 41 | "PythonVersion": "3" 42 | }, 43 | "GlueVersion": "4.0", 44 | "ExecutionProperty": { 45 | "MaxConcurrentRuns": 1 46 | }, 47 | "NumberOfWorkers": 10, 48 | "MaxCapacity": 10, 49 | "Tags": {} 50 | }, 51 | "supplementaryConfiguration": {} 52 | } 53 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Glue_MLTransform.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "111111111111", 4 | "configurationItemCaptureTime": "2024-08-01T19:25:39.896Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1234567890123", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:glue:us-east-1:111111111111:mlTransform/tfm-1111111122222222333333334444444455555555", 9 | "resourceType": "AWS::Glue::MLTransform", 10 | "resourceId": "tfm-1111111122222222333333334444444455555555", 11 | "resourceName": "TestMachineLearning", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Regional", 14 | "resourceCreationTime": "2024-08-01T19:23:32.122Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [], 18 | "configuration": { 19 | "MaxRetries": 0, 20 | "Description": "This is an example CI for ML Transforms", 21 | "TransformEncryption": { 22 | "MLUserDataEncryption": { 23 | "MLUserDataEncryptionMode": "DISABLED" 24 | } 25 | }, 26 | "Timeout": 2880, 27 | "Name": "TestMachineLearning", 28 | "Role": "arn:aws:iam::111111111111:role/MyGlueServiceRole", 29 | "WorkerType": "G.2X", 30 | "GlueVersion": "2.0", 31 | "TransformParameters": { 32 | 
"TransformType": "FIND_MATCHES", 33 | "FindMatchesParameters": { 34 | "PrimaryKeyColumnName": "eventversion", 35 | "PrecisionRecallTradeoff": 0.5, 36 | "AccuracyCostTradeoff": 0.5, 37 | "EnforceProvidedLabels": false 38 | } 39 | }, 40 | "Id": "tfm-1111111122222222333333334444444455555555", 41 | "InputRecordTables": { 42 | "GlueTables": [ 43 | { 44 | "DatabaseName": "configsavingschecker", 45 | "TableName": "cloudtrail_logs" 46 | } 47 | ] 48 | }, 49 | "NumberOfWorkers": 10, 50 | "Tags": {} 51 | }, 52 | "supplementaryConfiguration": {} 53 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_IAM_Group.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-11-06T17:46:39.415Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1478454399415", 7 | "configurationItemMD5Hash": "ebed5291340f4f5149a34e23e049d4bd", 8 | "arn": "arn:aws:iam::264683526309:group/MyTestGroup", 9 | "resourceType": "AWS::IAM::Group", 10 | "resourceId": "AGPAJNIBGFRSRIKL7VAD6", 11 | "resourceName": "MyTestGroup", 12 | "awsRegion": "global", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2016-11-06T17:42:15.000Z", 15 | "tags": {}, 16 | "relatedEvents": [ 17 | "147a470a-dd7a-468d-85ce-53c95769005b" 18 | ], 19 | "relationships": [ 20 | { 21 | "resourceType": "AWS::IAM::User", 22 | "resourceId": "AIDAIJBD5UKDCJ3FVAIMU", 23 | "resourceName": "aaronkhoo", 24 | "relationshipName": "Contains User" 25 | }, 26 | { 27 | "resourceType": "AWS::IAM::User", 28 | "resourceId": "AIDAIK37QSK4WVPTLQJVE", 29 | "resourceName": "FalconConsoleUser", 30 | "relationshipName": "Contains User" 31 | }, 32 | { 33 | "resourceType": "AWS::IAM::User", 34 | "resourceId": "AIDAILEDWOGIPJFAKOJKW", 35 | "resourceName": "aaronfre", 36 | "relationshipName": "Contains User" 37 | } 38 | ], 
39 | "configuration": { 40 | "path": "/", 41 | "groupName": "MyTestGroup", 42 | "groupId": "AGPAJNIBGFRSRIKL7VAD6", 43 | "arn": "arn:aws:iam::264683526309:group/MyTestGroup", 44 | "createDate": "2016-11-06T17:42:15.000Z", 45 | "groupPolicyList": [], 46 | "attachedManagedPolicies": [ 47 | { 48 | "policyName": "AdministratorAccess", 49 | "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess" 50 | } 51 | ] 52 | }, 53 | "supplementaryConfiguration": {} 54 | } 55 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_IAM_Policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-09-24T17:32:17.358Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "151", 7 | "configurationItemMD5Hash": "c3f9f3e66088b6163d2ef19d49aa108d", 8 | "arn": "arn:aws:iam::264683526309:policy/ELB-policy", 9 | "resourceType": "AWS::IAM::Policy", 10 | "resourceId": "ANPAIJWML3NX3NT6UAGO4", 11 | "resourceName": "ELB-policy", 12 | "awsRegion": "global", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2016-04-29T17:11:26.000Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::IAM::Role", 20 | "resourceId": "AROAIVXMURFRN7EZGVNNA", 21 | "resourceName": "config-role", 22 | "relationshipName": "Is attached to Role" 23 | }, 24 | { 25 | "resourceType": "AWS::IAM::Role", 26 | "resourceId": "AROAIY7FPU7KRV7IZBNPC", 27 | "resourceName": "config-role-ezcrc2", 28 | "relationshipName": "Is attached to Role" 29 | }, 30 | { 31 | "resourceType": "AWS::IAM::Role", 32 | "resourceId": "AROAJH5PQZ7LNGREGFM3K", 33 | "resourceName": "config-role-ezcrc", 34 | "relationshipName": "Is attached to Role" 35 | }, 36 | { 37 | "resourceType": "AWS::IAM::Role", 38 | "resourceId": "AROAJPQ3VWRJFHJWRDBDY", 39 | "resourceName": 
"config-role-ezcrc3", 40 | "relationshipName": "Is attached to Role" 41 | } 42 | ], 43 | "configuration": { 44 | "policyName": "ELB-policy", 45 | "policyId": "ANPAIJWML3NX3NT6UAGO4", 46 | "arn": "arn:aws:iam::264683526309:policy/ELB-policy", 47 | "path": "/", 48 | "defaultVersionId": "v1", 49 | "attachmentCount": 4, 50 | "isAttachable": true, 51 | "createDate": "2016-04-29T17:11:26.000Z", 52 | "updateDate": "2016-04-29T17:11:26.000Z", 53 | "policyVersionList": [ 54 | { 55 | "document": [ 56 | { 57 | "Version": "2012-10-17", 58 | "Statement": [ 59 | { 60 | "Sid": "Stmt1461949544000", 61 | "Effect": "Allow", 62 | "Action": [ 63 | "elasticloadbalancing:Describe*" 64 | ], 65 | "Resource": [ 66 | "*" 67 | ] 68 | } 69 | ] 70 | } 71 | ], 72 | "versionId": "v1", 73 | "isDefaultVersion": true, 74 | "createDate": "April 29, 2016 10:11:26 AM" 75 | } 76 | ] 77 | }, 78 | "supplementaryConfiguration": {} 79 | } 80 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_IAM_Role.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-11-06T03:41:52.719Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1478403712719", 7 | "configurationItemMD5Hash": "91a47a3c0184f9b29cfb3e354ff887dd", 8 | "arn": "arn:aws:iam::264683526309:role/service-role/config-role-ezcrc2", 9 | "resourceType": "AWS::IAM::Role", 10 | "resourceId": "AROAIY7FPU7KRV7IZBNPC", 11 | "resourceName": "config-role-ezcrc2", 12 | "awsRegion": "global", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2016-03-10T23:52:10.000Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::IAM::Policy", 20 | "resourceId": "ANPAIJWML3NX3NT6UAGO4", 21 | "resourceName": "ELB-policy", 22 | "relationshipName": "Is attached to CustomerManagedPolicy" 23 | }, 24 | { 
25 | "resourceType": "AWS::IAM::Policy", 26 | "resourceId": "ANPAILY3GNWH4C77WJ6QM", 27 | "resourceName": "config-role-ezcrc2-AWSConfigDeliveryPermissions-us-west-2", 28 | "relationshipName": "Is attached to CustomerManagedPolicy" 29 | } 30 | ], 31 | "configuration": { 32 | "path": "/service-role/", 33 | "roleName": "config-role-ezcrc2", 34 | "roleId": "AROAIY7FPU7KRV7IZBNPC", 35 | "arn": "arn:aws:iam::264683526309:role/service-role/config-role-ezcrc2", 36 | "createDate": "2016-03-10T23:52:10.000Z", 37 | "assumeRolePolicyDocument": { 38 | "Version": "2012-10-17", 39 | "Statement": [ 40 | { 41 | "Sid": "", 42 | "Effect": "Allow", 43 | "Principal": { 44 | "Service": "config.amazonaws.com" 45 | }, 46 | "Action": "sts:AssumeRole" 47 | } 48 | ] 49 | }, 50 | "instanceProfileList": [], 51 | "rolePolicyList": [], 52 | "attachedManagedPolicies": [ 53 | { 54 | "policyName": "ELB-policy", 55 | "policyArn": "arn:aws:iam::264683526309:policy/ELB-policy" 56 | }, 57 | { 58 | "policyName": "config-role-ezcrc2-AWSConfigDeliveryPermissions-us-west-2", 59 | "policyArn": "arn:aws:iam::264683526309:policy/service-role/config-role-ezcrc2-AWSConfigDeliveryPermissions-us-west-2" 60 | }, 61 | { 62 | "policyName": "AWS_ConfigRole", 63 | "policyArn": "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole" 64 | } 65 | ] 66 | }, 67 | "supplementaryConfiguration": {} 68 | } 69 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_IAM_User.json: -------------------------------------------------------------------------------- 1 | { 2 | "accountId": "112233445566", 3 | "configurationItemCaptureTime": "2016-11-06T17:56:56.560Z", 4 | "configurationItemVersion": "1.3", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1478455016560", 7 | "configurationItemMD5Hash": "0a2aae6878d94cd28a9ec808a10e8402", 8 | "ARN": "arn:aws:iam::112233445566:user/johndoe", 9 | "resourceType": "AWS::IAM::User", 10 | "resourceId": 
"AIDAILEDWOGIPJFAKOJKW", 11 | "resourceName": "johndoe", 12 | "awsRegion": "global", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2016-09-22T05:55:07.000Z", 15 | "tags": {}, 16 | "relatedEvents": [ 17 | "d7a1f320-addf-4069-8f5a-8dac2e01f54f" 18 | ], 19 | "relationships": [ 20 | { 21 | "resourceType": "AWS::IAM::Group", 22 | "resourceId": "AGPAJNIBGFRSRIKL7VAD6", 23 | "resourceName": "MyTestGroup", 24 | "relationshipName": "Is attached to Group" 25 | }, 26 | { 27 | "resourceType": "AWS::IAM::Policy", 28 | "resourceId": "ANPAIJWML3NX3NT6UAGO4", 29 | "resourceName": "ELB-policy", 30 | "relationshipName": "Is attached to CustomerManagedPolicy" 31 | }, 32 | { 33 | "resourceType": "AWS::IAM::Policy", 34 | "resourceId": "ANPAJCD3LXS23FNRP2AJY", 35 | "resourceName": "config-role-ap-northeast-1_AWSConfigDeliveryPermissions_ap-northeast-1", 36 | "relationshipName": "Is attached to CustomerManagedPolicy" 37 | } 38 | ], 39 | "configuration": { 40 | "path": "/", 41 | "userName": "johndoe", 42 | "userId": "AIDAILEDWOGIPJFAKOJKW", 43 | "arn": "arn:aws:iam::112233445566:user/johndoe", 44 | "createDate": "2016-09-22T05:55:07.000Z", 45 | "userPolicyList": [ 46 | { 47 | "policyName": "policygen-johndoe-201611060951", 48 | "policyDocument": [ 49 | { 50 | "Version": "2012-10-17", 51 | "Statement": [ 52 | { 53 | "Sid": "Stmt1478454695000", 54 | "Effect": "Allow", 55 | "Action": [ 56 | "codedeploy:*" 57 | ], 58 | "Resource": [ 59 | "*" 60 | ] 61 | } 62 | ] 63 | } 64 | ] 65 | } 66 | ], 67 | "groupList": [ 68 | "MyTestGroup" 69 | ], 70 | "attachedManagedPolicies": [ 71 | { 72 | "policyName": "ELB-policy", 73 | "policyArn": "arn:aws:iam::264683526309:policy/ELB-policy" 74 | }, 75 | { 76 | "policyName": "AdministratorAccess", 77 | "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess" 78 | }, 79 | { 80 | "policyName": "config-role-ap-northeast-1_AWSConfigDeliveryPermissions_ap-northeast-1", 81 | "policyArn": 
"arn:aws:iam::264683526309:policy/service-role/config-role-ap-northeast-1_AWSConfigDeliveryPermissions_ap-northeast-1" 82 | } 83 | ] 84 | }, 85 | "supplementaryConfiguration": {} 86 | } 87 | 88 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_KMS_Key.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2021-09-29T23:33:38.881Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1632958418881", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:kms:us-east-1:123456789012:key/test", 9 | "resourceType": "AWS::KMS::Key", 10 | "resourceId": "test", 11 | "awsRegion": "us-east-1", 12 | "availabilityZone": "Not Applicable", 13 | "resourceCreationTime": "2021-05-14T20:42:04.302Z", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "keyId": "test", 19 | "arn": "arn:aws:kms:us-east-1:123456789012:key/123456789012", 20 | "creationDate": 1621024924302, 21 | "enabled": true, 22 | "description": "Default master key that protects my Lambda functions when no other key is defined", 23 | "keyUsage": "ENCRYPT_DECRYPT", 24 | "keyState": "Enabled", 25 | "origin": "AWS_KMS", 26 | "keyManager": "AWS", 27 | "customerMasterKeySpec": "SYMMETRIC_DEFAULT", 28 | "keySpec": "SYMMETRIC_DEFAULT", 29 | "encryptionAlgorithms": [ 30 | "SYMMETRIC_DEFAULT" 31 | ], 32 | "signingAlgorithms": [], 33 | "multiRegion": false, 34 | "awsaccountId": "123456789012" 35 | }, 36 | "supplementaryConfiguration": { 37 | "Policy": "{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"auto-awslambda\",\n \"Statement\" : [ {\n \"Sid\" : \"Allow access through AWS Lambda for all principals in the account that are authorized to use AWS Lambda\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : [ \"kms:Encrypt\", \"kms:Decrypt\", 
\"kms:ReEncrypt*\", \"kms:GenerateDataKey*\", \"kms:CreateGrant\", \"kms:DescribeKey\" ],\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\",\n \"kms:ViaService\" : \"lambda.us-east-1.amazonaws.com\"\n }\n }\n }, {\n \"Sid\" : \"Allow direct access to key metadata to the account\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"arn:aws:iam::123456789012:root\"\n },\n \"Action\" : [ \"kms:Describe*\", \"kms:Get*\", \"kms:List*\", \"kms:RevokeGrant\" ],\n \"Resource\" : \"*\"\n } ]\n}" 38 | }, 39 | "resourceTransitionStatus": "None" 40 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_LAMBDA_FUNCTION.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "version": "1.3", 4 | "accountId": "823362693882", 5 | "configurationItemCaptureTime": "2018-05-11T17:53:48.872Z", 6 | "configurationItemStatus": "OK", 7 | "configurationStateId": "1526061228872", 8 | "configurationItemMD5Hash": "", 9 | "arn": "arn:aws:lambda:us-east-1:823362693882:function:test-function", 10 | "resourceType": "AWS::Lambda::Function", 11 | "resourceId": "test-function", 12 | "resourceName": "test-function", 13 | "awsRegion": "us-east-1", 14 | "availabilityZone": "Not Applicable", 15 | "tags": { 16 | "test": "value" 17 | }, 18 | "relatedEvents": [], 19 | "relationships": [ 20 | { 21 | "resourceType": "AWS::IAM::Role", 22 | "resourceName": "lambda_basic_execution", 23 | "relationshipName": "Is associated with " 24 | }, 25 | { 26 | "resourceType": "AWS::EC2::SecurityGroup", 27 | "resourceId": "sg-e463c89c", 28 | "relationshipName": "Is associated with " 29 | }, 30 | { 31 | "resourceType": "AWS::EC2::Subnet", 32 | "resourceId": "subnet-23deb22f", 33 | "relationshipName": "Is contained in " 34 | }, 35 | { 36 | "resourceType": "AWS::EC2::Subnet", 37 | "resourceId": "subnet-8dee48a7", 38 | "relationshipName": "Is contained in 
" 39 | } 40 | ], 41 | "configuration": { 42 | "functionName": "test-function", 43 | "functionArn": "arn:aws:lambda:us-east-1:823362693882:function:test-function", 44 | "runtime": "nodejs6.10", 45 | "role": "arn:aws:iam::823362693882:role/lambda_basic_execution", 46 | "handler": "index.handler", 47 | "codeSize": 216, 48 | "description": "", 49 | "timeout": 3, 50 | "memorySize": 128, 51 | "lastModified": "2018-05-11T17:51:41.919+0000", 52 | "codeSha256": "IIwUc2FF9nrH3U856beLym8t6M2ZBgwZJ5MLu3OWGAo=", 53 | "version": "$LATEST", 54 | "vpcConfig": { 55 | "subnetIds": [ 56 | "subnet-8dee48a7", 57 | "subnet-23deb22f" 58 | ], 59 | "securityGroupIds": [ 60 | "sg-e463c89c" 61 | ] 62 | }, 63 | "tracingConfig": { 64 | "mode": "PassThrough" 65 | }, 66 | "revisionId": "156c57a0-7f2f-41d2-8240-29797b0132ed" 67 | }, 68 | "supplementaryConfiguration": { 69 | "Tags": { 70 | "test": "value" 71 | } 72 | } 73 | } 74 | ] 75 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_NetworkFirewall_RuleGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T19:03:14.057Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "test", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:network-firewall:us-east-2:123456789012:stateless-rulegroup/test", 9 | "resourceType": "AWS::NetworkFirewall::RuleGroup", 10 | "resourceId": "test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Not Applicable", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "ruleGroup": { 19 | "rulesSource": { 20 | "statelessRulesAndCustomActions": { 21 | "customActions": [], 22 | "statelessRules": [ 23 | { 24 | "priority": 1, 25 | "ruleDefinition": { 26 | "actions": [ 27 | "aws:pass" 28 | ], 29 | 
"matchAttributes": { 30 | "destinations": [ 31 | { 32 | "addressDefinition": "0.0.0.0/0" 33 | } 34 | ], 35 | "sources": [ 36 | { 37 | "addressDefinition": "0.0.0.0/0" 38 | } 39 | ] 40 | } 41 | } 42 | } 43 | ] 44 | } 45 | } 46 | }, 47 | "ruleGroupResponse": { 48 | "capacity": 1, 49 | "consumedCapacity": 1, 50 | "numberOfAssociations": 0, 51 | "ruleGroupArn": "arn:aws:network-firewall:us-east-2:123456789012:stateless-rulegroup/test", 52 | "ruleGroupId": "test", 53 | "ruleGroupName": "test", 54 | "ruleGroupStatus": "ACTIVE", 55 | "tags": [], 56 | "type": "STATELESS" 57 | }, 58 | "updateToken": "ec7708d3-a707-4342-920f-39581f1fccef" 59 | }, 60 | "supplementaryConfiguration": {}, 61 | "resourceTransitionStatus": "None" 62 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_OpenSearch_Domain.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:24:55.063Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645467895063", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:es:us-east-2:123456789012:domain/test", 9 | "resourceType": "AWS::OpenSearch::Domain", 10 | "resourceId": "test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Id": "123456789012/test", 19 | "VPCOptions": { 20 | "SecurityGroupIds": [ 21 | "sg-test" 22 | ], 23 | "SubnetIds": [ 24 | "subnet-test" 25 | ] 26 | }, 27 | "EBSOptions": { 28 | "EBSEnabled": true, 29 | "VolumeSize": 10, 30 | "VolumeType": "gp2" 31 | }, 32 | "DomainEndpointOptions": { 33 | "EnforceHTTPS": true, 34 | "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07", 35 | "CustomEndpointEnabled": false 36 | }, 37 | "ClusterConfig": { 38 | "InstanceType": 
"r6g.large.search", 39 | "InstanceCount": 1, 40 | "DedicatedMasterEnabled": false, 41 | "ZoneAwarenessEnabled": false, 42 | "WarmEnabled": false 43 | }, 44 | "AccessPolicies": { 45 | "Version": "2012-10-17", 46 | "Statement": [ 47 | { 48 | "Effect": "Deny", 49 | "Principal": { 50 | "AWS": "*" 51 | }, 52 | "Action": "es:*", 53 | "Resource": "arn:aws:es:us-east-2:123456789012:domain/test/*" 54 | } 55 | ] 56 | }, 57 | "Tags": [], 58 | "DomainName": "test", 59 | "Arn": "arn:aws:es:us-east-2:123456789012:domain/test", 60 | "EngineVersion": "OpenSearch_1.1", 61 | "SnapshotOptions": {}, 62 | "CognitoOptions": { 63 | "Enabled": false 64 | }, 65 | "EncryptionAtRestOptions": { 66 | "Enabled": true, 67 | "KmsKeyId": "arn:aws:kms:us-east-2:123456789012:key/test" 68 | }, 69 | "NodeToNodeEncryptionOptions": { 70 | "Enabled": true 71 | }, 72 | "AdvancedOptions": { 73 | "indices.fielddata.cache.size": "20", 74 | "override_main_response_version": "false", 75 | "indices.query.bool.max_clause_count": "1024", 76 | "rest.action.multi.allow_explicit_index": "true" 77 | }, 78 | "LogPublishingOptions": {}, 79 | "AdvancedSecurityOptions": { 80 | "Enabled": true, 81 | "InternalUserDatabaseEnabled": true, 82 | "AnonymousAuthEnabled": false 83 | } 84 | }, 85 | "supplementaryConfiguration": {}, 86 | "resourceTransitionStatus": "None" 87 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_R53_HostedZone.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2023-05-01T18:00:07.672Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1682964007672", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:route53:::hostedzone/Z017455410COBZEF0ABCD", 9 | "resourceType": "AWS::Route53::HostedZone", 10 | "resourceId": "Z017455410COBZEF0ABCD", 11 | "resourceName": 
"testdomain.lab.", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Regional", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Id": "Z017455410COBZEF0ABCD", 19 | "HostedZoneConfig": { 20 | "Comment": "This is a test domain" 21 | }, 22 | "Name": "testdomain.lab.", 23 | "NameServers": [ 24 | "ns-1965.awsdns-53.co.uk", 25 | "ns-944.awsdns-54.net", 26 | "ns-1144.awsdns-15.org", 27 | "ns-430.awsdns-53.com" 28 | ], 29 | "VPCs": [], 30 | "HostedZoneTags": [ 31 | { 32 | "Key": "cost_center", 33 | "Value": "payroll" 34 | } 35 | ] 36 | }, 37 | "supplementaryConfiguration": {}, 38 | "resourceTransitionStatus": "None" 39 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_RDS_DBClusterSnapshot.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-02-21T18:46:35.200Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1645469195200", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:rds:us-east-2:123456789012:cluster-snapshot:test", 9 | "resourceType": "AWS::RDS::DBClusterSnapshot", 10 | "resourceId": "test", 11 | "resourceName": "test", 12 | "awsRegion": "us-east-2", 13 | "availabilityZone": "Multiple Availability Zones", 14 | "resourceCreationTime": "2022-02-21T18:45:31.883Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::EC2::VPC", 20 | "resourceId": "vpc-test", 21 | "relationshipName": "Is associated with " 22 | }, 23 | { 24 | "resourceType": "AWS::RDS::DBCluster", 25 | "resourceName": "database-1", 26 | "relationshipName": "Is associated with " 27 | } 28 | ], 29 | "configuration": { 30 | "availabilityZones": [ 31 | "us-east-2a", 32 | "us-east-2b", 33 | "us-east-2c" 34 | ], 35 | "snapshotCreateTime": 1645469131883, 36 | "engine": 
"aurora-mysql", 37 | "engineMode": "provisioned", 38 | "allocatedStorage": 1, 39 | "status": "creating", 40 | "port": 0, 41 | "vpcId": "vpc-test", 42 | "clusterCreateTime": 1645468867743, 43 | "masterUsername": "admin", 44 | "engineVersion": "5.7.mysql_aurora.2.07.2", 45 | "licenseModel": "aurora-mysql", 46 | "snapshotType": "manual", 47 | "percentProgress": 0, 48 | "storageEncrypted": true, 49 | "kmsKeyId": "arn:aws:kms:us-east-2:123456789012:key/test", 50 | "tagList": [], 51 | "iamdatabaseAuthenticationEnabled": false, 52 | "dbclusterSnapshotArn": "arn:aws:rds:us-east-2:123456789012:cluster-snapshot:test", 53 | "dbclusterIdentifier": "database-1", 54 | "dbclusterSnapshotIdentifier": "test" 55 | }, 56 | "supplementaryConfiguration": { 57 | "DBClusterSnapshotAttributes": [ 58 | { 59 | "attributeName": "restore", 60 | "attributeValues": [] 61 | } 62 | ], 63 | "Tags": [] 64 | }, 65 | "resourceTransitionStatus": "None" 66 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_RDS_DBSecurityGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-07-25T17:54:07.601Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "29", 7 | "configurationItemMD5Hash": "4128c6317609bb15a8eb83f045f5bac6", 8 | "arn": "arn:aws:rds:us-east-1:264683526309:secgrp:default", 9 | "resourceType": "AWS::RDS::DBSecurityGroup", 10 | "resourceId": "default", 11 | "resourceName": "default", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Not Applicable", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "ownerId": "264683526309", 19 | "dBSecurityGroupName": "default", 20 | "dBSecurityGroupDescription": "default", 21 | "eC2SecurityGroups": [], 22 | "iPRanges": [] 23 | }, 24 | "supplementaryConfiguration": { 25 | "Tags": [] 26 | } 27 | 
} 28 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_RDS_DBSnapshot.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-10-21T00:41:53.585Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1477010513585", 7 | "configurationItemMD5Hash": "dd408ea3937400462a249d4666bbd92c", 8 | "arn": "arn:aws:rds:us-east-1:264683526309:snapshot:rds:myrdstest-2016-10-20-23-52", 9 | "resourceType": "AWS::RDS::DBSnapshot", 10 | "resourceId": "rds:myrdstest-2016-10-20-23-52", 11 | "resourceName": "rds:myrdstest-2016-10-20-23-52", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "us-east-1a", 14 | "resourceCreationTime": "2016-10-20T23:54:07.992Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::EC2::VPC", 20 | "resourceId": "vpc-0990dc6d", 21 | "relationshipName": "Is associated with Vpc" 22 | } 23 | ], 24 | "configuration": { 25 | "dBSnapshotIdentifier": "rds:myrdstest-2016-10-20-23-52", 26 | "dBInstanceIdentifier": "myrdstest", 27 | "snapshotCreateTime": "2016-10-20T23:54:07.992Z", 28 | "engine": "mysql", 29 | "allocatedStorage": 100, 30 | "status": "available", 31 | "port": 3306, 32 | "availabilityZone": "us-east-1a", 33 | "vpcId": "vpc-0990dc6d", 34 | "instanceCreateTime": "2016-10-20T23:42:39.639Z", 35 | "masterUsername": "foo", 36 | "engineVersion": "5.6.27", 37 | "licenseModel": "general-public-license", 38 | "snapshotType": "automated", 39 | "iops": 1000, 40 | "optionGroupName": "default:mysql-5-6", 41 | "percentProgress": 100, 42 | "storageType": "io1", 43 | "encrypted": true, 44 | "kmsKeyId": "arn:aws:kms:us-east-1:264683526309:key/e20f3a10-781f-4582-93d7-6dfe67cac827" 45 | }, 46 | "supplementaryConfiguration": { 47 | "DBSnapshotAttributes": [ 48 | { 49 | "attributeName": "restore", 50 
| "attributeValues": [] 51 | } 52 | ], 53 | "Tags": [] 54 | } 55 | } 56 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_RDS_DBSubnetGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-09-25T00:41:22.151Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "156", 7 | "configurationItemMD5Hash": "a2321f67df5d6d13db8117cf815ad5ee", 8 | "arn": "arn:aws:rds:us-east-1:264683526309:subgrp:default", 9 | "resourceType": "AWS::RDS::DBSubnetGroup", 10 | "resourceId": "default", 11 | "resourceName": "default", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Multiple Availability Zones", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [ 17 | { 18 | "resourceType": "AWS::EC2::Subnet", 19 | "resourceId": "subnet-29428871", 20 | "relationshipName": "Is associated with Subnet" 21 | }, 22 | { 23 | "resourceType": "AWS::EC2::Subnet", 24 | "resourceId": "subnet-32e85b44", 25 | "relationshipName": "Is associated with Subnet" 26 | }, 27 | { 28 | "resourceType": "AWS::EC2::Subnet", 29 | "resourceId": "subnet-38c20312", 30 | "relationshipName": "Is associated with Subnet" 31 | }, 32 | { 33 | "resourceType": "AWS::EC2::Subnet", 34 | "resourceId": "subnet-e83ba2d5", 35 | "relationshipName": "Is associated with Subnet" 36 | }, 37 | { 38 | "resourceType": "AWS::EC2::VPC", 39 | "resourceId": "vpc-0990dc6d", 40 | "relationshipName": "Is associated with Vpc" 41 | } 42 | ], 43 | "configuration": { 44 | "dBSubnetGroupName": "default", 45 | "dBSubnetGroupDescription": "default", 46 | "vpcId": "vpc-0990dc6d", 47 | "subnetGroupStatus": "Complete", 48 | "subnets": [ 49 | { 50 | "subnetIdentifier": "subnet-29428871", 51 | "subnetAvailabilityZone": { 52 | "name": "us-east-1a" 53 | }, 54 | "subnetStatus": "Active" 55 | }, 56 | { 57 | "subnetIdentifier": 
"subnet-38c20312", 58 | "subnetAvailabilityZone": { 59 | "name": "us-east-1c" 60 | }, 61 | "subnetStatus": "Active" 62 | }, 63 | { 64 | "subnetIdentifier": "subnet-e83ba2d5", 65 | "subnetAvailabilityZone": { 66 | "name": "us-east-1e" 67 | }, 68 | "subnetStatus": "Active" 69 | }, 70 | { 71 | "subnetIdentifier": "subnet-32e85b44", 72 | "subnetAvailabilityZone": { 73 | "name": "us-east-1d" 74 | }, 75 | "subnetStatus": "Active" 76 | } 77 | ] 78 | }, 79 | "supplementaryConfiguration": { 80 | "Tags": [] 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_RDS_EventSubscription.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "264683526309", 4 | "configurationItemCaptureTime": "2016-11-12T06:56:53.125Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1478933813125", 7 | "configurationItemMD5Hash": "24454d84f1c6f05857e9be2b47a68f0d", 8 | "arn": "arn:aws:rds:us-east-1:264683526309:es:MyEventSub", 9 | "resourceType": "AWS::RDS::EventSubscription", 10 | "resourceId": "MyEventSub", 11 | "resourceName": "MyEventSub", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2016-10-20T23:46:27.865Z", 15 | "tags": {}, 16 | "relatedEvents": [ 17 | "94f00b50-be46-4081-8813-3417e86b50c4" 18 | ], 19 | "relationships": [], 20 | "configuration": { 21 | "customerAwsId": "264683526309", 22 | "custSubscriptionId": "MyEventSub", 23 | "snsTopicArn": "arn:aws:sns:us-east-1:264683526309:config-topic", 24 | "status": "active", 25 | "subscriptionCreationTime": "2016-10-20 23:46:27.865", 26 | "sourceType": "db-instance", 27 | "sourceIdsList": [ 28 | "myrdstest" 29 | ], 30 | "eventCategoriesList": [ 31 | "availability", 32 | "backup", 33 | "creation", 34 | "deletion" 35 | ], 36 | "enabled": true 37 | }, 38 | "supplementaryConfiguration": { 39 | "Tags": [] 40 | } 41 | } 42 | 
-------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Redshift_ClusterSecurityGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "786334434281", 4 | "configurationItemCaptureTime": "2016-10-14T17:53:17.275Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1476467597275", 7 | "configurationItemMD5Hash": "52761ea7b6dab5a0e22d079a3e85ad92", 8 | "arn": "arn:aws:redshift:us-west-2:786334434281:securitygroup:default", 9 | "resourceType": "AWS::Redshift::ClusterSecurityGroup", 10 | "resourceId": "default", 11 | "resourceName": "default", 12 | "awsRegion": "us-west-2", 13 | "availabilityZone": "Not Applicable", 14 | "tags": { 15 | "Tag1": "Value1", 16 | "Tag2": "Value2" 17 | }, 18 | "relatedEvents": [], 19 | "relationships": [], 20 | "configuration": { 21 | "clusterSecurityGroupName": "default", 22 | "description": "default", 23 | "eC2SecurityGroups": [ 24 | { 25 | "status": "authorized", 26 | "eC2SecurityGroupName": "default", 27 | "eC2SecurityGroupOwnerId": "786334434281", 28 | "tags": [] 29 | } 30 | ], 31 | "iPRanges": [ 32 | { 33 | "status": "authorized", 34 | "cIDRIP": "205.251.233.51/32", 35 | "tags": [] 36 | } 37 | ], 38 | "tags": [ 39 | { 40 | "key": "Tag1", 41 | "value": "Value1" 42 | }, 43 | { 44 | "key": "Tag2", 45 | "value": "Value2" 46 | } 47 | ] 48 | }, 49 | "supplementaryConfiguration": {} 50 | } 51 | 52 | 53 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Redshift_ClusterSnapshot.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "382822795712", 4 | "configurationItemCaptureTime": "2016-10-13T22:35:45.739Z", 5 | "configurationItemStatus": "OK", 6 | "configurationStateId": "1476398145739", 7 | "configurationItemMD5Hash": 
"a89662e7677d910dd125273799641741", 8 | "arn": "arn:aws:redshift:us-west-2:382822795712:snapshot:cluster-with-kms/cluster-with-kms-snapshot", 9 | "resourceType": "AWS::Redshift::ClusterSnapshot", 10 | "resourceId": "cluster-with-kms-snapshot", 11 | "resourceName": "cluster-with-kms-snapshot", 12 | "awsRegion": "us-west-2", 13 | "availabilityZone": "us-west-2c", 14 | "resourceCreationTime": "2016-10-13T22:33:28.161Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [ 18 | { 19 | "resourceType": "AWS::Redshift::Cluster", 20 | "resourceId": "cluster-with-kms", 21 | "resourceName": "cluster-with-kms", 22 | "relationshipName": "Is associated with Cluster" 23 | }, 24 | { 25 | "resourceType": "AWS::EC2::VPC", 26 | "resourceId": "vpc-af541fca", 27 | "relationshipName": "Is associated with Vpc" 28 | } 29 | ], 30 | "configuration": { 31 | "snapshotIdentifier": "cluster-with-kms-snapshot", 32 | "clusterIdentifier": "cluster-with-kms", 33 | "snapshotCreateTime": "2016-10-13T22:33:28.161Z", 34 | "status": "available", 35 | "port": 5439, 36 | "availabilityZone": "us-west-2c", 37 | "clusterCreateTime": "2016-10-13T22:26:39.723Z", 38 | "masterUsername": "asdf", 39 | "clusterVersion": "1.0", 40 | "snapshotType": "manual", 41 | "nodeType": "dc1.large", 42 | "numberOfNodes": 1, 43 | "dBName": "asdfffffdb", 44 | "vpcId": "vpc-af541fca", 45 | "encrypted": true, 46 | "kmsKeyId": "arn:aws:kms:us-west-2:382822795712:key/1734c784-c7d1-443c-8629-aef34db98b30", 47 | "encryptedWithHSM": false, 48 | "accountsWithRestoreAccess": [], 49 | "ownerAccount": "382822795712", 50 | "totalBackupSizeInMegaBytes": 12, 51 | "actualIncrementalBackupSizeInMegaBytes": 5, 52 | "backupProgressInMegaBytes": 5, 53 | "currentBackupRateInMegaBytesPerSecond": 3.5361, 54 | "estimatedSecondsToCompletion": 0, 55 | "elapsedTimeInSeconds": 1, 56 | "tags": [], 57 | "restorableNodeTypes": [ 58 | "dc1.large" 59 | ] 60 | }, 61 | "supplementaryConfiguration": {} 62 | } 63 | 
-------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Redshift_ClusterSubnetGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "382822795712", 4 | "configurationItemCaptureTime": "2016-10-13T21:11:05.898Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1476393065898", 7 | "configurationItemMD5Hash": "415cc9ed7a5c561539df534d97457f07", 8 | "arn": "arn:aws:redshift:us-west-2:382822795712:subnetgroup:default", 9 | "resourceType": "AWS::Redshift::ClusterSubnetGroup", 10 | "resourceId": "default", 11 | "resourceName": "default", 12 | "awsRegion": "us-west-2", 13 | "availabilityZone": "Multiple Availability Zones", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [ 17 | { 18 | "resourceType": "AWS::EC2::Subnet", 19 | "resourceId": "subnet-2810484d", 20 | "relationshipName": "Is associated with Subnet" 21 | }, 22 | { 23 | "resourceType": "AWS::EC2::Subnet", 24 | "resourceId": "subnet-7471e02d", 25 | "relationshipName": "Is associated with Subnet" 26 | }, 27 | { 28 | "resourceType": "AWS::EC2::Subnet", 29 | "resourceId": "subnet-fcf48b8b", 30 | "relationshipName": "Is associated with Subnet" 31 | }, 32 | { 33 | "resourceType": "AWS::EC2::VPC", 34 | "resourceId": "vpc-af541fca", 35 | "relationshipName": "Is associated with Vpc" 36 | } 37 | ], 38 | "configuration": { 39 | "clusterSubnetGroupName": "default", 40 | "description": "default", 41 | "vpcId": "vpc-af541fca", 42 | "subnetGroupStatus": "Complete", 43 | "subnets": [ 44 | { 45 | "subnetIdentifier": "subnet-fcf48b8b", 46 | "subnetAvailabilityZone": { 47 | "name": "us-west-2b" 48 | }, 49 | "subnetStatus": "Active" 50 | }, 51 | { 52 | "subnetIdentifier": "subnet-2810484d", 53 | "subnetAvailabilityZone": { 54 | "name": "us-west-2a" 55 | }, 56 | "subnetStatus": "Active" 57 | }, 58 | { 59 | "subnetIdentifier": "subnet-7471e02d", 60 | 
"subnetAvailabilityZone": { 61 | "name": "us-west-2c" 62 | }, 63 | "subnetStatus": "Active" 64 | } 65 | ], 66 | "tags": [] 67 | }, 68 | "supplementaryConfiguration": {} 69 | } 70 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Redshift_EventSubscription.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.2", 3 | "accountId": "382822795712", 4 | "configurationItemCaptureTime": "2016-10-13T21:11:05.449Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1476393065449", 7 | "configurationItemMD5Hash": "4bcb322336a1994c2ab7da964fca56a3", 8 | "arn": "arn:aws:redshift:us-west-2:382822795712:eventsubscription:multiple-clusters", 9 | "resourceType": "AWS::Redshift::EventSubscription", 10 | "resourceId": "multiple-clusters", 11 | "resourceName": "multiple-clusters", 12 | "awsRegion": "us-west-2", 13 | "availabilityZone": "Not Applicable", 14 | "resourceCreationTime": "2016-10-10T17:10:41.746Z", 15 | "tags": {}, 16 | "relatedEvents": [], 17 | "relationships": [], 18 | "configuration": { 19 | "customerAwsId": "382822795712", 20 | "custSubscriptionId": "multiple-clusters", 21 | "snsTopicArn": "arn:aws:sns:us-west-2:382822795712:config-topic1111", 22 | "status": "active", 23 | "subscriptionCreationTime": "2016-10-10T17:10:41.746Z", 24 | "sourceType": "cluster", 25 | "sourceIdsList": [ 26 | "more-clusters", 27 | "test-cluster", 28 | "cluster2" 29 | ], 30 | "eventCategoriesList": [ 31 | "security", 32 | "management", 33 | "configuration", 34 | "monitoring" 35 | ], 36 | "severity": "INFO", 37 | "enabled": true, 38 | "tags": [] 39 | }, 40 | "supplementaryConfiguration": {} 41 | } 42 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_S3_AccountPublicAccessBlock.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": 
"1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2022-05-20T15:53:57.732Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1653062037732", 7 | "configurationItemMD5Hash": "", 8 | "resourceType": "AWS::S3::AccountPublicAccessBlock", 9 | "resourceId": "123456789012", 10 | "awsRegion": "us-east-1", 11 | "availabilityZone": "Not Applicable", 12 | "tags": {}, 13 | "relatedEvents": [], 14 | "relationships": [], 15 | "configuration": { 16 | "blockPublicAcls": true, 17 | "ignorePublicAcls": true, 18 | "blockPublicPolicy": true, 19 | "restrictPublicBuckets": true 20 | }, 21 | "supplementaryConfiguration": {}, 22 | "resourceTransitionStatus": "None" 23 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_S3_Bucket.json: -------------------------------------------------------------------------------- 1 | { 2 | "relatedEvents": [], 3 | "relationships": [], 4 | "configuration": { 5 | "name": "mborch-test-bucket-config-item", 6 | "owner": { 7 | "displayName": null, 8 | "id": "8ac813c84b8ad4d9f3e35f80aaeb254f85922a902ce87ed6b49ccbfa188f5a12" 9 | }, 10 | "creationDate": "2019-02-12T07:21:45.000Z" 11 | }, 12 | "supplementaryConfiguration": { 13 | "AccessControlList": "{\"grantSet\":null,\"grantList\":[{\"grantee\":{\"id\":\"8ac813c84b8ad4d9f3e35f80aaeb254f85922a902ce87ed6b49ccbfa188f5a12\",\"displayName\":null},\"permission\":\"FullControl\"}],\"owner\":{\"displayName\":null,\"id\":\"8ac813c84b8ad4d9f3e35f80aaeb254f85922a902ce87ed6b49ccbfa188f5a12\"},\"isRequesterCharged\":false}", 14 | "BucketAccelerateConfiguration": { 15 | "status": null 16 | }, 17 | "BucketLoggingConfiguration": { 18 | "destinationBucketName": null, 19 | "logFilePrefix": null 20 | }, 21 | "BucketNotificationConfiguration": { 22 | "configurations": {} 23 | }, 24 | "BucketPolicy": { 25 | "policyText": 
"{\"Version\":\"2012-10-17\",\"Id\":\"Policy1478390053757\",\"Statement\":[{\"Sid\":\"Stmt1478389920384\",\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":\"arn:aws:s3:::mborch-test-bucket-config-item\",\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}}]}" 26 | }, 27 | "BucketVersioningConfiguration": { 28 | "status": "Enabled", 29 | "isMfaDeleteEnabled": null 30 | }, 31 | "IsRequesterPaysEnabled": false 32 | }, 33 | "tags": {}, 34 | "configurationItemVersion": "1.3", 35 | "configurationItemCaptureTime": "2019-02-12T07:29:16.288Z", 36 | "configurationStateId": 1549956556288, 37 | "awsAccountId": "934654633380", 38 | "configurationItemStatus": "OK", 39 | "resourceType": "AWS::S3::Bucket", 40 | "resourceId": "mborch-test-bucket-config-item", 41 | "resourceName": "mborch-test-bucket-config-item", 42 | "ARN": "arn:aws:s3:::mborch-test-bucket-config-item", 43 | "awsRegion": "us-east-1", 44 | "availabilityZone": "Regional", 45 | "configurationStateMd5Hash": "", 46 | "resourceCreationTime": "2019-02-12T07:21:45.000Z" 47 | } 48 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_SNS_Topic.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "1.3", 3 | "accountId": "123456789012", 4 | "configurationItemCaptureTime": "2021-08-06T04:33:39.914Z", 5 | "configurationItemStatus": "ResourceDiscovered", 6 | "configurationStateId": "1628224419914", 7 | "configurationItemMD5Hash": "", 8 | "arn": "arn:aws:sns:us-east-1:123456789012:topic", 9 | "resourceType": "AWS::SNS::Topic", 10 | "resourceId": "arn:aws:sns:us-east-1:123456789012:topic", 11 | "resourceName": "OpenTopic", 12 | "awsRegion": "us-east-1", 13 | "availabilityZone": "Not Applicable", 14 | "tags": {}, 15 | "relatedEvents": [], 16 | "relationships": [], 17 | "configuration": { 18 | "Policy": 
"{\"Version\":\"2008-10-17\",\"Id\":\"__default_policy_ID\",\"Statement\":[{\"Sid\":\"__default_statement_ID\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:Publish\",\"SNS:RemovePermission\",\"SNS:SetTopicAttributes\",\"SNS:DeleteTopic\",\"SNS:ListSubscriptionsByTopic\",\"SNS:GetTopicAttributes\",\"SNS:Receive\",\"SNS:AddPermission\",\"SNS:Subscribe\"],\"Resource\":\"arn:aws:sns:us-east-1:123456789012:topic\",\"Condition\":{\"StringEquals\":{\"AWS:SourceOwner\":\"123456789012\"}}},{\"Sid\":\"__console_pub_0\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"SNS:Publish\",\"Resource\":\"arn:aws:sns:us-east-1:123456789012:topic\"},{\"Sid\":\"__console_sub_0\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":[\"SNS:Subscribe\",\"SNS:Receive\"],\"Resource\":\"arn:aws:sns:us-east-1:123456789012:topic\"}]}", 19 | "Owner": "123456789012", 20 | "TopicArn": "arn:aws:sns:us-east-1:123456789012:topic", 21 | "EffectiveDeliveryPolicy": "{\"http\":{\"defaultHealthyRetryPolicy\":{\"minDelayTarget\":20,\"maxDelayTarget\":20,\"numRetries\":3,\"numMaxDelayRetries\":0,\"numNoDelayRetries\":0,\"numMinDelayRetries\":0,\"backoffFunction\":\"linear\"},\"disableSubscriptionOverrides\":false}}", 22 | "DisplayName": "Open" 23 | }, 24 | "supplementaryConfiguration": { 25 | "Tags": [] 26 | }, 27 | "resourceTransitionStatus": "None" 28 | } -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_ShieldRegional_Protection.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "version": "1.3", 4 | "accountId": "562609128272", 5 | "configurationItemCaptureTime": "2019-11-14T13:50:16.785Z", 6 | "configurationItemStatus": "ResourceDiscovered", 7 | "configurationStateId": "1573740415685", 8 | "configurationItemMD5Hash": "", 9 | "arn": "arn:aws:shield:eu-west-1:562609128272:protection/remediation-protection/87224b0g-1b2d-4236-8271-f45e40a45a82", 10 
| "resourceType": "AWS::ShieldRegional::Protection", 11 | "resourceId": "87224b0g-1b2d-4236-8271-f45e40a45a82", 12 | "resourceName": "remediation-protection", 13 | "awsRegion": "eu-west-1", 14 | "availabilityZone": "Multiple Availability Zones", 15 | "resourceCreationTime": "2019-11-14T13:50:16.785Z", 16 | "tags": {}, 17 | "relatedEvents": [], 18 | "relationships": [ 19 | { 20 | "resourceType": "AWS::EC2::EIP", 21 | "resourceId": "eipalloc-23db17t9f4a6e22d3", 22 | "resourceName": "eipalloc-23db17t9f4a6e22d3", 23 | "relationshipName": "Is associated with " 24 | } 25 | ], 26 | "configuration": { 27 | "Id": "87224b0g-1b2d-4236-8271-f45e40a45a82", 28 | "Name": "remediation-protection", 29 | "ResourceArn": "arn:aws:ec2:eu-west-1:562609128272:eip-allocation/eipalloc-23db17t9f4a6e22d3" 30 | }, 31 | "supplementaryConfiguration": {} 32 | } 33 | ] 34 | -------------------------------------------------------------------------------- /rdk/template/example_ci/AWS_Shield_Protection.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "version": "1.3", 4 | "accountId": "524601238342", 5 | "configurationItemCaptureTime": "2019-11-14T13:50:02.120Z", 6 | "configurationItemStatus": "ResourceDiscovered", 7 | "configurationStateId": "1574839403230", 8 | "configurationItemMD5Hash": "", 9 | "arn": "arn:aws:shield::524601238342:protection/remediation-protection/543c11f0-b10x-4f95-8a09-65f9e3cd8e3a", 10 | "resourceType": "AWS::Shield::Protection", 11 | "resourceId": "543c11f0-b10x-4f95-8a09-65f9e3cd8e3a", 12 | "resourceName": "remediation-protection", 13 | "awsRegion": "global", 14 | "availabilityZone": "Not Applicable", 15 | "resourceCreationTime": "2019-11-14T13:50:02.120Z", 16 | "tags": {}, 17 | "relatedEvents": [], 18 | "relationships": [ 19 | { 20 | "resourceType": "AWS::CloudFront::Distribution", 21 | "resourceId": "T2FB2LIU60IEXU", 22 | "resourceName": "T2FB2LIU60IEXU", 23 | "relationshipName": "Is associated with " 24 | } 25 | ], 26 
|     "configuration": {
27 |       "Id": "543c11f0-b10x-4f95-8a09-65f9e3cd8e3a",
28 |       "Name": "remediation-protection",
29 |       "ResourceArn": "arn:aws:cloudfront::524601238342:distribution/T2FB2LIU60IEXU"
30 |     },
31 |     "supplementaryConfiguration": {}
32 |   }
33 | ]
34 |
--------------------------------------------------------------------------------
/rdk/template/runtime/java8/build.gradle:
--------------------------------------------------------------------------------
1 | apply plugin: 'java'
2 | // NOTE(review): the 'compile' and 'runtime' configurations used below were removed in Gradle 7; this script needs an older Gradle or a port to 'implementation' / 'runtimeClasspath'.
3 | repositories {
4 |     mavenCentral()
5 | }
6 | // NOTE(review): fixed version pins - review them against current releases and advisories before shipping. RuleCode.java imports jackson-databind (JsonNode), which is not declared here; presumably it arrives transitively - confirm and pin it explicitly.
7 | dependencies {
8 |     compile (
9 |         'com.amazonaws:aws-lambda-java-core:1.1.0',
10 |         'com.amazonaws:aws-lambda-java-events:1.2.0',
11 |         'com.amazonaws:aws-java-sdk-config:1.11.228',
12 |         'com.amazonaws:aws-java-sdk-iam:1.10.5',
13 |         'com.fasterxml.jackson.core:jackson-core:2.7.0',
14 |         'org.apache.commons:commons-lang3:3.0'
15 |     )
16 |     compile fileTree(dir: 'jars', include: '*.jar') // adds every *.jar found in jars/ as a dependency; add only JARs whose origin and integrity you have verified
17 | }
18 | // buildZip: zips the compileJava and processResources outputs, with the files of the 'runtime' configuration placed under lib/.
19 | task buildZip(type: Zip) {
20 |     from compileJava
21 |     from processResources
22 |     into('lib') {
23 |         from configurations.runtime
24 |     }
25 | }
26 | // Running 'build' also runs buildZip.
27 | build.dependsOn buildZip
28 |
--------------------------------------------------------------------------------
/rdk/template/runtime/java8/jars/readme.txt:
--------------------------------------------------------------------------------
1 | Add any Java JAR's that you want to be included in your Lambda function in this directory. 
2 |
--------------------------------------------------------------------------------
/rdk/template/runtime/java8/src/main/java/com/rdk/RuleCode.java:
--------------------------------------------------------------------------------
1 | package com.rdk;
2 |
3 | import java.io.IOException;
4 | import com.fasterxml.jackson.core.JsonProcessingException;
5 | import com.fasterxml.jackson.databind.JsonNode;
6 | import com.amazonaws.services.config.model.*;
7 |
8 | import com.amazonaws.services.lambda.runtime.Context;
9 | import com.amazonaws.services.lambda.runtime.LambdaLogger;
10 |
11 | /** Rule template: evaluateCompliance() is the place for the custom Config rule logic. */
12 | public class RuleCode {
13 |     /** Logs a start message and returns the verdict. As shipped it reads neither invokingEvent nor ruleParameters and always returns NON_COMPLIANT. */
14 |     public static ComplianceType evaluateCompliance(JsonNode invokingEvent, JsonNode ruleParameters, Context context) throws JsonProcessingException,
15 |             IOException {
16 |         LambdaLogger logger = context.getLogger();
17 |         logger.log("Beginning Custom Config Rule Evaluation");
18 |         // NOTE(review): ruleParameters is not validated in this template; check required keys and value formats before relying on it.
19 |         /*
20 |         YOUR CODE GOES HERE!
21 |         */
22 |         // Placeholder verdict until the logic above is written.
23 |         return ComplianceType.NON_COMPLIANT;
24 |     }
25 | }
26 |
--------------------------------------------------------------------------------
/rdk/template/runtime/python3.10-lib/rule_code.py:
--------------------------------------------------------------------------------
1 | from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType
2 | <%ApplicableResources1%>
3 | class <%RuleName%>(ConfigRule):
4 |     # NOTE - you should typically only implement one of evaluate_change() or evaluate_periodic()!
5 |     # If implementing a periodic rule, you will need to delete evaluate_change() and uncomment evaluate_periodic()
6 |
7 |     def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
8 |         ################################################
9 |         # Add your custom change-triggered logic here. 
# 10 | ################################################ 11 | 12 | return [Evaluation(ComplianceType.NOT_APPLICABLE)] 13 | 14 | 15 | # def evaluate_periodic(self, event, client_factory, valid_rule_parameters): 16 | # ######################################## 17 | # # Add your custom periodic logic here. # 18 | # ######################################## 19 | # # If you are evaluating resources that are not supported by the Config Service... 20 | # # ...it is often helpful to specify the account as the resource type/ID 21 | # account_id = event['accountId'] 22 | # return [ 23 | # Evaluation( 24 | # complianceType=ComplianceType.COMPLIANT, 25 | # resourceId=account_id, 26 | # resourceType="AWS::::Account", 27 | # annotation="Use this field to explain why this evaluation occurred.", 28 | # ) 29 | # ] 30 | 31 | 32 | def evaluate_parameters(self, rule_parameters): 33 | valid_rule_parameters = rule_parameters 34 | return valid_rule_parameters 35 | 36 | 37 | ################################ 38 | # DO NOT MODIFY ANYTHING BELOW # 39 | ################################ 40 | def lambda_handler(event, context): 41 | my_rule = <%RuleName%>() 42 | evaluator = Evaluator(my_rule<%ApplicableResources2%>) 43 | return evaluator.handle(event, context) 44 | -------------------------------------------------------------------------------- /rdk/template/runtime/python3.11-lib/rule_code.py: -------------------------------------------------------------------------------- 1 | from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType 2 | <%ApplicableResources1%> 3 | class <%RuleName%>(ConfigRule): 4 | # NOTE - you should typically only implement one of evaluate_change() or evaluate_periodic()! 
5 |     # If implementing a periodic rule, you will need to delete evaluate_change() and uncomment evaluate_periodic()
6 |     # evaluate_change(): as shipped it reads none of its arguments and returns one NOT_APPLICABLE Evaluation.
7 |     def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
8 |         ################################################
9 |         # Add your custom change-triggered logic here. #
10 |         ################################################
11 |         # NOTE(review): when adding logic, do not let a missing key or failed lookup fall through to COMPLIANT - report NON_COMPLIANT or raise so the gap is visible.
12 |         return [Evaluation(ComplianceType.NOT_APPLICABLE)]
13 |
14 |     # NOTE(review): the commented-out sample below returns COMPLIANT unconditionally; if you enable it, replace that verdict with a real check.
15 |     # def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
16 |     #     ########################################
17 |     #     # Add your custom periodic logic here. #
18 |     #     ########################################
19 |     #     # If you are evaluating resources that are not supported by the Config Service...
20 |     #     # ...it is often helpful to specify the account as the resource type/ID
21 |     #     account_id = event['accountId']
22 |     #     return [
23 |     #         Evaluation(
24 |     #             complianceType=ComplianceType.COMPLIANT,
25 |     #             resourceId=account_id,
26 |     #             resourceType="AWS::::Account",
27 |     #             annotation="Use this field to explain why this evaluation occurred.",
28 |     #         )
29 |     #     ]
30 |
31 |     # evaluate_parameters(): returns rule_parameters unchanged, so nothing is validated as shipped. Check required keys, types and allowed values here and raise on bad input; the result is presumably what reaches the evaluate_* methods as valid_rule_parameters (TODO confirm in rdklib).
32 |     def evaluate_parameters(self, rule_parameters):
33 |         valid_rule_parameters = rule_parameters
34 |         return valid_rule_parameters
35 |
36 | # lambda_handler(): creates the rule object, passes it to an rdklib Evaluator and returns evaluator.handle(event, context).
37 | ################################
38 | # DO NOT MODIFY ANYTHING BELOW #
39 | ################################
40 | def lambda_handler(event, context):
41 |     my_rule = <%RuleName%>()
42 |     evaluator = Evaluator(my_rule<%ApplicableResources2%>)
43 |     return evaluator.handle(event, context)
44 |
--------------------------------------------------------------------------------
/rdk/template/runtime/python3.12-lib/rule_code.py:
--------------------------------------------------------------------------------
1 | from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType
2 | <%ApplicableResources1%>
3 | class <%RuleName%>(ConfigRule):
4 |     # NOTE - you should typically only implement one of evaluate_change() 
or evaluate_periodic()! 5 | # If implementing a periodic rule, you will need to delete evaluate_change() and uncomment evaluate_periodic() 6 |
    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        """Evaluate a change-triggered invocation of this rule.

        As generated, this stub ignores its arguments and reports a single
        NOT_APPLICABLE evaluation; replace the body with the rule's logic.

        NOTE(review): valid_rule_parameters is presumably the value returned
        by evaluate_parameters() -- confirm against rdklib.
        """
        ################################################
        # Add your custom change-triggered logic here. #
        ################################################

        return [Evaluation(ComplianceType.NOT_APPLICABLE)]


    # def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
    #     ########################################
    #     # Add your custom periodic logic here. #
    #     ########################################
    #     # If you are evaluating resources that are not supported by the Config Service...
    #     # ...it is often helpful to specify the account as the resource type/ID
    #     account_id = event['accountId']
    #     return [
    #         Evaluation(
    #             complianceType=ComplianceType.COMPLIANT,
    #             resourceId=account_id,
    #             resourceType="AWS::::Account",
    #             annotation="Use this field to explain why this evaluation occurred.",
    #         )
    #     ]


    def evaluate_parameters(self, rule_parameters):
        """Return the parameters this rule will evaluate with.

        As generated, rule_parameters is handed back unchanged, so nothing is
        validated. Check required keys, types and allowed values here and
        raise on anything unexpected, so a malformed parameter is rejected
        up front instead of skewing a compliance result.
        """
        # Pass-through: the template performs no validation or normalisation.
        valid_rule_parameters = rule_parameters
        return valid_rule_parameters


################################
# DO NOT MODIFY ANYTHING BELOW #
################################
def lambda_handler(event, context):
    """Lambda entry point: build the rule and hand the event to rdklib's Evaluator."""
    # <%RuleName%> and <%ApplicableResources2%> are template placeholders, presumably
    # substituted when the rule is generated -- this file is not valid Python until then.
    my_rule = <%RuleName%>()
    evaluator = Evaluator(my_rule<%ApplicableResources2%>)
    return evaluator.handle(event, context)

-------------------------------------------------------------------------------- /rdk/template/runtime/python3.13-lib/rule_code.py: -------------------------------------------------------------------------------- 1 | from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType 2 | <%ApplicableResources1%> 3 | class <%RuleName%>(ConfigRule): 4 | # NOTE - you should typically only implement 
one of evaluate_change() or evaluate_periodic()! 5 | # If implementing a periodic rule, you will need to delete evaluate_change() and uncomment evaluate_periodic() 6 |
    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        """Evaluate a change-triggered invocation of this rule.

        As generated, this stub ignores its arguments and reports a single
        NOT_APPLICABLE evaluation; replace the body with the rule's logic.

        NOTE(review): valid_rule_parameters is presumably the value returned
        by evaluate_parameters() -- confirm against rdklib.
        """
        ################################################
        # Add your custom change-triggered logic here. #
        ################################################

        return [Evaluation(ComplianceType.NOT_APPLICABLE)]


    # def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
    #     ########################################
    #     # Add your custom periodic logic here. #
    #     ########################################
    #     # If you are evaluating resources that are not supported by the Config Service...
    #     # ...it is often helpful to specify the account as the resource type/ID
    #     account_id = event['accountId']
    #     return [
    #         Evaluation(
    #             complianceType=ComplianceType.COMPLIANT,
    #             resourceId=account_id,
    #             resourceType="AWS::::Account",
    #             annotation="Use this field to explain why this evaluation occurred.",
    #         )
    #     ]


    def evaluate_parameters(self, rule_parameters):
        """Return the parameters this rule will evaluate with.

        As generated, rule_parameters is handed back unchanged, so nothing is
        validated. Check required keys, types and allowed values here and
        raise on anything unexpected, so a malformed parameter is rejected
        up front instead of skewing a compliance result.
        """
        # Pass-through: the template performs no validation or normalisation.
        valid_rule_parameters = rule_parameters
        return valid_rule_parameters


################################
# DO NOT MODIFY ANYTHING BELOW #
################################
def lambda_handler(event, context):
    """Lambda entry point: build the rule and hand the event to rdklib's Evaluator."""
    # <%RuleName%> and <%ApplicableResources2%> are template placeholders, presumably
    # substituted when the rule is generated -- this file is not valid Python until then.
    my_rule = <%RuleName%>()
    evaluator = Evaluator(my_rule<%ApplicableResources2%>)
    return evaluator.handle(event, context)

-------------------------------------------------------------------------------- /rdk/template/runtime/python3.7-lib/rule_code.py: -------------------------------------------------------------------------------- 1 | from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType 2 | <%ApplicableResources1%> 3 | class <%RuleName%>(ConfigRule): 4 | # NOTE - you should 
typically only implement one of evaluate_change() or evaluate_periodic()! 5 | # If implementing a periodic rule, you will need to delete evaluate_change() and uncomment evaluate_periodic() 6 |
    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        """Evaluate a change-triggered invocation of this rule.

        As generated, this stub ignores its arguments and reports a single
        NOT_APPLICABLE evaluation; replace the body with the rule's logic.

        NOTE(review): valid_rule_parameters is presumably the value returned
        by evaluate_parameters() -- confirm against rdklib.
        """
        ################################################
        # Add your custom change-triggered logic here. #
        ################################################

        return [Evaluation(ComplianceType.NOT_APPLICABLE)]


    # def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
    #     ########################################
    #     # Add your custom periodic logic here. #
    #     ########################################
    #     # If you are evaluating resources that are not supported by the Config Service...
    #     # ...it is often helpful to specify the account as the resource type/ID
    #     account_id = event['accountId']
    #     return [
    #         Evaluation(
    #             complianceType=ComplianceType.COMPLIANT,
    #             resourceId=account_id,
    #             resourceType="AWS::::Account",
    #             annotation="Use this field to explain why this evaluation occurred.",
    #         )
    #     ]


    def evaluate_parameters(self, rule_parameters):
        """Return the parameters this rule will evaluate with.

        As generated, rule_parameters is handed back unchanged, so nothing is
        validated. Check required keys, types and allowed values here and
        raise on anything unexpected, so a malformed parameter is rejected
        up front instead of skewing a compliance result.
        """
        # Pass-through: the template performs no validation or normalisation.
        valid_rule_parameters = rule_parameters
        return valid_rule_parameters


################################
# DO NOT MODIFY ANYTHING BELOW #
################################
def lambda_handler(event, context):
    """Lambda entry point: build the rule and hand the event to rdklib's Evaluator."""
    # <%RuleName%> and <%ApplicableResources2%> are template placeholders, presumably
    # substituted when the rule is generated -- this file is not valid Python until then.
    my_rule = <%RuleName%>()
    evaluator = Evaluator(my_rule<%ApplicableResources2%>)
    return evaluator.handle(event, context)

-------------------------------------------------------------------------------- /rdk/template/runtime/python3.8-lib/rule_code.py: -------------------------------------------------------------------------------- 1 | from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType 2 | <%ApplicableResources1%> 3 | class <%RuleName%>(ConfigRule): 4 
| # NOTE - you should typically only implement one of evaluate_change() or evaluate_periodic()! 5 | # If implementing a periodic rule, you will need to delete evaluate_change() and uncomment evaluate_periodic() 6 |
    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        """Evaluate a change-triggered invocation of this rule.

        As generated, this stub ignores its arguments and reports a single
        NOT_APPLICABLE evaluation; replace the body with the rule's logic.

        NOTE(review): valid_rule_parameters is presumably the value returned
        by evaluate_parameters() -- confirm against rdklib.
        """
        ################################################
        # Add your custom change-triggered logic here. #
        ################################################

        return [Evaluation(ComplianceType.NOT_APPLICABLE)]


    # def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
    #     ########################################
    #     # Add your custom periodic logic here. #
    #     ########################################
    #     # If you are evaluating resources that are not supported by the Config Service...
    #     # ...it is often helpful to specify the account as the resource type/ID
    #     account_id = event['accountId']
    #     return [
    #         Evaluation(
    #             complianceType=ComplianceType.COMPLIANT,
    #             resourceId=account_id,
    #             resourceType="AWS::::Account",
    #             annotation="Use this field to explain why this evaluation occurred.",
    #         )
    #     ]


    def evaluate_parameters(self, rule_parameters):
        """Return the parameters this rule will evaluate with.

        As generated, rule_parameters is handed back unchanged, so nothing is
        validated. Check required keys, types and allowed values here and
        raise on anything unexpected, so a malformed parameter is rejected
        up front instead of skewing a compliance result.
        """
        # Pass-through: the template performs no validation or normalisation.
        valid_rule_parameters = rule_parameters
        return valid_rule_parameters


################################
# DO NOT MODIFY ANYTHING BELOW #
################################
def lambda_handler(event, context):
    """Lambda entry point: build the rule and hand the event to rdklib's Evaluator."""
    # <%RuleName%> and <%ApplicableResources2%> are template placeholders, presumably
    # substituted when the rule is generated -- this file is not valid Python until then.
    my_rule = <%RuleName%>()
    evaluator = Evaluator(my_rule<%ApplicableResources2%>)
    return evaluator.handle(event, context)

-------------------------------------------------------------------------------- /rdk/template/runtime/python3.9-lib/rule_code.py: -------------------------------------------------------------------------------- 1 | from rdklib import Evaluator, Evaluation, ConfigRule, ComplianceType 2 | <%ApplicableResources1%> 3 | class 
<%RuleName%>(ConfigRule): 4 | # NOTE - you should typically only implement one of evaluate_change() or evaluate_periodic()! 5 | # If implementing a periodic rule, you will need to delete evaluate_change() and uncomment evaluate_periodic() 6 |
    def evaluate_change(self, event, client_factory, configuration_item, valid_rule_parameters):
        """Evaluate a change-triggered invocation of this rule.

        As generated, this stub ignores its arguments and reports a single
        NOT_APPLICABLE evaluation; replace the body with the rule's logic.

        NOTE(review): valid_rule_parameters is presumably the value returned
        by evaluate_parameters() -- confirm against rdklib.
        """
        ################################################
        # Add your custom change-triggered logic here. #
        ################################################

        return [Evaluation(ComplianceType.NOT_APPLICABLE)]


    # def evaluate_periodic(self, event, client_factory, valid_rule_parameters):
    #     ########################################
    #     # Add your custom periodic logic here. #
    #     ########################################
    #     # If you are evaluating resources that are not supported by the Config Service...
    #     # ...it is often helpful to specify the account as the resource type/ID
    #     account_id = event['accountId']
    #     return [
    #         Evaluation(
    #             complianceType=ComplianceType.COMPLIANT,
    #             resourceId=account_id,
    #             resourceType="AWS::::Account",
    #             annotation="Use this field to explain why this evaluation occurred.",
    #         )
    #     ]


    def evaluate_parameters(self, rule_parameters):
        """Return the parameters this rule will evaluate with.

        As generated, rule_parameters is handed back unchanged, so nothing is
        validated. Check required keys, types and allowed values here and
        raise on anything unexpected, so a malformed parameter is rejected
        up front instead of skewing a compliance result.
        """
        # Pass-through: the template performs no validation or normalisation.
        valid_rule_parameters = rule_parameters
        return valid_rule_parameters


################################
# DO NOT MODIFY ANYTHING BELOW #
################################
def lambda_handler(event, context):
    """Lambda entry point: build the rule and hand the event to rdklib's Evaluator."""
    # <%RuleName%> and <%ApplicableResources2%> are template placeholders, presumably
    # substituted when the rule is generated -- this file is not valid Python until then.
    my_rule = <%RuleName%>()
    evaluator = Evaluator(my_rule<%ApplicableResources2%>)
    return evaluator.handle(event, context)

-------------------------------------------------------------------------------- /rdk/template/terraform/0.11/variables.tf: -------------------------------------------------------------------------------- 1 | variable "rule_name" { 2 | type = "string" 3 | description = "Rule name to export." 
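4 | } 5 |
# Type constraints in this 0.11 template are quoted strings; rule_lambda_name was the
# one variable written in the bare 0.12 form, so it is quoted here like the rest.
variable "rule_lambda_name" {
  type = "string"
  description = "Lambda function name for the Config Rule to export."
}

variable "source_runtime" {
  type = "string"
  description = "Runtime for lambda function."
}


# NOTE(review): this description repeats rule_name's; presumably it should
# describe the Lambda handler -- confirm and reword.
variable "source_handler" {
  type = "string"
  description = "Rule name to export."
}


variable "source_bucket" {
  type = "string"
  description = "Amazon S3 bucket used to export the rule code."
}


# Optional; defaults to an empty list. Declared as a list even though the
# description says "comma-separated".
variable "subnet_ids" {
  description = "Comma-separated list of Subnets to deploy your Lambda function(s)."
  type = "list"
  default=[]
}


# Optional; defaults to an empty list.
variable "security_group_ids" {
  description = "Comma-separated list of Security Groups to deploy with your Lambda function(s)."
  type = "list"
  default=[]
}


# locals.event_triggered is true when this list is non-empty.
variable "source_events" {
  description = "Resource types that will trigger event-based Rule evaluation."
  type = "list"
}


variable "source_input_parameters" {
  description = "JSON for required and optional Config parameters."
  type = "string"
}


variable "lambda_layers" {
  type = "list"
  description = "Comma-separated list of Lambda Layer ARNs to deploy with your Lambda function(s)."
}


# The literal "NONE" switches locals.periodic_triggered off.
variable "source_periodic" {
  description = "Maximum execution frequency for scheduled Rules."
  type = "string"
}


# No default is declared, so the variable cannot simply be left out:
# locals.create_new_lambda_role is true only when this is the literal "NONE".
variable "lambda_role_arn" {
  description = "Assign existing iam role to lambda functions. If omitted, new lambda role will be created."
  type = "string"
}

# Declared as a string, not a number.
variable "lambda_timeout" {
  description = "Lambda function timeout"
  type = "string"
}

77 | locals { 78 | event_triggered = "${ length(var.source_events)>0 ? true : false}" 79 | periodic_triggered = "${var.source_periodic == "NONE" ? 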
false : true}" 80 | create_new_lambda_role = "${var.lambda_role_arn == "NONE" ? true : false}" 81 | 82 | } 83 | -------------------------------------------------------------------------------- /rdk/template/terraform/0.12/variables.tf: --------------------------------------------------------------------------------
# Inputs for exporting a Config rule (Terraform 0.12 syntax: bare type constraints).

variable "rule_name" {
  description = "Rule name to export."
  type        = string
}

variable "rule_lambda_name" {
  description = "Lambda function name for the Config Rule to export."
  type        = string
}

variable "source_runtime" {
  description = "Runtime for lambda function."
  type        = string
}

# NOTE(review): this description repeats rule_name's; presumably it should
# describe the Lambda handler -- confirm and reword.
variable "source_handler" {
  description = "Rule name to export."
  type        = string
}

variable "source_bucket" {
  description = "Amazon S3 bucket used to export the rule code."
  type        = string
}

# Optional; defaults to an empty list.
variable "subnet_ids" {
  description = "Comma-separated list of Subnets to deploy your Lambda function(s)."
  type        = list(string)
  default     = []
}

# Optional; defaults to an empty list.
variable "security_group_ids" {
  description = "Comma-separated list of Security Groups to deploy with your Lambda function(s)."
  type        = list(string)
  default     = []
}

# locals.event_triggered is true when this list is non-empty.
variable "source_events" {
  description = "Resource types that will trigger event-based Rule evaluation."
  type        = list(string)
}

variable "source_input_parameters" {
  description = "JSON for required and optional Config parameters."
  type        = string
}

variable "lambda_layers" {
  description = "Comma-separated list of Lambda Layer ARNs to deploy with your Lambda function(s)."
  type        = list(string)
}

61 | variable "source_periodic" { 62 | description = "Maximum execution frequency for scheduled Rules." 
63 | type = string 64 | } 65 | 66 |
# No default is declared, so the variable cannot simply be left out:
# locals.create_new_lambda_role is true only when this is the literal "NONE".
variable "lambda_role_arn" {
  description = "Assign existing iam role to lambda functions. If omitted, new lambda role will be created."
  type        = string
}

# Declared as a string, not a number.
variable "lambda_timeout" {
  description = "Lambda function timeout"
  type        = string
}

# Derived switches; each comparison already yields a bool.
locals {
  event_triggered        = length(var.source_events) > 0
  periodic_triggered     = var.source_periodic != "NONE"
  create_new_lambda_role = var.lambda_role_arn == "NONE"
  rule_name_source       = "${var.rule_name}.zip"
}

-------------------------------------------------------------------------------- /rdk/template/test_event_template.yaml: -------------------------------------------------------------------------------- 1 | configRuleId: config-rule-dummy 2 | version: "1.0" 3 | configRuleName: Dummy-Config-Rule 4 | configRuleArn: arn:aws:config:us-west-2:123456789012:config-rule/config-rule-dummy 5 | invokingEvent: '{"recordVersion":"1.2","configurationItem":{ },"notificationCreationTime":"","messageType":"ConfigurationItemChangeNotification","configurationItemDiff":null}' 6 | resultToken: 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 7 | eventLeftScope: true 8 | ruleParameters: "" 9 | executionRoleArn: arn:aws:iam::123456789012:role/config-role 10 | accountId: "123456789012" 11 | -------------------------------------------------------------------------------- /test-region.yaml: -------------------------------------------------------------------------------- 1 | default: 2 | - ap-northeast-1 3 | - ap-northeast-2 4 | - ap-northeast-3 5 | - ap-south-1 6 | - ap-southeast-1 7 | - ap-southeast-2 8 | - ca-central-1 9 | - eu-central-1 10 | - eu-north-1 11 | - eu-west-1 12 | - eu-west-2 13 | - eu-west-3 14 | - sa-east-1 15 | - us-east-1 16 | - us-east-2 17 | - us-west-1 18 | - us-west-2 19 | set-opt-in: 20 | - me-south-1 21 | - ap-east-1 22 | - af-south-1 23 | - 
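eu-south-1 24 | set-china: 25 | - cn-north-1 26 | - cn-northwest-1 27 | set-gov: 28 | - us-gov-east-1 29 | - us-gov-west-1 30 | -------------------------------------------------------------------------------- /testing/copy-to-s3-buildspec.yaml: -------------------------------------------------------------------------------- 1 | version: 0.1 2 | 3 | phases: 4 | build: 5 | commands: 6 | - echo Pushing code to S3 for Windows tests 7 | - bash testing/copy_to_s3.sh 8 | post_build: 9 | commands: 10 | - echo S3 sync completed on `date` 11 | -------------------------------------------------------------------------------- /testing/copy_to_s3.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Sync the build checkout to the test bucket under a prefix taken from
# CODEBUILD_SOURCE_VERSION. Nothing is uploaded when the value does not match.
#MyApp\/(.*?).zip
echo "$CODEBUILD_SOURCE_VERSION"

# Kept in a variable so the escaped dot reaches the regex engine unchanged;
# ".zip" now has to match literally instead of "any character + zip".
source_version_pattern='MyApp/(.*)\.zip'

if [[ $CODEBUILD_SOURCE_VERSION =~ $source_version_pattern ]]; then
  # Quoted so the captured value cannot be word-split or glob-expanded; the
  # stray empty command substitution after it has been dropped.
  echo "${BASH_REMATCH[1]}"
  # NOTE(review): the capture is used as the S3 key prefix as-is, and "sync ."
  # uploads the whole working directory -- confirm it holds no credentials or
  # local configuration before this runs against a shared bucket.
  aws s3 sync . "s3://rdk-testing-source-bucket/${BASH_REMATCH[1]}/"
fi

-------------------------------------------------------------------------------- /testing/multi_region_execution_test.py: -------------------------------------------------------------------------------- 1 | # Set up test directory 2 | import sys 3 | 4 | import boto3 5 | 6 | test_file_name = "test-region.yaml" 7 | 8 | cfn_client_ap_east = boto3.client("cloudformation", region_name="ap-southeast-1") 9 | stack_status_ap_east = cfn_client_ap_east.describe_stacks(StackName="MFAENABLEDRULE") 10 | print(stack_status_ap_east) 11 | if stack_status_ap_east["Stacks"][0]["StackStatus"] not in ["CREATE_COMPLETE", "UPDATE_COMPLETE"]: 12 | sys.exit(1) 13 | 14 | cfn_client_us_west = boto3.client("cloudformation", region_name="us-west-1") 15 | stack_status_us_west = cfn_client_us_west.describe_stacks(StackName="MFAENABLEDRULE") 16 | print(stack_status_us_west) 17 | if stack_status_us_west["Stacks"][0]["StackStatus"] not in ["CREATE_COMPLETE", "UPDATE_COMPLETE"]: 18 | sys.exit(1) 19 | 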
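-------------------------------------------------------------------------------- /testing/partition_test.py: --------------------------------------------------------------------------------
# Run "rdk init" in every test region of the caller's partition; exit 1 if any run fails.
import boto3
import subprocess
import sys

# Regions exercised per AWS partition.
testing_regions = {
    "aws": ["us-east-1", "ap-southeast-1", "eu-central-1", "sa-east-1"],
    "aws-cn": ["cn-north-1", "cn-northwest-1"],
    "aws-us-gov": ["us-gov-west-1", "us-gov-east-1"],
}
sts_client = boto3.client("sts")
# ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
arn_array = sts_client.get_caller_identity()["Arn"].split(":")
partition = arn_array[1]
region = arn_array[3]

# Fail with a clear message instead of a KeyError for a partition that has no region list.
if partition not in testing_regions:
    sys.exit(f"No test regions configured for partition {partition!r}")

# IAM/STS identity ARNs normally carry an empty region field; skip it rather
# than launching "rdk -r '' init".
if region and region not in testing_regions[partition]:
    testing_regions[partition].append(region)

# One "rdk init" per region, started in parallel. Argument lists keep the
# region value out of any shell parsing.
subprocesses = [
    subprocess.Popen(["rdk", "-r", target_region, "init"]) for target_region in testing_regions[partition]
]

received_bad_return_code = False

for process in subprocesses:
    process.wait()
    if process.returncode != 0:
        # Output is inherited, not piped, so communicate() would only return
        # (None, None); report which command failed instead.
        print(f"{process.args} exited with {process.returncode}")
        received_bad_return_code = True

if received_bad_return_code:
    sys.exit(1)

-------------------------------------------------------------------------------- /testing/test_windows.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #Params 4 | #python_version must be "3" 5 | python_version=$1 6 | 7 | echo $CODEBUILD_SOURCE_VERSION 8 | -------------------------------------------------------------------------------- /testing/win_multi_region_execution_test.py: -------------------------------------------------------------------------------- 1 | # Set up test directory 2 | import sys 3 | 4 | import boto3 5 | 6 | test_file_name = "test-region.yaml" 7 | 8 | cfn_client_ap_east = boto3.client("cloudformation", region_name="ap-southeast-1") 9 | stack_status_ap_east = cfn_client_ap_east.describe_stacks(StackName="WMFAENABLEDRULE") 10 | print(stack_status_ap_east) 11 | if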
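stack_status_ap_east["Stacks"][0]["StackStatus"] not in ["CREATE_COMPLETE", "UPDATE_COMPLETE"]: 12 | sys.exit(1) 13 | 14 | cfn_client_us_west = boto3.client("cloudformation", region_name="us-west-1") 15 | stack_status_us_west = cfn_client_us_west.describe_stacks(StackName="WMFAENABLEDRULE") 16 | print(stack_status_us_west) 17 | if stack_status_us_west["Stacks"][0]["StackStatus"] not in ["CREATE_COMPLETE", "UPDATE_COMPLETE"]: 18 | sys.exit(1) 19 | -------------------------------------------------------------------------------- /testing/win_partition_test.py: --------------------------------------------------------------------------------
# Run "rdk init" in every test region of the caller's partition; exit 1 if any run fails.
import boto3
import subprocess
import sys

# Regions exercised per AWS partition.
testing_regions = {
    "aws": ["us-east-1", "ap-southeast-1", "eu-central-1", "sa-east-1"],
    "aws-cn": ["cn-north-1", "cn-northwest-1"],
    "aws-us-gov": ["us-gov-west-1", "us-gov-east-1"],
}
sts_client = boto3.client("sts")
# ARN layout: arn:<partition>:<service>:<region>:<account>:<resource>
arn_array = sts_client.get_caller_identity()["Arn"].split(":")
partition = arn_array[1]
region = arn_array[3]

# Fail with a clear message instead of a KeyError for a partition that has no region list.
if partition not in testing_regions:
    sys.exit(f"No test regions configured for partition {partition!r}")

# IAM/STS identity ARNs normally carry an empty region field; skip it rather
# than launching "rdk -r '' init".
if region and region not in testing_regions[partition]:
    testing_regions[partition].append(region)

# One "rdk init" per region, started in parallel. Argument lists keep the
# region value out of any shell parsing.
subprocesses = [
    subprocess.Popen(["rdk", "-r", target_region, "init"]) for target_region in testing_regions[partition]
]

received_bad_return_code = False

for process in subprocesses:
    process.wait()
    if process.returncode != 0:
        # Output is inherited, not piped, so communicate() would only return
        # (None, None); report which command failed instead.
        print(f"{process.args} exited with {process.returncode}")
        received_bad_return_code = True

if received_bad_return_code:
    sys.exit(1)

-------------------------------------------------------------------------------- /update_rdklib_versions.py: --------------------------------------------------------------------------------
# Refresh rdk/rdklib_versions.yaml with the rdklib-layer version found in each listed region.
import yaml
import boto3

with open("rdk/rdklib_versions.yaml", "r") as f:
    # safe_load only builds plain data types from the file.
    regions = yaml.safe_load(f)

# Every region is resolved before the file is reopened for writing, so a failed
# lookup leaves the existing file untouched.
version_dict = {"rdklib_layer_versions": {}}
for region in regions["rdklib_layer_versions"]:
    lambda_client = boto3.client(
        "lambda",
        config=boto3.session.Config(region_name=region),
    )
    # A bare layer name is looked up in the account behind the current
    # credentials, so the recorded version reflects that account's copy of the layer.
    # NOTE(review): taking the first entry assumes the API lists the newest version first -- confirm.
    layer_versions = lambda_client.list_layer_versions(LayerName="rdklib-layer", MaxItems=1)["LayerVersions"]
    if not layer_versions:
        # Stop with a readable message instead of an IndexError when a region has no published layer.
        raise SystemExit(f"No rdklib-layer version found in {region}; rdk/rdklib_versions.yaml left unchanged")
    version_dict["rdklib_layer_versions"][region] = layer_versions[0]["Version"]

with open("rdk/rdklib_versions.yaml", "w") as f:
    f.write(
        """
# This file should be updated to contain the latest stable Lambda layer from the rdklib SAM application.
# Layers are published to each region, which is why some have more versions than others.
# This file was automatically generated by update_rdklib_versions.py; check for accuracy before deploying.
"""
    )
    f.write(yaml.dump(version_dict))

--------------------------------------------------------------------------------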