A config rule that checks whether whether the ElasticSearch Domains are in VPC and not as a public endpoint.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
CustomConfigRule:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: elasticsearch_in_vpc_only
Description: >-
A config rule that checks whether whether the ElasticSearch Domains are
in VPC and not as a public endpoint.
Scope:
ComplianceResourceTypes:
- 'AWS::::Account'
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier:
'Fn::GetAtt':
- LambdaFunction
- Arn
SourceDetails:
- EventSource: aws.config
MessageType: ScheduledNotification
MaximumExecutionFrequency: TwentyFour_Hours
DependsOn: LambdaInvokePermissions
LambdaInvokePermissions:
Type: 'AWS::Lambda::Permission'
Properties:
FunctionName:
'Fn::GetAtt':
- LambdaFunction
- Arn
Action: 'lambda:InvokeFunction'
Principal: config.amazonaws.com
LambdaFunction:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: LambdaForelasticsearch_in_vpc_only
Handler: index.lambda_handler
Role:
'Fn::GetAtt':
- LambdaIamRole
- Arn
Runtime: python3.6
Code:
S3Bucket:
'Fn::Sub':
- 'asecure-cloud-cf-aux-${Region}'
- Region:
Ref: 'AWS::Region'
S3Key: ELASTICSEARCH_IN_VPC_ONLY.zip
Timeout: 300
DependsOn: LambdaIamRole
LambdaIamRole:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/ReadOnlyAccess'
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Policies: []
RoleName: IAMRoleForelasticsearch_in_vpc_onlyXwv
Parameters: {}
Metadata: {}
Conditions: {}
Configuration Source: AWS Config Rule Repository
Additional Documentation: