You must be logged in to view saved presets
A Config rule that checks that security groups prefixed with "launch-wizard" are not associated with network interfaces.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
CustomConfigRule:
Type: 'AWS::Config::ConfigRule'
Properties:
ConfigRuleName: ec2_launch_wizard_security_group_prohibited
Scope:
ComplianceResourceTypes:
- 'AWS::EC2::NetworkInterface'
Description: A Config rule that checks that security groups prefixed with "launch-wizard" are not associated with network interfaces.
Source:
Owner: CUSTOM_LAMBDA
SourceIdentifier:
'Fn::GetAtt':
- LambdaFunctionCustomConfigRule
- Arn
SourceDetails:
- EventSource: aws.config
MessageType: ConfigurationItemChangeNotification
- EventSource: aws.config
MessageType: OversizedConfigurationItemChangeNotification
DependsOn: LambdaInvokePermissionsCustomConfigRule
LambdaInvokePermissionsCustomConfigRule:
Type: 'AWS::Lambda::Permission'
Properties:
FunctionName:
'Fn::GetAtt':
- LambdaFunctionCustomConfigRule
- Arn
Action: 'lambda:InvokeFunction'
Principal: config.amazonaws.com
LambdaFunctionCustomConfigRule:
Type: 'AWS::Lambda::Function'
Properties:
FunctionName: LambdaForec2_launch_wizard_security_group_prohibited
Handler: index.lambda_handler
Role:
'Fn::GetAtt':
- LambdaIamRoleCustomConfigRule
- Arn
Runtime: python3.9
Code:
ZipFile:
'Fn::Join':
- |+
- - ''
- '# This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)'
- '#'
- '# Description: Check that security groups prefixed with "launch-wizard"'
- '# are not associated with network interfaces.'
- '#'
- '# Trigger Type: Change Triggered'
- '# Scope of Changes: EC2:NetworkInterface'
- '# Accepted Parameters: None'
- ''
- import boto3
- import json
- ''
- ''
- 'APPLICABLE_RESOURCES = ["AWS::EC2::NetworkInterface"]'
- ''
- ''
- 'def evaluate_compliance(configuration_item):'
- ''
- ' # Start as compliant'
- ' compliance_type = ''COMPLIANT'''
- ' annotation = "Resource is compliant."'
- ''
- ' # Check resource for applicability'
- ' if configuration_item["resourceType"] not in APPLICABLE_RESOURCES:'
- ' compliance_type = ''NOT_APPLICABLE'''
- ' annotation = "The rule doesn''t apply to resources of type " + configuration_item["resourceType"] + "."'
- ''
- ' # Iterate over security groups'
- ' for sg in configuration_item[''configuration''][''groups'']:'
- ' if "launch-wizard" in sg[''groupName'']:'
- ' compliance_type = ''NON_COMPLIANT'''
- ' annotation = ''A launch-wizard security group '' ''is attached to '' + configuration_item[''configuration''][''privateIpAddress'']'
- ' break'
- ''
- ' return {'
- ' "compliance_type": compliance_type,'
- ' "annotation": annotation'
- ' }'
- ''
- ''
- 'def lambda_handler(event, context):'
- ''
- ' invoking_event = json.loads(event[''invokingEvent''])'
- ' configuration_item = invoking_event["configurationItem"]'
- ' evaluation = evaluate_compliance(configuration_item)'
- ' config = boto3.client(''config'')'
- ''
- ' print(''Compliance evaluation for %s: %s'' % (configuration_item[''resourceId''], evaluation["compliance_type"]))'
- ' print(''Annotation: %s'' % (evaluation["annotation"]))'
- ''
- ' response = config.put_evaluations('
- ' Evaluations=['
- ' {'
- ' ''ComplianceResourceType'': invoking_event[''configurationItem''][''resourceType''],'
- ' ''ComplianceResourceId'': invoking_event[''configurationItem''][''resourceId''],'
- ' ''ComplianceType'': evaluation["compliance_type"],'
- ' "Annotation": evaluation["annotation"],'
- ' ''OrderingTimestamp'': invoking_event[''configurationItem''][''configurationItemCaptureTime'']'
- ' },'
- ' ],'
- ' ResultToken=event[''resultToken''])'
- ''
Timeout: 300
DependsOn: LambdaIamRoleCustomConfigRule
LambdaIamRoleCustomConfigRule:
Type: 'AWS::IAM::Role'
Properties:
RoleName: IAMRoleForec2_launch_wizard_security_group_prohibitedXvs
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
Service:
- lambda.amazonaws.com
Action:
- 'sts:AssumeRole'
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess'
- 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
- 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
Parameters: {}
Metadata: {}
Conditions: {}