Config Rules

Launch Wizard Security Groups are Not Used Check

A Config rule that checks that security groups prefixed with "launch-wizard" are not associated with network interfaces.

AWS Labs (Github)
Items
4
Size
5.7 KB
# CloudFormation template for a custom AWS Config rule. It defines the rule,
# the Lambda function that evaluates it, the permission that lets AWS Config
# invoke that function, and the function's IAM execution role.
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Resources:
  # Change-triggered custom AWS Config rule, scoped to network interfaces and
  # evaluated by the Lambda function referenced under Source.
  CustomConfigRule:
    Type: "AWS::Config::ConfigRule"
    # Orders creation after the Lambda invoke permission.
    DependsOn: "LambdaInvokePermissionsCustomConfigRule"
    Properties:
      ConfigRuleName: "ec2_launch_wizard_security_group_prohibited"
      Description: 'A Config rule that checks that security groups prefixed with "launch-wizard" are not associated with network interfaces.'
      # Only network interface configuration items are sent to the rule.
      Scope:
        ComplianceResourceTypes: ["AWS::EC2::NetworkInterface"]
      Source:
        Owner: "CUSTOM_LAMBDA"
        SourceIdentifier:
          Fn::GetAtt: ["LambdaFunctionCustomConfigRule", "Arn"]
        # The rule is notified of configuration changes, including the
        # oversized variant of the change notification.
        SourceDetails:
          - MessageType: "ConfigurationItemChangeNotification"
            EventSource: "aws.config"
          - MessageType: "OversizedConfigurationItemChangeNotification"
            EventSource: "aws.config"
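  # Resource-based permission that lets the AWS Config service invoke the
  # rule's Lambda function.
  LambdaInvokePermissionsCustomConfigRule:
    Type: "AWS::Lambda::Permission"
    Properties:
      FunctionName:
        Fn::GetAtt:
          - "LambdaFunctionCustomConfigRule"
          - "Arn"
      Action: "lambda:InvokeFunction"
      Principal: "config.amazonaws.com"
      # Confused-deputy guard: a service principal alone would accept
      # invocations that AWS Config makes on behalf of any account. Only
      # Config rules owned by this account may trigger the function.
      SourceAccount:
        Ref: "AWS::AccountId"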
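  # Lambda function that evaluates each configuration item delivered by AWS
  # Config and reports the verdict back with PutEvaluations.
  LambdaFunctionCustomConfigRule:
    Type: "AWS::Lambda::Function"
    Properties:
      FunctionName: "LambdaForec2_launch_wizard_security_group_prohibited"
      Handler: "index.lambda_handler"
      Role:
        Fn::GetAtt:
          - "LambdaIamRoleCustomConfigRule"
          - "Arn"
      # python3.6 is past end of support: it receives no security patches and
      # Lambda no longer creates functions on it. The handler uses only json
      # and boto3, both available on the current runtime.
      Runtime: "python3.12"
      Code:
        # Inline source as a literal block scalar; Lambda stores it as
        # index.py, which is what Handler refers to.
        ZipFile: |
          # This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)
          #
          # Description: Check that security groups prefixed with "launch-wizard"
          #              are not associated with network interfaces.
          #
          # Trigger Type: Change Triggered
          # Scope of Changes: EC2:NetworkInterface
          # Accepted Parameters: None

          import boto3
          import json


          APPLICABLE_RESOURCES = ["AWS::EC2::NetworkInterface"]

          # Item statuses that carry no configuration to inspect.
          UNEVALUABLE_STATUSES = (
              "ResourceDeleted",
              "ResourceDeletedNotRecorded",
              "ResourceNotRecorded",
          )


          def build_result(compliance_type, annotation):
              return {
                  "compliance_type": compliance_type,
                  "annotation": annotation
              }


          def evaluate_compliance(configuration_item):

              # Out-of-scope resource types are reported and never inspected;
              # their configuration need not contain security groups at all.
              if configuration_item["resourceType"] not in APPLICABLE_RESOURCES:
                  return build_result(
                      'NOT_APPLICABLE',
                      "The rule doesn't apply to resources of type "
                      + configuration_item["resourceType"] + ".")

              # Deleted or unrecorded interfaces have no configuration body.
              configuration = configuration_item.get('configuration')
              status = configuration_item.get('configurationItemStatus')
              if status in UNEVALUABLE_STATUSES or not configuration:
                  return build_result(
                      'NOT_APPLICABLE',
                      "No configuration is recorded for this resource.")

              # Substring match: flags any group whose name contains
              # "launch-wizard", which is wider than a strict prefix check.
              for sg in configuration.get('groups') or []:
                  if "launch-wizard" in sg.get('groupName', ''):
                      return build_result(
                          'NON_COMPLIANT',
                          'A launch-wizard security group is attached to '
                          + str(configuration.get('privateIpAddress')))

              return build_result('COMPLIANT', "Resource is compliant.")


          def load_configuration_item(config, invoking_event):

              # Regular notifications embed the full item. Oversized ones carry
              # only a summary, so the recorded configuration is fetched from
              # AWS Config instead of failing on the missing key.
              if 'configurationItem' in invoking_event:
                  return invoking_event['configurationItem']

              summary = invoking_event['configurationItemSummary']
              history = config.get_resource_config_history(
                  resourceType=summary['resourceType'],
                  resourceId=summary['resourceId'],
                  laterTime=summary['configurationItemCaptureTime'],
                  limit=1)
              recorded = history['configurationItems'][0]

              item = dict(summary)
              raw_configuration = recorded.get('configuration')
              item['configuration'] = json.loads(raw_configuration) if raw_configuration else None
              return item


          def lambda_handler(event, context):

              invoking_event = json.loads(event['invokingEvent'])
              config = boto3.client('config')
              configuration_item = load_configuration_item(config, invoking_event)

              # A resource that left the rule's scope is no longer evaluated.
              if event.get('eventLeftScope'):
                  evaluation = build_result(
                      'NOT_APPLICABLE',
                      "Resource is no longer in the scope of the rule.")
              else:
                  evaluation = evaluate_compliance(configuration_item)

              print('Compliance evaluation for %s: %s' % (configuration_item['resourceId'], evaluation["compliance_type"]))
              print('Annotation: %s' % (evaluation["annotation"]))

              config.put_evaluations(
                  Evaluations=[
                      {
                          'ComplianceResourceType': configuration_item['resourceType'],
                          'ComplianceResourceId': configuration_item['resourceId'],
                          'ComplianceType': evaluation["compliance_type"],
                          'Annotation': evaluation["annotation"],
                          'OrderingTimestamp': configuration_item['configurationItemCaptureTime']
                      },
                  ],
                  ResultToken=event['resultToken'])
      Timeout: 300
    DependsOn: "LambdaIamRoleCustomConfigRule"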
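  # Execution role assumed by the rule's Lambda function.
  LambdaIamRoleCustomConfigRule:
    Type: "AWS::IAM::Role"
    Properties:
      # Fixed role name: the stack must be created with CAPABILITY_NAMED_IAM,
      # and a second copy of this stack in the same account collides on it.
      RoleName: "IAMRoleForec2_launch_wizard_security_group_prohibitedMFV"
      # Trust policy: only the Lambda service may assume this role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "lambda.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      # Least privilege: AmazonEC2ReadOnlyAccess was removed. The function in
      # this template reads the resource state from the AWS Config event and
      # calls only the AWS Config API, so account-wide EC2 read access gave it
      # nothing but extra reach if the function were ever compromised.
      ManagedPolicyArns:
        # Permissions for reporting evaluations to AWS Config.
        - "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole"
        # Permissions for writing the function's logs to CloudWatch Logs.
        - "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
      Policies: []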
# The template takes no parameters and defines no metadata or conditions.
Parameters: {}
Metadata: {}
Conditions: {}
