
The CDK Construct Library for AWS::Config

Project description

AWS Config Construct Library

---

cfn-resources: Stable

All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

cdk-constructs: Developer Preview

The APIs of higher level constructs in this module are in developer preview before they become stable. We will only make breaking changes to address unforeseen API issues. Therefore, these APIs are not subject to Semantic Versioning, and breaking changes will be announced in release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.


This module is part of the AWS Cloud Development Kit project.

Supported:

  • Config rules

Not supported:

  • Configuration recorder
  • Delivery channel
  • Aggregation

Initial Setup

Before using the constructs provided in this module, you need to set up AWS Config in the region you plan on using it in. This setup includes:

  • ConfigurationRecorder: Configure which resources will be recorded for config changes.
  • DeliveryChannel: Configure where to store the recorded data.

The following guides describe how to set up AWS Config:

Rules

AWS managed rules

To set up a managed rule, define a ManagedRule and specify its identifier:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_config import ManagedRule

ManagedRule(self, "AccessKeysRotated",
    identifier="ACCESS_KEYS_ROTATED"
)

Available identifiers and parameters are listed in the List of AWS Config Managed Rules.

Higher level constructs for managed rules are available, see Managed Rules. Prefer to use those constructs when available (PRs welcome to add more of those).

Custom rules

To set up a custom rule, define a CustomRule and specify the Lambda Function to run and the trigger types:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_config import CustomRule

# my_fn is the lambda.Function that evaluates the rule
CustomRule(self, "CustomRule",
    lambda_function=my_fn,
    configuration_changes=True,
    periodic=True
)

Restricting the scope

By default rules are triggered by changes to all resources. Use the scopeToResource(), scopeToResources() or scopeToTag() methods to restrict the scope of both managed and custom rules:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_config import CustomRule, ManagedRule

ssh_rule = ManagedRule(self, "SSH",
    identifier="INCOMING_SSH_DISABLED"
)

# Restrict to a specific security group
ssh_rule.scope_to_resource("AWS::EC2::SecurityGroup", "sg-1234567890abcdefgh")

custom_rule = CustomRule(self, "CustomRule",
    lambda_function=my_fn,
    configuration_changes=True
)

# Restrict to a specific tag
custom_rule.scope_to_tag("Cost Center", "MyApp")

Only one type of scope restriction can be added to a rule (the last call to scopeToXxx() sets the scope).

Events

To define Amazon CloudWatch event rules, use the onComplianceChange() or onReEvaluationStatus() methods:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk import aws_events_targets as targets
from aws_cdk.aws_config import CloudFormationStackDriftDetectionCheck

# topic is an existing sns.Topic
rule = CloudFormationStackDriftDetectionCheck(self, "Drift")
rule.on_compliance_change("TopicEvent",
    target=targets.SnsTopic(topic)
)

Example

Creating custom and managed rules with scope restriction and events:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
# "lambda" is a reserved word in Python, so the module is imported as lambda_
from aws_cdk import aws_config as config, aws_events_targets as targets, aws_lambda as lambda_, aws_sns as sns

# A custom rule that runs on configuration changes of EC2 instances
fn = lambda_.Function(self, "CustomFunction",
    code=lambda_.AssetCode.from_inline("exports.handler = (event) => console.log(event);"),
    handler="index.handler",
    runtime=lambda_.Runtime.NODEJS_10_X
)

custom_rule = config.CustomRule(self, "Custom",
    configuration_changes=True,
    lambda_function=fn
)

custom_rule.scope_to_resource("AWS::EC2::Instance")

# A rule to detect stack drift
drift_rule = config.CloudFormationStackDriftDetectionCheck(self, "Drift")

# Topic for compliance events
compliance_topic = sns.Topic(self, "ComplianceTopic")

# Send notification on compliance change
drift_rule.on_compliance_change("ComplianceChange",
    target=targets.SnsTopic(compliance_topic)
)
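The inline handler above only logs the event. As an added example that is not part of the aws-config module, the following shows the Lambda side of a custom rule (the Custom rules section and this Example): a handler that decodes the event AWS Config sends, handles the periodic trigger and deleted resources, and reports results with PutEvaluations. The requiredTagKey rule parameter and the sample event are this example's own assumptions.

```python
# Added example (not part of the aws-config module): the Lambda side of a CustomRule, i.e. the
# evaluation logic plus the PutEvaluations call. Assumes input_parameters={"requiredTagKey": ...}.
import json

COMPLIANT, NON_COMPLIANT, NOT_APPLICABLE = "COMPLIANT", "NON_COMPLIANT", "NOT_APPLICABLE"

def evaluate(invoking_event: dict, rule_parameters: dict) -> list:
    """Returns the Evaluations list for PutEvaluations without calling AWS."""
    message_type = invoking_event.get("messageType")
    if message_type == "ScheduledNotification":
        # Periodic trigger (periodic=True) carries no configurationItem; a real rule would enumerate resources here.
        return []
    if message_type != "ConfigurationItemChangeNotification":
        raise ValueError(f"unsupported messageType: {message_type}")  # e.g. oversized items
    item = invoking_event["configurationItem"]
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        evaluation["ComplianceType"] = NOT_APPLICABLE  # a deleted resource cannot be non-compliant
        return [evaluation]
    tags = item.get("tags") or {}
    has_tag = bool(tags.get(rule_parameters.get("requiredTagKey")))
    evaluation["ComplianceType"] = COMPLIANT if has_tag else NON_COMPLIANT
    return [evaluation]

def evaluate_event(event: dict) -> list:
    """Decodes the JSON-encoded fields AWS Config places in the Lambda event, then evaluates."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    return evaluate(invoking_event, rule_parameters)

def handler(event, context):
    """Entry point referenced by CustomRule(lambda_function=...)."""
    import boto3  # imported here so evaluate() stays testable without AWS credentials
    evaluations = evaluate_event(event)
    if evaluations:
        boto3.client("config").put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return {"evaluations": len(evaluations)}

# Constructed sample event in the shape AWS Config delivers on a configuration change.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({"messageType": "ConfigurationItemChangeNotification",
                                 "configurationItem": {"resourceType": "AWS::EC2::Instance",
                                                       "resourceId": "i-0123456789abcdef0",
                                                       "configurationItemCaptureTime": "2020-06-01T12:00:00.000Z",
                                                       "tags": {"Name": "web-1"}}}),  # no "Cost Center" tag
    "ruleParameters": json.dumps({"requiredTagKey": "Cost Center"}),
    "resultToken": "constructed-token",
}
```

The Lambda's execution role needs config:PutEvaluations for the handler to report results.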


Download files


Source Distribution

aws-cdk.aws-config-1.46.0.tar.gz (120.9 kB)


Built Distribution


aws_cdk.aws_config-1.46.0-py3-none-any.whl (118.7 kB)


File details

Details for the file aws-cdk.aws-config-1.46.0.tar.gz.

File metadata

  • Download URL: aws-cdk.aws-config-1.46.0.tar.gz
  • Upload date:
  • Size: 120.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.24.0 setuptools/39.0.1 requests-toolbelt/0.9.1 tqdm/4.46.1 CPython/3.6.5

File hashes

Hashes for aws-cdk.aws-config-1.46.0.tar.gz
Algorithm Hash digest
SHA256 6495e6ff60d8b5fce1a9290e9c74f4abf10d88b00b72d90cb3e12d9e191201e5
MD5 64d6ab3f46aded057214cca5d37696be
BLAKE2b-256 92d6ba80e78efd856f9edf8896ef0c068b544ad6331f91545a6e1b877f614b10


File details

Details for the file aws_cdk.aws_config-1.46.0-py3-none-any.whl.

File metadata

  • Download URL: aws_cdk.aws_config-1.46.0-py3-none-any.whl
  • Upload date:
  • Size: 118.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.24.0 setuptools/39.0.1 requests-toolbelt/0.9.1 tqdm/4.46.1 CPython/3.6.5

File hashes

Hashes for aws_cdk.aws_config-1.46.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9b800fd32f4339d1c8a0a37217311176f9f137ce2bbd722cc774553bd25d4c5d
MD5 bd4cde4c13c5b608d6cfc168ed08f456
BLAKE2b-256 8f14f6cb7913a258f6dc30950df026c236da9c09f613b1262dcb35e9b6c9d642

