
The CDK Construct Library for AWS::Config

Project description

AWS Config Construct Library

Feature                                                                                  Stability
CFN Resources                                                                            Stable
Higher level constructs for Config Rules                                                 Developer Preview
Higher level constructs for initial set-up (delivery channel & configuration recorder)   Not Implemented

CFN Resources: All classes with the Cfn prefix in this module (CFN Resources) are always stable and safe to use.

Developer Preview: Higher level constructs in this module that are marked as developer preview have completed their phase of active development and are looking for adoption and feedback. While the same caveats around non-backward compatibility as for Experimental constructs apply, they will undergo fewer breaking changes. Just as with Experimental constructs, these are not subject to the Semantic Versioning model, and breaking changes will be announced in the release notes.


This module is part of the AWS Cloud Development Kit project.

Initial Setup

Before using the constructs provided in this module, you need to set up AWS Config in the region in which it will be used. This setup includes the one-time creation of the following resources per region:

  • ConfigurationRecorder: Configure which resources will be recorded for config changes.
  • DeliveryChannel: Configure where to store the recorded data.

Following are the guides to set up AWS Config:

Rules

AWS managed rules

To set up a managed rule, define a ManagedRule and specify its identifier:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_config import ManagedRule

# `self` is the Stack or Construct the rule is defined in
ManagedRule(self, "AccessKeysRotated",
    identifier="ACCESS_KEYS_ROTATED"
)

Available identifiers and parameters are listed in the List of AWS Config Managed Rules.

Higher level constructs for managed rules are available, see Managed Rules. Prefer to use those constructs when available (PRs welcome to add more of those).

Custom rules

To set up a custom rule, define a CustomRule and specify the Lambda Function to run and the trigger types:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_config import CustomRule

# my_fn is an existing aws_lambda.Function that performs the evaluation
CustomRule(self, "CustomRule",
    lambda_function=my_fn,
    configuration_changes=True,   # evaluate when a recorded resource changes
    periodic=True                 # and also on a schedule
)

Restricting the scope

By default rules are triggered by changes to all resources.

Use the scopeToResource(), scopeToResources() or scopeToTag() APIs (scope_to_resource(), scope_to_resources() and scope_to_tag() in Python) to restrict the scope of both managed and custom rules:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_config import CustomRule, ManagedRule

ssh_rule = ManagedRule(self, "SSH",
    identifier="INCOMING_SSH_DISABLED"
)

# Restrict to a specific security group (placeholder id)
ssh_rule.scope_to_resource("AWS::EC2::SecurityGroup", "sg-1234567890abcdefgh")

# my_fn is an existing aws_lambda.Function
custom_rule = CustomRule(self, "CustomRule",
    lambda_function=my_fn,
    configuration_changes=True
)

# Restrict to resources carrying a specific tag key/value
custom_rule.scope_to_tag("Cost Center", "MyApp")

Only one type of scope restriction can be added to a rule (the last call to scopeToXxx() sets the scope).

Events

To define Amazon CloudWatch event rules, use the onComplianceChange() or onReEvaluationStatus() methods:

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_config import CloudFormationStackDriftDetectionCheck
import aws_cdk.aws_events_targets as targets

# topic is an existing aws_sns.Topic
rule = CloudFormationStackDriftDetectionCheck(self, "Drift")
rule.on_compliance_change("TopicEvent",
    target=targets.SnsTopic(topic)
)

Example

The following example creates a custom rule that runs on configuration changes to EC2 instances and publishes compliance events to an SNS topic.

# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
import aws_cdk.aws_config as config
import aws_cdk.aws_events_targets as targets
import aws_cdk.aws_lambda as lambda_
import aws_cdk.aws_sns as sns

# A custom rule that runs on configuration changes of EC2 instances
fn = lambda_.Function(self, "CustomFunction",
    code=lambda_.AssetCode.from_inline("exports.handler = (event) => console.log(event);"),
    handler="index.handler",
    runtime=lambda_.Runtime.NODEJS_10_X
)

custom_rule = config.CustomRule(self, "Custom",
    configuration_changes=True,
    lambda_function=fn
)

# Without a resource id, every EC2 instance in the region is in scope
custom_rule.scope_to_resource("AWS::EC2::Instance")

# A rule to detect stack drifts
drift_rule = config.CloudFormationStackDriftDetectionCheck(self, "Drift")

# Topic to which compliance notification events will be published
compliance_topic = sns.Topic(self, "ComplianceTopic")

# Send notification on compliance change
drift_rule.on_compliance_change("ComplianceChange",
    target=targets.SnsTopic(compliance_topic)
)
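The examples above leave the custom rule's Lambda as a console.log stub. The following is an added example handler, not code from this module or the page, showing the evaluation side of such a custom rule: it handles both trigger types a CustomRule can enable (configuration changes and periodic), reports NOT_APPLICABLE for deleted resources, and checks that each in-scope EC2 instance carries a "Cost Center" tag (an assumed policy for this example). The list_items callable and the boto3 ConfigService calls in handler() are only needed when deployed; the other functions are pure and run offline.

```python
import json
from typing import Any, Callable, Dict, List

REQUIRED_TAG = "Cost Center"  # assumed policy for this example: every in-scope instance needs this tag
DELETED = ("ResourceDeleted", "ResourceDeletedNotRecorded")

def evaluate(item: Dict[str, Any], ordering_ts: str) -> Dict[str, Any]:
    """Turn one configuration item, as AWS Config delivers it, into one evaluation record."""
    if item.get("configurationItemStatus") in DELETED:
        compliance, note = "NOT_APPLICABLE", "resource deleted"
    elif (item.get("tags") or {}).get(REQUIRED_TAG):
        compliance, note = "COMPLIANT", f"tag '{REQUIRED_TAG}' present"
    else:
        compliance, note = "NON_COMPLIANT", f"tag '{REQUIRED_TAG}' missing"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ordering_ts,  # ISO timestamp supplied by Config
    }

def evaluations_for(event: Dict[str, Any],
                    list_items: Callable[[], List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Handle both trigger types a CustomRule can enable: configuration changes and periodic."""
    invoking = json.loads(event["invokingEvent"])  # Config passes this field as a JSON string
    if invoking["messageType"] == "ConfigurationItemChangeNotification":
        item = invoking["configurationItem"]
        return [evaluate(item, item["configurationItemCaptureTime"])]
    if invoking["messageType"] == "ScheduledNotification":
        # A periodic invocation carries no configurationItem, so the rule must
        # enumerate the in-scope resources itself; list_items is injected for that.
        ts = invoking["notificationCreationTime"]
        return [evaluate(item, ts) for item in list_items()]
    return []  # e.g. OversizedConfigurationItemChangeNotification: nothing decidable here

def handler(event: Dict[str, Any], context: Any) -> int:
    """Lambda entry point: report the evaluations back to AWS Config under the result token."""
    import boto3  # imported here so the pure functions above stay testable without it
    config = boto3.client("config")
    def list_instances() -> List[Dict[str, Any]]:
        found = config.list_discovered_resources(resourceType="AWS::EC2::Instance")
        return [config.get_resource_config_history(
            resourceType=r["resourceType"], resourceId=r["resourceId"], limit=1
        )["configurationItems"][0] for r in found["resourceIdentifiers"]]
    evaluations = evaluations_for(event, list_instances)
    if evaluations:
        config.put_evaluations(Evaluations=evaluations, ResultToken=event["resultToken"])
    return len(evaluations)
```

The rule's execution role needs config:PutEvaluations plus the read calls used in list_instances(); scoping the CustomRule to AWS::EC2::Instance as above keeps change notifications limited to that resource type.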

Project details

Download files

  • Source distribution: aws-cdk.aws-config-1.67.0.tar.gz (102.0 kB)
  • Built distribution: aws_cdk.aws_config-1.67.0-py3-none-any.whl (100.0 kB, Python 3)
