awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

New rule on Elasticache Redis cluster automatic backup enabled #150

Closed santosh-at-github closed 5 years ago

santosh-at-github commented 5 years ago
'''
Rule Name:
  ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

Description:
  Check whether the Amazon ElastiCache Redis clusters have automatic backup turned on. The rule is NON_COMPLIANT if the SnapshotRetentionLimit of an Amazon ElastiCache Redis cluster is 0.

Trigger:
  Periodic

Reports on:
  AWS::ElastiCache::CacheCluster

Rule Parameters:
  snapshotRetentionPeriod
   Optional
   Minimum snapshot retention period in days for Amazon ElastiCache Redis cluster. Default is 15 days.

Scenarios:
  Scenario: 1
     Given: No Amazon ElastiCache Redis cluster in the AWS Account
      Then: Return "NOT_APPLICABLE"
  Scenario: 2
     Given: Parameter snapshotRetentionPeriod is configured
       And: It is not a positive integer greater than 0
      Then: Return an error
  Scenario: 3
     Given: At least 1 Amazon ElastiCache Redis cluster is present
       And: The SnapshotRetentionLimit is set to 0
      Then: Return NON_COMPLIANT with Annotation "Automatic backup not enabled for Amazon ElastiCache cluster {Cluster_ID}"
  Scenario: 4
     Given: At least 1 Amazon ElastiCache Redis cluster is present
       And: The SnapshotRetentionLimit is less than snapshotRetentionPeriod
      Then: Return NON_COMPLIANT with Annotation "Automatic backup retention period for Amazon ElastiCache cluster {Cluster_ID} is less than {snapshotRetentionPeriod} day(s)."
  Scenario: 5
     Given: At least 1 Amazon ElastiCache Redis cluster is present
       And: The SnapshotRetentionLimit is greater than or equal to snapshotRetentionPeriod
      Then: Return COMPLIANT
'''
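The five scenarios above map directly onto a small evaluation routine. The following is an added worked example, not code from the aws-config-rules repository or from the issue author: it takes cache clusters in the shape returned by the ElastiCache DescribeCacheClusters API (constructed sample data, no AWS calls), validates the optional snapshotRetentionPeriod parameter, and produces evaluations in the format a Config rule's Lambda would hand to PutEvaluations. Two details are assumptions: non-Redis engines are filtered out because the rule is scoped to Redis, and the NOT_APPLICABLE result for Scenario 1 is reported against the AWS::::Account resource with an account id the caller supplies from the Config event.

```python
"""Evaluation logic for ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK.

Added example (not repository code). Input is a list of dicts shaped like the
'CacheClusters' element of DescribeCacheClusters; no AWS API is called here.
"""

DEFAULT_RETENTION_DAYS = 15  # default named in the rule's parameter section


def is_positive_integer(raw):
    """True when raw (string or int from rule parameters) is an integer > 0."""
    text = str(raw).strip()
    return text.isdigit() and int(text) > 0


def parse_retention_parameter(rule_parameters):
    """Scenario 2: optional parameter; anything set must be a positive integer.

    rule_parameters is the dict AWS Config passes to the rule (may be empty).
    Returns the retention threshold in days, or raises ValueError.
    """
    raw = rule_parameters.get("snapshotRetentionPeriod")
    if raw is None or str(raw).strip() == "":
        return DEFAULT_RETENTION_DAYS
    if not is_positive_integer(raw):
        raise ValueError("snapshotRetentionPeriod must be a positive integer")
    return int(str(raw).strip())


def evaluate_cluster(cluster, retention_days):
    """Scenarios 3-5 for a single Redis cache cluster.

    Returns (compliance_type, annotation); annotation is None when COMPLIANT.
    A missing SnapshotRetentionLimit is treated as 0 (backups disabled).
    """
    cluster_id = cluster["CacheClusterId"]
    limit = int(cluster.get("SnapshotRetentionLimit", 0))
    if limit == 0:
        return ("NON_COMPLIANT",
                f"Automatic backup not enabled for Amazon ElastiCache cluster {cluster_id}")
    if limit < retention_days:
        return ("NON_COMPLIANT",
                f"Automatic backup retention period for Amazon ElastiCache cluster "
                f"{cluster_id} is less than {retention_days} day(s).")
    return ("COMPLIANT", None)


def evaluate_compliance(cache_clusters, rule_parameters, account_id):
    """Build the evaluation list for one periodic run.

    account_id comes from the Config invoking event in a real rule; it is only
    used for the Scenario 1 NOT_APPLICABLE result (assumption: reported against
    AWS::::Account, as periodic rules commonly do when nothing is in scope).
    """
    retention_days = parse_retention_parameter(rule_parameters)
    # Assumption: only Redis clusters are in scope; memcached has no snapshots.
    redis_clusters = [c for c in cache_clusters if c.get("Engine") == "redis"]
    if not redis_clusters:
        return [{"ComplianceResourceType": "AWS::::Account",
                 "ComplianceResourceId": account_id,
                 "ComplianceType": "NOT_APPLICABLE"}]
    evaluations = []
    for cluster in redis_clusters:
        compliance, annotation = evaluate_cluster(cluster, retention_days)
        evaluation = {"ComplianceResourceType": "AWS::ElastiCache::CacheCluster",
                      "ComplianceResourceId": cluster["CacheClusterId"],
                      "ComplianceType": compliance}
        if annotation:
            evaluation["Annotation"] = annotation
        evaluations.append(evaluation)
    return evaluations


# Constructed sample input covering scenarios 3, 4, 5 and an out-of-scope engine.
SAMPLE_CLUSTERS = [
    {"CacheClusterId": "redis-no-backup", "Engine": "redis", "SnapshotRetentionLimit": 0},
    {"CacheClusterId": "redis-short", "Engine": "redis", "SnapshotRetentionLimit": 7},
    {"CacheClusterId": "redis-ok", "Engine": "redis", "SnapshotRetentionLimit": 30},
    {"CacheClusterId": "memcached-1", "Engine": "memcached"},
]

if __name__ == "__main__":
    # "123456789012" is a constructed placeholder account id.
    for ev in evaluate_compliance(SAMPLE_CLUSTERS, {}, "123456789012"):
        print(ev["ComplianceResourceId"], ev["ComplianceType"], ev.get("Annotation", ""))
```

In a deployed rule the handler would wrap this with the DescribeCacheClusters call (paginating on Marker), add OrderingTimestamp to each evaluation, and let the ValueError from Scenario 2 propagate so the rule invocation fails visibly rather than silently reporting COMPLIANT.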
jongogogo commented 5 years ago

Can you write the scenarios as "The Elasticache Redis cluster has automatic backup enabled" not "All ...". It is because you report on individual resources. You would write "One or more..." if you were reporting on AWS::::Account.

Scenario 1 needs to report COMPLIANT

You need another Scenario if there is no Cluster, reporting NOT_APPLICABLE

santosh-at-github commented 5 years ago

Gherkin has been updated as per above suggestion.

jongogogo commented 5 years ago

Updated:

Idea: Since you mention 0, it is probably worth having an optional parameter that allows configuring a target number of days, with 90 days by default. What do you think?

santosh-at-github commented 5 years ago

Thank you for making those changes.

Using a parameter for the snapshot retention period is a good idea; however, I think its default value of 90 days will be too long. Would a 15-day default snapshot retention period be fine?

jongogogo commented 5 years ago

Good to go!