awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

New Rule: EC2_INFRASTRUCTURE_TAG_MATCHING #336

Open fuellbie opened 3 years ago

fuellbie commented 3 years ago

Feedback would be appreciated. Once this is approved, I will finalize the pull request.

Description
   Compares the tags of the EC2 instance and the related resources (VPC, SecurityGroups, ENIs, Subnet and Volumes). The rule parameters define which tag will be compared (TagName) and which infrastructure resources will be evaluated.

Trigger
   Configuration Change on AWS::EC2::Instance

Reports on:
   AWS::EC2::Instance

Rule Parameters:
   TagName (mandatory):
      The name of the Tag which is compared.
   VPC (mandatory):
      True/False - If True, the value of Tag "TagName" attached to this resource is compared to the value of the same Tag on the EC2 instance. If False, this resource is ignored for the evaluation.
   SecurityGroups (optional):
      True/False - If True, the value of Tag "TagName" attached to this resource is compared to the value of the same Tag on the EC2 instance. If False, this resource is ignored for the evaluation.
   ENIs (optional):
      True/False - If True, the value of Tag "TagName" attached to this resource is compared to the value of the same Tag on the EC2 instance. If False, this resource is ignored for the evaluation.
   Subnet (optional):
      True/False - If True, the value of Tag "TagName" attached to this resource is compared to the value of the same Tag on the EC2 instance. If False, this resource is ignored for the evaluation.
   Volumes (optional):
      True/False - If True, the value of Tag "TagName" attached to this resource is compared to the value of the same Tag on the EC2 instance. If False, this resource is ignored for the evaluation.

Scenarios:
  Scenario 1:
  Given: EC2 instance not tagged with "TagName".
   Then: Return NOT_APPLICABLE

  Scenario 2:
  Given: Resource is not tagged with "TagName"
  And:    Rule Parameter for this Resource is set to "True"
   Then: Return NON_COMPLIANT

  Scenario 3:
  Given: Resource is not tagged with "TagName"
  And:    Rule Parameter for this Resource is set to "False"
   Then: Return COMPLIANT

  Scenario 4:
  Given: Resource Tag and EC2 Tag do not match
  And:   Rule Parameter for this Resource is set to "True"
   Then: Return NON_COMPLIANT

  Scenario 5:
  Given: Resource Tag and EC2 Tag do not match
  And:   Rule Parameter for this Resource is set to "False"
   Then: Return COMPLIANT

  Scenario 6:
  Given: Resource Tag and EC2 Tag do match
  And:   Rule Parameter for this Resource is set to "True"
   Then: Return COMPLIANT
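The scenario table above maps directly onto a small evaluation function. The following is an added illustration of that logic, not code from this pull request or from the aws-config-rules project. It assumes the rule parameters arrive as strings ("True"/"False"), as AWS Config delivers them, and that the related resources and their tags have already been looked up (a real rule would fetch them through the EC2 API from the instance's configuration item) and are passed in as plain dicts; the sample instance and resource data at the bottom is constructed for the example.

```python
"""Evaluation logic for the proposed EC2_INFRASTRUCTURE_TAG_MATCHING rule.

Added illustration, not the PR's or the project's code. Rule parameters are
strings, related resources are pre-fetched and passed in as dicts.
"""

# Rule parameter -> related resource type it switches on or off.
# VPC is mandatory in the proposal; the others default to "False" when absent.
PARAM_TO_RESOURCE = {
    "VPC": "AWS::EC2::VPC",
    "SecurityGroups": "AWS::EC2::SecurityGroup",
    "ENIs": "AWS::EC2::NetworkInterface",
    "Subnet": "AWS::EC2::Subnet",
    "Volumes": "AWS::EC2::Volume",
}

# AWS Config rejects evaluation annotations longer than 256 characters.
MAX_ANNOTATION = 256


def parse_parameters(rule_parameters):
    """Validate the rule parameters.

    Returns (tag_name, {resource_type: enabled}). Raises ValueError when a
    mandatory parameter is missing or a value is not True/False, so a
    misconfigured rule fails loudly instead of silently evaluating nothing.
    """
    tag_name = str(rule_parameters.get("TagName", "")).strip()
    if not tag_name:
        raise ValueError("TagName is mandatory")
    if "VPC" not in rule_parameters:
        raise ValueError("VPC is mandatory")
    enabled = {}
    for param, resource_type in PARAM_TO_RESOURCE.items():
        raw = str(rule_parameters.get(param, "False")).strip().lower()
        if raw not in ("true", "false"):
            raise ValueError(f"{param} must be True or False, got {raw!r}")
        enabled[resource_type] = raw == "true"
    return tag_name, enabled


def evaluate(instance_tags, related_resources, rule_parameters):
    """Return (compliance_type, annotation) for a single EC2 instance.

    instance_tags:     {tag_key: tag_value} of the evaluated instance
    related_resources: {resource_type: [(resource_id, {tag_key: tag_value}), ...]}
    rule_parameters:   dict of string values as delivered by AWS Config
    """
    tag_name, enabled = parse_parameters(rule_parameters)

    # Scenario 1: the instance itself has no such tag -> nothing to compare.
    if tag_name not in instance_tags:
        return "NOT_APPLICABLE", f"Instance has no tag {tag_name!r}"
    expected = instance_tags[tag_name]

    mismatches = []
    for resource_type, resources in related_resources.items():
        # Scenarios 3 and 5: resource types switched off are ignored entirely.
        if not enabled.get(resource_type, False):
            continue
        for resource_id, tags in resources:
            if tag_name not in tags:
                # Scenario 2: enabled resource lacks the tag.
                mismatches.append(f"{resource_id} missing {tag_name!r}")
            elif tags[tag_name] != expected:
                # Scenario 4: enabled resource carries a different value.
                mismatches.append(
                    f"{resource_id} has {tags[tag_name]!r}, expected {expected!r}")

    if mismatches:
        return "NON_COMPLIANT", "; ".join(mismatches)[:MAX_ANNOTATION]
    # Scenario 6 (and the trivial case where no resource type is enabled).
    return "COMPLIANT", f"All evaluated resources carry {tag_name}={expected!r}"


# Constructed sample data, standing in for what DescribeVpcs /
# DescribeSecurityGroups / DescribeSubnets / DescribeVolumes would return.
SAMPLE_INSTANCE_TAGS = {"Name": "web-1", "CostCenter": "4711"}
SAMPLE_RELATED = {
    "AWS::EC2::VPC": [("vpc-0a1b", {"CostCenter": "4711"})],
    "AWS::EC2::SecurityGroup": [
        ("sg-0001", {"CostCenter": "4711"}),
        ("sg-0002", {}),  # untagged security group
    ],
    "AWS::EC2::Subnet": [("subnet-0c2d", {"CostCenter": "9999"})],  # wrong value
    "AWS::EC2::Volume": [("vol-0e3f", {"CostCenter": "4711"})],
}

if __name__ == "__main__":
    for params in (
        {"TagName": "CostCenter", "VPC": "True"},
        {"TagName": "CostCenter", "VPC": "True", "SecurityGroups": "True"},
        {"TagName": "CostCenter", "VPC": "True", "Subnet": "True"},
    ):
        print(params, "->", evaluate(SAMPLE_INSTANCE_TAGS, SAMPLE_RELATED, params))
```

Two details worth keeping when this becomes a real rule: the annotation is truncated to Config's 256-character limit so a noisy instance with many mismatching volumes or ENIs does not make `PutEvaluations` fail, and the optional parameters default to "False" rather than being treated as unset, which is what scenarios 3 and 5 require.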