AWS Config
AWS Config checks .
```yaml
apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: exec-check
spec:
  interval: 30
  awsConfig:
    - description: "Check the config"
      name: config check
      query: "SELECT * FROM aws_config_rule"
```

| Field | Description | Scheme | Required |
|---|---|---|---|
| `query` | The SQL query SELECT command | string | true |
| `aggregatorName` | Specify the name of the configuration aggregator | string | |
| `*` | All other common fields | Common | |
| Connection | | | |
| `connection` | Path of existing connection e.g. `connection://aws/instance`. Mutually exclusive with `accessKey`, `secretKey` | Connection | |
| `accessKey` | Mutually exclusive with `connection` | EnvVar | Yes |
| `secretKey` | Mutually exclusive with `connection` | EnvVar | Yes |
| `endpoint` | Custom AWS endpoint | string | |
| `region` | AWS region | string | |
| `skipTLSVerify` | Skip TLS verify when connecting to AWS | bool | |

Connecting to AWS
There are 3 options when connecting to AWS:

- An AWS instance profile or pod identity (the default if no `connection` or `accessKey` is specified)

  aws-config.yaml

  ```yaml
  apiVersion: canaries.flanksource.com/v1
  kind: Canary
  metadata:
    name: aws-config-rule
  spec:
    interval: 30
    awsConfig:
      - name: AWS Config check
        query: "SELECT * FROM aws_config_rule"
  ```

- `connection`: this is the recommended method, connections are reusable and secure

  aws-connection.yaml

  ```yaml
  apiVersion: canaries.flanksource.com/v1
  kind: Canary
  metadata:
    name: aws-config-rule
  spec:
    interval: 30
    awsConfig:
      - name: AWS Config check
        connection: connection://aws/internal
        query: "SELECT * FROM aws_config_rule"
  ```

- `accessKey` and `secretKey` EnvVar with the credentials stored in a secret

  aws-static.yaml

  ```yaml
  apiVersion: canaries.flanksource.com/v1
  kind: Canary
  metadata:
    name: aws-config-rule
  spec:
    interval: 30
    awsConfig:
      - accessKey:
          valueFrom:
            secretKeyRef:
              name: aws-credentials
              key: AWS_ACCESS_KEY_ID
        secretKey:
          valueFrom:
            secretKeyRef:
              name: aws-credentials
              key: AWS_SECRET_ACCESS_KEY
        region: us-east-1
        name: AWS Config check
        query: "SELECT * FROM aws_config_rule"
  ```
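
The connection rules in the field table can be checked before a manifest is applied. The following is an added example, not code from the canary-checker project: `lint_aws_config` is a hypothetical helper that takes an already-parsed Canary manifest as a dict, and the literal `value` form in the bad sample is a constructed, assumed way of writing a credential inline.

```python
def lint_aws_config(canary):
    """Return (check name, finding) tuples for risky spec.awsConfig entries."""
    findings = []
    checks = (canary.get("spec") or {}).get("awsConfig") or []
    for i, check in enumerate(checks):
        name = check.get("name", f"awsConfig[{i}]")
        static = [k for k in ("accessKey", "secretKey") if k in check]
        # The field table marks connection as mutually exclusive with static keys.
        if "connection" in check and static:
            findings.append((name, "connection set together with " + "/".join(static)))
        # A lone accessKey or secretKey is an incomplete credential pair.
        if len(static) == 1:
            findings.append((name, f"{static[0]} set without its counterpart"))
        # The page stores credentials in a secret via valueFrom.secretKeyRef;
        # anything else (such as a literal in the manifest) is flagged.
        for key in static:
            env = check[key]
            ref = (env.get("valueFrom") or {}).get("secretKeyRef") if isinstance(env, dict) else None
            if not ref:
                findings.append((name, f"{key} is not read from a secretKeyRef"))
        # skipTLSVerify turns off certificate validation for the AWS endpoint.
        if check.get("skipTLSVerify") is True:
            findings.append((name, "skipTLSVerify is enabled"))
    return findings

# Constructed sample mirroring the page's aws-static.yaml.
GOOD = {"spec": {"awsConfig": [{
    "name": "AWS Config check",
    "accessKey": {"valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": "AWS_ACCESS_KEY_ID"}}},
    "secretKey": {"valueFrom": {"secretKeyRef": {"name": "aws-credentials", "key": "AWS_SECRET_ACCESS_KEY"}}},
    "region": "us-east-1",
    "query": "SELECT * FROM aws_config_rule",
}]}}

# Constructed sample with several problems; the literal "value" form is an assumption.
BAD = {"spec": {"awsConfig": [{
    "name": "bad check",
    "connection": "connection://aws/internal",
    "accessKey": {"value": "PLACEHOLDER-NOT-A-REAL-KEY"},
    "skipTLSVerify": True,
    "query": "SELECT * FROM aws_config_rule",
}]}}

if __name__ == "__main__":
    for check_name, finding in lint_aws_config(BAD):
        print(f"{check_name}: {finding}")
```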