forked from davidclin/cloudcustodian-policies
-
Notifications
You must be signed in to change notification settings - Fork 0
/
public-instance-audit.yml
48 lines (48 loc) · 1.34 KB
/
public-instance-audit.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
policies:
- name: public-instance-audit
resource: ec2
description: |
Cloud Custodian Public Instance Audit
comments: |
Retrieve list of all instances that
- are not in whitelist
- attached to a public subnet
- have public IP address
mode:
type: ec2-instance-state
role: arn:aws:iam::1234567890:role/CloudCustodian
events:
- pending
filters:
- not:
- type: value
key: "tag:Name"
value: (david-VPN|davidi-Bastion)
op: regex
- or:
- type: subnet
key: "tag:Name"
op: regex
value: ".*pub"
- type: value
key: "PublicIpAddress"
value: not-null
- and:
- type: value
key: VpcId
value: vpc-12345678
actions:
- type: notify
template: public-instance-audit.html
slack_template: slack-public-instance-audit
template_format: 'html'
priority_header: '5'
subject: 'Security Audit: Public EC2 Instance Launched'
to:
- <your-email-address-goes-here>
- slack://#<slack-channel>
owner_absent_contact:
- <your-email-address-goes-here>
transport:
type: sqs
queue: https://sqs.us-east-1.amazonaws.com/1234567890/cloud-cloudcustodian