I have a requirement to deploy config rules conditionally based on certain parameters. Here below is one
config.ManagedRule(self, "AccessKeysRotated",
identifier=config.ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
input_parameters={
"max_access_key_age": 60
},
maximum_execution_frequency=config.MaximumExecutionFrequency.TWELVE_HOURS
)
Here below is another one
config.ManagedRule(self, "S3BucketLogging",
identifier=config.ManagedRuleIdentifiers.S3_BUCKET_LOGGING_ENABLED,
config_rule_name="S3BucketLogging"
)
The managed rule identifiers are in the hundreds. I don't want to have all of these in one big file but each rule stored in a separate file. I can then read off a dynamodb where I store the account name and a csv list of rules that pertain to that account. Each item in the csv can be a single file which has a single rule. Is there a way to do this?
Sure. Create a aws_config_stack, which you deploy once per account/region pair.
In the constructor, get the environment's rule names from DynamoDB with a get_item SDK call. The boto3 command gets called at synth-time, which is keeping with CDK best practices.
Define the rules in whatever files you want. Wrap each rule in a function that accepts a scope and returns the rule:
# make_access_keys_rotated_rule.py
# One function per ManagedRule. Add to the rule dictionary. Called by `make_rule`
def make_access_keys_rotated_rule(scope: Construct) -> config.ManagedRule:
return config.ManagedRule(scope, "AccessKeysRotated",
identifier=config.ManagedRuleIdentifiers.ACCESS_KEYS_ROTATED,
input_parameters={
"max_access_key_age": 60
},
maximum_execution_frequency=config.MaximumExecutionFrequency.TWELVE_HOURS
)
Add each rule function to a dictionary, where the keys are the rule name. Perhaps add the dictionary lookup logic to a method in your aws_config_stack subclass. A make_rule method looks up the rule-making function by name and executes it, adding a single rule to the stack.
# aws_config_stack.py method
# Look up and execute a ManagedRule function by rule name. Called in the constructor.
def make_rule(self: Construct, rule_name: str) -> config.ManagedRule:
rule_dict = {
"AccessKeysRotated": make_access_keys_rotated_rule
}
return rule_dict[rule_name](self)
Finally, in the stack constructor, call make_rule for every name in the rule-name list from DynamoDB.
# aws_config_stack.py constructor
rules: list[config.ManagedRule] = [self.make_rule(r) for r in rule_names_from_dynamo]
After synth, a cdk diff should reveal rules being added and deleted from the stack to match the list from DynamoDB.
P.S. Optionally add the Delivery Channel (CfnDeliveryChannel + Bucket) resources and Configuration Recorder (CfnConfigurationRecorder + Role) resources to the same stack to have the CDK fully manage the AWS Config resources.