Rule Config
Allows to overwrite the default behaviour of the rule, such as changing the rule mode and risk value. It accepts a more granular configuration using the filter.
class RuleConfig(BaseModel): rule_mode: Optional[RuleMode] = None risk_value: Optional[RuleRisk] = None filters: List[Filter] = []
Filters¶
When adding a failure or warning it will check if there is a filter that matches the current context and set the new risk or mode. Context depends on each rule and is available inside each rule's documentation. The object accepts a reason parameter to say why that filter exists.
class Filter(BaseModel): reason: str = "" eval: Union[Dict, Callable] rule_mode: Optional[RuleMode] = None risk_value: Optional[RuleRisk] = None @validator("eval", pre=True) def set_eval(cls, eval): return build_evaluator(eval) def __call__(self, **kwargs): return self.eval(kwargs)
Warning
Only available for the following rules:
- Not supported yet
Filter preference¶
Following the cascade style, takes preference always the last value set following this structure:
Rule Standard -> Rule Config -> Filter #1 -> ... -> Filter #N
Implemented filter functions¶
Function | Description | Example |
---|---|---|
eq |
Same as a == b | {"eq": ["string", "string"]} |
ne |
Same as a != b | {"ne": ["string", "not_that_string"]} |
lt |
Same as a < b | {"lt": [0, 1]} |
gt |
Same as a > b | {"gt": [1, 0]} |
le |
Same as a <= b | {"le": [1, 1]} |
ge |
Same as a >= b | {"ge": [1, 1]} |
not |
Same as not a | {"not": True} |
or |
True if any arg is True | {"or": [False, True]} |
and |
True if all args are True | {"and": [True, True]} |
in |
Same as a in b | {"in": ["b", ["a", "b"]]} |
regex |
True if b match pattern a | {"regex": [r"^\d+$", "5"]} |
ref |
Get the value at any depth of the context based on the path described by a. | {"ref": "param_a.param_b"} |
Examples¶
Disable the rule if the role name is prefixed with sandbox-
and the principal equals arn:aws:iam::123456789012:role/test-role
.
Filter( reason="", rule_mode=RuleMode.DISABLED, eval={ "and": [ {"regex": ["^sandbox-.*$", {"ref": "resource.Properties.RoleName"}]}, {"eq": [{"ref": "principal"}, "arn:aws:iam::123456789012:role/test-role"]}, ] }, )