
Rule Config

Allows overriding a rule's default behaviour, such as changing its rule mode and risk value. A more granular configuration is possible through filters.

from cfripper.config.filter import Filter
from cfripper.model.enums import RuleMode, RuleRisk
from pydantic import BaseModel
from typing import List, Optional
class RuleConfig(BaseModel):
    rule_mode: Optional[RuleMode] = None   # overrides the rule's default mode
    risk_value: Optional[RuleRisk] = None  # overrides the rule's default risk value
    filters: List[Filter] = []             # evaluated in order against the rule's context


When a rule adds a failure or warning, it checks whether any filter matches the current context and, if so, applies that filter's risk value or mode. The context depends on the rule and is described in each rule's documentation. The object accepts a reason parameter explaining why that filter exists.

from cfripper.config.logic_operators import build_evaluator  # compiles the dict DSL (table below) into a callable
from cfripper.model.enums import RuleMode, RuleRisk
from pydantic import BaseModel, validator
from typing import Callable, Dict, Optional, Union

class Filter(BaseModel):
    reason: str = ""                       # why this exception exists; keeps the override auditable
    eval: Union[Dict, Callable]            # dict expression (see the table below) or a ready-made callable
    rule_mode: Optional[RuleMode] = None   # mode applied when the filter matches
    risk_value: Optional[RuleRisk] = None  # risk value applied when the filter matches

    @validator("eval", pre=True)
    def set_eval(cls, eval):
        # runs before type validation, so a dict expression is compiled into a callable
        return build_evaluator(eval)

    def __call__(self, **kwargs):
        # the rule passes its context (e.g. resource=..., principal=...) as keyword arguments
        return self.eval(kwargs)


Filters are only available for the following rules:

  • CrossAccountCheckingRule
  • CrossAccountTrustRule
  • EC2SecurityGroupIngressOpenToWorldRule
  • EC2SecurityGroupMissingEgressRule
  • EC2SecurityGroupOpenToWorldRule
  • KMSKeyCrossAccountTrustRule
  • S3CrossAccountTrustRule
  • WildcardResourceRule

Filter preference

Following a cascade style, the last value set always takes precedence, in this order:

Rule Standard -> Rule Config -> Filter #1 -> ... -> Filter #N

Implemented filter functions

| Function | Description | Example |
|---|---|---|
| eq | Same as a == b | {"eq": ["string", "string"]} |
| ne | Same as a != b | {"ne": ["string", "not_that_string"]} |
| lt | Same as a < b | {"lt": [0, 1]} |
| gt | Same as a > b | {"gt": [1, 0]} |
| le | Same as a <= b | {"le": [1, 1]} |
| ge | Same as a >= b | {"ge": [1, 1]} |
| not | Same as not a | {"not": True} |
| or | True if any argument is True | {"or": [False, True]} |
| and | True if all arguments are True | {"and": [True, True]} |
| in | Same as a in b | {"in": ["b", ["a", "b"]]} |
| regex | True if b matches pattern a (case sensitive) | {"regex": [r"^\d+$", "5"]} |
| regex:ignorecase | True if b matches pattern a (case insensitive) | {"regex:ignorecase": [r"^AA$", "aa"]} |
| exists | True if a is not None | {"exists": None} |
| empty | True if len(a) equals 0 | {"empty": []} |
| ref | Gets the value at any depth of the context, following the path described by a | {"ref": "param_a.param_b"} |


Example: disable the rule if the role name is prefixed with sandbox- and the principal equals arn:aws:iam::123456789012:role/test-role. The filter's eval expression is:

{
    "and": [
        {"regex": ["^sandbox-.*$", {"ref": "resource.Properties.RoleName"}]},
        {"eq": [{"ref": "principal"}, "arn:aws:iam::123456789012:role/test-role"]},
    ]
}