Scope By Resource Tags
tony-caffe opened this issue · 0 comments
Hi,
As you all know, PCI is either in scope or not in scope. I would love to use this template PCI conformance pack all in the Console, but the console doesn't give me the option to add a Scope of resources, and more specifically ones I tag as 'in scope' for PCI.
Here is an example of the first rule in your conformance pack. I added the scope, and it registers great in the console, which now even displays the scope. The only way to force this is to add a Scope: section for every resource listed in the YAML, as well as having to fork it and upload a custom one.
```yaml
Parameters:
  AccessKeysRotatedParamMaxAccessKeyAge:
    Default: '90'
    Type: String
Resources:
  AccessKeysRotated:
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge:
          Fn::If:
            - accessKeysRotatedParamMaxAccessKeyAge
            - Ref: AccessKeysRotatedParamMaxAccessKeyAge
            - Ref: AWS::NoValue
      # Added by hand: evaluate only resources carrying the tag
      # "Compliance Framework" = "PCI"; untagged resources are not evaluated.
      Scope:
        TagKey: Compliance Framework
        TagValue: PCI
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
    Type: AWS::Config::ConfigRule
Conditions:
  # True when the parameter is non-empty, so the Fn::If above passes it through.
  accessKeysRotatedParamMaxAccessKeyAge:
    Fn::Not:
      - Fn::Equals:
          - ''
          - Ref: AccessKeysRotatedParamMaxAccessKeyAge
```
Two suggestions:

- Add the ability to add a custom scope to any rule/conformance pack by tags, as they are super powerful and make it easy to mark up resources, as we all know.
- Make a default scope in the YAML instead of making me 'reuse' code on every single resource, and only update a resource when it needs to overwrite or add to the tag I have in global scope.
I went to AWS Summit NYC this week and learned about AWS Config for this purpose and I wish I knew this was a current limitation as I could have brought it up there.
Thank you!
Anthony Affee
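Added example (not code from this issue or from the aws-config-rules project): one way to get the "default scope with per-rule override" behaviour the second suggestion asks for, as a pre-processing step over the parsed template before it is uploaded. The template is handled as a plain dict (the JSON shape of a CloudFormation/conformance pack template; parsing YAML with PyYAML and dumping it back is left out to keep this stdlib-only). The sample template, the `PCI-CDE` override value and the `RestrictedSsh` rule are constructed for the demo. Keys a rule already sets in its own `Scope` win over the default, so a rule can narrow or replace the global tag scope without every rule repeating it. Note the validation: AWS Config rejects a `Scope` with `TagValue` but no `TagKey`, and any resource that lacks the tag is simply not evaluated, so tag hygiene becomes part of the control.

```python
"""Inject a default AWS::Config::ConfigRule Scope into every rule of a
conformance pack template, letting individual rules override it.

Added example, not code from the aws-config-rules project. The template is
handled as a parsed dict (JSON-shaped CloudFormation); the sample template
below is constructed for this demo.
"""
import copy
import json

CONFIG_RULE_TYPE = "AWS::Config::ConfigRule"

# Default scope for the whole pack (tag key/value taken from the issue).
DEFAULT_SCOPE = {"TagKey": "Compliance Framework", "TagValue": "PCI"}

# Constructed sample: the issue's rule without a Scope, plus a second rule
# that overrides only the tag value (hypothetical "PCI-CDE" tag value).
SAMPLE_TEMPLATE = {
    "Parameters": {
        "AccessKeysRotatedParamMaxAccessKeyAge": {"Default": "90", "Type": "String"}
    },
    "Conditions": {
        "accessKeysRotatedParamMaxAccessKeyAge": {
            "Fn::Not": [
                {"Fn::Equals": ["", {"Ref": "AccessKeysRotatedParamMaxAccessKeyAge"}]}
            ]
        }
    },
    "Resources": {
        "AccessKeysRotated": {
            "Type": CONFIG_RULE_TYPE,
            "Properties": {
                "ConfigRuleName": "access-keys-rotated",
                "InputParameters": {
                    "maxAccessKeyAge": {
                        "Fn::If": [
                            "accessKeysRotatedParamMaxAccessKeyAge",
                            {"Ref": "AccessKeysRotatedParamMaxAccessKeyAge"},
                            {"Ref": "AWS::NoValue"},
                        ]
                    }
                },
                "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"},
            },
        },
        "RestrictedSsh": {
            "Type": CONFIG_RULE_TYPE,
            "Properties": {
                "ConfigRuleName": "restricted-ssh",
                # Rule-level override: keep the default TagKey, narrow the value.
                "Scope": {"TagValue": "PCI-CDE"},
                "Source": {"Owner": "AWS", "SourceIdentifier": "INCOMING_SSH_DISABLED"},
            },
        },
    },
}


def is_valid_scope(scope):
    """AWS Config refuses a Scope that sets TagValue without TagKey."""
    return not ("TagValue" in scope and "TagKey" not in scope)


def apply_default_scope(template, default_scope):
    """Return a deep copy of template with default_scope merged into every
    Config rule. Keys the rule already sets override the default."""
    if not is_valid_scope(default_scope):
        raise ValueError("default Scope.TagValue requires Scope.TagKey")
    out = copy.deepcopy(template)  # never mutate the caller's template
    for resource in out.get("Resources", {}).values():
        if resource.get("Type") != CONFIG_RULE_TYPE:
            continue  # e.g. AWS::Config::RemediationConfiguration is left alone
        props = resource.setdefault("Properties", {})
        merged = {**default_scope, **props.get("Scope", {})}
        if not is_valid_scope(merged):
            raise ValueError(f"invalid merged Scope for {props.get('ConfigRuleName')}")
        props["Scope"] = merged
    return out


def scoped_rules(template):
    """Map logical ID -> Scope for each Config rule (for review/assertions)."""
    return {
        lid: r.get("Properties", {}).get("Scope")
        for lid, r in template.get("Resources", {}).items()
        if r.get("Type") == CONFIG_RULE_TYPE
    }


if __name__ == "__main__":
    print(json.dumps(apply_default_scope(SAMPLE_TEMPLATE, DEFAULT_SCOPE), indent=2))
```

Run it and diff the printed template against the original: every `AWS::Config::ConfigRule` now carries the PCI tag scope, `RestrictedSsh` keeps its narrower tag value, and non-rule resources are untouched. The output is JSON, which CloudFormation accepts directly; convert with PyYAML if the YAML form is preferred for the fork.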