AWS Config

AWS Config checks .

    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: exec-check
    spec:
      interval: 30
      awsConfig:
        - description: "Check the config"
          name: config check
          query: "SELECT * FROM aws_config_rule"

| Field | Description | Scheme | Required |
| --- | --- | --- | --- |
| query | The SQL query SELECT command | string | true |
| aggregatorName | Specify the name of the configuration aggregator | string | |
| name | Name of the check, must be unique within the canary | string | Yes |
| description | Description for the check | string | |
| icon | Icon for overwriting default icon on the dashboard | string | |
| labels | Labels for check | map[string]string | |
| test | Evaluate whether a check is healthy | Expression | |
| display | Expression to change the formatting of the display | Expression | |
| transform | Transform data from a check into multiple individual checks | Expression | |
| metrics | Metrics to export from | []Metrics | |

Connection

| Field | Description | Scheme | Required |
| --- | --- | --- | --- |
| connection | Path of existing connection e.g. connection://aws/instance | Connection | |
| accessKey | Mutually exclusive with connection | EnvVar | Yes |
| secretKey | Mutually exclusive with connection | EnvVar | Yes |
| endpoint | Custom AWS endpoint | string | |
| region | AWS region | string | |
| skipTLSVerify | Skip TLS verify when connecting to AWS | bool | |

Connecting to AWS

There are 3 options when connecting to AWS:

  1. An AWS instance profile or pod identity (the default if no connection or accessKey is specified)

    aws-config.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfig:
        - name: AWS Config check
          query: "SELECT * FROM aws_config_rule"
  2. connection: this is the recommended method, because connections are reusable and secure

    aws-connection.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfig:
        - name: AWS Config check
          connection: connection://aws/internal
          query: "SELECT * FROM aws_config_rule"
  3. accessKey and secretKey EnvVar with the credentials stored in a secret

    aws-static.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfig:
        - accessKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_ACCESS_KEY_ID
          secretKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_SECRET_ACCESS_KEY
          region: us-east-1
          name: AWS Config check
          query: "SELECT * FROM aws_config_rule"
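
The three connection options and the field table above can be checked mechanically before a manifest is applied. The following is an added example, not code from the canary-checker project: a small linter over a Canary manifest that has already been parsed into a dict. The function names, the finding strings, the sample manifest, and the assumption that an EnvVar can carry a literal `value` are all introduced here.

```python
def auth_mode(check):
    """Classify which of the three documented connection options a check uses."""
    if "connection" in check:
        return "connection"
    if "accessKey" in check or "secretKey" in check:
        return "static"
    return "instance-profile"  # default when neither is specified


def lint_canary(manifest):
    """Return (check name, finding) tuples for the awsConfig checks of one Canary."""
    findings, seen = [], set()
    for check in manifest.get("spec", {}).get("awsConfig", []):
        name = check.get("name", "<unnamed>")
        if name in seen:  # names must be unique within the canary
            findings.append((name, "duplicate name"))
        seen.add(name)
        if not check.get("query"):
            findings.append((name, "missing query"))
        keys = [f for f in ("accessKey", "secretKey") if f in check]
        if keys and "connection" in check:  # mutually exclusive per the table
            findings.append((name, "connection combined with static keys"))
        if len(keys) == 1:
            findings.append((name, "accessKey/secretKey not set together"))
        for field in keys:
            # Assumption: an EnvVar may carry a literal `value`; that puts the
            # credential in the manifest instead of behind a secretKeyRef.
            if isinstance(check[field], dict) and "value" in check[field]:
                findings.append((name, f"{field} inline value"))
        if check.get("skipTLSVerify") is True:
            findings.append((name, "skipTLSVerify enabled"))
    return findings


# Constructed sample, not from the page: one clean check, one with problems.
SAMPLE = {
    "apiVersion": "canaries.flanksource.com/v1",
    "kind": "Canary",
    "metadata": {"name": "aws-config-rule"},
    "spec": {"interval": 30, "awsConfig": [
        {"name": "rules", "connection": "connection://aws/internal",
         "query": "SELECT * FROM aws_config_rule"},
        {"name": "legacy", "connection": "connection://aws/internal",
         "accessKey": {"value": "EXAMPLE-PLACEHOLDER"}, "skipTLSVerify": True,
         "query": "SELECT * FROM aws_config_rule"},
    ]},
}

if __name__ == "__main__":
    for name, finding in lint_canary(SAMPLE):
        print(f"{name}: {finding}")
```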