File tree Expand file tree Collapse file tree 3 files changed +40
-1
lines changed Expand file tree Collapse file tree 3 files changed +40
-1
lines changed Original file line number Diff line number Diff line change 1010
1111## Version History
1212
13+ ### v1.13.0
14+
15+ - :tada : Add and enforce ECS Execute Enabled = true check
16+
1317### v1.12.0
1418
15- - :rocket : Fix error in Cloudformatio -Drift subject call
19+ - :rocket : Fix error in Cloudformation -Drift subject call
1620
1721### v1.11.0
1822
Original file line number Diff line number Diff line change @@ -2,6 +2,40 @@ import cf from '@openaddresses/cloudfriend';
22
33const resources = {
44 Resources : {
5+ ECSRestrictedExecute : {
6+ Type : "AWS::Config::ConfigRule" ,
7+ Properties : {
8+ ConfigRuleName : 'ECS-Service-Execute-Disabled' ,
9+ Scope : {
10+ ComplianceResourceTypes : [ "AWS::ECS::Service" ]
11+ } ,
12+ Source : {
13+ "Owner" : "CUSTOM_POLICY" ,
14+ SourceDetails : [ {
15+ EventSource : "aws.config" ,
16+ MessageType : "ConfigurationItemChangeNotification"
17+ } , {
18+ EventSource : "aws.config" ,
19+ MessageType : "OversizedConfigurationItemChangeNotification"
20+ } ] ,
21+ CustomPolicyDetails : {
22+ PolicyRuntime : "guard-2.x.x" ,
23+ PolicyText : `
24+ rule ecs_service_execute_disabled
25+ when
26+ resourceType == "AWS::ECS::Service"
27+ {
28+ configuration.EnableExecuteCommand == false
29+ }
30+ ` ,
31+ EnableDebugLogDelivery : false
32+ }
33+ } ,
34+ EvaluationModes : [ {
35+ Mode : "DETECTIVE"
36+ } ]
37+ }
38+ } ,
539 OpenSsh : {
640 Type : "AWS::Config::ConfigRule" ,
741 Properties : {
Original file line number Diff line number Diff line change @@ -5,6 +5,7 @@ const Enabled_Urgent_Rules = [
55 'Required-Tags' ,
66 'Restricted-SSH' ,
77 'Cloudformation-Drift' ,
8+ 'ECS-Service-Execute-Disabled' ,
89 'Certificate-Expiration'
910] ;
1011
You can’t perform that action at this time.
0 commit comments