Skip to main content

AWS Config

AWS Config checks .

apiVersion: canaries.flanksource.com/v1
kind: Canary
metadata:
  name: exec-check
spec:
  interval: 30
  awsConfig:
    - description: 'Check the config'
      name: config check
      query: 'SELECT * FROM aws_config_rule'
FieldDescriptionSchemeRequired
queryThe SQL query SELECT commandstringtrue
aggregatorNameSpecify the name of the configuration aggregatorstring
nameName of the check, must be unique within the canarystringYes
descriptionDescription for the checkstring
iconIcon for overwriting default icon on the dashboardstring
labelsLabels for checkmap[string]string
testEvaluate whether a check is healthyExpression
displayExpression to change the formatting of the displayExpression
transformTransform data from a check into multiple individual checksExpression
metricsMetrics to export from[]Metrics
Connection
accessKeyEnvVarYes
secretKeyEnvVarYes
endpointCustom AWS endpointstring
regionAWS regionstring
skipTLSVerifySkip TLS verify when connecting to AWSbool

Connecting to AWS

There are 3 options when connecting to AWS:

  1. An AWS instance profile or pod identity (the default if no connection or accessKey is specified)

    aws-config.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfig:
        - name: AWS Config check
          query: 'SELECT * FROM aws_config_rule'

  2. connection, this is the recommended method, connections are reusable and secure

    aws-connection.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfig:
        - name: AWS Config check
          connection: connection://aws/internal
          query: 'SELECT * FROM aws_config_rule'

  3. accessKey and secretKey EnvVar with the credentials stored in a secret

    aws-static.yaml
    apiVersion: canaries.flanksource.com/v1
    kind: Canary
    metadata:
      name: aws-config-rule
    spec:
      interval: 30
      awsConfig:
        - accessKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_ACCESS_KEY_ID
          secretKey:
            valueFrom:
              secretKeyRef:
                name: aws-credentials
                key: AWS_SECRET_ACCESS_KEY
          region: us-east-1
         name: AWS Config check
         query: "SELECT * FROM aws_config_rule"