awslabs / aws-config-resource-schema Goto Github PK

Add the ability for AWS:Config to record details on Log Groups, AWS::Logs::LogGroup. Additional details of the resource should also be considered

• Tags
• Subscriptions
• Log Retention
• Creation time
• Storage Size
• Latest event

This resource does contribute to the AWS Cost, therefore visibility of this data from AWS:Config would aide in managing costs.

Is it possible to retrieve the AWS account alias as well as the account number?

I am producing reports using AWS config and would like to show the account name. At the moment I have to download the list of Accounts from AWS organizations and use VLOOKUP in Excel to get this.

Would be nice to have it in the same query direct from AWS Config if possible.

Thanks

The property vpcid should be vpcId.

https://github.com/awslabs/aws-config-resource-schema/blob/master/config/properties/resource-types/AWS::ElasticLoadBalancing::LoadBalancer.properties.json#L36

Problem

Some of the types defined in the EC2 property file are incorrect. The AWS Config API returns floats for all numerical types but all numerical types are defined as integers in the EC2 property file.

The AWS Config Configuration Item spec states that the configuration data associated with a configuration item is in the form of the Describe<resource> or List<resource> api response of the resource in question but the EC2DescribeInstance response spec defines the types as integers. This suggests that the issue is with the AWS Config API rather than the definitions but the definitions should reflect what is returned from the API.

How would I raise this issue for the AWS Config API itself?

since 06.07.2023 we are unable to find AWS::ElasticLoadBalancingV2::Listener resources in eu-central-1 using the query editor. This worked before that date.

Example SQL Query:

SELECT
  *,
  relationships,
  configuration,
  tags
WHERE
  resourceType = 'AWS::ElasticLoadBalancingV2::Listener'

The resources AWS::ElasticLoadBalancingV2::Listener can still be found using the Resources tab in the AWS Config GUI.

I have a parameter that is deployed across all accounts in my organization.

The parameter has been configured differently in some accounts. I want to check how the configuration varies across the organization.

Specifically I want to check which parameters with a given name across the organization are using standard-tier v advanced-tier.

So I was surprised to discover today that AWS Config does not yet support SSM Parameters at all.

I expected a query like this to give me a summary of one type versus the other.

SELECT
  configuration.tier,
  COUNT(*)
WHERE
  resourceType = 'AWS::SSM::Parameter'
  AND resourceName = '/my/org/wide/param'
GROUP BY
  configuration.tier
;

With a result like this:

It appears that the properties here for AWS::CloudWatch::Alarm only support old-style CloudWatch Alarms with namespace, metricName and dimensions defined at the top level of configuration, not new-style alarms with a metrics array.

Hello there,

Can you add functionality to select resource tags as columns?

For example, this query would output a Name column and contain the name of every EC2 instance:

SELECT
  resourceId,
  tag.Name
WHERE
  resourceType = 'AWS::EC2::Instance'

Currently it's not possible to query the Loadbalancer configuration regarding WAF and TLS settings.

The TLS settings are not supported at all, because currently Config doesn't support Listeners as ResourceType. ResourceType WAF has atleast an association to Loadbalancers, but not the other way around. Without the association of the Loadbalancer to the WebACL it is not possible to check settings to verify compliance.

I'll suggest to extend AWS::ElasticLoadBalancingV2::LoadBalancer by adding an additional property with the assigned WebACL and to introduce support of a new resourcetype AWS::ElasticLoadBalancingV2::Listener, which contains SslPolicy .

Is that possible?

Hi,

I do have a query, I dont find any properties where config query can check if aws s3 has static website enabled or not. I think this is very much needed. In an organization where we have more than 10K buckets and from security standpoint we dont know which one is enabled as static website hosting.

Is there any other way we can check this?

Support for ECS and EKS

I need to get the last used date from a role, but it is recorded as null. Is it possible to obtain that information from config?

"roleLastUsed": null

Please add advanced query support for glue jobs. Thank you!

Add the ability for AWS:Config to record details on Amazon ElastiCache cache cluster, AWS::ElastiCache::CacheCluster. Additional details of the resource should also be considered.

Tags
Engine
Engine Version
Number of Nodes
Node Endpoints
Security Groups attached
Maintenance Windows
Creation time
Node Type
Location Region/AZ

This resource type does contribute to the AWS Cost, therefore visibility of this data from AWS:Config would aide in managing costs.

Hi,
Collecting the following, at a minimum, AMI properties would be very useful; BlockDeviceMappings.Ebs. SnapshotId, CreationDate, ImageId ,Tags

We need to run a query using the "last activity" property as a key value of the query. We need the Last Activity property be added to the IAM Role resource type. Is that possible?

We were expecting with the AWS What´s new announcement the support of the Container Services in the Advanced query of AWS Config. [1]

Unfortunately, there is no support currently for the Advanced Query of the resourceTypes. This was confirmed by the AWS Support.

Example Query:

SELECT
  *
WHERE
  resourceType = 'AWS::ECR::Repository'

Reference:
[1] https://aws.amazon.com/about-aws/whats-new/2021/02/aws-config-supports-amazon-container-services/

It would be very helpful to have TableClassSummary/TableClass added to AWS::DynamoDB::Table so that we can query the current table class of the table.

API Link: https://docs.aws.amazon.com/amazondynamodb/latest/APIReference/API_TableClassSummary.html

While playing with AWS Config - Advanced Query I discovered that keys for configuration items which do not have a value are not returned in the configuration item json, hence you can not query on them with the current subset of SQL used in the service.

Example:

• Launch an EC2 instance without an SSH key attached to it
• Examine the configuration item

You will see that the configuration.keyName (in this case) is not present in the returned object.

Since the wild-char matches are only supported for 3+ character long matches it is currently not possible to:

• Query on resource where this key exists with arbitrary value
• Query on resource where this key does not exist

I suggest either

• Returning a pre-defined value for these cases (like null, or false)
• Expanding the subset of SQL used in the service to make it possible to find these resources

We need the ability to query all the SageMaker Endpoints running in all accounts in our Org. Currently SageMaker Endpoints are not available in the Config aggregator and advanced query section.

Running a query such as the below returns no results and this should display all SageMaker Endpoints:
SELECT
resourceId
WHERE
resourceType LIKE 'AWS::SageMaker%'

It would be helpful to have other SageMaker resources available to query in Config such as Notebooks, but Endpoints are currently the critical resource we need to be able to query.

Per https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/, you can create up to two Flow Logs on one resource.

I would expect that the Resource Id would be the Flow Log id. But instead it is the VPC id. This doesn't make sense, because the post seems to indicate that a VPC can have two Flow Logs, which would then share the same Resource Id.

Example I'm seeing in the logs:

resourceId | vpc-cXXeXXaX
resourceType | AWS::EC2::FlowLog

which I expect should be fl-0dXXXcXX, the flowLogId

I want to handle AWS::Events::Rule in AWS Config Advanced Queries.
Is it possible?

Hy,

Currently it's not possible to query the EC2 Instance configuration regarding platformDetails and usageOperation settings.

I'll suggest to extend AWS::EC2::Instance by adding :

• configuration.platformDetails
• configuration.usageOperation

Is that possible ?
Thanks in advance.

Regards,
Julien Mourgues

I want to see the environment variables set on some functions in my organization.

I don't see how to do that with the current schema.

I'd expect something like this to work.

SELECT
  configuration.environmentVariables
WHERE
  resourceType = 'AWS::Lambda::Function' AND ...;

Since environment variables are key value pairs, maybe a structure similar to the general tags would give most flexibility.

See title, both resource types are missing recorded resource information.

Hi Team,

Is there is a way I can get the configuration.complianceType e.g 'NON_COMPLIANT' based on tag when I select the resource.

Thank you,
Kahil

Are there any plans to add Canary resource types. We have a use case to ensure RUNNING status on some production checks.

Instance Profiles on an Ec2 instance are not available via AWS Config

ECS resources have been supported since Jan 2021. Can we please have docs on their schemas here?

This is a feature request to add ability to query iam user access key ids and group by count. I would like to be able to see which iam users have more than 1 access key ids. Not sure if this query would be correct but I am looking for something close to this.

SELECT
resourceId,
resourceName,
resourceType,
resourceCreationTime,
tags,
configuration.accessKeyId
COUNT(*)
WHERE
resourceType = 'AWS::IAM::User'
GROUPBY
configuration.accessKeyId

The AWS::CloudTrail::Trail configuration item doesn't record the IsLogging property from the GetTrailStatus API.

Its inclusion would be useful in two situations.

First, in an organization with a single-account trail deployed to each account, this would be an easy way to confirm that each trail is actually logging.

Second, when migrating from multiple single-account trails to an organization trail, this would help to discover existing trails that need to be stopped to avoid incuring duplicate logging costs, and would also help to identify stopped trails that can be deleted.

The AWS::EC2::Instance configuration item records the state of the EC2 instance. This allows us to find stopped instances that could be terminated, for example.

AWS::Athena::DataCatalog is not available with Advance Query although it is listed as a legitimate discovered resources

Hi there,

I would like to know if it's possible to get the AMI ID of the instances using a SQL Query ?
I thought it was: https://github.com/awslabs/aws-config-resource-schema/blob/master/config/properties/resource-types/AWS::EC2::Instance.properties.json#L6 but it's empty instead of "ubuntu" or an id referring to that image.
Is there a view per service where I can find what we can or can't query/access ?

Can we do these queries via a CLI or it's only possible via the console at https://console.aws.amazon.com/config/home?region=us-east-1#/resources/query ?

Best,

Nolan

For resources that don't have a "native" name property, the Name tag (if present) should be used to resolve the resourceName property.

Our primary use case is being able to view all EC2 instances across accounts, along with the instance names.

Thoughts?

I'm looking for libraries to convert AWS Config Schema to CFN Schema. Is there any public Python library available for that?

Hi,

Pretty self explanatory from the title. I have followed the contributing guidelines and as far as I can see this resource type is not supported. Can you please confirm?

I ultimately want to run a AWS config advanced query against this resource type. Is it necessary for the schema to be added here first? I am just a little confused as the resource type is listed as supported (https://docs.aws.amazon.com/config/latest/developerguide/resource-config-reference.html).
I would be happy to submit a PR for this issue.

Thanks