2. API Reference

2.1. Rules

class awslambdahelper.AWSConfigRule(applicable_resources=None)[source]

Defines the business logic for processing either scheduled or configuration-change AWS Config rules.

If this rule handles ConfigurationChange events, the “Applicable Resources” attribute must be set. If it handles Scheduled events, the attribute is not required.

Parameters: applicable_resources (Union[List, Tuple]) – A list of AWS resources which this rule evaluates. Only applicable for Configuration Change rules, and not Scheduled rules. See Evaluating Additional Resource Types, and Supported AWS Resource Types.

APPLICABLE_RESOURCES = []

List of resources which this rule can evaluate. Only applicable to ConfigurationChange rules.

CALL_TYPE_CONFIGURATION_CHANGE = 'ConfigurationItemChangeNotification'

Specifies an AWS Config Rule which is triggered by a resource configuration

CALL_TYPE_SCHEDULED = 'ScheduledNotification'

Specifies an AWS Config Rule which is triggered on a scheduled basis.

evaluate_compliance(rule_parameters, event, config=None)[source]

A facade that delegates the event to either find_violation_config_change() or find_violation_scheduled().

Parameters:
  • rule_parameters – A list of key/value pairs which are to be provided to the rule.
  • event
  • config
Type:

dict

Returns:

find_violation_config_change(rule_parameters, config)[source]

Placeholder function for configuration change rules. Needs to be overridden by a subclass.

Raises:

NotImplementedError

Parameters:
  • rule_parameters
  • config
Returns:

None

find_violation_scheduled(rule_parameters, accountid)[source]

Placeholder function for scheduled rules. Needs to be overridden by a subclass.

Parameters:
  • rule_parameters
  • accountid
Returns:

None

classmethod handler(event, context)[source]

Allow a single entrypoint without extra boilerplate code.

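>>> from awslambdahelper import AWSConfigRule, InsufficientDataEvaluation
>>> class MyAwesomeRule(AWSConfigRule):
...     # Resource types this configuration-change rule evaluates
...     APPLICABLE_RESOURCES = ["AWS::EC2::Instance"]
...     def find_violation_config_change(self, rule_parameters, config):
...         # Annotation has no default in InsufficientDataEvaluation's signature
...         return [InsufficientDataEvaluation(Annotation="No evaluation results are available.")]
>>>
>>> # The entrypoint for lambda would be set as "file_name.MyAwesomeRule.handler"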
Parameters:
Returns:

lambda_handler(event, context)[source]

Deprecated since version 1.1.4: Use handler()
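
The dispatch that evaluate_compliance() describes, as an added stand-alone sketch (not awslambdahelper's own code): it reads messageType from a constructed AWS Config event and routes a change notification to a security-group check. The blockedCidr rule parameter, the sample event values and the NOT_APPLICABLE handling of other resource types are assumptions made for illustration.

```python
import json

CALL_TYPE_CONFIGURATION_CHANGE = "ConfigurationItemChangeNotification"
CALL_TYPE_SCHEDULED = "ScheduledNotification"
APPLICABLE_RESOURCES = ("AWS::EC2::SecurityGroup",)

def evaluation(compliance, item, annotation):
    # One entry in the shape AWS Config's PutEvaluations API accepts.
    return {"ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance, "Annotation": annotation,
            "OrderingTimestamp": item["configurationItemCaptureTime"]}

def find_violation_config_change(rule_parameters, item):
    if item["resourceType"] not in APPLICABLE_RESOURCES:
        return [evaluation("NOT_APPLICABLE", item, "Resource type not covered.")]
    cidr = rule_parameters.get("blockedCidr", "0.0.0.0/0")  # hypothetical parameter
    for perm in item["configuration"].get("ipPermissions", []):
        if cidr in perm.get("ipRanges", []):
            return [evaluation("NON_COMPLIANT", item, "Ingress open to " + cidr)]
    return [evaluation("COMPLIANT", item, "This resource is compliant with the rule.")]

def evaluate_compliance(event):
    # invokingEvent and ruleParameters arrive as JSON strings, not dicts.
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    call_type = invoking["messageType"]
    if call_type == CALL_TYPE_CONFIGURATION_CHANGE:
        return find_violation_config_change(params, invoking["configurationItem"])
    if call_type == CALL_TYPE_SCHEDULED:
        raise NotImplementedError("scheduled path is not part of this sketch")
    raise ValueError("unsupported messageType: %r" % call_type)

def constructed_event(resource_type, ip_ranges, call_type=CALL_TYPE_CONFIGURATION_CHANGE):
    # Constructed sample event; every value below is made up.
    item = {"resourceType": resource_type, "resourceId": "sg-00000000",
            "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"fromPort": 22, "toPort": 22, "ipRanges": ip_ranges}]}}
    return {"invokingEvent": json.dumps({"messageType": call_type,
                                          "configurationItem": item}),
            "ruleParameters": json.dumps({"blockedCidr": "0.0.0.0/0"}),
            "accountId": "000000000000"}

if __name__ == "__main__":
    for rtype, ranges in [("AWS::EC2::SecurityGroup", ["0.0.0.0/0"]),
                          ("AWS::EC2::SecurityGroup", ["10.0.0.0/8"]),
                          ("AWS::EC2::Instance", [])]:
        result = evaluate_compliance(constructed_event(rtype, ranges))
        print(rtype, ranges, result[0]["ComplianceType"])
```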

2.2. Evaluations

2.2.1. CompliantEvaluation

class awslambdahelper.CompliantEvaluation(Annotation='This resource is compliant with the rule.', ResourceType=None, ResourceId=None, OrderingTimestamp=None)[source]

A rule is compliant if all of the resources that the rule evaluates comply with it.

Parameters:
  • Annotation (str) – An explanation to attach to the evaluation result. Shown in the AWS Config Console.
  • ResourceType (str) – A list of AWS resources which this rule evaluates. See Evaluating Additional Resource Types, and Supported AWS Resource Types.
  • ResourceId – The id (e.g., id-000000) or the ARN (e.g., arn:aws:iam:01234567890:eu-west-1:..) for the resource.
  • OrderingTimestamp – The time of the event in AWS Config that triggered the evaluation.

2.2.2. NonCompliantEvaluation

class awslambdahelper.NonCompliantEvaluation(Annotation, ResourceType=None, ResourceId=None, OrderingTimestamp=None)[source]

A rule is noncompliant if any of these resources do not comply.

Parameters:
  • Annotation (str) – An explanation to attach to the evaluation result. Shown in the AWS Config Console.
  • ResourceType (str) – A list of AWS resources which this rule evaluates. See Evaluating Additional Resource Types, and Supported AWS Resource Types.
  • ResourceId – The id (e.g., id-000000) or the ARN (e.g., arn:aws:iam:01234567890:eu-west-1:..) for the resource.
  • OrderingTimestamp – The time of the event in AWS Config that triggered the evaluation.

2.2.3. NotApplicableEvaluation

class awslambdahelper.NotApplicableEvaluation(ResourceType, ResourceId=None, OrderingTimestamp=None)[source]

This resource is not applicable for this rule.

Parameters:
  • ResourceType (str) – A list of AWS resources which this rule evaluates. See Evaluating Additional Resource Types, and Supported AWS Resource Types.
  • ResourceId – The id (e.g., id-000000) or the ARN (e.g., arn:aws:iam:01234567890:eu-west-1:..) for the resource.
  • OrderingTimestamp – The time of the event in AWS Config that triggered the evaluation.

2.2.4. InsufficientDataEvaluation

class awslambdahelper.InsufficientDataEvaluation(Annotation, ResourceType=None, ResourceId=None, OrderingTimestamp=None)[source]

AWS Config returns the INSUFFICIENT_DATA value when no evaluation results are available for the AWS resource or Config rule.

Parameters:
  • Annotation (str) – An explanation to attach to the evaluation result. Shown in the AWS Config Console.
  • ResourceType (str) – A list of AWS resources which this rule evaluates. See Evaluating Additional Resource Types, and Supported AWS Resource Types.
  • ResourceId (str) – The id (e.g., id-000000) or the ARN (e.g., arn:aws:iam:01234567890:eu-west-1:..) for the resource.
  • OrderingTimestamp – The time of the event in AWS Config that triggered the evaluation.