import boto3
import json
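def lambda_handler(event, context):
    """AWS Config custom rule: flag EC2 instances without detailed monitoring.

    Invoked by AWS Config on a configuration-item change.  Reads the instance
    ID from ``event['invokingEvent']``, looks the instance up live with
    ``ec2:DescribeInstances`` and reports ``COMPLIANT`` when
    ``Monitoring.State`` is ``"enabled"``, otherwise ``NON_COMPLIANT``.  A
    deleted instance is reported ``NOT_APPLICABLE`` instead of crashing on the
    lookup.  The verdict is written back with ``config:PutEvaluations`` using
    the ``resultToken`` from the event, which must be passed through unchanged.
    The execution role needs only ``ec2:DescribeInstances`` and
    ``config:PutEvaluations`` (least privilege).

    Args:
        event: AWS Config rule event carrying ``invokingEvent`` (a JSON string)
            and ``resultToken``.
        context: Lambda context object (unused).

    Returns:
        The ``PutEvaluations`` response dict.

    Raises:
        KeyError: when the event has no ``configurationItem`` (e.g. a scheduled
            or oversized-item notification, which this rule does not handle).
        RuntimeError: when AWS Config lists the evaluation under
            ``FailedEvaluations`` -- a dropped verdict must not fail silently.
    """
    config = json.loads(event['invokingEvent'])
    configuration_item = config["configurationItem"]

    # A deleted instance can no longer be described (the EC2 call would raise
    # InvalidInstanceID.NotFound); AWS Config expects NOT_APPLICABLE so the old
    # evaluation is cleared.  For AWS::EC2::Instance, resourceId is the instance ID.
    item_status = configuration_item.get('configurationItemStatus')
    if item_status in ('ResourceDeleted', 'ResourceDeletedNotRecorded'):
        instance_id = configuration_item['resourceId']
        compliance_status = "NOT_APPLICABLE"
        annotation = 'Instance has been deleted.'
    else:
        instance_id = configuration_item['configuration']['instanceId']
        ec2_client = boto3.client('ec2')
        # Live lookup rather than trusting the (possibly stale) configuration item.
        instance = ec2_client.describe_instances(
            InstanceIds=[instance_id]
        )['Reservations'][0]['Instances'][0]
        # This checks EC2 detailed (1-minute CloudWatch) monitoring, not CloudTrail.
        if instance['Monitoring']['State'] == "enabled":
            compliance_status = "COMPLIANT"
            annotation = 'Detailed monitoring is enabled.'
        else:
            compliance_status = "NON_COMPLIANT"
            annotation = 'Detailed monitoring is not enabled.'

    evaluation = {
        'ComplianceResourceType': 'AWS::EC2::Instance',
        'ComplianceResourceId': instance_id,
        'ComplianceType': compliance_status,
        # Annotation now matches the verdict instead of always claiming "not enabled".
        'Annotation': annotation,
        'OrderingTimestamp': config['notificationCreationTime'],
    }
    config_client = boto3.client('config')
    response = config_client.put_evaluations(
        Evaluations=[evaluation],
        ResultToken=event['resultToken'],
    )
    # PutEvaluations returns 200 even when it rejects entries; for a compliance
    # control a silently missing verdict is worse than a failed invocation.
    if response.get('FailedEvaluations'):
        raise RuntimeError(
            'PutEvaluations rejected the evaluation: {!r}'.format(
                response['FailedEvaluations']
            )
        )
    return response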