in scripts/config_enabled.py [0:0]
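def evaluate_compliance(rule_parameters, *, client=None):
    """Evaluate whether AWS Config recording is enabled and delivering correctly.

    The check is a detection-control health check: it fails if no
    configuration recorder is reporting, if any recorder is not recording,
    if no delivery channel exists, or if a delivery channel targets a bucket
    or SNS topic other than the one pinned by the rule parameters.

    Args:
        rule_parameters: Mapping of rule parameters. The optional keys
            ``s3BucketName`` and ``snsTopicARN`` pin the expected delivery
            channel targets; when a key is absent that check is skipped.
            ``None`` is treated as an empty mapping.
        client: AWS Config client to query (keyword-only). Defaults to the
            module-level ``config`` client; overridable for testing.

    Returns:
        A dict with ``compliance_type`` (``'COMPLIANT'`` or
        ``'NON_COMPLIANT'``) and a human-readable ``annotation``.
    """
    # Only resolve the module-level client when no override was supplied.
    cfg = config if client is None else client
    params = rule_parameters or {}

    # First check a configuration recorder exists and is recording.
    recorder_status = cfg.describe_configuration_recorder_status()
    recorders = recorder_status.get('ConfigurationRecordersStatus') or []
    if not recorders:
        return {
            'compliance_type': 'NON_COMPLIANT',
            'annotation': 'Cannot find config recorder status',
        }
    # A status entry lacking 'recording' is reported as not recording rather
    # than raising and aborting the evaluation (an errored evaluation yields
    # no finding at all, which is the worse outcome for a health check).
    if any(not recorder.get('recording', False) for recorder in recorders):
        return {
            'compliance_type': 'NON_COMPLIANT',
            'annotation': 'Config recorder is not recording',
        }

    # Check that delivery channels exist and map to the expected targets.
    channels_response = cfg.describe_delivery_channels()
    channels = channels_response.get('DeliveryChannels') or []
    if not channels:
        return {
            'compliance_type': 'NON_COMPLIANT',
            'annotation': 'No delivery channel for config recorder',
        }
    if 's3BucketName' in params:
        expected_bucket = params['s3BucketName']
        if any(channel.get('s3BucketName') != expected_bucket for channel in channels):
            return {
                'compliance_type': 'NON_COMPLIANT',
                'annotation': 'Config recorder writing to incorrect bucket',
            }
    if 'snsTopicARN' in params:
        expected_topic = params['snsTopicARN']
        # snsTopicARN is optional on a delivery channel; .get() makes a channel
        # with no topic configured NON_COMPLIANT instead of a KeyError.
        if any(channel.get('snsTopicARN') != expected_topic for channel in channels):
            return {
                'compliance_type': 'NON_COMPLIANT',
                'annotation': 'Config recording writing to incorrect SNS topic',
            }
    return {
        'compliance_type': 'COMPLIANT',
        'annotation': 'Config recorder enabled with appropriate delivery channel',
    }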