Prometheus Exporter for AWS Config Compliance (forked from chaspy - thanks!)
$ go run main.go
AWS_CONFIG_SCRAPE_PREFIX should be set and is used to determine which rules to alert on.
This allows us to alert based on environment.
AWS_API_INTERVAL specifies how often to scrape. Defaults to 60 seconds if you do not set it.
AWS_REGION you will need to set this if you are running in an environment that uses IAM role instead of an aws config.
Get the binary file from Releases and run it.
$ curl -s localhost:8083/metrics | grep aws_custom_config_compliance
# HELP aws_custom_config_compliance Number of compliance
# TYPE aws_custom_config_compliance gauge
aws_custom_config_compliance{cap_exceeded="false",compliance="COMPLIANT",config_rule_name="securityhub-efs-encrypted-check-bd414301"} 0
aws_custom_config_compliance{cap_exceeded="false",compliance="INSUFFICIENT_DATA",config_rule_name="securityhub-dms-replication-not-public-1f6729b8"} 0
aws_custom_config_compliance{cap_exceeded="false",compliance="INSUFFICIENT_DATA",config_rule_name="securityhub-ec2-managedinstance-patch-compliance-440fg71a"} 0
aws_custom_config_compliance{cap_exceeded="false",compliance="NON_COMPLIANT",config_rule_name="eip-attached"} 2
aws_custom_config_compliance{cap_exceeded="false",compliance="NON_COMPLIANT",config_rule_name="s3-bukcet-logging-enabled"} 23
The following policy must be attached to the AWS role to be executed.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"config:DescribeComplianceByConfigRule",
],
"Resource": "*"
}
]
}