CfnGuardHookProps

class aws_cdk.CfnGuardHookProps(*, alias, execution_role, failure_mode, hook_status, rule_location, target_operations, log_bucket=None, options=None, stack_filters=None, target_filters=None)

Bases: object

Properties for defining a CfnGuardHook.

Parameters:

alias (str) – The type name alias for the Hook. This alias must be unique per account and Region. The alias must be in the form Name1::Name2::Name3 and must not begin with AWS . For example, Private::Guard::MyTestHook .
execution_role (str) – The IAM role that the Hook assumes to retrieve your Guard rules from S3 and optionally write a detailed Guard output report back.
failure_mode (str) – Specifies how the Hook responds when rules fail their evaluation. - FAIL : Prevents the action from proceeding. This is helpful for enforcing strict compliance or security policies. - WARN : Issues warnings to users but allows actions to continue. This is useful for non-critical validations or informational checks. Default: - “WARN”
hook_status (str) – Specifies if the Hook is ENABLED or DISABLED . Default: - “DISABLED”
rule_location (Union[IResolvable, S3LocationProperty, Dict[str, Any]]) – Specifies the S3 location of your Guard rules.
target_operations (Sequence[str]) – Specifies the list of operations the Hook is run against. For more information, see Hook targets in the AWS CloudFormation Hooks User Guide . Valid values: STACK | RESOURCE | CHANGE_SET | CLOUD_CONTROL
log_bucket (Optional[str]) – Specifies the name of an S3 bucket to store the Guard output report. This report contains the results of your Guard rule validations.
options (Union[IResolvable, OptionsProperty, Dict[str, Any], None]) – Specifies the S3 location of your input parameters.
stack_filters (Union[IResolvable, StackFiltersProperty, Dict[str, Any], None]) – Specifies the stack level filters for the Hook. Example stack level filter in JSON: "StackFilters": {"FilteringCriteria": "ALL", "StackNames": {"Exclude": [ "stack-1", "stack-2"]}} Example stack level filter in YAML: StackFilters: FilteringCriteria: ALL StackNames: Exclude: - stack-1 - stack-2
target_filters (Union[IResolvable, TargetFiltersProperty, Dict[str, Any], None]) – Specifies the target filters for the Hook. Example target filter in JSON: "TargetFilters": {"Actions": [ "CREATE", "UPDATE", "DELETE" ]} Example target filter in YAML: TargetFilters: Actions: - CREATE - UPDATE - DELETE

See:

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-guardhook.html

ExampleMetadata:

fixture=_generated

Example:

# The code below shows an example of how to instantiate this type.
# The values are placeholders you should change.
import aws_cdk as cdk

cfn_guard_hook_props = cdk.CfnGuardHookProps(
    alias="alias",
    execution_role="executionRole",
    failure_mode="failureMode",
    hook_status="hookStatus",
    rule_location=cdk.CfnGuardHook.S3LocationProperty(
        uri="uri",

        # the properties below are optional
        version_id="versionId"
    ),
    target_operations=["targetOperations"],

    # the properties below are optional
    log_bucket="logBucket",
    options=cdk.CfnGuardHook.OptionsProperty(
        input_params=cdk.CfnGuardHook.S3LocationProperty(
            uri="uri",

            # the properties below are optional
            version_id="versionId"
        )
    ),
    stack_filters=cdk.CfnGuardHook.StackFiltersProperty(
        filtering_criteria="filteringCriteria",

        # the properties below are optional
        stack_names=cdk.CfnGuardHook.StackNamesProperty(
            exclude=["exclude"],
            include=["include"]
        ),
        stack_roles=cdk.CfnGuardHook.StackRolesProperty(
            exclude=["exclude"],
            include=["include"]
        )
    ),
    target_filters=cdk.CfnGuardHook.TargetFiltersProperty(
        targets=[cdk.CfnGuardHook.HookTargetProperty(
            action="action",
            invocation_point="invocationPoint",
            target_name="targetName"
        )],

        # the properties below are optional
        actions=["actions"],
        invocation_points=["invocationPoints"],
        target_names=["targetNames"]
    )
)

Attributes

alias

The type name alias for the Hook. This alias must be unique per account and Region.

The alias must be in the form Name1::Name2::Name3 and must not begin with AWS . For example, Private::Guard::MyTestHook .

See:: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-guardhook.html#cfn-cloudformation-guardhook-alias

execution_role

The IAM role that the Hook assumes to retrieve your Guard rules from S3 and optionally write a detailed Guard output report back.

See:: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cloudformation-guardhook.html#cfn-cloudformation-guardhook-executionrole

failure_mode

Specifies how the Hook responds when rules fail their evaluation.

FAIL : Prevents the action from proceeding. This is helpful for enforcing strict compliance or security policies.
WARN : Issues warnings to users but allows actions to continue. This is useful for non-critical validations or informational checks.

Default: