Class: Aws::AuditManager::Types::SourceKeyword

Inherits:
Struct
  • Object
show all
Includes:
Structure
Defined in:
lib/aws-sdk-auditmanager/types.rb

Overview

A keyword that relates to the control data source.

For manual evidence, this keyword indicates if the manual evidence is a file or text.

For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.

To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the *Audit Manager User Guide*:

  • Config rules supported by Audit Manager][1
  • Security Hub controls supported by Audit Manager][2
  • API calls supported by Audit Manager][3
  • CloudTrail event names supported by Audit Manager][4

[1]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html [2]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-ash.html [3]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-api.html [4]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-cloudtrail.html

Constant Summary collapse

SENSITIVE =
[]

Instance Attribute Summary collapse

Instance Attribute Details

#keyword_input_typeString

The input method for the keyword.

  • ‘SELECT_FROM_LIST` is used when mapping a data source for automated evidence.

    • When ‘keywordInputType` is `SELECT_FROM_LIST`, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

    ^

  • ‘UPLOAD_FILE` and `INPUT_TEXT` are only used when mapping a data source for manual evidence.

    • When ‘keywordInputType` is `UPLOAD_FILE`, a file must be uploaded as manual evidence.

    • When ‘keywordInputType` is `INPUT_TEXT`, text must be entered as manual evidence.

Returns:

  • (String)


4376
4377
4378
4379
4380
4381
# File 'lib/aws-sdk-auditmanager/types.rb', line 4376

class SourceKeyword < Struct.new(
  :keyword_input_type,
  :keyword_value)
  SENSITIVE = []
  include Aws::Structure
end

#keyword_valueString

The value of the keyword that’s used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.

If you’re mapping a data source to a rule in Config, the ‘keywordValue` that you specify depends on the type of rule:

  • For [managed rules], you can use the rule identifier as the ‘keywordValue`. You can find the rule identifier from the [list of Config managed rules]. For some rules, the rule identifier is different from the rule name. For example, the rule name `restricted-ssh` has the following rule identifier: `INCOMING_SSH_DISABLED`. Make sure to use the rule identifier, not the rule name.

    Keyword example for managed rules:

  • For [custom rules], you form the ‘keywordValue` by adding the `Custom_` prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.

    Keyword example for custom rules:

    • Custom rule name: my-custom-config-rule

      ‘keywordValue`: `Custom_my-custom-config-rule`

  • For [service-linked rules], you form the ‘keywordValue` by adding the `Custom_` prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.

    Keyword examples for service-linked rules:

    • Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w

      ‘keywordValue`: `Custom_CustomRuleForAccount-conformance-pack`

    • Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba

      ‘keywordValue`: `Custom_OrgConfigRule-s3-bucket-versioning-enabled`

The ‘keywordValue` is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.

Keep in mind the following requirements, depending on the data

source type that you’re using.

1.  For Config:

   * For managed rules, make sure that the `keywordValue` is the
     rule identifier in `ALL_CAPS_WITH_UNDERSCORES`. For example,
     `CLOUDWATCH_LOG_GROUP_ENCRYPTED`. For accuracy, we recommend
     that you reference the list of [supported Config managed
     rules][6].

   * For custom rules, make sure that the `keywordValue` has the
     `Custom_` prefix followed by the custom rule name. The format
     of the custom rule name itself may vary. For accuracy, we
     recommend that you visit the [Config console][7] to verify
     your custom rule name.
  1. For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of [supported Security Hub controls].

  2. For Amazon Web Services API calls: Make sure that the ‘keywordValue` is written as `serviceprefix_ActionName`. For example, `iam_ListGroups`. For accuracy, we recommend that you reference the list of [supported API calls].

  3. For CloudTrail: Make sure that the ‘keywordValue` is written as `serviceprefix_ActionName`. For example, `cloudtrail_StartLogging`. For accuracy, we recommend that you review the Amazon Web Service prefix and action names in the [Service Authorization Reference].

[1]: docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html [2]: docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html [3]: docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html [4]: docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html [5]: docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html [6]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html [7]: console.aws.amazon.com/config/ [8]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-ash.html [9]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-api.html [10]: docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

Returns:

  • (String)


4376
4377
4378
4379
4380
4381
# File 'lib/aws-sdk-auditmanager/types.rb', line 4376

class SourceKeyword < Struct.new(
  :keyword_input_type,
  :keyword_value)
  SENSITIVE = []
  include Aws::Structure
end