Class: Aws::AuditManager::Types::SourceKeyword
- Inherits: Struct
  - Object
  - Struct
  - Aws::AuditManager::Types::SourceKeyword
- Includes: Structure
- Defined in: lib/aws-sdk-auditmanager/types.rb
Overview
A keyword that relates to the control data source.
For manual evidence, this keyword indicates if the manual evidence is a file or text.
For automated evidence, this keyword identifies a specific CloudTrail event, Config rule, Security Hub control, or Amazon Web Services API name.
To learn more about the supported keywords that you can use when mapping a control data source, see the following pages in the *Audit Manager User Guide*:
- [Config rules supported by Audit Manager][1]
- [Security Hub controls supported by Audit Manager][2]
- [API calls supported by Audit Manager][3]
- [CloudTrail event names supported by Audit Manager][4]

[1]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html
[2]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-ash.html
[3]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-api.html
[4]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-cloudtrail.html
Constant Summary
- SENSITIVE = []
Instance Attribute Summary
- #keyword_input_type ⇒ String
  The input method for the keyword.
- #keyword_value ⇒ String
  The value of the keyword that’s used when mapping a control data source.
Instance Attribute Details
#keyword_input_type ⇒ String
The input method for the keyword.
- `SELECT_FROM_LIST` is used when mapping a data source for automated evidence.
  * When `keywordInputType` is `SELECT_FROM_LIST`, a keyword must be selected to collect automated evidence. For example, this keyword can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
- `UPLOAD_FILE` and `INPUT_TEXT` are only used when mapping a data source for manual evidence.
  * When `keywordInputType` is `UPLOAD_FILE`, a file must be uploaded as manual evidence.
  * When `keywordInputType` is `INPUT_TEXT`, text must be entered as manual evidence.
```ruby
# File 'lib/aws-sdk-auditmanager/types.rb', line 4398

class SourceKeyword < Struct.new(
  :keyword_input_type,
  :keyword_value)
  SENSITIVE = []
  include Aws::Structure
end
```
#keyword_value ⇒ String
The value of the keyword that’s used when mapping a control data source. For example, this can be a CloudTrail event name, a rule name for Config, a Security Hub control, or the name of an Amazon Web Services API call.
If you’re mapping a data source to a rule in Config, the `keywordValue` that you specify depends on the type of rule:
- For [managed rules][1], you can use the rule identifier as the `keywordValue`. You can find the rule identifier from the [list of Config managed rules][2]. For some rules, the rule identifier is different from the rule name. For example, the rule name `restricted-ssh` has the following rule identifier: `INCOMING_SSH_DISABLED`. Make sure to use the rule identifier, not the rule name.
  Keyword example for managed rules:
  * Managed rule name: [s3-bucket-acl-prohibited][3]
    `keywordValue`: `S3_BUCKET_ACL_PROHIBITED`
- For [custom rules][4], you form the `keywordValue` by adding the `Custom_` prefix to the rule name. This prefix distinguishes the custom rule from a managed rule.
  Keyword example for custom rules:
  * Custom rule name: my-custom-config-rule
    `keywordValue`: `Custom_my-custom-config-rule`
- For [service-linked rules][5], you form the `keywordValue` by adding the `Custom_` prefix to the rule name. In addition, you remove the suffix ID that appears at the end of the rule name.
  Keyword examples for service-linked rules:
  * Service-linked rule name: CustomRuleForAccount-conformance-pack-szsm1uv0w
    `keywordValue`: `Custom_CustomRuleForAccount-conformance-pack`
  * Service-linked rule name: OrgConfigRule-s3-bucket-versioning-enabled-dbgzf8ba
    `keywordValue`: `Custom_OrgConfigRule-s3-bucket-versioning-enabled`

The `keywordValue` is case sensitive. If you enter a value incorrectly, Audit Manager might not recognize the data source mapping. As a result, you might not successfully collect evidence from that data source as intended.
Keep in mind the following requirements, depending on the data source type that you’re using.
1. For Config:
   * For managed rules, make sure that the `keywordValue` is the rule identifier in `ALL_CAPS_WITH_UNDERSCORES`. For example, `CLOUDWATCH_LOG_GROUP_ENCRYPTED`. For accuracy, we recommend that you reference the list of [supported Config managed rules][6].
   * For custom rules, make sure that the `keywordValue` has the `Custom_` prefix followed by the custom rule name. The format of the custom rule name itself may vary. For accuracy, we recommend that you visit the [Config console][7] to verify your custom rule name.
2. For Security Hub: The format varies for Security Hub control names. For accuracy, we recommend that you reference the list of [supported Security Hub controls][8].
3. For Amazon Web Services API calls: Make sure that the `keywordValue` is written as `serviceprefix_ActionName`. For example, `iam_ListGroups`. For accuracy, we recommend that you reference the list of [supported API calls][9].
4. For CloudTrail: Make sure that the `keywordValue` is written as `serviceprefix_ActionName`. For example, `cloudtrail_StartLogging`. For accuracy, we recommend that you review the Amazon Web Services service prefix and action names in the [Service Authorization Reference][10].

[1]: docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html
[2]: docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html
[3]: docs.aws.amazon.com/config/latest/developerguide/s3-bucket-acl-prohibited.html
[4]: docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html
[5]: docs.aws.amazon.com/config/latest/developerguide/service-linked-awsconfig-rules.html
[6]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-config.html
[7]: console.aws.amazon.com/config/
[8]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-ash.html
[9]: docs.aws.amazon.com/audit-manager/latest/userguide/control-data-sources-api.html
[10]: docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
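
Because a mistyped `keywordValue` can leave evidence uncollected without any error, it is worth checking mappings offline before they are submitted. The following is an added example, not code from the SDK or the AWS documentation: it builds Config keyword values by the rules above and lints a keyword hash. The `rule_type` and `source_type` symbols, both regular expressions, and the rule that the suffix ID is the last hyphen-separated segment are assumptions inferred from the examples on this page.

```ruby
# Added example, not SDK code. The regexes and the "suffix ID = last
# hyphen-separated segment" rule are assumptions inferred from this page.
MANAGED_ID = /\A[A-Z0-9]+(?:_[A-Z0-9]+)*\z/      # ALL_CAPS_WITH_UNDERSCORES
API_ACTION = /\A[a-z0-9-]+_[A-Z][A-Za-z0-9]*\z/  # serviceprefix_ActionName

# Build the keywordValue for a Config rule. rule_type is a hypothetical symbol.
def config_keyword_value(rule_type, name)
  case rule_type
  when :managed
    # The identifier cannot be derived from the rule name
    # (restricted-ssh => INCOMING_SSH_DISABLED), so insist on the identifier.
    raise ArgumentError, "need rule identifier, got #{name.inspect}" unless name.match?(MANAGED_ID)
    name
  when :custom
    "Custom_#{name}"
  when :service_linked
    "Custom_#{name.sub(/-[^-]+\z/, '')}" # drop the trailing suffix ID
  else
    raise ArgumentError, "unknown rule type #{rule_type.inspect}"
  end
end

# Return the problems found in one keyword hash (empty array when it passes).
# source_type is a hypothetical symbol: :manual, :config, :api, :cloudtrail, :security_hub.
def lint_source_keyword(source_type, keyword)
  type = keyword[:keyword_input_type]
  value = keyword[:keyword_value].to_s
  if source_type == :manual
    return %w[UPLOAD_FILE INPUT_TEXT].include?(type) ? [] : ["manual evidence needs UPLOAD_FILE or INPUT_TEXT"]
  end
  problems = []
  problems << "automated evidence needs SELECT_FROM_LIST" unless type == "SELECT_FROM_LIST"
  case source_type
  when :config
    ok = value.start_with?("Custom_") ? value.length > 7 : value.match?(MANAGED_ID)
    problems << "Config value must be a rule identifier or Custom_<rule name>" unless ok
  when :api, :cloudtrail
    problems << "expected serviceprefix_ActionName, got #{value.inspect}" unless value.match?(API_ACTION)
  end # Security Hub control names vary in format, so only the input type is checked
  problems
end

# Constructed sample mappings: the first has the wrong case, the second passes.
[[:config, "s3_bucket_acl_prohibited"], [:api, "iam_ListGroups"]].each do |src, v|
  puts "#{src} #{v}: #{lint_source_keyword(src, keyword_input_type: 'SELECT_FROM_LIST', keyword_value: v).inspect}"
end
```

A clean lint result only confirms the shape of the value; whether the keyword is actually supported still has to be checked against the lists referenced above.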