interface CfnGuardHookProps
Language | Type name |
---|---|
.NET | Amazon.CDK.CfnGuardHookProps |
Go | github.com/aws/aws-cdk-go/awscdk/v2#CfnGuardHookProps |
Java | software.amazon.awscdk.CfnGuardHookProps |
Python | aws_cdk.CfnGuardHookProps |
TypeScript | aws-cdk-lib » CfnGuardHookProps |
Properties for defining a CfnGuardHook.
Example
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import * as cdk from 'aws-cdk-lib';
const cfnGuardHookProps: cdk.CfnGuardHookProps = {
  alias: 'alias',
  executionRole: 'executionRole',
  failureMode: 'failureMode',
  hookStatus: 'hookStatus',
  ruleLocation: {
    uri: 'uri',
    // the properties below are optional
    versionId: 'versionId',
  },
  targetOperations: ['targetOperations'],
  // the properties below are optional
  logBucket: 'logBucket',
  options: {
    inputParams: {
      uri: 'uri',
      // the properties below are optional
      versionId: 'versionId',
    },
  },
  stackFilters: {
    filteringCriteria: 'filteringCriteria',
    // the properties below are optional
    stackNames: {
      exclude: ['exclude'],
      include: ['include'],
    },
    stackRoles: {
      exclude: ['exclude'],
      include: ['include'],
    },
  },
  targetFilters: {
    actions: ['actions'],
    invocationPoints: ['invocationPoints'],
    targetNames: ['targetNames'],
  },
};
Properties
Name | Type | Description |
---|---|---|
alias | string | The type name alias for the Hook. This alias must be unique per account and Region. |
executionRole | string | The IAM role that the Hook assumes to retrieve your Guard rules from S3 and optionally write a detailed Guard output report back. |
failureMode | string | Specifies how the Hook responds when rules fail their evaluation. |
hookStatus | string | Specifies if the Hook is ENABLED or DISABLED. |
ruleLocation | IResolvable \| S3 | Specifies the S3 location of your Guard rules. |
targetOperations | string[] | Specifies which type of operation the Hook is run against. |
logBucket? | string | Specifies the name of an S3 bucket to store the Guard output report. |
options? | IResolvable \| Options | Specifies the S3 location of your input parameters. |
stackFilters? | IResolvable \| Stack | Specifies the stack level filters for the Hook. |
targetFilters? | IResolvable \| Target | Specifies the target filters for the Hook. |
alias
Type: string
The type name alias for the Hook. This alias must be unique per account and Region.
The alias must be in the form Name1::Name2::Name3 and must not begin with AWS. For example, Private::Guard::MyTestHook.
executionRole
Type: string
The IAM role that the Hook assumes to retrieve your Guard rules from S3 and optionally write a detailed Guard output report back.
failureMode
Type: string
Specifies how the Hook responds when rules fail their evaluation.
FAIL: Prevents the action from proceeding. This is helpful for enforcing strict compliance or security policies.
WARN: Issues warnings to users but allows actions to continue. This is useful for non-critical validations or informational checks.
hookStatus
Type: string
Specifies if the Hook is ENABLED or DISABLED.
ruleLocation
Type: IResolvable | S3
Specifies the S3 location of your Guard rules.
targetOperations
Type: string[]
Specifies which type of operation the Hook is run against.
Valid values: STACK | RESOURCE | CHANGE_SET | CLOUD_CONTROL
logBucket?
Type: string (optional)
Specifies the name of an S3 bucket to store the Guard output report.
This report contains the results of your Guard rule validations.
options?
Type: IResolvable | Options (optional)
Specifies the S3 location of your input parameters.
stackFilters?
Type: IResolvable | Stack (optional)
Specifies the stack level filters for the Hook.
targetFilters?
Type: IResolvable | Target (optional)
Specifies the target filters for the Hook.
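A pre-deployment check of the values documented above, as an added example that is not part of the original page or of aws-cdk-lib: it reports alias, failureMode, hookStatus and targetOperations values the descriptions rule out, and warns on settings that leave the Hook non-blocking, disabled or without a stored report. The GuardHookSettings interface and the lintGuardHookSettings helper are hypothetical names; the alphanumeric alias segments and the case-insensitive AWS prefix check are assumptions.

```typescript
// Local mirror of the CfnGuardHookProps fields this check reads (field names from this page).
interface GuardHookSettings {
  alias: string;
  failureMode: string;
  hookStatus: string;
  targetOperations: string[];
  logBucket?: string;
}
interface Finding { level: 'error' | 'warning'; field: string; message: string; }

const TARGET_OPERATIONS: string[] = ['STACK', 'RESOURCE', 'CHANGE_SET', 'CLOUD_CONTROL'];

// Hypothetical helper: 'error' for values the property descriptions rule out,
// 'warning' for settings that weaken enforcement or drop the report.
function lintGuardHookSettings(p: GuardHookSettings): Finding[] {
  const out: Finding[] = [];
  const add = (level: Finding['level'], field: string, message: string): void => {
    out.push({ level, field, message });
  };
  // Assumption: segments are alphanumeric and the AWS prefix is matched case-insensitively.
  if (!/^[A-Za-z0-9]+::[A-Za-z0-9]+::[A-Za-z0-9]+$/.test(p.alias)) {
    add('error', 'alias', 'must be in the form Name1::Name2::Name3');
  } else if (/^aws/i.test(p.alias)) {
    add('error', 'alias', 'must not begin with AWS');
  }
  if (p.failureMode === 'WARN') {
    add('warning', 'failureMode', 'WARN lets actions continue when rules fail');
  } else if (p.failureMode !== 'FAIL') {
    add('error', 'failureMode', 'expected FAIL or WARN');
  }
  if (p.hookStatus === 'DISABLED') {
    add('warning', 'hookStatus', 'Hook is DISABLED');
  } else if (p.hookStatus !== 'ENABLED') {
    add('error', 'hookStatus', 'expected ENABLED or DISABLED');
  }
  const bad = p.targetOperations.filter((op) => TARGET_OPERATIONS.indexOf(op) === -1);
  if (bad.length > 0) {
    add('error', 'targetOperations', `not a valid value: ${bad.join(', ')}`);
  }
  if (!p.logBucket) {
    add('warning', 'logBucket', 'no bucket set to store the Guard output report');
  }
  return out;
}

// Constructed sample values, not taken from a real account.
const sampleFindings = lintGuardHookSettings({ alias: 'AWS::Guard::MyTestHook',
  failureMode: 'WARN', hookStatus: 'ENABLED', targetOperations: ['RESOURCE', 'STACKS'] });
console.log(sampleFindings.map((f) => `${f.level} ${f.field}: ${f.message}`).join('\n'));
```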