Ctrlk
Edit

Multiple Environments

Apply different AMI allowlists per environment in a single rule. This example uses vars.custom.account_id to select Prod, Staging, or Dev.

Prompt

The following can be used with the gomboc-enterprise-skills.

/gomboc:fix

I want to create an ORL rule that checks that the AMI used for EC2 instances, launch configurations, or launch templates is one of the following AMIs, based on environment:

- Prod (129483756201):
  - ami-0a1b2c3d4e5f67890
  - ami-0987654321fedcba0
  - ami-0ff11223344556677
  - ami-0abcdef1234567890
  - ami-0123456789abcdef0
- Staging (884920193475):
  - ami-0a1b2c3d4e5f6g7h8
  - ami-1234567890abcdef0
  - ami-9876543210fedcba9
  - ami-z9y8x7w6v5u4t3s2r
  - ami-f0e1d2c3b4a596877
- Dev (340912837456):
  - ami-0a1b2c3d4e5f6g7h8
  - ami-08e1a47b2c9f3d6a1
  - ami-0c5f8d2e1b4a79362
  - ami-0fb92e1d7c4b3a850
  - ami-0d6a2f4c1e9b7a3d8

Do not remediate. Audit only, using an error message that lists the valid AMIs for the detected environment.

**Important**: The account ID SHOULD be provided via `vars.custom.account_id`.  If that is not defined then assume `Prod`.

Use /gomboc-community:fix if you have the gomboc-community-skills installed.

Include the full allowlist for each environment and specify a default (Prod here) when vars.custom.account_id is unset.

Rule Output Example

The ruleset repeats the same environment logic for each resource type that accepts an AMI. skip_finding selects the allowlist from vars.custom.account_id (defaulting to Prod). The audit message lists valid AMIs for all environments so reviewers can see every option.

PreviousMaintaining RulesNextPolicy-as-Code

Last updated