configSchema (optional)
    This policy's configuration schema.

    For example:

        {
            configSchema: {
                properties: {
                    expiration: {
                        type: "integer",
                        default: 14,
                    },
                    identifier: {
                        type: "string",
                    },
                },
            },
            validateResource: (args, reportViolation) => {
                // Typed view of the values supplied for this policy's configSchema
                const { expiration, identifier } = args.getConfig<{ expiration: number; identifier?: string }>();
                // ...
            },
        }
description
    A brief description of the policy rule, e.g., "S3 buckets should have default encryption enabled."

displayName (optional)
    An optional pretty name for the policy.

enforcementLevel (optional)
    Indicates what to do on policy violation, e.g., block deployment but allow override with proper permissions.

framework (optional)
    The compliance framework that this policy belongs to.

name
    An ID for the policy. Must be unique within the current policy set.

remediationSteps (optional)
    A description of the steps to take to remediate a policy violation.

severity (optional)
    The severity of the policy.

tags (optional)
    Tags associated with the policy.

url (optional)
    An optional URL to more information about the policy.

validateResource
    A policy function that returns true if a resource definition violates some policy (e.g., "no public S3 buckets"), together with a set of metadata useful for generating helpful messages when the policy is violated.
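The following is an added, self-contained example (not Pulumi's own code) showing how `configSchema` and `validateResource` fit together: a policy declares its configuration schema, reads the resolved values through `args.getConfig<T>()`, and reports violations for resources that exceed the configured limit. The local `PolicyLike` and `ArgsLike` types, the `resolveConfig` and `runPolicy` harness, the resource type `example:index:Certificate`, and the sample resources are all assumptions constructed for this demo so it runs offline; in a real policy pack the `@pulumi/policy` package supplies the types and applies schema defaults for you.

```typescript
// Added example, not part of the Pulumi policy SDK. The shapes below are
// assumptions that mirror the fields documented on this page closely enough
// to exercise a configurable validateResource without the real package.

type PropSchema = { type: string; default?: unknown };
type ConfigSchema = { properties: Record<string, PropSchema> };

interface ArgsLike {
    type: string;
    name: string;
    props: Record<string, any>;
    getConfig<T>(): T;
}
type ReportViolation = (message: string, urn?: string) => void;

interface PolicyLike {
    name: string;
    description: string;
    enforcementLevel?: "advisory" | "mandatory" | "disabled";
    configSchema?: ConfigSchema;
    validateResource: (args: ArgsLike, reportViolation: ReportViolation) => void;
}

interface CertConfig { expiration: number; identifier?: string }

// Policy: certificates must not be valid for longer than `expiration` days,
// and when `identifier` is configured every certificate must carry it as the
// `owner` tag. Resource type name is a constructed placeholder.
const certExpirationPolicy: PolicyLike = {
    name: "certificate-max-validity",
    description: "Certificates must expire within the configured number of days.",
    enforcementLevel: "mandatory",
    configSchema: {
        properties: {
            expiration: { type: "integer", default: 14 },
            identifier: { type: "string" },
        },
    },
    validateResource: (args, reportViolation) => {
        if (args.type !== "example:index:Certificate") {
            return; // policy only applies to certificates
        }
        const { expiration, identifier } = args.getConfig<CertConfig>();
        const validityDays = Number(args.props.validityDays);
        if (validityDays > expiration) {
            reportViolation(`certificate '${args.name}' is valid for ${validityDays} days; limit is ${expiration}`);
        }
        if (identifier !== undefined && args.props.tags?.owner !== identifier) {
            reportViolation(`certificate '${args.name}' must be tagged owner=${identifier}`);
        }
    },
};

// Fill in schema defaults for keys the user did not set. This is an assumed
// stand-in for what the policy engine does with `default` in configSchema.
function resolveConfig(schema: ConfigSchema | undefined, userConfig: Record<string, unknown>): Record<string, unknown> {
    const resolved: Record<string, unknown> = { ...userConfig };
    for (const [key, prop] of Object.entries(schema?.properties ?? {})) {
        if (resolved[key] === undefined && prop.default !== undefined) {
            resolved[key] = prop.default;
        }
    }
    return resolved;
}

// Run one policy over a list of resources and return the violation messages.
function runPolicy(
    policy: PolicyLike,
    userConfig: Record<string, unknown>,
    resources: { type: string; name: string; props: Record<string, any> }[],
): string[] {
    const config = resolveConfig(policy.configSchema, userConfig);
    const violations: string[] = [];
    for (const r of resources) {
        const args: ArgsLike = { ...r, getConfig: <T>() => config as T };
        policy.validateResource(args, (msg) => violations.push(msg));
    }
    return violations;
}

// Constructed sample resources: one compliant cert, one long-lived untagged
// cert, and an unrelated resource the policy must ignore.
const sampleResources = [
    { type: "example:index:Certificate", name: "api-cert", props: { validityDays: 10, tags: { owner: "platform" } } },
    { type: "example:index:Certificate", name: "legacy-cert", props: { validityDays: 365, tags: {} } },
    { type: "example:index:Bucket", name: "logs", props: { validityDays: 9999 } },
];

// With no user config the schema default (14 days) applies and only
// legacy-cert is flagged.
console.log(runPolicy(certExpirationPolicy, {}, sampleResources));
// Raising the limit and requiring an owner tag flags legacy-cert for a
// different reason.
console.log(runPolicy(certExpirationPolicy, { expiration: 400, identifier: "platform" }, sampleResources));
```

The point to notice is that the policy never hard-codes its threshold: the schema `default` makes the policy usable with no configuration, and the same policy can be tightened or loosened per policy pack without changing code.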