Scope By Resource Tags #389

Open
tony-caffe opened this issue Jul 15, 2022 · 0 comments

Comments

@tony-caffe

Hi,

As you all know, PCI is either in scope or not in scope. I would love to use this PCI conformance pack template entirely in the Console, but the console doesn't give me the option to add a scope of resources, and more specifically the ones I tag as 'in scope' for PCI.

Here is an example of the first rule in your conformance pack. I added the scope, and the console registers it and now even displays the scope. To have any way to force this, I have to add a Scope: section for every resource listed in the YAML, as well as fork it and upload a custom one.

Parameters:
  AccessKeysRotatedParamMaxAccessKeyAge:
    Default: '90'
    Type: String
Resources:
  AccessKeysRotated:
    Properties:
      ConfigRuleName: access-keys-rotated
      InputParameters:
        maxAccessKeyAge:
          Fn::If:
          - accessKeysRotatedParamMaxAccessKeyAge
          - Ref: AccessKeysRotatedParamMaxAccessKeyAge
          - Ref: AWS::NoValue
      # Added scope: the rule now evaluates only resources carrying this tag.
      # Untagged resources are not evaluated at all (they are neither compliant
      # nor non-compliant), so they drop out of the rule's results entirely.
      Scope:
        TagKey: Compliance Framework
        TagValue: PCI
      Source:
        Owner: AWS
        SourceIdentifier: ACCESS_KEYS_ROTATED
    Type: AWS::Config::ConfigRule
Conditions:
  # True when the parameter was given a non-empty value; otherwise the
  # Fn::If above drops maxAccessKeyAge via AWS::NoValue.
  accessKeysRotatedParamMaxAccessKeyAge:
    Fn::Not:
    - Fn::Equals:
      - ''
      - Ref: AccessKeysRotatedParamMaxAccessKeyAge

Two suggestions:

  1. Add the ability to add a custom scope to any rule/conformance pack by tags, as they are super powerful and an easy way to mark up resources, as we all know.

  2. Make a default scope in the YAML instead of me having to 'reuse' code on every single resource, only updating a resource when it needs to overwrite or add to the tag I have in global scope.

I went to AWS Summit NYC this week and learned about AWS Config for this purpose, and I wish I had known this was a current limitation, as I could have brought it up there.

Thank you!

Anthony Affee
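Until something like suggestion 2 exists, the "default scope" can be applied mechanically before upload. The script below is an added example written for this page; it is not code from the issue author or from the conformance pack repository. It operates on the template as a parsed mapping (shown here in JSON form; because the posted fragment uses long-form `Fn::If`/`Ref`, loading the YAML with a standard YAML loader such as PyYAML's `safe_load` yields the same mapping, while short-form `!Ref` tags would need a CloudFormation-aware loader). It gives every `AWS::Config::ConfigRule` that has no `Scope` the tag scope, keeps any rule that already declares its own `Scope` (that is the per-rule override), skips rules you name explicitly, and rejects a `Scope` that has a `TagValue` without a `TagKey`, which the Config API does not accept. The `S3BucketPublicReadProhibited` and `PciTagPresent` resources in the sample are constructed for the example (the `REQUIRED_TAGS` managed rule is real; the resource names and the `Compliance Framework` tag are taken from the post or invented here).

```python
"""Add a default tag Scope to every AWS::Config::ConfigRule in a conformance
pack template, leaving rules that declare their own Scope (the per-rule
override) and explicitly excluded rules untouched."""
import copy
import json

CONFIG_RULE_TYPE = "AWS::Config::ConfigRule"

# Constructed sample in the template's JSON form. The first rule mirrors the
# posted fragment without its Scope; the other two resources are hypothetical
# and only exercise the "already scoped" and "excluded" branches.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Parameters": {
    "AccessKeysRotatedParamMaxAccessKeyAge": {"Default": "90", "Type": "String"}
  },
  "Conditions": {
    "accessKeysRotatedParamMaxAccessKeyAge": {"Fn::Not": [
      {"Fn::Equals": ["", {"Ref": "AccessKeysRotatedParamMaxAccessKeyAge"}]}]}
  },
  "Resources": {
    "AccessKeysRotated": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "access-keys-rotated",
        "InputParameters": {"maxAccessKeyAge": {"Fn::If": [
          "accessKeysRotatedParamMaxAccessKeyAge",
          {"Ref": "AccessKeysRotatedParamMaxAccessKeyAge"},
          {"Ref": "AWS::NoValue"}]}},
        "Source": {"Owner": "AWS", "SourceIdentifier": "ACCESS_KEYS_ROTATED"}
      }
    },
    "S3BucketPublicReadProhibited": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "s3-bucket-public-read-prohibited",
        "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
        "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_READ_PROHIBITED"}
      }
    },
    "PciTagPresent": {
      "Type": "AWS::Config::ConfigRule",
      "Properties": {
        "ConfigRuleName": "pci-tag-present",
        "InputParameters": {"tag1Key": "Compliance Framework", "tag1Value": "PCI"},
        "Source": {"Owner": "AWS", "SourceIdentifier": "REQUIRED_TAGS"}
      }
    }
  }
}
""")


def add_default_scope(template, tag_key, tag_value, exclude=()):
    """Return (new_template, report). Every ConfigRule without a Scope gets
    Scope: {TagKey, TagValue}; a rule that already has a Scope keeps it (that
    is the override), and rules named in `exclude` are skipped. Raises if a
    Scope pairs TagValue with no TagKey, which the Config API rejects."""
    if not tag_key:
        raise ValueError("a tag-based Scope needs a TagKey")
    out = copy.deepcopy(template)  # never mutate the caller's template
    report = {"scoped": [], "kept": [], "excluded": []}
    for name, res in out.get("Resources", {}).items():
        if res.get("Type") != CONFIG_RULE_TYPE:
            continue
        props = res.setdefault("Properties", {})
        if name in exclude:
            report["excluded"].append(name)
        elif "Scope" in props:
            scope = props["Scope"]
            if "TagValue" in scope and "TagKey" not in scope:
                raise ValueError(f"{name}: Scope.TagValue requires Scope.TagKey")
            report["kept"].append(name)
        else:
            props["Scope"] = {"TagKey": tag_key, "TagValue": tag_value}
            report["scoped"].append(name)
    return out, report


def unscoped_rules(template):
    """Names of ConfigRules that would evaluate every resource in the account."""
    return [n for n, r in template.get("Resources", {}).items()
            if r.get("Type") == CONFIG_RULE_TYPE
            and "Scope" not in r.get("Properties", {})]


if __name__ == "__main__":
    # The required-tags rule is excluded on purpose: scoping it to the PCI tag
    # would mean it never sees the untagged resources it exists to catch.
    scoped, rep = add_default_scope(SAMPLE_TEMPLATE, "Compliance Framework",
                                    "PCI", exclude={"PciTagPresent"})
    print(json.dumps(rep, indent=2))
    print(json.dumps(scoped, indent=2))
```

The exclusion list is the caveat worth keeping in mind with tag scoping in general: a resource that should be in PCI scope but is missing the tag silently falls out of every scoped rule's results, so a companion rule that checks for the tag itself (the `REQUIRED_TAGS` managed rule, as in the constructed `PciTagPresent` resource) must stay unscoped, and `unscoped_rules` is the quick check that nothing else was left evaluating the whole account by accident.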
