Skip to main content

Configure sls-mentor

sls-mentor runs out of the box with no necessary configuration. However you might want to add configuration for it to fit your needs the best.

First you need to create a configuration file. At the root of the project, create a sls-mentor.json file. sls-mentor will look for this file in the directory it's launched.

Ignore resources

You can ask sls-mentor to ignore some resources when running a rule. To do so add the following in sls-mentor.json

{
rules: {
RULE_NAME: {
ignoredResources: [reqex patterns to ignore...]
}
}
}

ignoredResources accepts an array of regex that you wish to ignore. You can either add your resource full ARN or pattern matching the resources you wish to ignore.

The rule name should be one of the following list:

RuleName for configuration file
SES: assign default configuration setassignDefaultConfigurationSet
Lambda: Specify Failure Destination for Async FunctionsasyncSpecifyFailureDestination
Autoscaling is possible for RDS instancesautoscaleRdsInstanceEnabled
CloudFront: use only https or redirect http to https on the cache behaviors of your distributionscloudFrontNoHttp
CloudFront: your distributions should be associated with a SSL certificate (ACM or IAM).cloudFrontSSLCertificate
CloudFront: use SecurityHeadersPolicy on the cache behaviors of your distributionscloudFrontSecurityHeaders
User Pools enforce passwords of at least 10 characterscognitoEnforceLongPasswords
Cognito: use case insensitivity on the username inputcognitoSignInCaseInsensitivity
SES configuration sets should enable suppression listconfigurationSetEnableSuppresionList
SES: Custom MAIL FROM DomaincustomMailFromDomain
Backup: Defined Backup Retention Period or Transition to Cold StoragedefinedBackupRetentionPeriodOrTransitionToColdStorage
CloudWatch Logs: Define a retention durationdefinedLogsRetentionDuration
DynamoDB: Define a backup configurationdynamodbBackupConfig
Enable block public accessenableBlockPublicAccess
Enable the Deletion protection on DynamoDB tablesenableDeletionProtectionOnDynamoDBTables
SES : Reputation Metrics Enabled on Configuration SetenableReputationMetrics
SNS: Topics should be encryptedencryptedSnsTopics
Lambda: Light BundlelightBundle
Lambda: Limited Amount of VersionslimitedAmountOfVersions
Lambda: No Deprecated RuntimenoDeprecatedRuntime
Lambda: No Maximum TimeoutnoMaxTimeout
Lambda: No Mono PackagenoMonoPackage
Lambda: No Provisioned ConcurrencynoProvisionedConcurrency
Lambda: No Shared IAM RolesnoSharedIamRoles
Api Gateway V2: Use Authorized RoutesnoUnauthorizedApiGatewaysV2Routes
Rest Api Gateway: Use Authorized RoutesnoUnauthorizedRestApiGatewaysRoutes
SES: No Email IdentitiesnoSESEmailIdentity
S3: Use HTTPS requests onlys3OnlyAllowHTTPS
SNS: Subscription has redrive policysnsRedrivePolicy
Specifying a DLQ on EventBridge events targetsspecifyDlqOnEventBridgeRule
Specifying a DLQ on SQSspecifyDlqOnSqs
Lambda: Timeout compatible with SQS trigger visibility timeouttimeoutSmallEnoughForSqsVisibility
Lambda: Under Maximum MemoryunderMaxMemory
Lambda: Use an ARM ArchitectureuseArm
S3: Use Intelligent TieringuseIntelligentTiering

For example you can add the following:

{
rules: {
noSharedIamRoles: {
ignoredResources: [
'arn:aws:lambda:us-west-2:123456789012:function:my-function',
'arn:aws:lambda:us-west-1:.*'
]
}
}
}