aws.ami

Filters

cross-account

Check a resource’s embedded IAM policy for cross-account access.

properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - ec2:DescribeImageAttribute

image-age

Filters images based on the age (in days)

example:

policies:
  - name: ami-remove-launch-permissions
    resource: ami
    filters:
      - type: image-age
        days: 30
properties:
  days:
    minimum: 0
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - image-age
required:
- type

image-attribute

AMI Image Value Filter on a given image attribute.

Filters AMIs with the given AMI attribute

example:

policies:
  - name: ami-unused-recently
    resource: ami
    filters:
      - type: image-attribute
        attribute: lastLaunchedTime
        key: "Value"
        op: gte
        value_type: age
        value: 30
properties:
  attribute:
    enum:
    - description
    - kernel
    - ramdisk
    - launchPermissions
    - productCodes
    - blockDeviceMapping
    - sriovNetSupport
    - bootMode
    - tpmSupport
    - uefiData
    - lastLaunchedTime
    - imdsSupport
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - image-attribute
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- attribute

Permissions - ec2:DescribeImageAttribute

unused

Filters images based on usage

true: image has no instances spawned from it
false: image has instances spawned from it

example:

policies:
  - name: ami-unused
    resource: ami
    filters:
      - type: unused
        value: true
properties:
  type:
    enum:
    - unused
  value:
    type: boolean
required:
- type

Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags

Actions

cancel-launch-permission

Action to cancel this account’s access to another account’s shared AMI

If another AWS account shares an image with your account, and you no longer want to allow its use in your account, this action will remove the permission for your account to launch from the image.

As this is not reversible without accessing the AMI source account, it defaults to running in dryrun mode. Set dryrun to false to enforce.

Note this does not apply to AMIs shared by Organization or OU. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html

example:

policies:
  - name: ami-cancel-share-to-me-old
    resource: ami
    query:
      - ExecutableUsers: [self]
      - Owners: []
    filters:
      - type: image-age
        days: 90
    actions:
      - type: cancel-launch-permission
properties:
  dryrun:
    type: boolean
  type:
    enum:
    - cancel-launch-permission
required:
- type

Permissions - ec2:CancelImageLaunchPermission

copy

Action to copy AMIs with optional encryption

This action can copy AMIs while optionally encrypting or decrypting the target AMI. It is advised to use in conjunction with a filter.

Note there is a max in flight of 5 per account/region.

example:

policies:
  - name: ami-ensure-encrypted
    resource: ami
    filters:
      - type: value
        key: encrypted
        value: true
    actions:
      - type: copy
        encrypt: true
        key-id: 00000000-0000-0000-0000-000000000000
properties:
  description:
    type: string
  encrypt:
    type: boolean
  key-id:
    type: string
  name:
    type: string
  region:
    type: string
  type:
    enum:
    - copy

Permissions - ec2:CopyImage

deregister

Action to deregister AMI

To prevent deregistering all AMI, it is advised to use in conjunction with a filter (such as image-age)

example:

policies:
  - name: ami-deregister-old
    resource: ami
    filters:
      - type: image-age
        days: 90
    actions:
      - deregister
properties:
  delete-snapshots:
    type: boolean
  type:
    enum:
    - deregister
required:
- type

Permissions - ec2:DeregisterImage

remove-launch-permissions

Action to remove the ability to launch an instance from an AMI

DEPRECATED - use set-permissions instead to support AWS Organizations sharing as well as adding permissions

This action will remove any launch permissions granted to other AWS accounts from the image, leaving only the owner capable of launching it

example:

policies:
  - name: ami-stop-share-old
    resource: ami
    filters:
      - type: image-age
        days: 60
    actions:
      - type: remove-launch-permissions
properties:
  accounts:
    oneOf:
    - enum:
      - matched
    - maxLength: 12
      minLength: 12
      type: string
  type:
    enum:
    - remove-launch-permissions
required:
- type

Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute

set-deprecation

Action to enable or disable AMI deprecation

To prevent deprecation of all AMIs, it is advised to use in conjunction with a filter (such as image-age)

example:

policies:
  - name: ami-deprecate-old
    resource: ami
    filters:
      - type: image-age
        days: 30
    actions:
      - type: set-deprecation
        #Number of days from AMI creation
        age: 90
        #Number of days from now
        #days: 90
        #Specific date/time
        #date: "2023-11-30"
properties:
  age:
    type: integer
  date:
    type: string
  days:
    type: integer
  type:
    enum:
    - set-deprecation
required:
- type

Permissions - ec2:EnableImageDeprecation, ec2:DisableImageDeprecation

set-permissions

Set or remove AMI launch permissions

This action will add or remove launch permissions granted to other AWS accounts, organizations or organizational units from the image.

Use the ‘add’ and ‘remove’ parameters to control which principals to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts. Principals can be an AWS account id, an organization ARN, or an organizational unit ARN

Use ‘remove: matched’ in combination with the ‘cross-account’ filter for more flexible removal options such as preserving access for a set of whitelisted accounts:

example:

policies:
  - name: ami-share-remove-cross-account
    resource: ami
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
          - 'arn:aws:organizations::112233445566:organization/o-xxyyzzaabb'
          - 'arn:aws:organizations::112233445566:ou/o-xxyyzzaabb/ou-xxyy-aabbccdd'
    actions:
      - type: set-permissions
        remove: matched
    # To remove all permissions
    # - type: set-permissions
    # To remove public permissions
    # - type: set-permissions
    #   remove:
    #     - all
    # To remove specific permissions
    # - type: set-permissions
    #   remove:
    #     - '223344556677'
    #     - 'arn:aws:organizations::112233445566:organization/o-zzyyxxbbaa'
    #     - 'arn:aws:organizations::112233445566:ou/o-zzyyxxbbaa/ou-xxyy-ddccbbaa'
    # To set specific permissions
    # - type: set-permissions
    #   remove: matched
    #   add:
    #     - '223344556677'
    #     - 'arn:aws:organizations::112233445566:organization/o-zzyyxxbbaa'
    #     - 'arn:aws:organizations::112233445566:ou/o-zzyyxxbbaa/ou-xxyy-ddccbbaa'
properties:
  add:
    items:
      type: string
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - set-permissions
required:
- type

Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute
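The following is an added illustration, not Cloud Custodian's own code, of the logic behind the cross-account filter's whitelist and the set-permissions action's `remove: matched`: it takes an AMI's launchPermission attribute (as returned by ec2:DescribeImageAttribute), flags every grant that is neither the owner nor a whitelisted account, organization ARN or OU ARN (a public `all` grant is always flagged), and builds the ec2:ModifyImageAttribute parameters that revoke exactly those grants. The account ids, ARNs and image id are constructed sample values.

```python
from typing import Dict, List, Set

# Constructed sample: the LaunchPermissions list that
# ec2:DescribeImageAttribute(Attribute="launchPermission") returns for one image.
SAMPLE_LAUNCH_PERMISSIONS: List[Dict[str, str]] = [
    {"UserId": "112233445566"},  # whitelisted account
    {"UserId": "223344556677"},  # foreign, non-whitelisted account
    {"OrganizationArn": "arn:aws:organizations::112233445566:organization/o-xxyyzzaabb"},
    {"OrganizationalUnitArn": "arn:aws:organizations::112233445566:ou/o-zzyyxxbbaa/ou-xxyy-ddccbbaa"},
    {"Group": "all"},  # public image
]

# Constructed whitelist, in the same form the cross-account filter accepts.
WHITELIST: Set[str] = {
    "112233445566",
    "arn:aws:organizations::112233445566:organization/o-xxyyzzaabb",
}
OWNER_ID = "111111111111"  # constructed owning account


def principal_of(perm: Dict[str, str]) -> str:
    """Reduce one LaunchPermission entry to the principal string a whitelist names."""
    for key in ("UserId", "OrganizationArn", "OrganizationalUnitArn", "Group"):
        if key in perm:
            return perm[key]
    raise ValueError(f"unrecognised launch permission entry: {perm}")


def matched_permissions(perms: List[Dict[str, str]], whitelist: Set[str],
                        owner_id: str) -> List[Dict[str, str]]:
    """Grants to anyone other than the owner or a whitelisted principal.
    A Group grant ('all' = public) is never considered whitelisted."""
    matched = []
    for perm in perms:
        principal = principal_of(perm)
        if principal == owner_id:
            continue
        if "Group" not in perm and principal in whitelist:
            continue
        matched.append(perm)
    return matched


def remove_request(image_id: str, matched: List[Dict[str, str]]) -> dict:
    """Parameters for ec2:ModifyImageAttribute that revoke exactly the matched grants,
    i.e. what a 'remove: matched' step has to send for this image."""
    return {
        "ImageId": image_id,
        "Attribute": "launchPermission",
        "LaunchPermission": {"Remove": matched},
    }
```

Running `matched_permissions(SAMPLE_LAUNCH_PERMISSIONS, WHITELIST, OWNER_ID)` on the sample keeps the whitelisted account and organization and flags the foreign account, the non-whitelisted OU and the public grant.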