aws.ami
Filters
cross-account
Check an AMI's launch permissions for cross-account access. Principals listed in whitelist (or loaded with whitelist_from) are ignored; any other principal that has been granted launch permission on the image, including a public grant to the all group, is reported as cross-account access. Whitelist entries take the same forms as set-permissions principals: an AWS account ID, an organization ARN or an organizational unit ARN.
properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type
Permissions - ec2:DescribeImageAttribute
image-age
Filters images based on their age in days, measured from the image's CreationDate. The comparison defaults to greater-than, so the example below matches images created more than 30 days ago; set op to choose a different comparison.
Example:
    policies:
      - name: ami-remove-launch-permissions
        resource: ami
        filters:
          - type: image-age
            days: 30
properties:
  days:
    minimum: 0
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - image-age
required:
- type
image-attribute
Value filter on a given AMI image attribute. The attribute named by attribute is fetched per image with DescribeImageAttribute and the usual value filter options (key, op, value, value_type and so on) are applied to the result; key is the path within the returned attribute, for example Value for lastLaunchedTime.
Example (images whose most recent launch was 30 or more days ago). Two caveats apply to lastLaunchedTime: an image that has never been launched has no Value, so an age comparison does not match it, and AWS reports a launch with a delay of up to 24 hours.
    policies:
      - name: ami-unused-recently
        resource: ami
        filters:
          - type: image-attribute
            attribute: lastLaunchedTime
            key: "Value"
            op: gte
            value_type: age
            value: 30
properties:
  attribute:
    enum:
    - description
    - kernel
    - ramdisk
    - launchPermissions
    - productCodes
    - blockDeviceMapping
    - sriovNetSupport
    - bootMode
    - tpmSupport
    - uefiData
    - lastLaunchedTime
    - imdsSupport
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - image-attribute
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- attribute
Permissions - ec2:DescribeImageAttribute
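The two age comparisons above (image-age against CreationDate, and image-attribute with attribute: lastLaunchedTime and value_type: age) are easy to get backwards, so the following added example works through both on constructed DescribeImages and DescribeImageAttribute excerpts. It is illustrative code written for this page, not Cloud Custodian's implementation; the function names, the pinned NOW timestamp and the sample records are assumptions. It also handles the edge case the policy above cannot: an image that has never been launched has no lastLaunchedTime value, so no age comparison can match it, and the example reports such images separately instead of silently dropping them.

```python
# Added illustration for this page (not Cloud Custodian's own code): how image-age and
# image-attribute/lastLaunchedTime age comparisons evaluate against AMI data.
# All records below are constructed; NOW is pinned so the results are reproducible.
from datetime import datetime, timezone
import operator

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # assumed "current time" for the example

# Operator names as accepted by the filters' op property (the subset relevant to ages).
OPS = {
    "gt": operator.gt, "greater-than": operator.gt,
    "ge": operator.ge, "gte": operator.ge,
    "lt": operator.lt, "less-than": operator.lt,
    "le": operator.le, "lte": operator.le,
    "eq": operator.eq, "equal": operator.eq,
    "ne": operator.ne, "not-equal": operator.ne,
}


def parse_aws_timestamp(value):
    """Parse an EC2 ISO-8601 timestamp ('2024-01-15T10:20:30.000Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def age_days(timestamp, now=NOW):
    """Whole days elapsed between an AWS timestamp and `now`."""
    return (now - parse_aws_timestamp(timestamp)).days


def image_age_matches(image, days, op="greater-than", now=NOW):
    """image-age semantics: compare the age of the image's CreationDate with `days`.
    The filter's default operator is greater-than, i.e. 'older than `days` days'."""
    return OPS[op](age_days(image["CreationDate"], now), days)


def last_launched_age_matches(attribute_response, op, value, now=NOW):
    """image-attribute with attribute: lastLaunchedTime, key: Value, value_type: age.
    `attribute_response` mirrors DescribeImageAttribute(Attribute='lastLaunchedTime').
    Returns None when the image has never been launched (there is no Value to compare)."""
    launched = attribute_response.get("LastLaunchedTime", {}).get("Value")
    if launched is None:
        return None
    return OPS[op](age_days(launched, now), value)


# Constructed DescribeImages excerpts (only the fields the checks use).
IMAGES = [
    {"ImageId": "ami-0123456789abcdef1", "CreationDate": "2024-01-15T10:20:30.000Z"},  # old
    {"ImageId": "ami-0123456789abcdef2", "CreationDate": "2024-05-20T08:00:00.000Z"},  # recent
    {"ImageId": "ami-0123456789abcdef3", "CreationDate": "2023-12-01T00:00:00.000Z"},  # old
]

# Constructed DescribeImageAttribute(Attribute='lastLaunchedTime') excerpts, keyed by ImageId.
LAST_LAUNCHED = {
    "ami-0123456789abcdef1": {"LastLaunchedTime": {"Value": "2024-02-01T00:00:00.000Z"}},
    "ami-0123456789abcdef2": {"LastLaunchedTime": {"Value": "2024-05-25T00:00:00.000Z"}},
    "ami-0123456789abcdef3": {"LastLaunchedTime": {}},  # never launched: no Value at all
}


def select_stale(images, attributes, days=30, now=NOW):
    """Images older than `days` whose last launch is also at least `days` ago, plus,
    reported separately, the images older than `days` that have no launch record at all,
    so a policy can decide whether 'never launched' should count as unused."""
    stale, never_launched = [], []
    for image in images:
        if not image_age_matches(image, days, now=now):
            continue
        verdict = last_launched_age_matches(attributes[image["ImageId"]], "gte", days, now=now)
        if verdict is None:
            never_launched.append(image["ImageId"])
        elif verdict:
            stale.append(image["ImageId"])
    return stale, never_launched


if __name__ == "__main__":
    print(select_stale(IMAGES, LAST_LAUNCHED))  # (['ami-0123456789abcdef1'], ['ami-0123456789abcdef3'])
```

Running it shows the first image (created in January, last launched in February) as stale, the May image rejected by the age gate, and the December image, which has never been launched, in the separate never-launched list rather than matched or dropped.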
unused
Filters images based on usage, judged from EC2 instances and Auto Scaling launch configurations (see the permissions below).
value: true matches images with no instances spawned from them; value: false matches images that have instances spawned from them.
Example:
    policies:
      - name: ami-unused
        resource: ami
        filters:
          - type: unused
            value: true
properties:
  type:
    enum:
    - unused
  value:
    type: boolean
required:
- type
Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags
Actions
cancel-launch-permission
Action to cancel this account's access to another account's shared AMI.
If another AWS account shares an image with your account and you no longer want to allow its use in your account, this action removes your account's permission to launch from the image.
As this is not reversible without access to the AMI's source account, the action defaults to running in dryrun mode. Set dryrun to false to enforce.
Note that this does not apply to AMIs shared by Organization or OU. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html
Example (images shared with this account that are older than 90 days; the query selects images this account has launch permission on instead of the default of images it owns):
    policies:
      - name: ami-cancel-share-to-me-old
        resource: ami
        query:
          - ExecutableUsers: [self]
          - Owners: []
        filters:
          - type: image-age
            days: 90
        actions:
          - type: cancel-launch-permission
properties:
  dryrun:
    type: boolean
  type:
    enum:
    - cancel-launch-permission
required:
- type
Permissions - ec2:CancelImageLaunchPermission
copy
Action to copy AMIs with optional encryption.
This action copies AMIs, optionally encrypting the copy's snapshots with the given KMS key. An unencrypted image can be copied as an encrypted one, but the CopyImage API does not allow an encrypted image to be copied as an unencrypted one. Use it in conjunction with a filter: without one every AMI in scope is copied, and each copy is a new image alongside the original, not a replacement for it.
Note there is a maximum of 5 copies in flight per account/region.
Example (copy every image that has at least one unencrypted EBS mapping; key-id is a placeholder for the KMS key to encrypt with):
    policies:
      - name: ami-ensure-encrypted
        resource: ami
        filters:
          # match images where any EBS mapping is unencrypted
          - type: value
            key: BlockDeviceMappings[].Ebs.Encrypted
            op: contains
            value: false
        actions:
          - type: copy
            encrypt: true
            key-id: 00000000-0000-0000-0000-000000000000
properties:
  description:
    type: string
  encrypt:
    type: boolean
  key-id:
    type: string
  name:
    type: string
  region:
    type: string
  type:
    enum:
    - copy
Permissions - ec2:CopyImage
deregister
Action to deregister an AMI.
To avoid deregistering every AMI in scope, use it in conjunction with a filter (such as image-age). Deregistering an image does not remove the EBS snapshots backing it; set delete-snapshots: true to delete those as well.
Example:
    policies:
      - name: ami-deregister-old
        resource: ami
        filters:
          - type: image-age
            days: 90
        actions:
          - deregister
properties:
  delete-snapshots:
    type: boolean
  type:
    enum:
    - deregister
required:
- type
Permissions - ec2:DeregisterImage
remove-launch-permissions
Action to remove the ability to launch an instance from an AMI.
DEPRECATED: use set-permissions instead, which also supports AWS Organizations sharing and adding permissions.
This action removes any launch permissions granted to other AWS accounts from the image, leaving only the owner able to launch it. With accounts: matched, only the accounts flagged by a preceding cross-account filter are removed; a single 12-digit account ID removes that account alone.
Example:
    policies:
      - name: ami-stop-share-old
        resource: ami
        filters:
          - type: image-age
            days: 60
        actions:
          - type: remove-launch-permissions
properties:
  accounts:
    oneOf:
    - enum:
      - matched
    - maxLength: 12
      minLength: 12
      type: string
  type:
    enum:
    - remove-launch-permissions
required:
- type
Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute
set-deprecation
Action to enable or disable AMI deprecation.
To avoid deprecating every AMI in scope, use it in conjunction with a filter (such as image-age). Give one of age, days or date: age counts days from the AMI's creation date, days counts days from the time the policy runs, and date sets an explicit date/time.
Example:
    policies:
      - name: ami-deprecate-old
        resource: ami
        filters:
          - type: image-age
            days: 30
        actions:
          - type: set-deprecation
            # number of days from AMI creation
            age: 90
            # number of days from now
            # days: 90
            # specific date/time
            # date: "2023-11-30"
properties:
  age:
    type: integer
  date:
    type: string
  days:
    type: integer
  type:
    enum:
    - set-deprecation
required:
- type
Permissions - ec2:EnableImageDeprecation, ec2:DisableImageDeprecation
set-permissions
Set or remove AMI launch permissions.
This action adds or removes launch permissions granted to other AWS accounts, organizations or organizational units on the image.
Use the add and remove parameters to control which principals to add or remove, respectively. The default, with neither given, is to remove any permissions granted to other AWS accounts. Principals can be an AWS account ID, an organization ARN or an organizational unit ARN; the special value all refers to the public launch permission. Quote account IDs in YAML so that a leading zero is not dropped when the value is parsed as a number.
Use remove: matched in combination with the cross-account filter for more flexible removal, such as preserving access for a set of whitelisted accounts, as in the example below.
Example:
    policies:
      - name: ami-share-remove-cross-account
        resource: ami
        filters:
          - type: cross-account
            whitelist:
              - '112233445566'
              - 'arn:aws:organizations::112233445566:organization/o-xxyyzzaabb'
              - 'arn:aws:organizations::112233445566:ou/o-xxyyzzaabb/ou-xxyy-aabbccdd'
        actions:
          - type: set-permissions
            remove: matched
          # To remove all permissions
          # - type: set-permissions
          # To remove public permissions
          # - type: set-permissions
          #   remove:
          #     - all
          # To remove specific permissions
          # - type: set-permissions
          #   remove:
          #     - '223344556677'
          #     - 'arn:aws:organizations::112233445566:organization/o-zzyyxxbbaa'
          #     - 'arn:aws:organizations::112233445566:ou/o-zzyyxxbbaa/ou-xxyy-ddccbbaa'
          # To set specific permissions
          # - type: set-permissions
          #   remove: matched
          #   add:
          #     - '223344556677'
          #     - 'arn:aws:organizations::112233445566:organization/o-zzyyxxbbaa'
          #     - 'arn:aws:organizations::112233445566:ou/o-zzyyxxbbaa/ou-xxyy-ddccbbaa'
properties:
  add:
    items:
      type: string
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        type: string
      type: array
  type:
    enum:
    - set-permissions
required:
- type
Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute
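To make concrete what the cross-account filter's whitelist is compared against, and what set-permissions with remove: matched (optionally together with add) amounts to at the API level, here is an added example written for this page rather than taken from Cloud Custodian. It classifies a constructed launch-permission list, in the shape DescribeImageAttribute returns for launch permissions, against the whitelist from the example above and builds the keyword arguments for boto3's ec2.modify_image_attribute. The function names and the sample data are assumptions; the request is only built, never sent, so it runs offline. It also refuses an account ID that YAML has already turned into an integer, the leading-zero problem mentioned above.

```python
# Added illustration for this page (not Cloud Custodian's own code): evaluate AMI launch
# permissions against a cross-account whitelist and build the ModifyImageAttribute
# request that set-permissions `remove: matched` (plus an optional `add`) amounts to.
# The permission records and the whitelist are constructed sample data.
import re

# Organization and organizational-unit ARNs in any AWS partition (aws, aws-cn, aws-us-gov).
ORG_ARN = re.compile(r"^arn:aws(?:-[a-z]+)*:organizations::\d{12}:(organization|ou)/")

# Constructed DescribeImageAttribute(Attribute='launchPermission') LaunchPermissions list:
# two accounts, one organization, one OU, and a public grant.
LAUNCH_PERMISSIONS = [
    {"UserId": "112233445566"},
    {"UserId": "223344556677"},
    {"OrganizationArn": "arn:aws:organizations::112233445566:organization/o-xxyyzzaabb"},
    {"OrganizationalUnitArn": "arn:aws:organizations::112233445566:ou/o-xxyyzzaabb/ou-xxyy-aabbccdd"},
    {"Group": "all"},
]

# Same shape as the cross-account filter's whitelist in the set-permissions example.
WHITELIST = [
    "112233445566",
    "arn:aws:organizations::112233445566:organization/o-xxyyzzaabb",
]


def principal_of(permission):
    """Identifier carried by one LaunchPermissions entry (account ID, ARN or group name)."""
    for key in ("UserId", "OrganizationArn", "OrganizationalUnitArn", "Group"):
        if key in permission:
            return permission[key]
    raise ValueError(f"unrecognised launch permission: {permission!r}")


def unlisted_permissions(permissions, whitelist):
    """Entries granting launch access to principals outside `whitelist`, in original order.
    A public grant (Group: all) is reported unless 'all' itself is whitelisted."""
    allowed = set(whitelist)
    return [p for p in permissions if principal_of(p) not in allowed]


def to_permission(principal):
    """Map an account ID, organization ARN, OU ARN or 'all' to a LaunchPermissions entry."""
    if isinstance(principal, int):
        # An unquoted account ID in YAML arrives as an int; a leading zero is already lost.
        raise TypeError(f"account ID {principal} must be quoted as a 12-character string")
    if principal == "all":
        return {"Group": "all"}
    if principal.isdigit() and len(principal) == 12:
        return {"UserId": principal}
    match = ORG_ARN.match(principal)
    if match:
        key = "OrganizationArn" if match.group(1) == "organization" else "OrganizationalUnitArn"
        return {key: principal}
    raise ValueError(f"unrecognised principal: {principal!r}")


def build_modify_request(image_id, permissions, whitelist, add=()):
    """Keyword arguments for boto3 ec2.modify_image_attribute that revoke every grant
    outside `whitelist` (set-permissions `remove: matched`) and add the principals in
    `add`. Returns None when there is nothing to change, so callers skip the API call."""
    launch = {}
    remove = unlisted_permissions(permissions, whitelist)
    if remove:
        launch["Remove"] = remove
    if add:
        launch["Add"] = [to_permission(p) for p in add]
    if not launch:
        return None
    return {"ImageId": image_id, "Attribute": "launchPermission", "LaunchPermission": launch}


if __name__ == "__main__":
    import json
    request = build_modify_request("ami-0123456789abcdef0", LAUNCH_PERMISSIONS,
                                   WHITELIST, add=["334455667788"])
    print(json.dumps(request, indent=2))
```

For the sample data the Remove list holds the second account, the OU and the public grant, while the whitelisted account and organization are left untouched; passing the returned dictionary as `ec2.modify_image_attribute(**request)` would apply it.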