aws.ami

Filters

• cross-account

• event

• finding

• image-age

• marked-for-op

• ops-item

• reduce

• tag-count

• unused

• value

cross-account

Check a resource’s embedded iam policy for cross account access.

properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - ec2:DescribeImageAttribute

image-age

Filters images based on the age (in days)

example

policies:
  - name: ami-remove-launch-permissions
    resource: ami
    filters:
      - type: image-age
        days: 30

properties:
  days:
    minimum: 0
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - image-age
required:
- type

unused

Filters images based on usage

true: image has no instances spawned from it false: image has instances spawned from it

example

policies:
  - name: ami-unused
    resource: ami
    filters:
      - type: unused
        value: true

properties:
  type:
    enum:
    - unused
  value:
    type: boolean
required:
- type

Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags

Actions

• auto-tag-user

• copy

• copy-related-tag

• deregister

• invoke-lambda

• invoke-sfn

• mark-for-op

• normalize-tag

• notify

• post-finding

• post-item

• put-metric

• remove-launch-permissions

• remove-tag

• rename-tag

• tag

• tag-trim

• webhook

copy

Action to copy AMIs with optional encryption

This action can copy AMIs while optionally encrypting or decrypting the target AMI. It is advised to use in conjunction with a filter.

Note there is a max in flight of 5 per account/region.

example

policies:
  - name: ami-ensure-encrypted
    resource: ami
    filters:
      - type: value
        key: encrypted
        value: true
    actions:
      - type: copy
        encrypt: true
        key-id: 00000000-0000-0000-0000-000000000000

properties:
  description:
    type: string
  encrypt:
    type: boolean
  key-id:
    type: string
  name:
    type: string
  region:
    type: string
  type:
    enum:
    - copy

Permissions - ec2:CopyImage

deregister

Action to deregister AMI

To prevent deregistering all AMI, it is advised to use in conjunction with a filter (such as image-age)

example

policies:
  - name: ami-deregister-old
    resource: ami
    filters:
      - type: image-age
        days: 90
    actions:
      - deregister

properties:
  delete-snapshots:
    type: boolean
  type:
    enum:
    - deregister
required:
- type

Permissions - ec2:DeregisterImage

remove-launch-permissions

Action to remove the ability to launch an instance from an AMI

This action will remove any launch permissions granted to other AWS accounts from the image, leaving only the owner capable of launching it

example

policies:
  - name: ami-stop-share-old
    resource: ami
    filters:
      - type: image-age
        days: 60
    actions:
      - remove-launch-permissions

properties:
  accounts:
    oneOf:
    - enum:
      - matched
    - maxLength: 12
      minLength: 12
      type: string
  type:
    enum:
    - remove-launch-permissions
required:
- type

Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute