aws.ami

Filters

cross-account
Check a resource's embedded IAM policy for cross-account access.
properties:
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
required:
- type
Permissions - ec2:DescribeImageAttribute
image-age

Filters images based on their age (in days).
example:

  policies:
    - name: ami-remove-launch-permissions
      resource: ami
      filters:
        - type: image-age
          days: 30

properties:
  days:
    minimum: 0
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - image-age
required:
- type
unused

Filters images based on usage.

  true: the image has no instances spawned from it
  false: the image has instances spawned from it
example:

  policies:
    - name: ami-unused
      resource: ami
      filters:
        - type: unused
          value: true

properties:
  type:
    enum:
    - unused
  value:
    type: boolean
required:
- type
Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags
Actions

copy

Action to copy AMIs with optional encryption.

This action can copy AMIs while optionally encrypting or decrypting the target AMI. It is advised to use it in conjunction with a filter.

Note that there is a maximum of 5 in-flight copies per account/region.
example:

  policies:
    - name: ami-ensure-encrypted
      resource: ami
      filters:
        - type: value
          key: encrypted
          value: true
      actions:
        - type: copy
          encrypt: true
          key-id: 00000000-0000-0000-0000-000000000000

properties:
  description:
    type: string
  encrypt:
    type: boolean
  key-id:
    type: string
  name:
    type: string
  region:
    type: string
  type:
    enum:
    - copy
Permissions - ec2:CopyImage
deregister

Action to deregister AMIs.

To avoid deregistering every AMI, it is advised to use it in conjunction with a filter (such as image-age).
example:

  policies:
    - name: ami-deregister-old
      resource: ami
      filters:
        - type: image-age
          days: 90
      actions:
        - deregister

properties:
  delete-snapshots:
    type: boolean
  type:
    enum:
    - deregister
required:
- type
Permissions - ec2:DeregisterImage
remove-launch-permissions

Action to remove the ability to launch an instance from an AMI.

This action removes any launch permissions granted to other AWS accounts from the image, leaving only the owner capable of launching it.
example:

  policies:
    - name: ami-stop-share-old
      resource: ami
      filters:
        - type: image-age
          days: 60
      actions:
        - remove-launch-permissions

properties:
  accounts:
    oneOf:
    - enum:
      - matched
    - maxLength: 12
      minLength: 12
      type: string
  type:
    enum:
    - remove-launch-permissions
required:
- type
Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute
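As an added example that is not part of the Cloud Custodian documentation above, the following policy file combines the filters and actions on this page: the first policy revokes launch permissions granted to accounts outside an allowlist (only for the accounts the cross-account filter matched), and the second deregisters unused images older than 90 days along with their snapshots. The account IDs are constructed placeholders.

```yaml
policies:
  # Find AMIs shared with any account that is not on the allowlist and
  # revoke launch permissions only for those matched accounts, leaving
  # approved sharing intact.
  - name: ami-revoke-unapproved-sharing
    resource: ami
    filters:
      - type: cross-account
        whitelist:
          - "111111111111"   # constructed placeholder account ID
          - "222222222222"   # constructed placeholder account ID
    actions:
      - type: remove-launch-permissions
        accounts: matched

  # Deregister images that no instance, launch configuration or
  # auto scaling group references and that are older than 90 days,
  # then delete the EBS snapshots backing them. Both filters must
  # match, so a recent but unused image is left alone.
  - name: ami-deregister-unused-old
    resource: ami
    filters:
      - type: unused
        value: true
      - type: image-age
        days: 90
        op: gt
    actions:
      - type: deregister
        delete-snapshots: true
```

Run it with `custodian run -s out policy.yml` after validating with `custodian validate policy.yml`; a dry run (`--dryrun`) reports the matched images without executing the actions.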