aws.ami¶
Filters¶
cross-account¶
Check a resource’s embedded iam policy for cross account access.
properties:
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
required:
- type
Permissions - ec2:DescribeImageAttribute
image-age¶
Filters images based on the age (in days)
- example
policies:
- name: ami-remove-launch-permissions
resource: ami
filters:
- type: image-age
days: 30
properties:
days:
minimum: 0
type: number
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- image-age
required:
- type
image-attribute¶
AMI Image Value Filter on a given image attribute.
Filters AMI’s with the given AMI attribute
- example
policies:
- name: ami-unused-recently
resource: ami
filters:
- type: image-attribute
attribute: lastLaunchedTime
key: "Value"
op: gte
value_type: age
value: 30
properties:
attribute:
enum:
- description
- kernel
- ramdisk
- launchPermissions
- productCodes
- blockDeviceMapping
- sriovNetSupport
- bootMode
- tpmSupport
- uefiData
- lastLaunchedTime
- imdsSupport
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- image-attribute
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- attribute
Permissions - ec2:DescribeImageAttribute
unused¶
Filters images based on usage
true: image has no instances spawned from it false: image has instances spawned from it
- example
policies:
- name: ami-unused
resource: ami
filters:
- type: unused
value: true
properties:
type:
enum:
- unused
value:
type: boolean
required:
- type
Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeLaunchConfigurations, ec2:DescribeInstances, ec2:DescribeTags
Actions¶
copy¶
Action to copy AMIs with optional encryption
This action can copy AMIs while optionally encrypting or decrypting the target AMI. It is advised to use in conjunction with a filter.
Note there is a max in flight of 5 per account/region.
- example
policies:
- name: ami-ensure-encrypted
resource: ami
filters:
- type: value
key: encrypted
value: true
actions:
- type: copy
encrypt: true
key-id: 00000000-0000-0000-0000-000000000000
properties:
description:
type: string
encrypt:
type: boolean
key-id:
type: string
name:
type: string
region:
type: string
type:
enum:
- copy
Permissions - ec2:CopyImage
deregister¶
Action to deregister AMI
To prevent deregistering all AMI, it is advised to use in conjunction with a filter (such as image-age)
- example
policies:
- name: ami-deregister-old
resource: ami
filters:
- type: image-age
days: 90
actions:
- deregister
properties:
delete-snapshots:
type: boolean
type:
enum:
- deregister
required:
- type
Permissions - ec2:DeregisterImage
remove-launch-permissions¶
Action to remove the ability to launch an instance from an AMI
DEPRECATED - use set-permissions instead to support AWS Organizations sharing as well as adding permissions
This action will remove any launch permissions granted to other AWS accounts from the image, leaving only the owner capable of launching it
- example
policies:
- name: ami-stop-share-old
resource: ami
filters:
- type: image-age
days: 60
actions:
- type: remove-launch-permissions
properties:
accounts:
oneOf:
- enum:
- matched
- maxLength: 12
minLength: 12
type: string
type:
enum:
- remove-launch-permissions
required:
- type
Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute
set-deprecation¶
Action to enable or disable AMI deprecation
To prevent deprecation of all AMIs, it is advised to use in conjunction with a filter (such as image-age)
- example
policies:
- name: ami-deprecate-old
resource: ami
filters:
- type: image-age
days: 30
actions:
- type: set-deprecation
#Number of days from AMI creation
age: 90
#Number of days from now
#days: 90
#Specific date/time
#date: "2023-11-30"
properties:
age:
type: integer
date:
type: string
days:
type: integer
type:
enum:
- set-deprecation
required:
- type
Permissions - ec2:EnableImageDeprecation, ec2:DisableImageDeprecation
set-permissions¶
Set or remove AMI launch permissions
This action will add or remove launch permissions granted to other AWS accounts, organizations or organizational units from the image.
Use the ‘add’ and ‘remove’ parameters to control which principals to add or remove, respectively. The default is to remove any permissions granted to other AWS accounts. Principals can be an AWS account id, an organization ARN, or an organizational unit ARN
Use ‘remove: matched’ in combination with the ‘cross-account’ filter for more flexible removal options such as preserving access for a set of whitelisted accounts:
- example
policies:
- name: ami-share-remove-cross-account
resource: ami
filters:
- type: cross-account
whitelist:
- '112233445566'
- 'arn:aws:organizations::112233445566:organization/o-xxyyzzaabb'
- 'arn:aws:organizations::112233445566:ou/o-xxyyzzaabb/ou-xxyy-aabbccdd'
actions:
- type: set-permissions
remove: matched
# To remove all permissions
# - type: set-permissions
# To remove public permissions
# - type: set-permissions
# remove:
# - all
# To remove specific permissions
# - type: set-permissions
# remove:
# - '223344556677'
# - 'arn:aws:organizations::112233445566:organization/o-zzyyxxbbaa'
# - 'arn:aws:organizations::112233445566:ou/o-zzyyxxbbaa/ou-xxyy-ddccbbaa'
# To set specific permissions
# - type: set-permissions
# remove: matched
# add:
# - '223344556677'
# - 'arn:aws:organizations::112233445566:organization/o-zzyyxxbbaa'
# - 'arn:aws:organizations::112233445566:ou/o-zzyyxxbbaa/ou-xxyy-ddccbbaa'
properties:
add:
items:
type: string
type: array
remove:
oneOf:
- enum:
- matched
- items:
type: string
type: array
type:
enum:
- set-permissions
required:
- type
Permissions - ec2:ResetImageAttribute, ec2:ModifyImageAttribute