AWS Common Filters

Filters

alarm

Filter log metric filters based on associated alarms.

example:

# Select log metric filters that have an associated alarm.
policies:
  - name: log-metrics-with-alarms
    resource: aws.log-metric
    filters:
      - type: alarm
        # `present` is a special value: the filter passes when the key exists
        # (presumably on the alarm joined to each metric filter — confirm with
        # the value filter docs).
        key: AlarmName
        value: present
# Schema of the `alarm` filter. Apart from `type`, these are the generic value
# filter properties shared by the other key/value filters on this page.
properties:
  default:
    type: object
  key:
    type: string
  # Comparison operators; several entries are aliases of each other
  # (eq/equal, ne/not-equal, ge/gte, le/lte, ni/not-in).
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - alarm
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  # Comparison values loaded from an external document (`url`, `format`,
  # optional `headers`) — presumably fetched when the policy runs, so the
  # document's source is part of the policy's trust boundary.
  value_from:
    # NOTE(review): the quoted 'False' is a string, not the JSON Schema boolean
    # `false`; a validator will not read it as "no extra keys" — presumably a
    # schema-generator quirk, confirm against the source.
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        # Explicit-key syntax for a pattern of '' — the empty pattern matches
        # every header name, so any header may be given as a string.
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
# Only `type` is mandatory; `key`/`value` are optional per the schema.
required:
- type

api-cache

Filter AppSync GraphQL APIs based on their API cache attributes.

example:

# Select GraphQL APIs whose API cache is configured for full request caching.
policies:
  - name: filter-graphql-api-cache
    resource: aws.graphql-api
    filters:
     # NOTE(review): this list is indented one space less than in most other
     # examples on this page; still valid YAML, but aligning it avoids confusion.
     - type: api-cache
       key: 'apiCachingBehavior'
       value: 'FULL_REQUEST_CACHING'
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - api-cache
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

bedrock-model-invocation-logging

Filter an account based on its Bedrock model invocation logging configuration.

The schema to supply to the attrs follows the schema here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/bedrock/client/get_model_invocation_logging_configuration.html

example:

# Match the account when image data delivery is enabled in the Bedrock model
# invocation logging configuration; attrs keys follow the API response schema
# linked above.
policies:
  - name: bedrock-model-invocation-logging-configuration
    resource: account
    filters:
      - type: bedrock-model-invocation-logging
        attrs:
          # NOTE(review): `True` is a YAML 1.1-style boolean; lowercase `true`
          # is the canonical spelling and parses to the same value.
          - imageDataDeliveryEnabled: True
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - bedrock-model-invocation-logging
required:
- type

bucket-replication

Filter S3 buckets based on their bucket replication configuration.

The schema to supply to the attrs follows the schema here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/get_bucket_replication.html

example:

# Match buckets with an enabled replication rule for the `test` prefix tagged
# Owner=c7n; attrs keys follow the get_bucket_replication schema linked above.
policies:
  - name: s3-bucket-replication
    resource: s3
    filters:
      - type: bucket-replication
        attrs:
          - Status: Enabled
          # Nested structure is matched as given — presumably against each
          # replication rule object (confirm with the list-item docs).
          - Filter:
              And:
                Prefix: test
                Tags:
                  - Key: Owner
                    Value: c7n
          # NOTE(review): in the S3 API ExistingObjectReplication is a
          # structure with a Status member, so this shorthand may need to be
          # `ExistingObjectReplication.Status: Enabled` — confirm against the
          # linked schema.
          - ExistingObjectReplication: Enabled
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - bucket-replication
required:
- type

check-permissions

Check IAM permissions associated with a resource.

example:

Find users that can create other users

# Select IAM users whose effective permissions allow creating other users.
policies:
  - name: super-users
    resource: aws.iam-user
    filters:
      - type: check-permissions
        # `allowed`: the listed actions must be permitted (permission
        # boundaries are taken into account unless `boundaries` disables it).
        match: allowed
        actions:
         - iam:CreateUser
example:

Find users with access to all services and actions

# Select IAM users allowed to perform any action on any service — a useful
# detection for administrator-equivalent principals.
policies:
  - name: admin-users
    resource: aws.iam-user
    filters:
      - type: check-permissions
        match: allowed
        actions:
          # Quoted because `*` would otherwise be read as a YAML alias sigil.
          - '*:*'

By default, permission boundaries are taken into account (see the `boundaries` property).

properties:
  actions:
    items:
      type: string
    type: array
  boundaries:
    type: boolean
  match:
    oneOf:
    - enum:
      - allowed
      - denied
    - $ref: '#/definitions/filters/valuekv'
    - $ref: '#/definitions/filters/value'
  match-operator:
    enum:
    - and
    - or
  type:
    enum:
    - check-permissions
required:
- actions
- match

client-properties

Filter workspace directories based on their workspace client properties.

example:

# Select WorkSpaces directories whose client properties have reconnect enabled.
policies:
  - name: workspace-client-credentials
    resource: aws.workspaces-directory
    filters:
     - type: client-properties
       key: ReconnectEnabled
       value: ENABLED
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - client-properties
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

config-compliance

Filter resources by their compliance with one or more AWS config rules.

The following example uses the filter to find all EC2 instances that have been recorded as non-compliant against two custom AWS Config rules within the last 30 days.

example:

# Select EC2 instances with a compliance evaluation recorded in the last 30 days
# against either of the two custom Config rules.
policies:
  - name: non-compliant-ec2
    resource: ec2
    filters:
     - type: config-compliance
       # Value filters applied to each evaluation result: `age` converts
       # ResultRecordedTime to an age, so less-than 30 keeps recent results.
       eval_filters:
        - type: value
          key: ResultRecordedTime
          value_type: age
          value: 30
          op: less-than
       # NOTE(review): no `states` is given, so restricting this to
       # NON_COMPLIANT (as the text above describes) depends on the filter's
       # default — consider stating `states: [NON_COMPLIANT]` explicitly.
       rules:
        - custodian-ec2-encryption-required
        - custodian-ec2-tags-required

Note also that Custodian has direct support for deploying policies as Config rules; see https://cloudcustodian.io/docs/policy/lambda.html#config-rules

properties:
  eval_filters:
    items:
      oneOf:
      - $ref: '#/definitions/filters/valuekv'
      - $ref: '#/definitions/filters/value'
    type: array
  op:
    enum:
    - or
    - and
  rules:
    items:
      type: string
    type: array
  states:
    items:
      enum:
      - COMPLIANT
      - NON_COMPLIANT
      - NOT_APPLICABLE
      - INSUFFICIENT_DATA
    type: array
  type:
    enum:
    - config-compliance
required:
- rules

connection-aliases

Filter workspace directories based on connection aliases

example:

# Select WorkSpaces directories that have no connection aliases.
policies:
  - name: workspace-connection-alias
    resource: aws.workspaces-directory
    filters:
     - type: connection-aliases
       key: 'ConnectionAliases'
       # `empty` is a special value (presumably matching a missing or empty
       # list — confirm with the value filter docs).
       value: 'empty'
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - connection-aliases
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

cost-optimization

Filter resources by their AWS Cost Optimization Hub recommendations.

# Select EC2 instances with a rightsizing recommendation based on at least 10
# days of data and at least 30 in estimated monthly savings.
# NOTE(review): unlike the other examples on this page this is a policy-list
# fragment with no `policies:` root key.
- name: cost-ec2-optimize
  resource: aws.ec2
  filters:
    - type: cost-optimization
      attrs:
       # Shorthand `key: value` entry and full value-filter entries may be mixed.
       - actionType: Rightsize
       - key: recommendationLookbackPeriodInDays
         op: gte
         value: 10
       - key: estimatedMonthlySavings
         value: 30
         op: gte
properties:
  action:
    enum:
    - Rightsize
    - Stop
    - Upgrade
    - PurchaseSavingsPlans
    - PurchaseReservedInstances
    - MigrateToGraviton
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  efforts:
    items:
      enum:
      - VeryLow
      - Low
      - Medium
      - High
      - VeryHigh
    type: array
  type:
    enum:
    - cost-optimization
required:
- type

domain-options

Filter CloudSearch domains by their domain options.

example:

# Select CloudSearch domains that do not enforce HTTPS, i.e. still accept
# plaintext requests — a typical transport-security check.
policies:
  - name: cloudsearch-detect-https
    resource: cloudsearch
    filters:
      - type: domain-options
        # Dotted key path into the domain options; compared with boolean false.
        key: Options.EnforceHTTPS
        value: false
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - domain-options
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

engine

Filter an RDS resource based on its engine metadata.

example:

# Select RDS instances whose engine version metadata reports a deprecated status.
# NOTE(review): this example uses 4-space list indentation whereas the rest of
# the page uses 2; both are valid YAML.
policies:
    - name: find-deprecated-versions
      resource: aws.rds
      filters:
        - type: engine
          key: Status
          value: deprecated
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - engine
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

event

Filter a resource based on an event.

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - event
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

finding

Check whether there are Security Hub findings related to the resource.

example:

By default, this filter checks to see if any findings exist for a given resource.

# Shorthand form: a bare filter name with no `query` matches any IAM role that
# has at least one Security Hub finding.
policies:
  - name: iam-roles-with-findings
    resource: aws.iam-role
    filters:
      - finding
example:

The query parameter can look for specific findings; consult the Security Hub findings filter reference for the available filters and their structure. Note that when matching by finding Id, it can be helpful to combine PREFIX comparisons with parameterized account and region information.

# Select IAM roles with an active, failed finding for the FSBP control KMS.2
# (inline policies allowing decryption on all KMS keys).
policies:
  - name: iam-roles-with-global-kms-decrypt
    resource: aws.iam-role
    filters:
      - type: finding
        query:
          # PREFIX on the subscription ARN; `{region}` and `{account_id}` are
          # expanded at run time so the policy is account/region independent.
          Id:
            - Comparison: PREFIX
              Value: 'arn:aws:securityhub:{region}:{account_id}:subscription/aws-foundational-security-best-practices/v/1.0.0/KMS.2'
          # Folded scalar (`>-`): the two lines join into one title string.
          Title:
            - Comparison: EQUALS
              Value: >-
                KMS.2 IAM principals should not have IAM inline policies
                that allow decryption actions on all KMS keys
          # Restrict to findings that currently fail and are still active, so
          # resolved or archived findings do not match.
          ComplianceStatus:
            - Comparison: EQUALS
              Value: 'FAILED'
          RecordState:
            - Comparison: EQUALS
              Value: 'ACTIVE'
properties:
  query:
    type: object
  region:
    type: string
  type:
    enum:
    - finding
required:
- type

flow-logs

Check whether flow logs are enabled on the resource.

This filter reuses the list-item filter for arbitrary filtering on the flow log attributes; it also maintains compatibility with the legacy flow-log filter.

For example, to find all VPCs with flow logs disabled:

example:

# Shorthand form with no attributes; per the text above this selects VPCs
# with flow logs disabled (the `enabled` property defaults to false).
policies:
  - name: flow-logs-enabled
    resource: vpc
    filters:
      - flow-logs

Or, to find all VPCs that have flow logs but whose configuration does not match a particular one:

example:

# Select VPCs that do NOT have an active flow log capturing ALL traffic into
# the `vpc-logs` log group — i.e. logging is missing or misconfigured.
policies:
  - name: flow-mis-configured
    resource: vpc
    filters:
      - not:
        - type: flow-logs
          # attrs entries are combined; each is a key/value match on a flow log.
          attrs:
            - TrafficType: ALL
            - FlowLogStatus: ACTIVE
            - LogGroupName: vpc-logs
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  deliver-status:
    enum:
    - success
    - failure
  destination:
    type: string
  destination-type:
    enum:
    - s3
    - cloud-watch-logs
  enabled:
    default: false
    type: boolean
  log-format:
    type: string
  log-group:
    type: string
  op:
    default: equal
    enum:
    - equal
    - not-equal
  set-op:
    default: or
    enum:
    - or
    - and
  status:
    enum:
    - active
  traffic-type:
    enum:
    - accept
    - reject
    - all
  type:
    enum:
    - flow-logs
required:
- type

health-event

Check whether there are operational health events (PHD) related to the resources.

https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/

Health events are stored as an annotation on the resource.

Custodian also supports responding to PHD events via a Lambda execution mode.

properties:
  category:
    items:
      enum:
      - issue
      - accountNotification
      - scheduledChange
    type: array
  statuses:
    items:
      enum:
      - open
      - upcoming
      - closed
      type: string
    type: array
  type:
    enum:
    - health-event
  types:
    items:
      type: string
    type: array
required:
- type

iam-analyzer

Analyze resource access policies using AWS IAM Access Analyzer.

Access Analyzer uses logic-based reasoning to analyze embedded resource IAM access policies and determine access from outside a zone of trust.

# Select S3 buckets that IAM Access Analyzer reports as publicly accessible.
policies:
  - name: s3-check
    resource: aws.s3
    filters:
      - type: iam-analyzer
        # `analyzer` is optional in the schema; which analyzer is used when it
        # is omitted is not stated here — confirm with the filter docs.
        key: isPublic
        value: true
properties:
  analyzer:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - iam-analyzer
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

image

Filter ASGs by their image.

example:

# Select auto scaling groups whose launch image is not a Windows AMI.
policies:
  - name: non-windows-asg
    resource: asg
    filters:
      - type: image
        key: Platform
        value: Windows
        # `ne` inverts the match (alias of `not-equal`).
        op: ne
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - image
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

instance-attribute

Filter Connect resources based on instance attributes

example:

# Select Connect instances where the CONTACT_LENS attribute is enabled.
policies:

  - name: connect-instance-attribute
    resource: connect-instance
    filters:
      - type: instance-attribute
        # Dotted path into the describe-attribute response.
        key: Attribute.Value
        value: true
        # Required by the schema: names which instance attribute to fetch.
        attribute_type: CONTACT_LENS
properties:
  attribute_type:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - instance-attribute
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- attribute_type
- type

intelligent-tiering

Filter S3 buckets based on their intelligent tiering configurations.

The schema to supply to the attrs follows the schema here:

https://botocore.amazonaws.com/v1/documentation/api/latest/reference/services/s3/client/list_bucket_intelligent_tiering_configurations.html

example:

# Match buckets with an enabled intelligent-tiering configuration for the
# `test` prefix tagged Owner=c7n that archives after 100 days; attrs keys
# follow the list_bucket_intelligent_tiering_configurations schema linked above.
policies:
  - name: s3-intelligent-tiering-configuration
    resource: s3
    filters:
      - type: intelligent-tiering
        attrs:
          - Status: Enabled
          - Filter:
              And:
                Prefix: test
                Tags:
                  - Key: Owner
                    Value: c7n
          # NOTE(review): Days and AccessTier are given as two separate list
          # entries rather than one object; whether that matches a single
          # tiering entry with both values depends on how nested lists are
          # compared — confirm against the linked schema.
          - Tierings:
              - Days: 100
              - AccessTier: ARCHIVE_ACCESS
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - intelligent-tiering
required:
- type

list-item

Perform multi-attribute filtering on items within a list; for example, finding security groups that have rules allowing 0.0.0.0/0 on port 22.

example:

# Two examples: security groups exposing port 22 to the whole internet, and
# ECS task definitions that pull an image from outside the account's registry.
policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        # Each IpPermissions entry is evaluated on its own, so all three attrs
        # must hold for the same rule (rather than across different rules).
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            # `swap` reverses the operands: true when '0.0.0.0/0' is in the
            # list of CIDRs, instead of the list being in the value.
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
        - type: list-item
          key: containerDefinitions
          attrs:
            - not:
              - type: value
                key: image
                # NOTE(review): `${account_id}` differs from the `{account_id}`
                # form used in the finding example above; confirm which form
                # the value filter expands, otherwise this literal never
                # matches a real registry host. The unescaped `.` in the regex
                # also match any character.
                value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                op: regex
# Schema of the `list-item` filter; the same `attrs`/`count`/`count_op` shape
# is reused by the other list-item based filters on this page.
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      # NOTE(review): `additional_properties` is not a JSON Schema keyword (the
      # keyword is `additionalProperties`, as used in value_from elsewhere on
      # this page). A validator presumably ignores it, so an attrs object with a
      # misspelled `and`/`or`/`not` key would not be rejected at validation
      # time — confirm against the schema validator.
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  # count/count_op presumably constrain how many list items must match the
  # attrs — confirm with the filter docs.
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  # Path to the list being filtered; optional per the schema although every
  # example on this page supplies it.
  key:
    type: string
  type:
    enum:
    - list-item
required:
- type

logging

Filter by WAFv2 logging configuration.

example:

# Two examples: WAFv2 resources with no logging configured at all, and those
# whose logging redacts the user-agent header.
policies:
  - name: wafv2-logging-enabled
    resource: aws.wafv2
    filters:
      # `not` + `present`: match when the logging configuration has no
      # ResourceArn, i.e. logging is not set up.
      - not:
          - type: logging
            key: ResourceArn
            value: present

  - name: check-redacted-fields
    resource: aws.wafv2
    filters:
      - type: logging
        # Projects the header names of all redacted fields into a list; with
        # `swap` the check becomes "user-agent is in that list".
        key: RedactedFields[].SingleHeader.Name
        value: user-agent
        op: in
        value_type: swap
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - logging
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

logging-config

Filter network firewalls by their logging configuration.

The schema for the attrs entries follows the response schema of describe_logging_configuration, documented here:

https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/network-firewall/client/describe_logging_configuration.html

example:

policies:
  - name: network-firewall-logging-configuration
    resource: firewall
    filters:
      - type: logging-config
        attrs:
          - LogType: FLOW
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - logging-config
required:
- type

login-profile

Filter IAM users that have an associated login-profile

For quicker evaluation and reduced API traffic, it is recommended to use the ‘credential’ filter with ‘password_enabled’: true instead, provided a delay of up to four hours for credential report syncing is acceptable.

(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)

example:

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - login-profile
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

marked-for-op

Filter resources by a tag-specified future action.

Filters resources by a ‘maid_status’ tag which specifies a future date for an action.

The filter parses the tag value looking for an ‘op@date’ string. The date is parsed and compared to today’s date; the filter matches if today’s date is greater than or equal to the target date.

The optional ‘skew’ parameter provides for incrementing today’s date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.

The optional ‘skew_hours’ parameter provides for incrementing the current time a number of hours into the future.

Optionally, the ‘tz’ parameter can be used to specify the timezone in which to interpret the clock (the default is ‘utc’).

policies:
  - name: ec2-stop-marked
    resource: ec2
    filters:
      - type: marked-for-op
        # The default tag used is maid_status
        # but that is configurable
        tag: custodian_status
        op: stop
        # Another optional tag is skew
        tz: utc
    actions:
      - type: stop
properties:
  op:
    type: string
  skew:
    minimum: 0
    type: number
  skew_hours:
    minimum: 0
    type: number
  tag:
    type: string
  type:
    enum:
    - marked-for-op
  tz:
    type: string
required:
- type

metrics

Supports CloudWatch metrics filters on resources.

All resources that have CloudWatch metrics are supported.

Docs on cloud watch metrics

- name: ec2-underutilized
  resource: ec2
  filters:
    - type: metrics
      name: CPUUtilization
      days: 4
      period: 86400
      value: 30
      op: less-than

Note that periods during which a resource is not sending metrics are not part of the calculated statistics — as in the case of a stopped EC2 instance, or a resource too new to have existed for the entire period. I.e. an EC2 instance being stopped would not lower its average CPU utilization.

The “missing-value” key allows a policy to specify a default value when CloudWatch has no data to report:

- name: elb-low-request-count
  resource: elb
  filters:
    - type: metrics
      name: RequestCount
      statistics: Sum
      days: 7
      value: 7
      missing-value: 0
      op: less-than

This policy matches any ELB with fewer than 7 requests for the past week. ELBs with no requests during that time will have an empty set of metrics. Rather than skipping those resources, “missing-value: 0” causes the policy to treat their request counts as 0.

Note the default statistic for metrics is Average.

properties:
  attr-multiplier:
    type: number
  days:
    type: number
  dimensions:
    patternProperties:
      ^.*$:
        type: string
    type: object
  missing-value:
    type: number
  name:
    type: string
  namespace:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    type: string
  percent-attr:
    type: string
  period:
    type: number
  statistics:
    type: string
  type:
    enum:
    - metrics
  value:
    type: number
required:
- value
- name

network-location

On a network-attached resource, determine the intersection of security-group attributes, subnet attributes, and resource attributes.

The use case is somewhat specialized; for most purposes the subnet and security-group filters suffice. But say, for example, you wanted to verify that an EC2 instance was only using subnets and security groups with a given tag value, and that the tag was not present on the resource itself.

Example:

policies:
  - name: ec2-mismatched-sg-remove
    resource: ec2
    filters:
      - type: network-location
        compare: ["resource","security-group"]
        key: "tag:TEAM_NAME"
        ignore:
          - "tag:TEAM_NAME": Enterprise
    actions:
      - type: modify-security-groups
        remove: network-location
        isolation-group: sg-xxxxxxxx
properties:
  compare:
    default:
    - resource
    - subnet
    - security-group
    description: Which elements of network location should be considered when matching.
    items:
      enum:
      - resource
      - subnet
      - security-group
    type: array
  ignore:
    items:
      type: object
    type: array
  key:
    description: The attribute expression that should be matched on
    type: string
  match:
    default: non-equal
    enum:
    - equal
    - not-equal
    - in
    type: string
  max-cardinality:
    default: 1
    title: ''
    type: integer
  missing-ok:
    default: false
    description: How to handle missing keys on elements, by default this causes resources
      to be considered not-equal
    type: boolean
  type:
    enum:
    - network-location
  value:
    items:
      type: string
    type: array
required:
- key
- type

offhour

Schedule offhours for resources; see offhours for features and configuration.

properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  offhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  tag:
    type: string
  type:
    enum:
    - offhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- offhour
- default_tz
- type

onhour

Schedule offhours for resources; see offhours for features and configuration.

properties:
  default_tz:
    type: string
  fallback-schedule:
    type: string
  fallback_schedule:
    type: string
  onhour:
    maximum: 23
    minimum: 0
    type: integer
  opt-out:
    type: boolean
  skip-days:
    items:
      pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
      type: string
    type: array
  skip-days-from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  tag:
    type: string
  type:
    enum:
    - onhour
  weekends:
    type: boolean
  weekends-only:
    type: boolean
required:
- onhour
- default_tz
- type

ops-item

Filter resources associated with existing OpsCenter operational items.

example:

Find ec2 instances with open ops items.

policies:
  - name: ec2-instances-ops-items
    resource: ec2
    filters:
      - type: ops-item
        # we can filter on source, title, priority
        priority: [1, 2]
properties:
  priority:
    items:
      enum:
      - 1
      - 2
      - 3
      - 4
      - 5
    type: array
  source:
    type: string
  status:
    default:
    - Open
    items:
      enum:
      - Open
      - In progress
      - Resolved
    type: array
  title:
    type: string
  type:
    enum:
    - ops-item
required:
- type

org-unit

Filter resources by their containment within an organizational unit (OU).

policies:
  - name: org-units-by-parent-ou
    resource: aws.org-unit
    filters:
      - type: org-unit
        key: Name
        value: dev

  - name: org-accounts-by-parent-ou
    resource: aws.org-account
    filters:
      - type: org-unit
        key: Name
        value: dev
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - org-unit
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

ownership

Filter for object ownership controls

Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html

example:

Find buckets with ACLs disabled

policies:
  - name: s3-bucket-acls-disabled
    resource: aws.s3
    region: us-east-1
    filters:
      - type: ownership
        value: BucketOwnerEnforced

example:

Find buckets with object ownership preferred or enforced

policies:
  - name: s3-bucket-ownership-preferred
    resource: aws.s3
    region: us-east-1
    filters:
      - type: ownership
        op: in
        value:
          - BucketOwnerEnforced
          - BucketOwnerPreferred

example:

Find buckets with no object ownership controls

policies:
  - name: s3-bucket-no-ownership-controls
    resource: aws.s3
    region: us-east-1
    filters:
      - type: ownership
        value: empty
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - ownership
  value:
    oneOf:
    - enum:
      - BucketOwnerEnforced
      - BucketOwnerPreferred
      - ObjectWriter
      - absent
      - present
      - not-null
      - empty
      type: string
    - items:
        enum:
        - BucketOwnerEnforced
        - BucketOwnerPreferred
        - ObjectWriter
        - absent
        - present
        - not-null
        - empty
        type: string
      type: array
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

policy

Perform multi-attribute filtering on items within a list, for example to find security groups whose rules include 0.0.0.0/0 with port 22 open.

example:

policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
        - type: list-item
          key: containerDefinitions
          attrs:
            - not:
              - type: value
                key: image
                value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                op: regex
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  inherited:
    type: boolean
  policy-type:
    enum:
    - SERVICE_CONTROL_POLICY
    - TAG_POLICY
    - BACKUP_POLICY
    - AISERVICES_OPT_OUT_POLICY
  type:
    enum:
    - policy
required:
- policy-type
- type

reduce

Generic reduce filter to group, sort, and limit your resources.

The first example selects the longest-running instance from each ASG; the second randomly chooses 10% of the resources, capped at 15 total.

example:

- name: oldest-instance-by-asg
  resource: ec2
  filters:
    - "tag:aws:autoscaling:groupName": present
    - type: reduce
      group-by: "tag:aws:autoscaling:groupName"
      sort-by: "LaunchTime"
      order: asc
      limit: 1

Or you might want to randomly select 10 percent of your resources, but no more than 15.

example:

- name: random-selection
  resource: ec2
  filters:
    - type: reduce
      order: randomize
      limit: 15
      limit-percent: 10
properties:
  discard:
    minimum: 0
    type: number
  discard-percent:
    maximum: 100
    minimum: 0
    type: number
  group-by:
    oneOf:
    - type: string
    - key:
        type: string
      type: object
      value_regex: string
      value_type:
        enum:
        - string
        - number
        - date
  limit:
    minimum: 0
    type: number
  limit-percent:
    maximum: 100
    minimum: 0
    type: number
  null-order:
    enum:
    - first
    - last
  order:
    enum:
    - asc
    - desc
    - reverse
    - randomize
  sort-by:
    oneOf:
    - type: string
    - key:
        type: string
      type: object
      value_regex: string
      value_type:
        enum:
        - string
        - number
        - date
  type:
    enum:
    - reduce
required:
- type

safety-rule

Filter the safety rules (the assertion rules and gating rules) that you’ve defined for the routing controls in a control panel.

example:

Find a recovery control panel with at least two deployed assertion safety rules, each with a minimum WaitPeriodMs of 30.

policies:
  - name: check-safety
    resource: aws.recovery-control-panel
    filters:
      - type: safety-rule
        count: 2
        count_op: gte
        attrs:
         - Type: ASSERTION
         - Status: Deployed
         - type: value
           key: WaitPeriodMs
           op: gte
           value: 30
properties:
  attrs:
    items:
      anyOf:
      - $ref: '#/definitions/filters/value'
      - $ref: '#/definitions/filters/valuekv'
      - additional_properties: false
        properties:
          and:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          or:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
      - additional_properties: false
        properties:
          not:
            items:
              anyOf:
              - $ref: '#/definitions/filters/value'
              - $ref: '#/definitions/filters/valuekv'
            type: array
        type: object
    type: array
  count:
    type: number
  count_op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - safety-rule
required:
- type

security-group

Filter a resource by its associated security groups.

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - security-group
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

ses-agg-send-stats

This filter queries SES send statistics and aggregates all the data points into a single report.

example:

policies:
  - name: ses-aggregated-send-stats-policy
    resource: account
    filters:
      - type: ses-agg-send-stats
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - ses-agg-send-stats
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

shield-metrics

Specialized metrics filter for shield

properties:
  attr-multiplier:
    type: number
  days:
    type: number
  dimensions:
    patternProperties:
      ^.*$:
        type: string
    type: object
  missing-value:
    type: number
  name:
    type: string
  namespace:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    type: string
  percent-attr:
    type: string
  period:
    type: number
  statistics:
    type: string
  type:
    enum:
    - shield-metrics
  value:
    type: number
required:
- type

subnet

Filter a resource by its associated subnets attributes.

This filter is generally available for network-attached resources.

E.g. to find Lambda functions that are VPC-attached to subnets with a tag key Location and value Database:

example:

policies:
  - name: lambda
    resource: aws.lambda
    filters:
      - type: subnet
        key: tag:Location
        value: Database

It also supports finding resources on public or private subnets via route-table introspection, which determines whether the subnet is associated with an internet gateway.

example:

policies:
   - name: public-ec2
     resource: aws.ec2
     filters:
       - type: subnet
         igw: True
         key: SubnetId
         value: present
properties:
  default:
    type: object
  igw:
    enum:
    - true
    - false
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - subnet
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

subscription-filter

Filters CloudWatch log groups by their subscription filters.

example:

policies:
  - name: cloudwatch-groups-with-subscriptions
    resource: log-group
    filters:
      - type: subscription-filter
        key: destinationArn
        value: arn:aws:lambda:us-east-1:123456789876:function:forwarder
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - subscription-filter
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

tag-count

Simplify tag counting.

I.e. these two blocks are equivalent:

- filters:
    - type: value
      op: gte
      count: 8

- filters:
    - type: tag-count
      count: 8
properties:
  count:
    minimum: 0
    type: integer
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - tag-count
required:
- type

usage

Filter IAM resources by their API/service usage.

Note that recent activity (within the last 4 hours) may not yet be reflected; evaluation is against the last 365 days of data.

Each service access record is evaluated against all specified attributes. Attribute filters can be specified in short form k:v pairs or in long form as a value type filter.

match-operator specifies how a resource is treated across service access record matches. ‘any’ means a single matching service record returns the policy resource as matching. ‘all’ means every service access record has to match.

Find iam users that have not used any services in the last year

example:

- name: usage-unused-users
  resource: iam-user
  filters:
    - type: usage
      match-operator: all
      LastAuthenticated: null

Find iam users that have used dynamodb in last 30 days

example:

- name: unused-users
  resource: iam-user
  filters:
    - type: usage
      ServiceNamespace: dynamodb
      TotalAuthenticatedEntities: 1
      LastAuthenticated:
        type: value
        value_type: age
        op: less-than
        value: 30
      match-operator: any

https://aws.amazon.com/blogs/security/automate-analyzing-permissions-using-iam-access-advisor/

properties:
  LastAuthenticated:
    oneOf:
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
    - $ref: '#/definitions/filters/value'
  LastAuthenticatedEntity:
    oneOf:
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
    - $ref: '#/definitions/filters/value'
  ServiceName:
    oneOf:
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
    - $ref: '#/definitions/filters/value'
  ServiceNamespace:
    oneOf:
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
    - $ref: '#/definitions/filters/value'
  TotalAuthenticatedEntities:
    oneOf:
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
    - $ref: '#/definitions/filters/value'
  match-operator:
    enum:
    - all
    - any
  poll-delay:
    type: number
  type:
    enum:
    - usage
required:
- match-operator

usage-metric

Filter service quotas by usage, only compatible with service quotas that return a UsageMetric attribute.

The default limit is 80%. The default min_period (minimum period) is 300 seconds; if a user sets it to anything lower than 60 seconds, it is automatically raised to 60 seconds.

policies:
    - name: service-quota-usage-limit
      description: |
          find any services that have usage stats of
          over 80%
      resource: aws.service-quota
      filters:
        - UsageMetric: present
        - type: usage-metric
          limit: 19
properties:
  limit:
    type: integer
  min_period:
    type: integer
  type:
    enum:
    - usage-metric
required:
- type

value

Generic value filter using JMESPath expressions.

properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - value
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

vpc

Filter a resource by attributes of its associated VPC. The `key`, `op` and `value` options follow the generic value filter; `match-resource` and `operator` are the additional options this filter accepts (see the properties below).

properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - vpc
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

waf-enabled

Filter API Gateway stages by their WAF Classic (regional) web ACL association. `state` selects whether the stage must (`true`) or must not (`false`) be associated, and `web-acl` optionally names the ACL to match; the example below, with `state: false`, finds stages that lack an association with the web ACL `test`, which is the useful check for locating unprotected endpoints.

example:

policies:
  - name: filter-apigw-waf-regional
    resource: rest-stage
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  state:
    type: boolean
  type:
    enum:
    - waf-enabled
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
  web-acl:
    type: string
required:
- type

wafv2-enabled

Filter Cognito user pools by their WAFv2 web ACL association. With `state: false` the filter selects pools that have no (matching) web ACL attached. `web-acl` is optional and, as the second example shows, may be a regular expression (the pattern there corresponds to Firewall Manager managed web ACL names).

example:

policies:
  - name: filter-userpool-wafv2
    resource: user-pool
    filters:
      - type: wafv2-enabled
        state: false
  - name: filter-userpool-wafv2-regex
    resource: user-pool
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  state:
    type: boolean
  type:
    enum:
    - wafv2-enabled
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
  web-acl:
    type: string
required:
- type