AWS Common Filters
Filters
alarm
Filter log metric filters based on associated alarms.
- example:
policies:
  - name: log-metrics-with-alarms
    resource: aws.log-metric
    filters:
      - type: alarm
        key: AlarmName
        value: present
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - alarm
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
api-cache
Filter AppSync GraphQLApi based on the api cache attributes.
- example:
policies:
  - name: filter-graphql-api-cache
    resource: aws.graphql-api
    filters:
      - type: api-cache
        key: 'apiCachingBehavior'
        value: 'FULL_REQUEST_CACHING'
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - api-cache
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
bedrock-model-invocation-logging
Filter for account to look at the Bedrock model invocation logging configuration.
- The schema to supply to the attrs follows the schema here:
- example:
policies:
  - name: bedrock-model-invocation-logging-configuration
    resource: account
    filters:
      - type: bedrock-model-invocation-logging
        attrs:
          - imageDataDeliveryEnabled: True
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - bedrock-model-invocation-logging
required:
  - type
bucket-replication
Filter for S3 buckets to look at bucket replication configurations.
- The schema to supply to the attrs follows the schema here:
- example:
policies:
  - name: s3-bucket-replication
    resource: s3
    filters:
      - type: bucket-replication
        attrs:
          - Status: Enabled
          - Filter:
              And:
                Prefix: test
                Tags:
                  - Key: Owner
                    Value: c7n
          - ExistingObjectReplication: Enabled
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - bucket-replication
required:
  - type
check-permissions
Check IAM permissions associated with a resource.
- example:
  Find users that can create other users
policies:
  - name: super-users
    resource: aws.iam-user
    filters:
      - type: check-permissions
        match: allowed
        actions:
          - iam:CreateUser
- example:
  Find users with access to all services and actions
policies:
  - name: admin-users
    resource: aws.iam-user
    filters:
      - type: check-permissions
        match: allowed
        actions:
          - '*:*'
By default permission boundaries are checked.
properties:
  actions:
    items:
      type: string
    type: array
  boundaries:
    type: boolean
  match:
    oneOf:
      - enum:
          - allowed
          - denied
      - $ref: '#/definitions/filters/valuekv'
      - $ref: '#/definitions/filters/value'
  match-operator:
    enum:
      - and
      - or
  type:
    enum:
      - check-permissions
required:
  - actions
  - match
client-properties
Filter workspace directories based on workspace client properties.
- example:
policies:
  - name: workspace-client-credentials
    resource: aws.workspaces-directory
    filters:
      - type: client-properties
        key: ReconnectEnabled
        value: ENABLED
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - client-properties
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
config-compliance
Filter resources by their compliance with one or more AWS Config rules.
An example of using the filter to find all EC2 instances that have been registered as non-compliant in the last 30 days against two custom AWS Config rules:
- example:
policies:
  - name: non-compliant-ec2
    resource: ec2
    filters:
      - type: config-compliance
        eval_filters:
          - type: value
            key: ResultRecordedTime
            value_type: age
            value: 30
            op: less-than
        rules:
          - custodian-ec2-encryption-required
          - custodian-ec2-tags-required
Also note that Custodian has direct support for deploying policies as Config rules; see https://cloudcustodian.io/docs/policy/lambda.html#config-rules
properties:
  eval_filters:
    items:
      oneOf:
        - $ref: '#/definitions/filters/valuekv'
        - $ref: '#/definitions/filters/value'
    type: array
  op:
    enum:
      - or
      - and
  rules:
    items:
      type: string
    type: array
  states:
    items:
      enum:
        - COMPLIANT
        - NON_COMPLIANT
        - NOT_APPLICABLE
        - INSUFFICIENT_DATA
    type: array
  type:
    enum:
      - config-compliance
required:
  - rules
connection-aliases
Filter workspace directories based on connection aliases.
- example:
policies:
  - name: workspace-connection-alias
    resource: aws.workspaces-directory
    filters:
      - type: connection-aliases
        key: 'ConnectionAliases'
        value: 'empty'
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - connection-aliases
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
cost-optimization
Cost Optimization Hub recommendations.
- name: cost-ec2-optimize
  resource: aws.ec2
  filters:
    - type: cost-optimization
      attrs:
        - actionType: Rightsize
        - key: recommendationLookbackPeriodInDays
          op: gte
          value: 10
        - key: estimatedMonthlySavings
          value: 30
          op: gte
properties:
  action:
    enum:
      - Rightsize
      - Stop
      - Upgrade
      - PurchaseSavingsPlans
      - PurchaseReservedInstances
      - MigrateToGraviton
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  efforts:
    items:
      enum:
        - VeryLow
        - Low
        - Medium
        - High
        - VeryHigh
    type: array
  type:
    enum:
      - cost-optimization
required:
  - type
domain-options
Filter CloudSearch domains by their domain options.
- example:
policies:
  - name: cloudsearch-detect-https
    resource: cloudsearch
    filters:
      - type: domain-options
        key: Options.EnforceHTTPS
        value: false
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - domain-options
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
ec2-metadata-defaults
Filter on the default instance metadata service (IMDS) settings for the specified account and region. NOTE: any configuration that has never been set (or is set to 'No Preference') will not be returned in the response, which is why the example below checks for both an explicit 'optional' value and an absent key.
- example:
policies:
  - name: ec2-imds-defaults
    resource: account
    filters:
      - or:
          - type: ec2-metadata-defaults
            key: HttpTokens
            value: optional
          - type: ec2-metadata-defaults
            key: HttpTokens
            value: absent
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - ec2-metadata-defaults
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
engine
Filter an RDS resource based on its engine metadata.
- example:
policies:
  - name: find-deprecated-versions
    resource: aws.rds
    filters:
      - type: engine
        key: Status
        value: deprecated
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - engine
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
event
Filter a resource based on an event.
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - event
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
finding
Check if there are Security Hub findings related to the resources.
- example:
  By default, this filter checks to see if any findings exist for a given resource.
policies:
  - name: iam-roles-with-findings
    resource: aws.iam-role
    filters:
      - finding
- example:
  The query parameter can look for specific findings. Consult the Security Hub findings reference for more information about available filters and their structure. Note that when matching by finding Id, it can be helpful to combine PREFIX comparisons with parameterized account and region information.
policies:
  - name: iam-roles-with-global-kms-decrypt
    resource: aws.iam-role
    filters:
      - type: finding
        query:
          Id:
            - Comparison: PREFIX
              Value: 'arn:aws:securityhub:{region}:{account_id}:subscription/aws-foundational-security-best-practices/v/1.0.0/KMS.2'
          Title:
            - Comparison: EQUALS
              Value: >-
                KMS.2 IAM principals should not have IAM inline policies
                that allow decryption actions on all KMS keys
          ComplianceStatus:
            - Comparison: EQUALS
              Value: 'FAILED'
          RecordState:
            - Comparison: EQUALS
              Value: 'ACTIVE'
properties:
  query:
    type: object
  region:
    type: string
  type:
    enum:
      - finding
required:
  - type
flow-logs
Check whether flow logs are enabled on the resource.
This filter reuses the list-item filter for arbitrary filtering on the flow log attributes; it also maintains compatibility with the legacy flow-log filter.
For example, to find all VPCs with flow logs disabled:
- example:
policies:
  - name: flow-logs-enabled
    resource: vpc
    filters:
      - flow-logs
or to find all VPCs that have flow logs but do not match a particular configuration:
- example:
policies:
  - name: flow-mis-configured
    resource: vpc
    filters:
      - not:
          - type: flow-logs
            attrs:
              - TrafficType: ALL
              - FlowLogStatus: ACTIVE
              - LogGroupName: vpc-logs
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  deliver-status:
    enum:
      - success
      - failure
  destination:
    type: string
  destination-type:
    enum:
      - s3
      - cloud-watch-logs
  enabled:
    default: false
    type: boolean
  log-format:
    type: string
  log-group:
    type: string
  op:
    default: equal
    enum:
      - equal
      - not-equal
  set-op:
    default: or
    enum:
      - or
      - and
  status:
    enum:
      - active
  traffic-type:
    enum:
      - accept
      - reject
      - all
  type:
    enum:
      - flow-logs
required:
  - type
gateway-route
Filter on App Mesh gateway routes as list-item filters.
- example:
policies:
  - name: appmesh-gateway-route-policy
    resource: aws.appmesh-virtualgateway
    filters:
      - type: gateway-route
        attrs:
          - type: value
            key: meshOwner
            op: ne
            value: resourceOwner
            value_type: expr
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - gateway-route
required:
  - type
health-event
Check if there are operations health events (PHD) related to the resources.
https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/
Health events are stored as an annotation on a resource.
Custodian also supports responding to PHD events via a lambda execution mode.
properties:
  category:
    items:
      enum:
        - issue
        - accountNotification
        - scheduledChange
    type: array
  statuses:
    items:
      enum:
        - open
        - upcoming
        - closed
      type: string
    type: array
  type:
    enum:
      - health-event
  types:
    items:
      type: string
    type: array
required:
  - type
iam-analyzer
Analyze resource access policies using AWS IAM Access Analyzer.
Access Analyzer uses logic-based reasoning to analyze embedded resource IAM access policies to determine access from outside a zone of trust.
policies:
  - name: s3-check
    resource: aws.s3
    filters:
      - type: iam-analyzer
        key: isPublic
        value: true
properties:
  analyzer:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - iam-analyzer
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
image
Filter ASGs by image.
- example:
policies:
  - name: non-windows-asg
    resource: asg
    filters:
      - type: image
        key: Platform
        value: Windows
        op: ne
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - image
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
instance-attribute
Filter Connect resources based on instance attributes.
- example:
policies:
  - name: connect-instance-attribute
    resource: connect-instance
    filters:
      - type: instance-attribute
        key: Attribute.Value
        value: true
        attribute_type: CONTACT_LENS
properties:
  attribute_type:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - instance-attribute
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - attribute_type
  - type
intelligent-tiering
Filter for S3 buckets to look at intelligent tiering configurations.
- The schema to supply to the attrs follows the schema here:
- example:
policies:
  - name: s3-intelligent-tiering-configuration
    resource: s3
    filters:
      - type: intelligent-tiering
        attrs:
          - Status: Enabled
          - Filter:
              And:
                Prefix: test
                Tags:
                  - Key: Owner
                    Value: c7n
          - Tierings:
              - Days: 100
              - AccessTier: ARCHIVE_ACCESS
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - intelligent-tiering
required:
  - type
list-item
Perform multi-attribute filtering on items within a list, for example looking for security groups that have rules which include 0.0.0.0/0 and port 22 open.
- example:
policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
          - type: list-item
            key: containerDefinitions
            attrs:
              - not:
                  - type: value
                    key: image
                    value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                    op: regex
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  key:
    type: string
  type:
    enum:
      - list-item
required:
  - type
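The matching rules that list-item and the attrs-based filters above (flow-logs, bucket-replication, intelligent-tiering, gateway-route, bedrock-model-invocation-logging, logging-config) share are easy to get wrong in one's head, in particular the role of value_type: swap in the 0.0.0.0/0 check. The following is an added illustration written for this page, not Cloud Custodian's own implementation. It assumes that keys are dotted paths where a trailing [] flattens a list (enough for IpRanges[].CidrIp), that an attrs entry without a type is a key: value equality shorthand, and it implements only the operators exercised here; the security groups are constructed sample data.

```python
import re

# Comparison operators. The left operand is the value read from the list
# element, the right operand comes from the policy; value_type: swap
# exchanges them, which is how "'0.0.0.0/0' in IpRanges[].CidrIp" is spelled.
OPS = {
    'eq': lambda a, b: a == b, 'equal': lambda a, b: a == b,
    'ne': lambda a, b: a != b, 'not-equal': lambda a, b: a != b,
    'gt': lambda a, b: a > b, 'gte': lambda a, b: a >= b,
    'lt': lambda a, b: a < b, 'lte': lambda a, b: a <= b,
    'in': lambda a, b: a in b, 'not-in': lambda a, b: a not in b,
    'regex': lambda a, b: isinstance(a, str) and re.match(b, a) is not None,
}


def resolve(obj, path):
    """Walk a dotted path through nested dicts; a 'Name[]' segment flattens a
    list. Returns a list if any segment projects, otherwise a scalar or None.
    (Assumed key syntax for this illustration.)"""
    current = [obj]
    for segment in path.split('.'):
        project = segment.endswith('[]')
        name = segment[:-2] if project else segment
        step = []
        for node in current:
            if not isinstance(node, dict) or name not in node:
                continue
            value = node[name]
            if project and isinstance(value, list):
                step.extend(value)
            else:
                step.append(value)
        current = step
    if '[]' in path:
        return current
    return current[0] if current else None


def match_attr(element, attr):
    """Evaluate one attrs entry: a value filter, a key: value shorthand,
    or an and/or/not block of further entries."""
    if 'type' not in attr:
        if isinstance(attr.get('and'), list):
            return all(match_attr(element, a) for a in attr['and'])
        if isinstance(attr.get('or'), list):
            return any(match_attr(element, a) for a in attr['or'])
        if isinstance(attr.get('not'), list):
            return not all(match_attr(element, a) for a in attr['not'])
        (key, value), = attr.items()          # shorthand means equality
        attr = {'key': key, 'value': value}
    actual = resolve(element, attr['key'])
    expected = attr.get('value')
    if expected == 'present':
        return actual is not None
    if expected == 'absent':
        return actual is None
    if attr.get('value_type') == 'swap':
        actual, expected = expected, actual
    try:
        return OPS[attr.get('op', 'eq')](actual, expected)
    except TypeError:                          # e.g. None compared to a number
        return False


def list_item(resource, key, attrs, count=None, count_op='eq'):
    """A resource matches when at least one element of resource[key] satisfies
    every attr; with count, when the number of matching elements satisfies count_op."""
    elements = resolve(resource, key) or []
    matched = [e for e in elements if all(match_attr(e, a) for a in attrs)]
    if count is None:
        return bool(matched)
    return OPS[count_op](len(matched), count)


# The page's policy attrs, as data.
SSH_OPEN_TO_WORLD = [
    {'type': 'value', 'key': 'IpRanges[].CidrIp', 'value': '0.0.0.0/0',
     'op': 'in', 'value_type': 'swap'},
    {'type': 'value', 'key': 'FromPort', 'value': 22},
    {'type': 'value', 'key': 'ToPort', 'value': 22},
]

# Constructed sample security groups (not real resources).
SAMPLE_GROUPS = [
    {'GroupId': 'sg-open-ssh', 'IpPermissions': [
        {'FromPort': 22, 'ToPort': 22, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]},
        {'FromPort': 443, 'ToPort': 443, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]},
    {'GroupId': 'sg-internal-ssh', 'IpPermissions': [
        {'FromPort': 22, 'ToPort': 22, 'IpRanges': [{'CidrIp': '10.0.0.0/8'}]}]},
    {'GroupId': 'sg-web-only', 'IpPermissions': [
        {'FromPort': 443, 'ToPort': 443, 'IpRanges': [{'CidrIp': '0.0.0.0/0'}]}]},
]


def find_ssh_open_to_world(groups):
    """Ids of groups with a single rule that is both 22-22 and 0.0.0.0/0."""
    return [g['GroupId'] for g in groups if list_item(g, 'IpPermissions', SSH_OPEN_TO_WORLD)]


def has_two_or_more_world_open_rules(group):
    """Same machinery with count: at least two rules admit 0.0.0.0/0 at all."""
    return list_item(group, 'IpPermissions', [SSH_OPEN_TO_WORLD[0]], count=2, count_op='gte')
```

The point the sample data makes is that the three attrs are evaluated against the same element: sg-internal-ssh has port 22 open and sg-web-only has a 0.0.0.0/0 rule, but only sg-open-ssh has one rule with both properties, which a pair of plain value filters on the resource would not distinguish.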
lock-configuration
Filter S3 buckets based on their object lock configurations.
- example:
  Get all buckets where lock configuration mode is COMPLIANCE
policies:
  - name: lock-configuration-compliance
    resource: aws.s3
    filters:
      - type: lock-configuration
        key: Rule.DefaultRetention.Mode
        value: COMPLIANCE
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - lock-configuration
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
logging
Filter by WAFv2 logging configuration.
- example:
policies:
  - name: wafv2-logging-enabled
    resource: aws.wafv2
    filters:
      - not:
          - type: logging
            key: ResourceArn
            value: present
  - name: check-redacted-fields
    resource: aws.wafv2
    filters:
      - type: logging
        key: RedactedFields[].SingleHeader.Name
        value: user-agent
        op: in
        value_type: swap
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - logging
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
logging-config
Filter for Network Firewall to look at logging configuration.
- The schema to supply to the attrs follows the schema here:
- example:
policies:
  - name: network-firewall-logging-configuration
    resource: firewall
    filters:
      - type: logging-config
        attrs:
          - LogType: FLOW
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - logging-config
required:
  - type
login-profile
Filter IAM users that have an associated login profile.
For quicker evaluation and reduced API traffic, it is recommended to instead use the 'credential' filter with 'password_enabled': true when a delay of up to four hours for credential report syncing is acceptable.
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
- example:
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - login-profile
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
marked-for-op
Filter resources for a tag-specified future action.
Filters resources by a 'maid_status' tag which specifies a future date for an action.
The filter parses the tag value looking for an 'op@date' string. The date is parsed and compared to today's date; the filter succeeds if today's date is greater than or equal to the target date.
The optional 'skew' parameter increments today's date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.
The optional 'skew_hours' parameter increments the current time a number of hours into the future.
Optionally, the 'tz' parameter can be used to specify the timezone in which to interpret the clock (the default value is 'utc').
policies:
  - name: ec2-stop-marked
    resource: ec2
    filters:
      - type: marked-for-op
        # The default tag used is maid_status
        # but that is configurable
        tag: custodian_status
        op: stop
        # Another optional parameter is skew
        tz: utc
    actions:
      - type: stop
properties:
  op:
    type: string
  skew:
    minimum: 0
    type: number
  skew_hours:
    minimum: 0
    type: number
  tag:
    type: string
  type:
    enum:
      - marked-for-op
  tz:
    type: string
required:
  - type
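The date comparison described above, with skew, skew_hours and tz applied, as an added example written for this page rather than Cloud Custodian's own code. The page only says an 'op@date' string is looked for, so the exact tag layout is an assumption: a free-text message, a colon, then op@YYYY/mm/dd with an optional HHMM suffix. The instances are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

DEFAULT_TAG = 'maid_status'


def utc(year, month, day, hour=0, minute=0):
    """Build an aware UTC instant; used to pin 'now' in the sample runs."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_marker(tag_value):
    """Return (op, naive target datetime) from a value such as
    'Resource does not meet policy: stop@2024/05/01' or '...: stop@2024/05/01 1330',
    or None when no op@date marker is present. (Layout assumed, see lead-in.)"""
    target = tag_value.split(':', 1)[1] if ':' in tag_value else tag_value
    if '@' not in target:
        return None
    op, date_str = target.strip().split('@', 1)
    for layout in ('%Y/%m/%d %H%M', '%Y/%m/%d'):
        try:
            return op.strip(), datetime.strptime(date_str.strip(), layout)
        except ValueError:
            continue
    return None


def marked_for_op(resource, op, tag=DEFAULT_TAG, skew=0, skew_hours=0, tz='utc', now=None):
    """True when the resource carries a marker for `op` whose date is at or before
    the current time shifted forward by skew days and skew_hours hours, with the
    clock and the marker both read in timezone tz."""
    tags = {t['Key']: t['Value'] for t in resource.get('Tags', [])}
    if tag not in tags:
        return False
    parsed = parse_marker(tags[tag])
    if parsed is None or parsed[0] != op:
        return False
    zone = timezone.utc if tz.lower() == 'utc' else ZoneInfo(tz)
    current = (now or datetime.now(zone)).astimezone(zone)
    current += timedelta(days=skew, hours=skew_hours)
    target = parsed[1].replace(tzinfo=zone)
    return current >= target


# Constructed sample instances (not real resources).
SAMPLE_INSTANCES = [
    {'InstanceId': 'i-due', 'Tags': [
        {'Key': 'maid_status', 'Value': 'Resource does not meet policy: stop@2024/05/01'}]},
    {'InstanceId': 'i-later', 'Tags': [
        {'Key': 'maid_status', 'Value': 'Resource does not meet policy: stop@2024/05/04'}]},
    {'InstanceId': 'i-other-op', 'Tags': [
        {'Key': 'maid_status', 'Value': 'Resource does not meet policy: terminate@2024/05/01'}]},
    {'InstanceId': 'i-unmarked', 'Tags': [{'Key': 'Name', 'Value': 'web'}]},
]


def due_for(op, now, skew=0, skew_hours=0):
    """Ids of sample instances whose marker for `op` has come due as of `now`."""
    return [i['InstanceId'] for i in SAMPLE_INSTANCES
            if marked_for_op(i, op, skew=skew, skew_hours=skew_hours, now=now)]
```

Running due_for('stop', ...) with a skew of three days is the "final notice" case from the text: an instance marked for 2024/05/04 is already selected on 2024/05/01, while the terminate marker is left for a policy whose op is terminate.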
metrics
Supports cloud watch metrics filters on resources.
All resources that have cloud watch metrics are supported.
Docs on cloud watch metrics
GetMetricStatistics https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricStatistics.html
Supported Metrics https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html
- name: ec2-underutilized
resource: ec2
filters:
- type: metrics
name: CPUUtilization
days: 4
period: 86400
value: 30
op: less-than
Note periods when a resource is not sending metrics are not part of calculated statistics as in the case of a stopped ec2 instance, nor for resources to new to have existed the entire period. ie. being stopped for an ec2 instance wouldn’t lower the average cpu utilization.
The “missing-value” key allows a policy to specify a default value when CloudWatch has no data to report:
- name: elb-low-request-count
resource: elb
filters:
- type: metrics
name: RequestCount
statistics: Sum
days: 7
value: 7
missing-value: 0
op: less-than
This policy matches any ELB with fewer than 7 requests for the past week. ELBs with no requests during that time will have an empty set of metrics. Rather than skipping those resources, “missing-value: 0” causes the policy to treat their request counts as 0.
Note the default statistic for metrics is Average.
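As an added illustration (example code, not Cloud Custodian's own implementation), the following Python models how a metrics filter decides a match from CloudWatch datapoints, including the missing-value default and the skip that happens without it. The datapoints are constructed inline, and the way several datapoints are reduced to one number (Sum totalled, other statistics averaged) is this example's assumption.

```python
import operator
from statistics import mean

# Comparison operators, named as in the filter's `op` enum (subset).
OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "ge": operator.ge,
       "lt": operator.lt, "le": operator.le}
OPS.update({"equal": OPS["eq"], "not-equal": OPS["ne"], "greater-than": OPS["gt"],
            "gte": OPS["ge"], "less-than": OPS["lt"], "lte": OPS["le"]})


def evaluate_metrics_filter(spec, datapoints):
    """Decide whether one resource matches a `metrics` filter.

    Returns True (match), False (no match) or None (resource skipped
    because CloudWatch returned no datapoints and the policy gives no
    `missing-value`). `spec` uses the policy keys from the page: name,
    statistics (default Average), value, op, missing-value. `datapoints`
    is the Datapoints list GetMetricStatistics would return; a period in
    which the resource emitted nothing has no entry at all, which is why
    time spent stopped cannot pull an instance's average down.
    """
    statistic = spec.get("statistics", "Average")
    op = OPS[spec.get("op", "less-than")]   # example default, as in the policies above
    values = [dp[statistic] for dp in datapoints if statistic in dp]
    if not values:
        if "missing-value" not in spec:
            return None  # no data and no default: the filter does not apply
        observed = spec["missing-value"]
    else:
        # Assumption of this example: Sum datapoints are totalled over the
        # window, any other statistic is averaged across its datapoints.
        observed = sum(values) if statistic == "Sum" else mean(values)
    return op(observed, spec["value"])


# The two policies from the page, as filter specs.
UNDERUTILIZED = {"name": "CPUUtilization", "days": 4, "period": 86400,
                 "value": 30, "op": "less-than"}
LOW_REQUESTS = {"name": "RequestCount", "statistics": "Sum", "days": 7,
                "value": 7, "missing-value": 0, "op": "less-than"}

# Constructed sample datapoints (not real CloudWatch output).
IDLE_INSTANCE = [{"Average": 12.0}, {"Average": 20.5},
                 {"Average": 9.5}, {"Average": 18.0}]      # mean 15.0
BUSY_INSTANCE = [{"Average": 55.0}, {"Average": 71.0},
                 {"Average": 64.0}, {"Average": 66.0}]     # mean 64.0
NO_DATA = []   # e.g. an instance stopped, or an ELB unused, for the whole window
QUIET_ELB = [{"Sum": 3.0}, {"Sum": 2.0}]                   # 5 requests total
BUSY_ELB = [{"Sum": 5.0}, {"Sum": 4.0}]                    # 9 requests total

if __name__ == "__main__":
    for label, spec, dps in [("idle ec2", UNDERUTILIZED, IDLE_INSTANCE),
                             ("busy ec2", UNDERUTILIZED, BUSY_INSTANCE),
                             ("stopped ec2", UNDERUTILIZED, NO_DATA),
                             ("unused elb", LOW_REQUESTS, NO_DATA)]:
        print(label, "->", evaluate_metrics_filter(spec, dps))
```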
properties:
attr-multiplier:
type: number
days:
type: number
dimensions:
patternProperties:
^.*$:
type: string
type: object
missing-value:
type: number
name:
type: string
namespace:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type: string
percent-attr:
type: string
period:
type: number
statistics:
type: string
type:
enum:
- metrics
value:
type: number
required:
- value
- name
network-location
On a network-attached resource, determine the intersection of security-group attributes, subnet attributes, and resource attributes.
The use case is a bit specialized; for most use cases the subnet and security-group filters suffice. But say, for example, you wanted to verify that an EC2 instance was only using subnets and security groups with a given tag value, and that tag was not present on the resource.
- example:
policies:
  - name: ec2-mismatched-sg-remove
    resource: ec2
    filters:
      - type: network-location
        compare: ["resource","security-group"]
        key: "tag:TEAM_NAME"
        ignore:
          - "tag:TEAM_NAME": Enterprise
    actions:
      - type: modify-security-groups
        remove: network-location
        isolation-group: sg-xxxxxxxx
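An added simplified model of the network-location comparison above (example code, not Cloud Custodian's implementation): tag values are collected from the resource and its attached security groups and subnets, elements matching an ignore entry are skipped, and the match, max-cardinality and missing-ok keys decide the result. The sample instance and security groups are constructed.

```python
def tag_value(element, key):
    """Resolve a `tag:Name` key against an element's Tags list, or a plain
    attribute name against the element itself. None means missing."""
    if key.startswith("tag:"):
        wanted = key[4:]
        for tag in element.get("Tags", []):
            if tag["Key"] == wanted:
                return tag["Value"]
        return None
    return element.get(key)


def is_ignored(element, ignore):
    """Skip an element when every key of some `ignore` entry matches it."""
    return any(all(tag_value(element, k) == v for k, v in entry.items())
               for entry in ignore)


def network_location_matches(spec, resource, subnets, security_groups):
    """True when the resource should be selected by the filter.

    Values of `key` are collected from each element kind in `compare`
    (ignored subnets/groups skipped; the resource itself is always read).
    With the default match `not-equal` the resource is selected when the
    elements disagree: more distinct values than `max-cardinality`, or a
    value missing somewhere (unless `missing-ok`). `equal` selects the
    opposite case, and `in` requires every collected value to be in `value`.
    """
    compare = spec.get("compare", ["resource", "subnet", "security-group"])
    ignore = spec.get("ignore", [])
    match = spec.get("match", "not-equal")
    max_cardinality = spec.get("max-cardinality", 1)
    missing_ok = spec.get("missing-ok", False)
    elements = {"resource": [resource], "subnet": subnets,
                "security-group": security_groups}

    values, missing = set(), False
    for kind in compare:
        for element in elements[kind]:
            if kind != "resource" and is_ignored(element, ignore):
                continue
            value = tag_value(element, spec["key"])
            if value is None:
                missing = True
            else:
                values.add(value)

    if match == "in":
        return not missing and values <= set(spec.get("value", []))
    mismatched = (missing and not missing_ok) or len(values) > max_cardinality
    return mismatched if match == "not-equal" else not mismatched


# The filter from the example policy above.
MISMATCH_SPEC = {"compare": ["resource", "security-group"], "key": "tag:TEAM_NAME",
                 "ignore": [{"tag:TEAM_NAME": "Enterprise"}]}

# Constructed sample resources (not real AWS API output).
INSTANCE = {"InstanceId": "i-0example", "Tags": [{"Key": "TEAM_NAME", "Value": "Payments"}]}
SG_PAYMENTS = {"GroupId": "sg-0payments", "Tags": [{"Key": "TEAM_NAME", "Value": "Payments"}]}
SG_ENTERPRISE = {"GroupId": "sg-0enterprise", "Tags": [{"Key": "TEAM_NAME", "Value": "Enterprise"}]}
SG_OTHER_TEAM = {"GroupId": "sg-0billing", "Tags": [{"Key": "TEAM_NAME", "Value": "Billing"}]}
SG_UNTAGGED = {"GroupId": "sg-0untagged", "Tags": []}

if __name__ == "__main__":
    print("shared enterprise group only:",
          network_location_matches(MISMATCH_SPEC, INSTANCE, [], [SG_PAYMENTS, SG_ENTERPRISE]))
    print("another team's group attached:",
          network_location_matches(MISMATCH_SPEC, INSTANCE, [], [SG_PAYMENTS, SG_OTHER_TEAM]))
```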
properties:
compare:
default:
- resource
- subnet
- security-group
description: Which elements of network location should be considered when matching.
items:
enum:
- resource
- subnet
- security-group
type: array
ignore:
items:
type: object
type: array
key:
description: The attribute expression that should be matched on
type: string
match:
default: non-equal
enum:
- equal
- not-equal
- in
type: string
max-cardinality:
default: 1
title: ''
type: integer
missing-ok:
default: false
description: How to handle missing keys on elements; by default this causes resources to be considered not-equal
type: boolean
type:
enum:
- network-location
value:
items:
type: string
type: array
required:
- key
- type
offhour
Schedule offhours for resources; see offhours for features and configuration.
properties:
default_tz:
type: string
fallback-schedule:
type: string
fallback_schedule:
type: string
offhour:
maximum: 23
minimum: 0
type: integer
opt-out:
type: boolean
skip-days:
items:
pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
type: string
type: array
skip-days-from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
tag:
type: string
type:
enum:
- offhour
weekends:
type: boolean
weekends-only:
type: boolean
required:
- offhour
- default_tz
- type
onhour
Schedule offhours for resources; see offhours for features and configuration.
properties:
default_tz:
type: string
fallback-schedule:
type: string
fallback_schedule:
type: string
onhour:
maximum: 23
minimum: 0
type: integer
opt-out:
type: boolean
skip-days:
items:
pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
type: string
type: array
skip-days-from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
tag:
type: string
type:
enum:
- onhour
weekends:
type: boolean
weekends-only:
type: boolean
required:
- onhour
- default_tz
- type
ops-item
Filter resources associated with existing OpsCenter operational items.
- example:
Find EC2 instances with open ops items.
policies:
  - name: ec2-instances-ops-items
    resource: ec2
    filters:
      - type: ops-item
        # we can filter on source, title, priority
        priority: [1, 2]
properties:
priority:
items:
enum:
- 1
- 2
- 3
- 4
- 5
type: array
source:
type: string
status:
default:
- Open
items:
enum:
- Open
- In progress
- Resolved
type: array
title:
type: string
type:
enum:
- ops-item
required:
- type
org-unit
Filter resources by their containment within an organizational unit (OU).
policies:
  - name: org-units-by-parent-ou
    resource: aws.org-unit
    filters:
      - type: org-unit
        key: Name
        value: dev
  - name: org-accounts-by-parent-ou
    resource: aws.org-account
    filters:
      - type: org-unit
        key: Name
        value: dev
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- org-unit
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
ownership
Filter for object ownership controls
Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
- example:
Find buckets with ACLs disabled
policies:
  - name: s3-bucket-acls-disabled
    resource: aws.s3
    region: us-east-1
    filters:
      - type: ownership
        value: BucketOwnerEnforced
- example:
Find buckets with object ownership preferred or enforced
policies:
  - name: s3-bucket-ownership-preferred
    resource: aws.s3
    region: us-east-1
    filters:
      - type: ownership
        op: in
        value:
          - BucketOwnerEnforced
          - BucketOwnerPreferred
- example:
Find buckets with no object ownership controls
policies:
  - name: s3-bucket-no-ownership-controls
    resource: aws.s3
    region: us-east-1
    filters:
      - type: ownership
        value: empty
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- ownership
value:
oneOf:
- enum:
- BucketOwnerEnforced
- BucketOwnerPreferred
- ObjectWriter
- absent
- present
- not-null
- empty
type: string
- items:
enum:
- BucketOwnerEnforced
- BucketOwnerPreferred
- ObjectWriter
- absent
- present
- not-null
- empty
type: string
type: array
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
policy
Perform multi-attribute filtering on items within a list, for example looking for security groups that have rules which include 0.0.0.0/0 and port 22 open.
- example:
policies:
  - name: security-group-with-22-open-to-world
    resource: aws.security-group
    filters:
      - type: list-item
        key: IpPermissions
        attrs:
          - type: value
            key: IpRanges[].CidrIp
            value: '0.0.0.0/0'
            op: in
            value_type: swap
          - type: value
            key: FromPort
            value: 22
          - type: value
            key: ToPort
            value: 22
  - name: find-task-def-not-using-registry
    resource: aws.ecs-task-definition
    filters:
      - not:
          - type: list-item
            key: containerDefinitions
            attrs:
              - not:
                  - type: value
                    key: image
                    value: "${account_id}.dkr.ecr.us-east-2.amazonaws.com.*"
                    op: regex
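An added example (not the project's own code) of how a list-item style filter is evaluated: every attrs entry must hold on the same list item, which is what makes the security-group policy above flag only a rule that is both port 22 and open to the world, and count with count_op then compares how many items matched. The same logic serves the other list-item filters on this page, such as safety-rule. The sample security groups are constructed, and the mini JMESPath resolver only supports dotted paths and the name[] projection used in these examples.

```python
import operator
import re

# Comparison operators named as in the `op` / `count_op` enums (subset).
OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "ge": operator.ge,
       "lt": operator.lt, "le": operator.le, "in": lambda a, b: a in b,
       "ni": lambda a, b: a not in b,
       # Assumption of this example: `regex` is anchored at the start (re.match).
       "regex": lambda a, b: isinstance(a, str) and re.match(b, a) is not None}
OPS.update({"equal": OPS["eq"], "not-equal": OPS["ne"], "greater-than": OPS["gt"],
            "gte": OPS["ge"], "less-than": OPS["lt"], "lte": OPS["le"],
            "not-in": OPS["ni"]})


def resolve(item, key):
    """Mini JMESPath: dotted paths, and `name[]` flattens a list so that
    `IpRanges[].CidrIp` yields the list of CIDRs. A missing path gives None."""
    current = [item]
    for part in key.split("."):
        project = part.endswith("[]")
        name = part[:-2] if project else part
        nxt = []
        for node in current:
            if not isinstance(node, dict) or name not in node:
                continue
            value = node[name]
            if project and isinstance(value, list):
                nxt.extend(value)
            else:
                nxt.append(value)
        current = nxt
    if "[]" in key:
        return current
    return current[0] if current else None


def value_filter(item, spec):
    """Long-form attribute: a `type: value` filter against one list item."""
    actual, expected = resolve(item, spec["key"]), spec.get("value")
    if expected == "present":
        return actual is not None
    if expected == "absent":
        return actual is None
    if spec.get("value_type") == "swap":   # compare the other way round
        actual, expected = expected, actual
    try:
        return bool(OPS[spec.get("op", "eq")](actual, expected))
    except TypeError:                      # e.g. None compared with 22
        return False


def attr_matches(item, attr):
    """One entry of `attrs`: short k:v form, a value filter, or and/or/not."""
    if "and" in attr:
        return all(attr_matches(item, a) for a in attr["and"])
    if "or" in attr:
        return any(attr_matches(item, a) for a in attr["or"])
    if "not" in attr:
        return not all(attr_matches(item, a) for a in attr["not"])
    if attr.get("type") == "value":
        return value_filter(item, attr)
    # Short form: every key must equal its value ("present" = key exists).
    return all(value_filter(item, {"key": k, "value": v}) for k, v in attr.items())


def list_item_matches(resource, spec):
    """An item matches only when ALL attrs hold on that same item; `count`
    with `count_op` then compares how many items matched, otherwise any
    matching item selects the resource."""
    items = resolve(resource, spec["key"]) or []
    matched = [i for i in items if all(attr_matches(i, a) for a in spec.get("attrs", []))]
    if "count" in spec:
        return bool(OPS[spec.get("count_op", "eq")](len(matched), spec["count"]))
    return bool(matched)


# The list-item filter from the first policy above.
SSH_OPEN_SPEC = {"key": "IpPermissions", "attrs": [
    {"type": "value", "key": "IpRanges[].CidrIp", "value": "0.0.0.0/0",
     "op": "in", "value_type": "swap"},
    {"type": "value", "key": "FromPort", "value": 22},
    {"type": "value", "key": "ToPort", "value": 22}]}

# Constructed sample security groups (not real AWS API output).
SG_OPEN_SSH = {"GroupId": "sg-0open", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}]}]}
# SSH only from the private range; the world-open rule is a different item,
# so the multi-attribute match must not combine the two.
SG_SPLIT = {"GroupId": "sg-0split", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for sg in (SG_OPEN_SSH, SG_SPLIT):
        print(sg["GroupId"], "->", list_item_matches(sg, SSH_OPEN_SPEC))
```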
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
inherited:
type: boolean
policy-type:
enum:
- SERVICE_CONTROL_POLICY
- TAG_POLICY
- BACKUP_POLICY
- AISERVICES_OPT_OUT_POLICY
type:
enum:
- policy
required:
- policy-type
- type
reduce
Generic reduce filter to group, sort, and limit your resources.
The first example selects the longest-running instance from each ASG; the second randomly chooses 10% of resources, capped at 15 instances in total.
- example:
- name: oldest-instance-by-asg
  resource: ec2
  filters:
    - "tag:aws:autoscaling:groupName": present
    - type: reduce
      group-by: "tag:aws:autoscaling:groupName"
      sort-by: "LaunchTime"
      order: asc
      limit: 1
Or you might want to randomly select 10 percent of your resources, but no more than 15.
- example:
- name: random-selection
  resource: ec2
  filters:
    - type: reduce
      order: randomize
      limit: 15
      limit-percent: 10
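An added model of the reduce filter's group, sort and trim steps (example code, not Cloud Custodian's implementation), run over constructed instances to show both policies above; the flooring of the percent keys, the treatment of reverse as the input order reversed, and the injectable random source are this example's assumptions.

```python
import random


def get_value(resource, key):
    """`tag:Name` looks in the Tags list; anything else is a top-level field."""
    if key.startswith("tag:"):
        return next((t["Value"] for t in resource.get("Tags", [])
                     if t["Key"] == key[4:]), None)
    return resource.get(key)


def reduce_filter(spec, resources, rng=random):
    """Group by `group-by`, order each group by `sort-by`/`order` (nulls
    placed per `null-order`), then drop `discard`/`discard-percent` from
    the front and keep at most `limit`/`limit-percent` per group."""
    group_by, sort_by = spec.get("group-by"), spec.get("sort-by")
    order = spec.get("order", "asc")
    null_order = spec.get("null-order", "last")
    groups = {}
    for r in resources:
        groups.setdefault(get_value(r, group_by) if group_by else None, []).append(r)

    selected = []
    for members in groups.values():
        if order == "randomize":
            members = members[:]
            rng.shuffle(members)
        elif sort_by:
            present = [m for m in members if get_value(m, sort_by) is not None]
            absent = [m for m in members if get_value(m, sort_by) is None]
            present.sort(key=lambda m: get_value(m, sort_by), reverse=(order == "desc"))
            members = absent + present if null_order == "first" else present + absent
        elif order == "reverse":
            members = members[::-1]
        # discard-* drops from the front; limit-* then caps what remains.
        # Percentages are floored and the stricter of the two caps wins.
        start = spec.get("discard", 0) + len(members) * spec.get("discard-percent", 0) // 100
        members = members[start:]
        keep = len(members)
        if "limit-percent" in spec:
            keep = min(keep, len(members) * spec["limit-percent"] // 100)
        if "limit" in spec:
            keep = min(keep, spec["limit"])
        selected.extend(members[:keep])
    return selected


# The two reduce filters from the examples above.
OLDEST_PER_ASG = {"group-by": "tag:aws:autoscaling:groupName",
                  "sort-by": "LaunchTime", "order": "asc", "limit": 1}
RANDOM_TEN_PERCENT = {"order": "randomize", "limit": 15, "limit-percent": 10}


def _asg(name):
    return [{"Key": "aws:autoscaling:groupName", "Value": name}]


# Constructed sample instances (ISO timestamps sort correctly as strings).
INSTANCES = [
    {"InstanceId": "i-01", "LaunchTime": "2024-03-01T00:00:00Z", "Tags": _asg("web")},
    {"InstanceId": "i-02", "LaunchTime": "2024-01-15T00:00:00Z", "Tags": _asg("web")},
    {"InstanceId": "i-03", "LaunchTime": "2024-02-10T00:00:00Z", "Tags": _asg("api")},
    {"InstanceId": "i-04", "LaunchTime": "2024-02-01T00:00:00Z", "Tags": _asg("api")},
    {"InstanceId": "i-05", "Tags": _asg("api")},   # no LaunchTime: a null sort key
]


def random_sample_size(total, seed=0):
    """How many of `total` constructed instances the random policy keeps."""
    fleet = [{"InstanceId": f"i-{n:03d}"} for n in range(total)]
    return len(reduce_filter(RANDOM_TEN_PERCENT, fleet, random.Random(seed)))


if __name__ == "__main__":
    print([r["InstanceId"] for r in reduce_filter(OLDEST_PER_ASG, INSTANCES)])
    print(random_sample_size(200), random_sample_size(40))
```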
properties:
discard:
minimum: 0
type: number
discard-percent:
maximum: 100
minimum: 0
type: number
group-by:
oneOf:
- type: string
- key:
type: string
type: object
value_regex: string
value_type:
enum:
- string
- number
- date
limit:
minimum: 0
type: number
limit-percent:
maximum: 100
minimum: 0
type: number
null-order:
enum:
- first
- last
order:
enum:
- asc
- desc
- reverse
- randomize
sort-by:
oneOf:
- type: string
- key:
type: string
type: object
value_regex: string
value_type:
enum:
- string
- number
- date
type:
enum:
- reduce
required:
- type
route
Filter on appmesh routes from virtual routers as List-Item Filters.
- example:
policies:
  - name: appmesh-route-policy
    resource: aws.appmesh-mesh
    filters:
      - type: route
        key: virtualRouters[].routes[]
        attrs:
          - type: value
            key: meshOwner
            op: ne
            value: resourceOwner
            value_type: "expr"
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
key:
type: string
type:
enum:
- route
required:
- type
router
Filter on appmesh virtual routers as List-Item Filters.
- example:
policies:
  - name: appmesh-router-policy
    resource: aws.appmesh-mesh
    filters:
      - type: router
        attrs:
          - type: value
            key: meshOwner
            op: ne
            value: resourceOwner
            value_type: expr
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- router
required:
- type
safety-rule
Filter the safety rules (the assertion rules and gating rules) that you’ve defined for the routing controls in a control panel.
- example:
Find a recovery control panel with at least two deployed assertion safety rules with a minimum WaitPeriodMs of 30.
policies:
  - name: check-safety
    resource: aws.recovery-control-panel
    filters:
      - type: safety-rule
        count: 2
        count_op: gte
        attrs:
          - Type: ASSERTION
          - Status: Deployed
          - type: value
            key: WaitPeriodMs
            op: gte
            value: 30
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- safety-rule
required:
- type
security-group
Filter a resource by its associated security groups.
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- security-group
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
service
Filter on appmesh virtual services as List-Item Filters.
- example:
policies:
  - name: appmesh-virtual-service-policy
    resource: aws.appmesh-mesh
    filters:
      - type: service
        attrs:
          - or:
              - type: value
                key: meshOwner
                op: ne
                value: resourceOwner
                value_type: expr
              - not:
                  - type: value
                    key: virtualServiceName
                    op: regex
                    value: '^.*.local$'
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- service
required:
- type
service-instance
Filter on service discovery instances in the namespaces as List-Item Filters.
- example:
policies:
  - name: servicediscovery-instance-policy
    resource: servicediscovery-namespace
    filters:
      - type: service-instance
        key: Services[].Instances[]
        attrs:
          - or:
              - Attributes.AWS_EC2_INSTANCE_ID: present
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
key:
type: string
type:
enum:
- service-instance
required:
- type
ses-agg-send-stats
This filter queries SES send statistics and aggregates all the data points into a single report.
- example:
policies:
  - name: ses-aggregated-send-stats-policy
    resource: account
    filters:
      - type: ses-agg-send-stats
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- ses-agg-send-stats
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
shield-metrics
Specialized metrics filter for shield
properties:
attr-multiplier:
type: number
days:
type: number
dimensions:
patternProperties:
^.*$:
type: string
type: object
missing-value:
type: number
name:
type: string
namespace:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type: string
percent-attr:
type: string
period:
type: number
statistics:
type: string
type:
enum:
- shield-metrics
value:
type: number
required:
- type
snapshots
Filter volumes by all their snapshots.
- example:
policies:
  - name: ebs-volumes
    resource: aws.ebs
    filters:
      - not:
          - type: snapshots
            attrs:
              - type: value
                key: StartTime
                value_type: age
                value: 2
                op: less-than
properties:
attrs:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
- additional_properties: false
properties:
and:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
or:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
- additional_properties: false
properties:
not:
items:
anyOf:
- $ref: '#/definitions/filters/value'
- $ref: '#/definitions/filters/valuekv'
type: array
type: object
type: array
count:
type: number
count_op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- snapshots
required:
- type
subnet
Filters Workspaces Secure Browsers based on their associated subnet
- example:
policies:
  - name: workspaces-web-in-subnet-x
    resource: workspaces-web
    filters:
      - type: subnet
        key: SubnetId
        value: subnet-068dfbf3f275a6ae8
properties:
default:
type: object
igw:
enum:
- true
- false
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- subnet
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
subscription-filter
Filters CloudWatch log groups by subscriptions
- example:
policies:
  - name: cloudwatch-groups-with-subscriptions
    resource: log-group
    filters:
      - type: subscription-filter
        key: destinationArn
        value: arn:aws:lambda:us-east-1:123456789876:function:forwarder
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- subscription-filter
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
tag-count
Simplify tag counting.
i.e. these two blocks are equivalent:
- filters:
    - type: value
      op: gte
      count: 8
- filters:
    - type: tag-count
      count: 8
properties:
count:
minimum: 0
type: integer
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- tag-count
required:
- type
trust
Filter directories based on their trust relationships
- example:
policies:
  - name: trust-enabled-directories
    resource: directory
    filters:
      - type: trust
        key: TrustState
        value: Verified
  - name: trust-remote-domain
    resource: directory
    filters:
      - type: trust
        key: RemoteDomainName
        value: example.com
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- trust
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
usage
Filter iam resources by their api/service usage.
Note that recent activity (the last 4 hours) may not be shown; evaluation is against the last 365 days of data.
Each service access record is evaluated against all specified attributes. Attribute filters can be specified in short form as k:v pairs or in long form as a value type filter.
match-operator specifies how a resource is treated across service access record matches: ‘any’ means a single matching service record will return the policy resource as matching; ‘all’ means all service access records have to match.
Find IAM users that have not used any services in the last year
- example:
- name: usage-unused-users
  resource: iam-user
  filters:
    - type: usage
      match-operator: all
      LastAuthenticated: null
Find IAM users that have used dynamodb in the last 30 days
- example:
- name: unused-users
  resource: iam-user
  filters:
    - type: usage
      ServiceNamespace: dynamodb
      TotalAuthenticatedEntities: 1
      LastAuthenticated:
        type: value
        value_type: age
        op: less-than
        value: 30
      match-operator: any
https://aws.amazon.com/blogs/security/automate-analyzing-permissions-using-iam-access-advisor/
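An added example (not the project's own code) of the match-operator semantics above: each service access record is checked against every attribute, short form by equality and long form as a value filter with age computed from LastAuthenticated, and then any/all decides. The access records and the fixed clock are constructed, and how a principal with no access records at all is treated is this example's choice.

```python
import operator
from datetime import datetime, timedelta, timezone

# Comparison operators named as in the value filter's `op` enum (subset).
OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt, "ge": operator.ge,
       "lt": operator.lt, "le": operator.le}
OPS.update({"equal": OPS["eq"], "not-equal": OPS["ne"], "greater-than": OPS["gt"],
            "gte": OPS["ge"], "less-than": OPS["lt"], "lte": OPS["le"]})

# Fixed "now" so the sample is deterministic (constructed, not the real clock).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def record_attr_matches(record, name, condition, now=NOW):
    """One attribute of a service access record against its filter.

    Short form compares for equality (YAML `null` arrives as None); long
    form is a value filter, where `value_type: age` turns the timestamp
    into days elapsed before comparing.
    """
    actual = record.get(name)
    if isinstance(condition, dict) and condition.get("type") == "value":
        if condition.get("value_type") == "age":
            if actual is None:
                return False          # never authenticated: no age to compare
            actual = (now - actual) / timedelta(days=1)
        return OPS[condition.get("op", "eq")](actual, condition["value"])
    return actual == condition


def usage_matches(spec, records, now=NOW):
    """Evaluate a `usage` filter against a principal's access records.

    Every key other than `type`, `match-operator` and `poll-delay` is an
    attribute each record must satisfy in full; `match-operator` then
    decides whether one matching record (`any`) or every record (`all`)
    selects the resource. Assumption of this example: a principal with no
    records at all matches `all` (vacuously) and never `any`.
    """
    attrs = {k: v for k, v in spec.items()
             if k not in ("type", "match-operator", "poll-delay")}
    per_record = [all(record_attr_matches(r, k, v, now) for k, v in attrs.items())
                  for r in records]
    return any(per_record) if spec["match-operator"] == "any" else all(per_record)


# The two filters from the examples above.
UNUSED_USERS = {"type": "usage", "match-operator": "all", "LastAuthenticated": None}
DYNAMODB_RECENT = {"type": "usage", "ServiceNamespace": "dynamodb",
                   "TotalAuthenticatedEntities": 1,
                   "LastAuthenticated": {"type": "value", "value_type": "age",
                                         "op": "less-than", "value": 30},
                   "match-operator": "any"}


def access_record(namespace, last_authenticated, entities=0):
    """Constructed service access record in the shape of the fields above."""
    return {"ServiceNamespace": namespace, "ServiceName": namespace.upper(),
            "LastAuthenticated": last_authenticated,
            "TotalAuthenticatedEntities": entities}


# Constructed sample principals (not real access-advisor output).
DORMANT_USER = [access_record("s3", None), access_record("dynamodb", None)]
ACTIVE_USER = [access_record("s3", NOW - timedelta(days=200), 1),
               access_record("dynamodb", NOW - timedelta(days=10), 1)]
STALE_USER = [access_record("dynamodb", NOW - timedelta(days=45), 1)]

if __name__ == "__main__":
    for label, records in [("dormant", DORMANT_USER), ("active", ACTIVE_USER),
                           ("stale", STALE_USER)]:
        print(label, "unused:", usage_matches(UNUSED_USERS, records),
              "dynamodb<30d:", usage_matches(DYNAMODB_RECENT, records))
```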
properties:
LastAuthenticated:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
LastAuthenticatedEntity:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
ServiceName:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
ServiceNamespace:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
TotalAuthenticatedEntities:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
match-operator:
enum:
- all
- any
poll-delay:
type: number
type:
enum:
- usage
required:
- match-operator
usage-metric
Filter service quotas by usage, only compatible with service quotas that return a UsageMetric attribute.
The default limit is 80%. The default min_period (minimum period) is 300 seconds, and it is automatically set to 60 seconds if a user tries to set it to anything lower than that.
policies:
  - name: service-quota-usage-limit
    description: |
      find any services that have usage stats of
      over 80%
    resource: aws.service-quota
    filters:
      - UsageMetric: present
      - type: usage-metric
        limit: 19
properties:
limit:
type: integer
min_period:
type: integer
type:
enum:
- usage-metric
required:
- type
value
Generic value filter using jmespath
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
type:
enum:
- value
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
vpc
Filter a resource by its associated vpc.
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
operator:
enum:
- and
- or
type:
enum:
- vpc
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
required:
- type
waf-enabled
Filter API Gateway stage by waf-regional web-acl
- example:
policies:
  - name: filter-apigw-waf-regional
    resource: rest-stage
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
state:
type: boolean
type:
enum:
- waf-enabled
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
web-acl:
type: string
required:
- type
wafv2-enabled
Filter Cognito UserPool by wafv2 web-acl
- example:
policies:
  - name: filter-userpool-wafv2
    resource: user-pool
    filters:
      - type: wafv2-enabled
        state: false
  - name: filter-userpool-wafv2-regex
    resource: user-pool
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
- mod
state:
type: boolean
type:
enum:
- wafv2-enabled
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
headers:
patternProperties:
? ''
: type: string
type: object
query:
type: string
url:
type: string
required:
- url
type: object
value_path:
type: string
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
- float
web-acl:
type: string
required:
- type