AWS Common Filters¶
Filters
alarm¶
Filter log metric filters based on associated alarms.
- example
policies:
- name: log-metrics-with-alarms
resource: aws.log-metric
filters:
- type: alarm
key: AlarmName
value: present
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- alarm
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
api-cache¶
Filter AppSync GraphQLApi based on the api cache attributes :example: .. code-block:: yaml
- policies:
name: filter-graphql-api-cache resource: aws.graphql-api filters:
type: api-cache key: ‘apiCachingBehavior’ value: ‘FULL_REQUEST_CACHING’
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- api-cache
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
check-permissions¶
Check IAM permissions associated with a resource.
- example
Find users that can create other users
policies:
- name: super-users
resource: aws.iam-user
filters:
- type: check-permissions
match: allowed
actions:
- iam:CreateUser
- example
Find users with access to all services and actions
policies:
- name: admin-users
resource: aws.iam-user
filters:
- type: check-permissions
match: allowed
actions:
- '*:*'
By default permission boundaries are checked.
properties:
actions:
items:
type: string
type: array
boundaries:
type: boolean
match:
oneOf:
- enum:
- allowed
- denied
- $ref: '#/definitions/filters/valuekv'
- $ref: '#/definitions/filters/value'
match-operator:
enum:
- and
- or
type:
enum:
- check-permissions
required:
- actions
- match
client-properties¶
Filter workspace directories based off workspace client properties.
- example
policies:
- name: workspace-client-credentials
resource: aws.workspaces-directory
filters:
- type: client-properties
key: ReconnectEnabled
value: ENABLED
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- client-properties
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
config-compliance¶
Filter resources by their compliance with one or more AWS config rules.
An example of using the filter to find all ec2 instances that have been registered as non compliant in the last 30 days against two custom AWS Config rules.
- example
policies:
- name: non-compliant-ec2
resource: ec2
filters:
- type: config-compliance
eval_filters:
- type: value
key: ResultRecordedTime
value_type: age
value: 30
op: less-than
rules:
- custodian-ec2-encryption-required
- custodian-ec2-tags-required
Also note, custodian has direct support for deploying policies as config rules see https://cloudcustodian.io/docs/policy/lambda.html#config-rules
properties:
eval_filters:
items:
oneOf:
- $ref: '#/definitions/filters/valuekv'
- $ref: '#/definitions/filters/value'
type: array
op:
enum:
- or
- and
rules:
items:
type: string
type: array
states:
items:
enum:
- COMPLIANT
- NON_COMPLIANT
- NOT_APPLICABLE
- INSUFFICIENT_DATA
type: array
type:
enum:
- config-compliance
required:
- rules
connection-aliases¶
Filter workspace directories based on connection aliases
- example
policies:
- name: workspace-connection-alias
resource: aws.workspaces-directory
filters:
- type: connection-aliases
key: 'ConnectionAliases'
value: 'empty'
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- connection-aliases
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
domain-options¶
Filter for cloud search domains by their domain options.
- example
policies:
- name: cloudsearch-detect-https
resource: cloudsearch
filters:
- type: domain-options
key: Options.EnforceHTTPS
value: false
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- domain-options
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
engine¶
Filter a rds resource based on its Engine Metadata
- example
policies:
- name: find-deprecated-versions
resource: aws.rds
filters:
- type: engine
key: Status
value: deprecated
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- engine
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
event¶
Filter a resource based on an event.
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- event
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
finding¶
Check if there are Security Hub Findings related to the resources
properties:
query:
type: object
region:
type: string
type:
enum:
- finding
required:
- type
health-event¶
Check if there are operations health events (phd) related to the resources
https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/
Health events are stored as annotation on a resource.
Custodian also supports responding to phd events via a lambda execution mode.
properties:
category:
items:
enum:
- issue
- accountNotification
- scheduledChange
type: array
statuses:
items:
enum:
- open
- upcoming
- closed
type: string
type: array
type:
enum:
- health-event
types:
items:
type: string
type: array
required:
- type
iam-analyzer¶
Analyze resource access policies using AWS IAM Access Analyzer.
Access analyzer uses logic based reasoning to analyze embedded resource iam access policies to determine access outside of a zone of trust.
policies:
- name: s3-check
resource: aws.s3
filters:
- type: iam-analyzer
key: isPublic
value: true
properties:
analyzer:
type: string
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- iam-analyzer
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
image¶
Filter asg by image
- example
policies:
- name: non-windows-asg
resource: asg
filters:
- type: image
key: Platform
value: Windows
op: ne
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- image
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
instance-attribute¶
Filter Connect resources based on instance attributes
- example
policies:
- name: connect-instance-attribute
resource: connect-instance
filters:
- type: instance-attribute
key: Attribute.Value
value: true
attribute_type: CONTACT_LENS
properties:
attribute_type:
type: string
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- instance-attribute
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- attribute_type
- type
logging¶
Filter by wafv2 logging configuration
- example
policies:
- name: wafv2-logging-enabled
resource: aws.wafv2
filters:
- not:
- type: logging
key: ResourceArn
value: present
- name: check-redacted-fields
resource: aws.wafv2
filters:
- type: logging
key: RedactedFields[].SingleHeader.Name
value: user-agent
op: in
value_type: swap
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- logging
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
login-profile¶
Filter IAM users that have an associated login-profile
For quicker evaluation and reduced API traffic, it is recommended to instead use the ‘credential’ filter with ‘password_enabled’: true when a delay of up to four hours for credential report syncing is acceptable.
(https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
- example
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- login-profile
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
marked-for-op¶
Filter resources for tag specified future action
Filters resources by a ‘maid_status’ tag which specifies a future date for an action.
The filter parses the tag values looking for an ‘op@date’ string. The date is parsed and compared to do today’s date, the filter succeeds if today’s date is gte to the target date.
The optional ‘skew’ parameter provides for incrementing today’s date a number of days into the future. An example use case might be sending a final notice email a few days before terminating an instance, or snapshotting a volume prior to deletion.
The optional ‘skew_hours’ parameter provides for incrementing the current time a number of hours into the future.
Optionally, the ‘tz’ parameter can get used to specify the timezone in which to interpret the clock (default value is ‘utc’)
policies:
- name: ec2-stop-marked
resource: ec2
filters:
- type: marked-for-op
# The default tag used is maid_status
# but that is configurable
tag: custodian_status
op: stop
# Another optional tag is skew
tz: utc
actions:
- type: stop
properties:
op:
type: string
skew:
minimum: 0
type: number
skew_hours:
minimum: 0
type: number
tag:
type: string
type:
enum:
- marked-for-op
tz:
type: string
required:
- type
metrics¶
Supports cloud watch metrics filters on resources.
All resources that have cloud watch metrics are supported.
Docs on cloud watch metrics
GetMetricStatistics https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricStatistics.html
Supported Metrics https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/aws-services-cloudwatch-metrics.html
- name: ec2-underutilized
resource: ec2
filters:
- type: metrics
name: CPUUtilization
days: 4
period: 86400
value: 30
op: less-than
Note periods when a resource is not sending metrics are not part of calculated statistics as in the case of a stopped ec2 instance, nor for resources to new to have existed the entire period. ie. being stopped for an ec2 instance wouldn’t lower the average cpu utilization.
The “missing-value” key allows a policy to specify a default value when CloudWatch has no data to report:
- name: elb-low-request-count
resource: elb
filters:
- type: metrics
name: RequestCount
statistics: Sum
days: 7
value: 7
missing-value: 0
op: less-than
This policy matches any ELB with fewer than 7 requests for the past week. ELBs with no requests during that time will have an empty set of metrics. Rather than skipping those resources, “missing-value: 0” causes the policy to treat their request counts as 0.
Note the default statistic for metrics is Average.
properties:
attr-multiplier:
type: number
days:
type: number
dimensions:
patternProperties:
^.*$:
type: string
type: object
missing-value:
type: number
name:
type: string
namespace:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type: string
percent-attr:
type: string
period:
type: number
statistics:
type: string
type:
enum:
- metrics
value:
type: number
required:
- value
- name
network-location¶
On a network attached resource, determine intersection of security-group attributes, subnet attributes, and resource attributes.
The use case is a bit specialized, for most use cases using subnet and security-group filters suffice. but say for example you wanted to verify that an ec2 instance was only using subnets and security groups with a given tag value, and that tag was not present on the resource.
- Example
policies:
- name: ec2-mismatched-sg-remove
resource: ec2
filters:
- type: network-location
compare: ["resource","security-group"]
key: "tag:TEAM_NAME"
ignore:
- "tag:TEAM_NAME": Enterprise
actions:
- type: modify-security-groups
remove: network-location
isolation-group: sg-xxxxxxxx
properties:
compare:
default:
- resource
- subnet
- security-group
description: Which elements of network location should be considered when matching.
items:
enum:
- resource
- subnet
- security-group
type: array
ignore:
items:
type: object
type: array
key:
description: The attribute expression that should be matched on
type: string
match:
default: non-equal
enum:
- equal
- not-equal
type: string
max-cardinality:
default: 1
title: ''
type: integer
missing-ok:
default: false
description: How to handle missing keys on elements, by default this causesresources
to be considered not-equal
type: boolean
type:
enum:
- network-location
required:
- key
- type
offhour¶
Schedule offhours for resources see offhours for features and configuration.
properties:
default_tz:
type: string
fallback_schedule:
type: string
offhour:
maximum: 23
minimum: 0
type: integer
opt-out:
type: boolean
skip-days:
items:
pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
type: string
type: array
skip-days-from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
tag:
type: string
type:
enum:
- offhour
weekends:
type: boolean
weekends-only:
type: boolean
required:
- offhour
- default_tz
- type
onhour¶
Schedule offhours for resources see offhours for features and configuration.
properties:
default_tz:
type: string
fallback_schedule:
type: string
onhour:
maximum: 23
minimum: 0
type: integer
opt-out:
type: boolean
skip-days:
items:
pattern: ^[0-9]{4}-[0-9]{2}-[0-9]{2}
type: string
type: array
skip-days-from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
tag:
type: string
type:
enum:
- onhour
weekends:
type: boolean
weekends-only:
type: boolean
required:
- onhour
- default_tz
- type
ops-item¶
Filter resources associated to extant OpsCenter operational items.
- example
Find ec2 instances with open ops items.
policies:
- name: ec2-instances-ops-items
resource: ec2
filters:
- type: ops-item
# we can filter on source, title, priority
priority: [1, 2]
properties:
priority:
items:
enum:
- 1
- 2
- 3
- 4
- 5
type: array
source:
type: string
status:
default:
- Open
items:
enum:
- Open
- In progress
- Resolved
type: array
title:
type: string
type:
enum:
- ops-item
required:
- type
ownership¶
Filter for object ownership controls
Reference: https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html
:example
Find buckets with ACLs disabled
policies:
- name: s3-bucket-acls-disabled
resource: aws.s3
region: us-east-1
filters:
- type: ownership
value: BucketOwnerEnforced
:example
Find buckets with object ownership preferred or enforced
policies:
- name: s3-bucket-ownership-preferred
resource: aws.s3
region: us-east-1
filters:
- type: ownership
op: in
value:
- BucketOwnerEnforced
- BucketOwnerPreferred
:example
Find buckets with no object ownership controls
policies:
- name: s3-bucket-no-ownership-controls
resource: aws.s3
region: us-east-1
filters:
- type: ownership
value: empty
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- ownership
value:
oneOf:
- enum:
- BucketOwnerEnforced
- BucketOwnerPreferred
- ObjectWriter
- absent
- present
- not-null
- empty
type: string
- items:
enum:
- BucketOwnerEnforced
- BucketOwnerPreferred
- ObjectWriter
- absent
- present
- not-null
- empty
type: string
type: array
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
reduce¶
Generic reduce filter to group, sort, and limit your resources.
This example will select the longest running instance from each ASG, then randomly choose 10% of those, maxing at 15 total instances.
- example
- name: oldest-instance-by-asg
resource: ec2
filters:
- "tag:aws:autoscaling:groupName": present
- type: reduce
group-by: "tag:aws:autoscaling:groupName"
sort-by: "LaunchTime"
order: asc
limit: 1
Or you might want to randomly select a 10 percent of your resources, but no more than 15.
- example
- name: random-selection
resource: ec2
filters:
- type: reduce
order: randomize
limit: 15
limit-percent: 10
properties:
discard:
minimum: 0
type: number
discard-percent:
maximum: 100
minimum: 0
type: number
group-by:
oneOf:
- type: string
- key:
type: string
type: object
value_regex: string
value_type:
enum:
- string
- number
- date
limit:
minimum: 0
type: number
limit-percent:
maximum: 100
minimum: 0
type: number
null-order:
enum:
- first
- last
order:
enum:
- asc
- desc
- reverse
- randomize
sort-by:
oneOf:
- type: string
- key:
type: string
type: object
value_regex: string
value_type:
enum:
- string
- number
- date
type:
enum:
- reduce
required:
- type
security-group¶
Filter a resource by its associated security groups.
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- security-group
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
ses-agg-send-stats¶
This filter queries SES send statistics and aggregates all the data points into a single report.
- example
policies:
- name: ses-aggregated-send-stats-policy
resource: account
filters:
- type: ses-agg-send-stats
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- ses-agg-send-stats
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
shield-metrics¶
Specialized metrics filter for shield
properties:
attr-multiplier:
type: number
days:
type: number
dimensions:
patternProperties:
^.*$:
type: string
type: object
missing-value:
type: number
name:
type: string
namespace:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type: string
percent-attr:
type: string
period:
type: number
statistics:
type: string
type:
enum:
- shield-metrics
value:
type: number
required:
- type
subnet¶
Filter a resource by its associated subnets attributes.
This filter is generally available for network attached resources.
ie. to find lambda functions that are vpc attached to subnets with a tag key Location and value Database.
- example
policies:
- name: lambda
resource: aws.lambda
filters:
- type: subnet
key: tag:Location
value: Database
It also supports finding resources on public or private subnets via route table introspection to determine if the subnet is associated to an internet gateway.
- example
policies:
- name: public-ec2
resource: aws.ec2
filters:
- type: subnet
igw: True
key: SubnetId
value: present
properties:
default:
type: object
igw:
enum:
- true
- false
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- subnet
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
subscription-filter¶
Filters CloudWatch log groups by subscriptions
- example
policies:
- name: cloudwatch-groups-with-subscriptions
resource: log-group
filters:
- type: subscription-filter
key: destinationArn
value: arn:aws:lambda:us-east-1:123456789876:function:forwarder
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- subscription-filter
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
tag-count¶
Simplify tag counting..
ie. these two blocks are equivalent
- filters:
- type: value
op: gte
count: 8
- filters:
- type: tag-count
count: 8
properties:
count:
minimum: 0
type: integer
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- tag-count
required:
- type
usage¶
Filter iam resources by their api/service usage.
Note recent activity (last 4hrs) may not be shown, evaluation is against the last 365 days of data.
Each service access record is evaluated against all specified attributes. Attribute filters can be specified in short form k:v pairs or in long form as a value type filter.
match-operator allows to specify how a resource is treated across service access record matches. ‘any’ means a single matching service record will return the policy resource as matching. ‘all’ means all service access records have to match.
Find iam users that have not used any services in the last year
- example
- name: usage-unused-users
resource: iam-user
filters:
- type: usage
match-operator: all
LastAuthenticated: null
Find iam users that have used dynamodb in last 30 days
- example
- name: unused-users
resource: iam-user
filters:
- type: usage
ServiceNamespace: dynamodb
TotalAuthenticatedEntities: 1
LastAuthenticated:
type: value
value_type: age
op: less-than
value: 30
match-operator: any
https://aws.amazon.com/blogs/security/automate-analyzing-permissions-using-iam-access-advisor/
properties:
LastAuthenticated:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
LastAuthenticatedEntity:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
ServiceName:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
ServiceNamespace:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
TotalAuthenticatedEntities:
oneOf:
- type: string
- type: boolean
- type: number
- type: 'null'
- $ref: '#/definitions/filters/value'
match-operator:
enum:
- all
- any
poll-delay:
type: number
type:
enum:
- usage
required:
- match-operator
usage-metric¶
Filter service quotas by usage, only compatible with service quotas that return a UsageMetric attribute.
Default limit is 80%
policies:
- name: service-quota-usage-limit
description: |
find any services that have usage stats of
over 80%
resource: aws.service-quota
filters:
- UsageMetric: present
- type: usage-metric
limit: 19
properties:
limit:
type: integer
type:
enum:
- usage-metric
required:
- type
value¶
Generic value filter using jmespath
properties:
default:
type: object
key:
type: string
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- value
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type
vpc¶
Filter a resource by its associated vpc.
properties:
default:
type: object
key:
type: string
match-resource:
type: boolean
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
operator:
enum:
- and
- or
type:
enum:
- vpc
value:
oneOf:
- type: array
- type: string
- type: boolean
- type: number
- type: 'null'
value_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
value_regex:
type: string
value_type:
enum:
- age
- integer
- expiration
- normalize
- size
- cidr
- cidr_size
- swap
- resource_count
- expr
- unique_size
- date
- version
required:
- type