aws.dynamodb-table

Filters

consecutive-aws-backups

Returns resources where the number of consecutive backups (based on the periodicity defined in the filter) is equal to or greater than n units. This filter supports resources that use the AWS Backup service for backups.

example:

policies:
  - name: dynamodb-consecutive-aws-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-aws-backups
        count: 7
        period: days
        status: 'COMPLETED'
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - COMPLETED
    - PARTIAL
    - DELETING
    - EXPIRED
  type:
    enum:
    - consecutive-aws-backups
required:
- count
- period
- status
- type

Permissions - backup:ListRecoveryPointsByResource

consecutive-backups

Returns tables where the number of consecutive daily backups is equal to or greater than n days.

example:

policies:
  - name: dynamodb-daily-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-backups
        count: 7
        period: days
        backuptype: SYSTEM
        status: AVAILABLE
properties:
  backuptype:
    enum:
    - SYSTEM
    - USER
    - AWS_BACKUP
    - ALL
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - AVAILABLE
    - CREATING
    - DELETED
  type:
    enum:
    - consecutive-backups
required:
- count
- period
- status
- backuptype
- type

Permissions - dynamodb:ListBackups, dynamodb:DescribeBackup, dynamodb:DescribeTable
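The consecutive-aws-backups and consecutive-backups filters above apply the same test: at least one qualifying backup in each of the last `count` periods. The function below is an added example, not Cloud Custodian's implementation; it runs over ListBackups-style BackupSummaries, assumes periods are counted back from `now` rather than aligned to calendar days, and uses constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# One period, keyed by the filter's `period` enum (hours / days / weeks).
PERIOD = {"hours": timedelta(hours=1),
          "days": timedelta(days=1),
          "weeks": timedelta(weeks=1)}


def missing_periods(backups, count, period, status, backuptype="ALL", now=None):
    """Indexes in range(count) with no qualifying backup; index 0 is the period
    ending at `now`. Periods are counted back from `now` (an assumption of this
    example), not aligned to calendar days."""
    now = now or datetime.now(timezone.utc)
    covered = set()
    for b in backups:
        if b["BackupStatus"] != status:
            continue
        if backuptype != "ALL" and b["BackupType"] != backuptype:
            continue
        age = now - b["BackupCreationDateTime"]
        if age >= timedelta(0):              # ignore clock-skewed future entries
            covered.add(age // PERIOD[period])
    return [i for i in range(count) if i not in covered]


def consecutive_backups(backups, count, period, status, backuptype="ALL", now=None):
    """True when the table would match the filter: every one of the last
    `count` periods holds a backup with the requested status and type."""
    return not missing_periods(backups, count, period, status, backuptype, now)


# Constructed sample shaped like ListBackups' BackupSummaries: six daily
# SYSTEM backups with day 3 missing, plus a USER backup on day 3.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [{"BackupName": f"sys-{i}", "BackupStatus": "AVAILABLE",
           "BackupType": "SYSTEM",
           "BackupCreationDateTime": NOW - timedelta(days=i, hours=2)}
          for i in (0, 1, 2, 4, 5, 6)]
SAMPLE.append({"BackupName": "user-3", "BackupStatus": "AVAILABLE",
               "BackupType": "USER",
               "BackupCreationDateTime": NOW - timedelta(days=3, hours=2)})

if __name__ == "__main__":
    print(missing_periods(SAMPLE, 7, "days", "AVAILABLE", "SYSTEM", NOW))  # [3]
    print(consecutive_backups(SAMPLE, 7, "days", "AVAILABLE", "ALL", NOW))  # True
```

With `backuptype: SYSTEM` the gap on day 3 fails a 7-day policy, while `ALL` accepts the USER backup that fills it.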

continuous-backup

Check for continuous backups and point in time recovery (PITR) on a dynamodb table.

example:

policies:
  - name: dynamodb-continuous-backups-disabled
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: ContinuousBackupsStatus
        op: eq
        value: DISABLED
  - name: dynamodb-pitr-disabled
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: PointInTimeRecoveryDescription.PointInTimeRecoveryStatus
        op: ne
        value: ENABLED
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - continuous-backup
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - dynamodb:DescribeContinuousBackups

cross-account

Check a resource's embedded IAM resource policy for cross-account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - dynamodb:GetResourcePolicy
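As an added example (not Cloud Custodian's own code), the check the cross-account filter performs, reduced to a function over a DynamoDB resource policy document: it flags Allow statements whose principals fall outside `whitelist`, honours `whitelist_orgids` via an aws:PrincipalOrgID condition, and with `everyone_only` reports only wildcard principals. The policy, account IDs and org ID are constructed placeholders.

```python
import json
import re

# Bare 12-digit account ID, or the account portion of an IAM/STS ARN.
ACCOUNT_RE = re.compile(r"^(\d{12})$|^arn:aws:(?:iam|sts)::(\d{12}):")

def principal_accounts(principal):
    """Account IDs named by a statement's Principal ('*' means anyone).
    Only the AWS principal type is inspected; Service principals are skipped."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [values] if isinstance(values, str) else values
    accounts = set()
    for v in values:
        m = ACCOUNT_RE.match(v)
        # Unparseable principals are kept verbatim so they fail the whitelist check.
        accounts.add((m.group(1) or m.group(2)) if m else v)
    return accounts

def cross_account_statements(policy, whitelist, whitelist_orgids=(), everyone_only=False):
    """Sids of Allow statements granting access outside `whitelist`; a statement
    restricted by aws:PrincipalOrgID to a whitelisted org is accepted."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    flagged = []
    for s in doc.get("Statement", []):
        if s.get("Effect") != "Allow" or "Principal" not in s:
            continue
        org = s.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if org in whitelist_orgids:
            continue
        accounts = principal_accounts(s["Principal"])
        if everyone_only:
            hit = "*" in accounts          # only wide-open grants count
        else:
            hit = not accounts <= set(whitelist)
        if hit:
            flagged.append(s.get("Sid", "<no Sid>"))
    return flagged

# Constructed sample resource policy; the account and org IDs are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Owner", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"}},
    {"Sid": "Partner", "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": "*",
     "Principal": {"AWS": ["222222222222"]}},
    {"Sid": "OrgOnly", "Effect": "Allow", "Action": "dynamodb:Query", "Resource": "*",
     "Principal": "*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}},
    {"Sid": "Public", "Effect": "Allow", "Action": "dynamodb:Scan", "Resource": "*", "Principal": "*"}]})
```

For a table owned by 111111111111, `cross_account_statements(SAMPLE_POLICY, {"111111111111"})` flags Partner, OrgOnly and Public; adding the org to `whitelist_orgids` clears OrgOnly.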

has-statement

Find resources with matching access policy statements.

If you want to return resource statements that include the listed Action or NotAction, you can use PartialMatch instead of an exact match.

example:

policies:
  - name: sns-check-statement-id
    resource: sns
    filters:
      - type: has-statement
        statement_ids:
          - BlockNonSSL
  - name: sns-check-block-non-ssl
    resource: sns
    filters:
      - type: has-statement
        statements:
          - Effect: Deny
            Action: 'SNS:Publish'
            Principal: '*'
            Condition:
                Bool:
                    "aws:SecureTransport": "false"
            PartialMatch: 'Action'
properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
          - type: string
          - type: array
        Condition:
          type: object
        Effect:
          enum:
          - Allow
          - Deny
          type: string
        NotAction:
          anyOf:
          - type: string
          - type: array
        NotPrincipal:
          anyOf:
          - type: object
          - type: array
        NotResource:
          anyOf:
          - type: string
          - type: array
        PartialMatch:
          anyOf:
          - enum:
            - Action
            - NotAction
            type: string
          - items:
            - enum:
              - Action
              - NotAction
              type: string
            type: array
        Principal:
          anyOf:
          - type: string
          - type: object
          - type: array
        Resource:
          anyOf:
          - type: string
          - type: array
        Sid:
          type: string
      required:
      - Effect
      type: object
    type: array
  type:
    enum:
    - has-statement
required:
- type

Permissions - dynamodb:GetResourcePolicy

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated KMS key, and optionally by the key's alias name using the ‘c7n:AliasName’ key.

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey

Actions

backup

Creates a manual backup of a DynamoDB table. Use of the optional prefix flag will attach a user specified prefix. Otherwise, the backup prefix will default to ‘Backup’.

example:

policies:
  - name: dynamodb-create-backup
    resource: dynamodb-table
    actions:
      - type: backup
        prefix: custom
properties:
  prefix:
    type: string
  type:
    enum:
    - backup
required:
- type

Permissions - dynamodb:CreateBackup

delete

Action to delete DynamoDB tables.

example:

policies:
  - name: delete-empty-tables
    resource: dynamodb-table
    filters:
      - TableSizeBytes: 0
    actions:
      - delete
properties:
  force:
    default: false
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - dynamodb:UpdateTable, dynamodb:DeleteTable

rename-tag

Rename an existing tag key to a new value.

example:

Rename Application and Bap to App. If a resource has both of the old keys, the value from Application is used, because it comes first in old_keys; the order of old_keys decides which value wins.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-continuous-backup

Set continuous backups and point in time recovery (PITR) on a dynamodb table.

example:

policies:
  - name: dynamodb-continuous-backups-disabled-set
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: ContinuousBackupsStatus
        op: eq
        value: DISABLED
    actions:
      - type: set-continuous-backup
properties:
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-continuous-backup
required:
- type

Permissions - dynamodb:UpdateContinuousBackups

set-stream

Action to enable or disable DynamoDB Streams on a table.

example:

policies:
  - name: stream-update
    resource: dynamodb-table
    filters:
      - TableName: 'test'
      - TableStatus: 'ACTIVE'
    actions:
      - type: set-stream
        state: True
        stream_view_type: 'NEW_IMAGE'
properties:
  state:
    type: boolean
  stream_view_type:
    type: string
  type:
    enum:
    - set-stream
required:
- type

Permissions - dynamodb:UpdateTable

update

Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.

example:

policies:
  - name: dynamodb-change-billing-mode
    resource: aws.dynamodb-table
    actions:
      - type: update
        BillingMode: PAY_PER_REQUEST
properties:
  BillingMode:
    enum:
    - PROVISIONED
    - PAY_PER_REQUEST
  DeletionProtectionEnabled:
    enum:
    - true
    - false
  ProvisionedThroughput:
    properties:
      ReadCapacityUnits:
        type: integer
      WriteCapacityUnits:
        type: integer
    type: object
  type:
    enum:
    - update
required:
- type

Permissions - dynamodb:UpdateTable