aws.dynamodb-table
Filters
consecutive-aws-backups
Returns resources where the number of consecutive backups (based on the periodicity defined in the filter) is equal to or greater than n units. This filter supports resources that use the AWS Backup service for backups.
- example:
policies:
  - name: dynamodb-consecutive-aws-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-aws-backups
        count: 7
        period: days
        status: 'COMPLETED'
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
      - hours
      - days
      - weeks
  status:
    enum:
      - COMPLETED
      - PARTIAL
      - DELETING
      - EXPIRED
  type:
    enum:
      - consecutive-aws-backups
required:
  - count
  - period
  - status
  - type
Permissions - backup:ListRecoveryPointsByResource
consecutive-backups
Returns tables where the number of consecutive daily backups is equal to or greater than n days.
- example:
policies:
  - name: dynamodb-daily-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-backups
        count: 7
        period: days
        backuptype: SYSTEM
        status: AVAILABLE
properties:
  backuptype:
    enum:
      - SYSTEM
      - USER
      - AWS_BACKUP
      - ALL
  count:
    minimum: 1
    type: number
  period:
    enum:
      - hours
      - days
      - weeks
  status:
    enum:
      - AVAILABLE
      - CREATING
      - DELETED
  type:
    enum:
      - consecutive-backups
required:
  - count
  - period
  - status
  - backuptype
  - type
Permissions - dynamodb:ListBackups, dynamodb:DescribeBackup, dynamodb:DescribeTable
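Added illustration of the "consecutive backups" check that both filters above describe, written against constructed dynamodb:ListBackups-style records; this is not Cloud Custodian's own implementation. Assumptions: periods are counted as whole hours, UTC days or ISO weeks ending before the current one, and one backup with the wanted status and type per period is enough.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of dynamodb:ListBackups output (not real data).
def _backup(day, status="AVAILABLE", backup_type="SYSTEM"):
    return {"BackupCreationDateTime": datetime(2024, 6, day, 3, 0, tzinfo=timezone.utc),
            "BackupStatus": status, "BackupType": backup_type}

COMPLETE_TABLE = [_backup(d) for d in range(1, 8)]  # June 1..7: one backup per day
GAPPED_TABLE = [_backup(d) for d in (5, 6, 7)] + [_backup(4, status="DELETED")]
NOW = datetime(2024, 6, 8, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the demo (a Saturday)

STEP = {"hours": timedelta(hours=1), "days": timedelta(days=1), "weeks": timedelta(weeks=1)}

def bucket(ts, period):
    """Truncate a timestamp to the start of its hour, UTC day, or ISO week (Monday)."""
    if period == "hours":
        return ts.replace(minute=0, second=0, microsecond=0)
    if period == "weeks":
        ts = ts - timedelta(days=ts.weekday())
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)

def missing_periods(backups, count, period, status, backuptype="ALL", now=None):
    """Start of each of the last `count` whole periods before `now` that lacks a backup
    with the wanted status/type. Assumption: the current, still-open period is skipped."""
    now = now or datetime.now(timezone.utc)
    have = {bucket(b["BackupCreationDateTime"], period) for b in backups
            if b["BackupStatus"] == status
            and (backuptype == "ALL" or b["BackupType"] == backuptype)}
    current = bucket(now, period)
    expected = [current - (i + 1) * STEP[period] for i in range(count)]
    return [p for p in expected if p not in have]

def has_consecutive_backups(backups, count, period, status, backuptype="ALL", now=None):
    """Filter semantics: True when each of `count` consecutive periods has a backup."""
    return not missing_periods(backups, count, period, status, backuptype, now)

if __name__ == "__main__":
    print(has_consecutive_backups(COMPLETE_TABLE, 7, "days", "AVAILABLE", "SYSTEM", NOW))  # True
    print(missing_periods(GAPPED_TABLE, 4, "days", "AVAILABLE", "SYSTEM", NOW))  # one entry: 2024-06-04
```

The DELETED record on June 4 is filtered out by status before the gap check, which is why `status` is a required property: counting backups of the wrong status would hide a real gap.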
continuous-backup
Check for continuous backups and point-in-time recovery (PITR) on a DynamoDB table.
- example:
policies:
  - name: dynamodb-continuous-backups-disabled
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: ContinuousBackupsStatus
        op: eq
        value: DISABLED
  - name: dynamodb-pitr-disabled
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: PointInTimeRecoveryDescription.PointInTimeRecoveryStatus
        op: ne
        value: ENABLED
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - continuous-backup
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - dynamodb:DescribeContinuousBackups
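Added illustration (not Custodian's own code) of how the key/op/value matching in the two example policies behaves on constructed DescribeContinuousBackups descriptions. The dotted-key lookup and treating a missing key as None are my assumptions about the filter's semantics; they show why `ne: ENABLED` also catches a table whose PITR description is absent, while `eq: DISABLED` does not.

```python
import operator
import re

# Constructed ContinuousBackupsDescription values for three tables (not real account data).
TABLES = {
    "users":  {"ContinuousBackupsStatus": "ENABLED",
               "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "ENABLED"}},
    "orders": {"ContinuousBackupsStatus": "ENABLED",
               "PointInTimeRecoveryDescription": {"PointInTimeRecoveryStatus": "DISABLED"}},
    "legacy": {"ContinuousBackupsStatus": "DISABLED"},  # constructed edge case: no PITR block
}
PITR_KEY = "PointInTimeRecoveryDescription.PointInTimeRecoveryStatus"

# Subset of the operators listed in the schema; missing key compares as None.
OPS = {
    "eq": operator.eq, "equal": operator.eq,
    "ne": operator.ne, "not-equal": operator.ne,
    "in": lambda have, want: have in want,
    "ni": lambda have, want: have not in want, "not-in": lambda have, want: have not in want,
    "regex": lambda have, want: have is not None and re.match(want, str(have)) is not None,
}

def lookup(obj, dotted_key):
    """Walk a dotted key such as 'A.B' through nested dicts; any missing segment yields None."""
    for part in dotted_key.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def matches(description, key, op, value):
    """Evaluate one filter clause against a single table's description."""
    return OPS[op](lookup(description, key), value)

def select(tables, key, op, value):
    """Names of the tables the filter would keep, in input order."""
    return [name for name, desc in tables.items() if matches(desc, key, op, value)]

if __name__ == "__main__":
    print(select(TABLES, PITR_KEY, "eq", "DISABLED"))  # ['orders']  ('legacy' has nothing to compare)
    print(select(TABLES, PITR_KEY, "ne", "ENABLED"))   # ['orders', 'legacy']
```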
cross-account
Check a resource's embedded IAM resource policy for cross-account access.
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
      - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
required:
  - type
Permissions - dynamodb:GetResourcePolicy
has-statement
Find resources with matching access policy statements.
- example:
policies:
  - name: sns-check-statement-id
    resource: sns
    filters:
      - type: has-statement
        statement_ids:
          - BlockNonSSL

policies:
  - name: sns-check-block-non-ssl
    resource: sns
    filters:
      - type: has-statement
        statements:
          - Effect: Deny
            Action: 'SNS:Publish'
            Principal: '*'
            Condition:
              Bool:
                "aws:SecureTransport": "false"
properties:
  statement_ids:
    items:
      type: string
    type: array
  statements:
    items:
      properties:
        Action:
          anyOf:
            - type: string
            - type: array
        Condition:
          type: object
        Effect:
          enum:
            - Allow
            - Deny
          type: string
        NotAction:
          anyOf:
            - type: string
            - type: array
        NotPrincipal:
          anyOf:
            - type: object
            - type: array
        NotResource:
          anyOf:
            - type: string
            - type: array
        Principal:
          anyOf:
            - type: string
            - type: object
            - type: array
        Resource:
          anyOf:
            - type: string
            - type: array
        Sid:
          type: string
      required:
        - Effect
      type: object
    type: array
  type:
    enum:
      - has-statement
required:
  - type
Permissions - dynamodb:GetResourcePolicy
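Added example (not Custodian's implementation) of the statement matching the two has-statement policies above rely on, run against a constructed SNS-style resource policy. Assumptions: every field named in a statement spec must be present and equal in a policy statement, all listed Sids and specs must be found, and Action/Resource values compare as case-insensitive sets; the account id is the AWS documentation placeholder.

```python
import json

# Constructed SNS-style resource policy (not a real topic's policy).
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "BlockNonSSL", "Effect": "Deny", "Principal": "*", "Action": "SNS:Publish",
   "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
  {"Sid": "OwnerPublish", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
   "Action": ["SNS:Publish", "SNS:Subscribe"],
   "Resource": "arn:aws:sns:us-east-1:111122223333:example-topic"}
]}""")

# The statement spec from the second example policy on this page.
BLOCK_NON_SSL = {"Effect": "Deny", "Action": "SNS:Publish", "Principal": "*",
                 "Condition": {"Bool": {"aws:SecureTransport": "false"}}}

LIST_FIELDS = ("Action", "NotAction", "Resource", "NotResource")

def _as_set(value):
    """Normalise a scalar-or-list policy field to a case-insensitive set (assumption)."""
    values = value if isinstance(value, list) else [value]
    return {str(v).lower() for v in values}

def statement_matches(spec, stmt):
    """Every field named in the spec must be present in the statement and equal to it."""
    for field, want in spec.items():
        if field not in stmt:
            return False
        have = stmt[field]
        if field in LIST_FIELDS:
            if _as_set(want) != _as_set(have):
                return False
        elif field == "Principal" and want == "*" and have == {"AWS": "*"}:
            continue  # "*" and {"AWS": "*"} both mean anyone
        elif want != have:
            return False
    return True

def has_statement(policy, statement_ids=(), statements=()):
    """Filter semantics assumed here: all listed Sids and all statement specs must be found."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    sids_ok = all(any(s.get("Sid") == sid for s in stmts) for sid in statement_ids)
    specs_ok = all(any(statement_matches(spec, s) for s in stmts) for spec in statements)
    return sids_ok and specs_ok

if __name__ == "__main__":
    print(has_statement(POLICY, statement_ids=["BlockNonSSL"]))  # True
    print(has_statement(POLICY, statements=[BLOCK_NON_SSL]))     # True
```

Matching on the statement body rather than only the Sid is the more robust check: a statement can keep the Sid BlockNonSSL while its Condition is changed to something that no longer denies plaintext transport.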
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Utilizes AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
kms-key
Filter a resource by its associated KMS key and, optionally, by the alias name of the KMS key using ‘c7n:AliasName’.
- example:
Match a specific key alias:
policies:
  - name: dms-encrypt-key-check
    resource: dms-instance
    filters:
      - type: kms-key
        key: "c7n:AliasName"
        value: alias/aws/dms
Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS-managed and CUSTOMER-managed keys. The above policy can also be written as:
policies:
  - name: dms-aws-managed-key
    resource: dms-instance
    filters:
      - type: kms-key
        key: KeyManager
        value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  operator:
    enum:
      - and
      - or
  type:
    enum:
      - kms-key
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - kms:ListKeys, tag:GetResources, kms:ListResourceTags, kms:DescribeKey
Actions
backup
Creates a manual backup of a DynamoDB table. Use of the optional prefix flag attaches a user-specified prefix; otherwise the backup prefix defaults to ‘Backup’.
- example:
policies:
  - name: dynamodb-create-backup
    resource: dynamodb-table
    actions:
      - type: backup
        prefix: custom
properties:
  prefix:
    type: string
  type:
    enum:
      - backup
required:
  - type
Permissions - dynamodb:CreateBackup
delete
Delete DynamoDB tables.
- example:
policies:
  - name: delete-empty-tables
    resource: dynamodb-table
    filters:
      - TableSizeBytes: 0
    actions:
      - delete
properties:
  force:
    default: false
    type: boolean
  type:
    enum:
      - delete
required:
  - type
Permissions - dynamodb:UpdateTable, dynamodb:DeleteTable
rename-tag
Rename an existing tag key to a new key name.
- example:
Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, because old_keys are applied in order.
policies:
  - name: rename-tags-example
    resource: aws.log-group
    filters:
      - or:
          - "tag:Bap": present
          - "tag:Application": present
    actions:
      - type: rename-tag
        old_keys: [Application, Bap]
        new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
      - rename-tag
required:
  - type
Permissions - tag:TagResources, tag:UntagResources
set-continuous-backup
Set continuous backups and point-in-time recovery (PITR) on a DynamoDB table.
- example:
policies:
  - name: dynamodb-continuous-backups-disabled-set
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: ContinuousBackupsStatus
        op: eq
        value: DISABLED
    actions:
      - type: set-continuous-backup
properties:
  state:
    default: true
    type: boolean
  type:
    enum:
      - set-continuous-backup
required:
  - type
Permissions - dynamodb:UpdateContinuousBackups
set-stream
Enable or disable DynamoDB Streams on a table.
- example:
policies:
  - name: stream-update
    resource: dynamodb-table
    filters:
      - TableName: 'test'
      - TableStatus: 'ACTIVE'
    actions:
      - type: set-stream
        state: True
        stream_view_type: 'NEW_IMAGE'
properties:
  state:
    type: boolean
  stream_view_type:
    type: string
  type:
    enum:
      - set-stream
required:
  - type
Permissions - dynamodb:UpdateTable
update
Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.
- example:
policies:
  - name: dynamodb-change-billing-mode
    resource: aws.dynamodb-table
    actions:
      - type: update
        BillingMode: PAY_PER_REQUEST
properties:
  BillingMode:
    enum:
      - PROVISIONED
      - PAY_PER_REQUEST
  DeletionProtectionEnabled:
    enum:
      - true
      - false
  ProvisionedThroughput:
    properties:
      ReadCapacityUnits:
        type: integer
      WriteCapacityUnits:
        type: integer
    type: object
  type:
    enum:
      - update
required:
  - type
Permissions - dynamodb:UpdateTable