aws.dynamodb-table

Filters

consecutive-aws-backups

Returns resources where number of consective backups (based on the periodicity defined in the filter) is equal to/or greater than n units. This filter supports the resources that use AWS Backup service for backups.

example:

policies:
  - name: dynamodb-consecutive-aws-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-aws-backups
        count: 7
        period: days
        status: 'COMPLETED'
properties:
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - COMPLETED
    - PARTIAL
    - DELETING
    - EXPIRED
  type:
    enum:
    - consecutive-aws-backups
required:
- count
- period
- status
- type

Permissions - backup:ListRecoveryPointsByResource

consecutive-backups

Returns tables where number of consective daily backups is equal to/or greater than n days.

example:

policies:
  - name: dynamodb-daily-backup-count
    resource: dynamodb-table
    filters:
      - type: consecutive-backups
        count: 7
        period: days
        backuptype: SYSTEM
        status: AVAILABLE
properties:
  backuptype:
    enum:
    - SYSTEM
    - USER
    - AWS_BACKUP
    - ALL
  count:
    minimum: 1
    type: number
  period:
    enum:
    - hours
    - days
    - weeks
  status:
    enum:
    - AVAILABLE
    - CREATING
    - DELETED
  type:
    enum:
    - consecutive-backups
required:
- count
- period
- status
- backuptype
- type

Permissions - dynamodb:ListBackups, dynamodb:DescribeBackup, dynamodb:DescribeTable

continuous-backup

Check for continuous backups and point in time recovery (PITR) on a dynamodb table.

example:

policies:
  - name: dynamodb-continuous-backups-disabled
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: ContinuousBackupsStatus
        op: eq
        value: DISABLED
  - name: dynamodb-pitr-disabled
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: PointInTimeRecoveryDescription.PointInTimeRecoveryStatus
        op: ne
        value: ENABLED
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - continuous-backup
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - dynamodb:DescribeContinuousBackups

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

kms-key

Filter a resource by its associated kms key and optionally the aliasname of the kms key by using ‘c7n:AliasName’

example:

Match a specific key alias:

policies:
    - name: dms-encrypt-key-check
      resource: dms-instance
      filters:
        - type: kms-key
          key: "c7n:AliasName"
          value: alias/aws/dms

Or match against native key attributes such as KeyManager, which more explicitly distinguishes between AWS and CUSTOMER-managed keys. The above policy can also be written as:

policies:
    - name: dms-aws-managed-key
      resource: dms-instance
      filters:
        - type: kms-key
          key: KeyManager
          value: AWS
properties:
  default:
    type: object
  key:
    type: string
  match-resource:
    type: boolean
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  operator:
    enum:
    - and
    - or
  type:
    enum:
    - kms-key
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - kms:ListKeys, kms:DescribeKey

Actions

backup

Creates a manual backup of a DynamoDB table. Use of the optional

prefix flag will attach a user specified prefix. Otherwise, the backup prefix will default to ‘Backup’.

example:

policies:
  - name: dynamodb-create-backup
    resource: dynamodb-table
    actions:
      - type: backup
        prefix: custom
properties:
  prefix:
    type: string
  type:
    enum:
    - backup
required:
- type

Permissions - dynamodb:CreateBackup

delete

Action to delete dynamodb tables

example:

policies:
  - name: delete-empty-tables
    resource: dynamodb-table
    filters:
      - TableSizeBytes: 0
    actions:
      - delete
properties:
  force:
    default: false
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - dynamodb:UpdateTable, dynamodb:DeleteTable

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-continuous-backup

Set continuous backups and point in time recovery (PITR) on a dynamodb table.

example:

policies:
  - name: dynamodb-continuous-backups-disabled-set
    resource: aws.dynamodb-table
    filters:
      - type: continuous-backup
        key: ContinuousBackupsStatus
        op: eq
        value: DISABLED
    actions:
      - type: set-continuous-backup
properties:
  state:
    default: true
    type: boolean
  type:
    enum:
    - set-continuous-backup
required:
- type

Permissions - dynamodb:UpdateContinuousBackups

set-stream

Action to enable/disable streams on table.

example:

policies:
  - name: stream-update
    resource: dynamodb-table
    filters:
      - TableName: 'test'
      - TableStatus: 'ACTIVE'
    actions:
      - type: set-stream
        state: True
        stream_view_type: 'NEW_IMAGE'
properties:
  state:
    type: boolean
  stream_view_type:
    type: string
  type:
    enum:
    - set-stream
required:
- type

Permissions - dynamodb:UpdateTable

update

Modifies the provisioned throughput settings, global secondary indexes, or DynamoDB Streams settings for a given table.

example:

policies:
  - name: dynamodb-change-billing-mode
    resource: aws.dynamodb-table
    actions:
      - type: update
        BillingMode: PAY_PER_REQUEST
properties:
  BillingMode:
    enum:
    - PROVISIONED
    - PAY_PER_REQUEST
  DeletionProtectionEnabled:
    enum:
    - true
    - false
  ProvisionedThroughput:
    properties:
      ReadCapacityUnits:
        type: integer
      WriteCapacityUnits:
        type: integer
    type: object
  type:
    enum:
    - update
required:
- type

Permissions - dynamodb:UpdateTable