aws.ebs-snapshot

Filters

age

EBS Snapshot Age Filter

Filters an EBS snapshot based on the age of the snapshot (in days)

example

policies:
  - name: ebs-snapshots-week-old
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: ge

properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - age
required:
- type

cross-account

Check a resource’s embedded IAM policy for cross-account access.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from: &id001
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from: *id001
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from: *id001
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from: *id001
required:
- type
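
The cross-account filter has no example on this page; the policies below are an added illustration, not taken from the Cloud Custodian documentation. The account IDs, the S3 URL and the JSON layout addressed by expr are constructed placeholders, and reading whitelist entries as trusted AWS account IDs is an assumption.

```yaml
# Added example; all account IDs and URLs are constructed placeholders.
policies:
  # Report snapshots shared with everyone (public).
  # With everyone_only set, sharing with specific accounts is not reported.
  - name: ebs-snapshot-public
    resource: ebs-snapshot
    filters:
      - type: cross-account
        everyone_only: true

  # Report snapshots shared with any account outside a static allow-list.
  # Quote the IDs: the schema requires strings, and an unquoted
  # 12-digit value would be parsed by YAML as a number.
  - name: ebs-snapshot-shared-outside-allowlist
    resource: ebs-snapshot
    filters:
      - type: cross-account
        whitelist:
          - "111111111111"   # constructed: trusted backup account
          - "222222222222"   # constructed: trusted DR account

  # Same check, with the allow-list loaded from a file instead of
  # being hard-coded in the policy (whitelist_from: url, format, expr).
  # Assumed file layout: {"accounts": [{"id": "111111111111"}, ...]}
  - name: ebs-snapshot-shared-outside-managed-allowlist
    resource: ebs-snapshot
    filters:
      - type: cross-account
        whitelist_from:
          url: s3://example-bucket/trusted-accounts.json   # hypothetical location
          format: json
          expr: "accounts[].id"   # selects the ID strings from the assumed layout
```

None of these policies has an actions block, so a run only reports the matching snapshots.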

skip-ami-snapshots

Filter to remove snapshots of AMIs from results

This filter is ‘true’ by default.

example

implicit with no parameters, ‘true’ by default

policies:
  - name: delete-ebs-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - skip-ami-snapshots

example

explicit with parameter

policies:
  - name: delete-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - type: skip-ami-snapshots
        value: false

properties:
  type:
    enum:
    - skip-ami-snapshots
  value:
    type: boolean
required:
- type

unused

Filters snapshots based on usage

true: snapshot is not used by launch-template, launch-config, or ami.

false: snapshot is being used by launch-template, launch-config, or ami.

example

policies:
  - name: snapshot-unused
    resource: ebs-snapshot
    filters:
      - type: unused
        value: true

properties:
  type:
    enum:
    - unused
  value:
    type: boolean
required:
- type

Actions

copy

Copy a snapshot across regions

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html

example

policies:
  - name: copy-snapshot-east-west
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: le
    actions:
      - type: copy
        target_region: us-west-2
        target_key: target_kms_key
        encrypted: true

properties:
  encrypted:
    type: boolean
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
    - copy
required:
- type

delete

Deletes EBS snapshots

example

policies:
  - name: delete-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete

properties:
  skip-ami-snapshots:
    type: boolean
  type:
    enum:
    - delete
required:
- type