aws.ebs-snapshot¶
Filters¶
age¶
EBS Snapshot Age Filter
Filters an EBS snapshot based on the age of the snapshot (in days)
- example
policies:
- name: ebs-snapshots-week-old
resource: ebs-snapshot
filters:
- type: age
days: 7
op: ge
properties:
days:
type: number
op:
enum:
- eq
- equal
- ne
- not-equal
- gt
- greater-than
- ge
- gte
- le
- lte
- lt
- less-than
- glob
- regex
- regex-case
- in
- ni
- not-in
- contains
- difference
- intersect
type:
enum:
- age
required:
- type
cross-account¶
Check a resource’s embedded iam policy for cross account access.
properties:
actions:
items:
type: string
type: array
everyone_only:
type: boolean
type:
enum:
- cross-account
whitelist:
items:
type: string
type: array
whitelist_conditions:
items:
type: string
type: array
whitelist_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_orgids:
items:
type: string
type: array
whitelist_orgids_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpc:
items:
type: string
type: array
whitelist_vpc_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
whitelist_vpce:
items:
type: string
type: array
whitelist_vpce_from:
additionalProperties: 'False'
properties:
expr:
oneOf:
- type: integer
- type: string
format:
enum:
- csv
- json
- txt
- csv2dict
url:
type: string
required:
- url
type: object
required:
- type
Permissions - ec2:DescribeSnapshotAttribute
skip-ami-snapshots¶
Filter to remove snapshots of AMIs from results
This filter is ‘true’ by default.
- example
implicit with no parameters, ‘true’ by default
policies:
- name: delete-ebs-stale-snapshots
resource: ebs-snapshot
filters:
- type: age
days: 28
op: ge
- skip-ami-snapshots
- example
explicit with parameter
policies:
- name: delete-snapshots
resource: ebs-snapshot
filters:
- type: age
days: 28
op: ge
- type: skip-ami-snapshots
value: false
properties:
type:
enum:
- skip-ami-snapshots
value:
type: boolean
required:
- type
Permissions - ec2:DescribeImages
unused¶
Filters snapshots based on usage
true: snapshot is not used by launch-template, launch-config, or ami.
false: snapshot is being used by launch-template, launch-config, or ami.
- example
policies:
- name: snapshot-unused
resource: ebs-snapshot
filters:
- type: unused
value: true
properties:
type:
enum:
- unused
value:
type: boolean
required:
- type
Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeLaunchConfigurations, ec2:DescribeImages
Actions¶
copy¶
Copy a snapshot across regions
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html
- example
policies:
- name: copy-snapshot-east-west
resource: ebs-snapshot
filters:
- type: age
days: 7
op: le
actions:
- type: copy
target_region: us-west-2
target_key: target_kms_key
encrypted: true
properties:
encrypted:
type: boolean
target_key:
type: string
target_region:
type: string
type:
enum:
- copy
required:
- type
Permissions - ec2:CreateTags, ec2:CopySnapshot, ec2:DescribeSnapshots
delete¶
Deletes EBS snapshots
- example
policies:
- name: delete-stale-snapshots
resource: ebs-snapshot
filters:
- type: age
days: 28
op: ge
actions:
- delete
properties:
skip-ami-snapshots:
type: boolean
type:
enum:
- delete
required:
- type
Permissions - ec2:DeleteSnapshot