aws.ebs-snapshot

Filters

age

EBS Snapshot Age Filter

Filters EBS snapshots by age in days, measured from the snapshot’s StartTime to the time the policy runs. ‘op’ compares that age against ‘days’: ‘days: 7’ with ‘op: ge’ matches snapshots seven or more days old, while ‘op: le’ would match snapshots created within the last seven days.

example:

policies:
  - name: ebs-snapshots-week-old
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: ge
properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - age
required:
- type

cross-account

Check a resource’s embedded IAM policy for cross-account access. An EBS snapshot has no policy document, so for this resource the filter inspects the snapshot’s createVolumePermission attribute (hence the ec2:DescribeSnapshotAttribute permission listed below). Each entry is either a UserId, an AWS account allowed to create volumes from the snapshot, or ‘Group: all’, which means the snapshot is public. Accounts listed in ‘whitelist’ (or loaded through ‘whitelist_from’) are ignored, as is the account that owns the snapshot; every other grant is reported as a violation and annotated on the resource so that the set-permissions action’s ‘remove: matched’ can revoke exactly those grants. The condition-based options (whitelist_conditions, whitelist_orgids, whitelist_vpc, whitelist_vpce) belong to the shared cross-account schema; a createVolumePermission entry carries no policy conditions to match them against.

properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
required:
- type

Permissions - ec2:DescribeSnapshotAttribute

skip-ami-snapshots

Excludes snapshots that back a registered AMI from the results.

This filter is ‘true’ by default: listing it with no parameters is enough to skip AMI snapshots, and ‘value: false’ keeps them in the result set. A snapshot that is in use by a registered AMI cannot be deleted (the API rejects the call as in use), so deletion policies normally leave this filter enabled.

example:

implicit with no parameters, ‘true’ by default

policies:
  - name: delete-ebs-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - skip-ami-snapshots
example:

explicit with parameter

policies:
  - name: delete-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - type: skip-ami-snapshots
        value: false
properties:
  type:
    enum:
    - skip-ami-snapshots
  value:
    type: boolean
required:
- type

Permissions - ec2:DescribeImages

unused

Filters snapshots on whether anything still references them. A snapshot counts as used when an AMI block device mapping, a launch template, or a launch configuration refers to its SnapshotId.

true: the snapshot is not referenced by any launch template, launch configuration, or AMI.

false: the snapshot is referenced by at least one launch template, launch configuration, or AMI.

example:

policies:
  - name: snapshot-unused
    resource: ebs-snapshot
    filters:
      - type: unused
        value: true
properties:
  type:
    enum:
    - unused
  value:
    type: boolean
required:
- type

Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeLaunchConfigurations, ec2:DescribeImages
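The usage check described above, as an added example that is not part of Cloud Custodian or of this page: it walks constructed describe_images, describe_launch_template_versions and describe_launch_configurations responses, records which resource references each SnapshotId, and returns the snapshots the filter would keep for ‘value: true’ or ‘value: false’. The sample data, resource IDs and helper names are assumptions, and so is the choice to consult every launch template version passed in.

```python
# Added example (not Cloud Custodian's own code): reproduce the decision the
# 'unused' filter describes by cross-referencing snapshot IDs against the three
# places that can reference a snapshot: AMI block device mappings, launch
# template versions, and launch configurations. Every API response below is a
# constructed stand-in shaped like the corresponding boto3 output.
from __future__ import annotations

# Constructed sample: ec2 describe_images()['Images']
IMAGES = [
    {"ImageId": "ami-0a1b2c3d", "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-0001"}},
        {"DeviceName": "/dev/xvdb", "VirtualName": "ephemeral0"},  # instance store, no Ebs
    ]},
]
# Constructed sample: ec2 describe_launch_template_versions()['LaunchTemplateVersions']
LAUNCH_TEMPLATE_VERSIONS = [
    {"LaunchTemplateId": "lt-0001", "VersionNumber": 3, "LaunchTemplateData": {
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/sda1", "Ebs": {"SnapshotId": "snap-0002"}}]}},
    {"LaunchTemplateId": "lt-0002", "VersionNumber": 1, "LaunchTemplateData": {}},
]
# Constructed sample: autoscaling describe_launch_configurations()['LaunchConfigurations']
LAUNCH_CONFIGURATIONS = [
    {"LaunchConfigurationName": "lc-web", "BlockDeviceMappings": [
        {"DeviceName": "/dev/sdf", "Ebs": {"SnapshotId": "snap-0003"}}]},
]
# Constructed sample: ec2 describe_snapshots()['Snapshots'], owner-filtered
SNAPSHOTS = [{"SnapshotId": f"snap-000{i}"} for i in range(1, 5)]


def _snapshot_ids(mappings):
    """SnapshotIds named in a BlockDeviceMappings list; entries without an
    Ebs block (instance-store volumes) or without a SnapshotId are skipped."""
    return {m["Ebs"]["SnapshotId"] for m in mappings
            if "SnapshotId" in m.get("Ebs", {})}


def referenced_snapshot_ids(images, template_versions, launch_configs):
    """Map SnapshotId -> sorted list of referrers across all three sources.
    Checking every launch template version passed in is an assumption of
    this example, not a statement about the real filter."""
    refs: dict[str, set[str]] = {}

    def note(snap_id, referrer):
        refs.setdefault(snap_id, set()).add(referrer)

    for img in images:
        for sid in _snapshot_ids(img.get("BlockDeviceMappings", [])):
            note(sid, img["ImageId"])
    for ver in template_versions:
        data = ver.get("LaunchTemplateData", {})
        for sid in _snapshot_ids(data.get("BlockDeviceMappings", [])):
            note(sid, f'{ver["LaunchTemplateId"]}:{ver["VersionNumber"]}')
    for lc in launch_configs:
        for sid in _snapshot_ids(lc.get("BlockDeviceMappings", [])):
            note(sid, lc["LaunchConfigurationName"])
    return {sid: sorted(r) for sid, r in refs.items()}


def filter_unused(snapshots, refs, value=True):
    """Return the SnapshotIds the filter would keep: unreferenced ones for
    value=True (the policy example above), referenced ones for value=False."""
    return [s["SnapshotId"] for s in snapshots
            if (s["SnapshotId"] not in refs) == value]


if __name__ == "__main__":
    refs = referenced_snapshot_ids(IMAGES, LAUNCH_TEMPLATE_VERSIONS, LAUNCH_CONFIGURATIONS)
    for sid in filter_unused(SNAPSHOTS, refs):
        print(sid, "is unreferenced and a candidate for cleanup")
    for sid in filter_unused(SNAPSHOTS, refs, value=False):
        print(sid, "is referenced by", ", ".join(refs[sid]))
```

Keeping the referrer list per snapshot (rather than a bare set of used IDs) is what makes the ‘value: false’ side useful in practice: a report of which AMI or template pins a snapshot is what an owner needs before the snapshot can be retired.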

volume

Filter EBS snapshots by the attributes of their source volume. The filter looks up the volume named in each snapshot’s VolumeId and applies a value-filter expression to that volume; ‘value: absent’ therefore matches snapshots whose source volume has since been deleted. Snapshots created by CopySnapshot carry an arbitrary placeholder VolumeId (commonly vol-ffffffff) rather than a real volume, so they also show up as having no volume.

policies:
  - name: snapshot-with-no-volume
    description: Find any snapshots that do not have a corresponding volume.
    resource: aws.ebs-snapshot
    filters:
      - type: volume
        key: VolumeId
        value: absent
  - name: find-snapshots-from-volume
    resource: aws.ebs-snapshot
    filters:
      - type: volume
        key: VolumeId
        value: vol-foobarbaz
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - volume
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - ec2:DescribeVolumes

Actions

copy

Copy a snapshot to another region. ‘encrypted: true’ produces an encrypted copy even when the source snapshot is unencrypted; ‘target_key’ names the KMS key to encrypt the copy with and must exist in the target region. The example below copies snapshots created within the last seven days.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html

example:

policies:
  - name: copy-snapshot-east-west
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: le
    actions:
      - type: copy
        target_region: us-west-2
        target_key: target_kms_key
        encrypted: true
properties:
  encrypted:
    type: boolean
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
    - copy
required:
- type

Permissions - ec2:CreateTags, ec2:CopySnapshot, ec2:DescribeSnapshots

delete

Deletes EBS snapshots. Deletion is irreversible, and the API refuses to delete a snapshot that backs a registered AMI; set ‘skip-ami-snapshots: true’ on the action (or use the filter of the same name) to leave those snapshots out.

example:

policies:
  - name: delete-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete
properties:
  skip-ami-snapshots:
    type: boolean
  type:
    enum:
    - delete
required:
- type

Permissions - ec2:DeleteSnapshot

set-permissions

Action to set the createVolumePermission attribute, which controls which AWS accounts may create volumes from a snapshot.

Use the ‘add’ and ‘remove’ parameters to list the 12-digit account IDs to grant or revoke. With neither parameter the action resets the attribute, removing every create-volume permission granted to other AWS accounts, including public (‘all’) sharing.

Combining this action with the ‘cross-account’ filter gives finer control: ‘remove: matched’ revokes exactly the grants that filter flagged (and a public ‘all’ grant if present), so whitelisted accounts keep their access. ‘remove: matched’ is only valid in a policy that also includes the ‘cross-account’ filter, since the matched set comes from it:

example:

policies:
  - name: ebs-dont-share-cross-account
    resource: ebs-snapshot
    filters:
      - type: cross-account
        whitelist:
        - '112233445566'
    actions:
      - type: set-permissions
        remove: matched
properties:
  add:
    items:
      maxLength: 12
      minLength: 12
      type: string
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        maxLength: 12
        minLength: 12
        type: string
      type: array
  type:
    enum:
    - set-permissions
required:
- type

Permissions - ec2:ModifySnapshotAttribute
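The cross-account filter and the set-permissions action, as one added Python example that is not code from Cloud Custodian or from this page: it classifies constructed createVolumePermission responses against a whitelist (the owning account is always allowed, a ‘Group: all’ entry is public) and then builds the ResetSnapshotAttribute or ModifySnapshotAttribute request that revoking the matched grants would take. Account IDs, snapshot IDs and function names are placeholders; the request shapes follow the EC2 API.

```python
# Added example, not Cloud Custodian's own code. It reproduces what the
# cross-account filter and the set-permissions action describe for EBS
# snapshots: classify each entry of the snapshot's createVolumePermission
# attribute against a whitelist, then build the EC2 request that would
# revoke the flagged grants. All API responses are constructed stand-ins;
# account IDs are placeholders.
from __future__ import annotations

OWNER_ACCOUNT = "111111111111"  # assumed: the account the policy runs in

# Constructed sample: ec2 describe_snapshot_attribute(
#     SnapshotId=..., Attribute='createVolumePermission') per snapshot.
# A {'Group': 'all'} entry means anyone can create a volume from the snapshot.
SNAPSHOT_ATTRS = {
    "snap-0aaa": {"CreateVolumePermissions": []},
    "snap-0bbb": {"CreateVolumePermissions": [{"UserId": "112233445566"}]},
    "snap-0ccc": {"CreateVolumePermissions": [{"UserId": "999999999999"},
                                              {"Group": "all"}]},
}


def validate_account_ids(ids):
    """Mirror the schema's 12-character constraint on 'add' entries."""
    bad = [i for i in ids if not (len(i) == 12 and i.isdigit())]
    if bad:
        raise ValueError(f"not 12-digit account ids: {bad}")
    return list(ids)


def shared_principals(attr):
    """Principals granted createVolumePermission: account IDs, or 'all'."""
    return {e.get("Group") or e.get("UserId")
            for e in attr.get("CreateVolumePermissions", [])}


def cross_account_violations(attr, whitelist, owner=OWNER_ACCOUNT):
    """Grants to anyone outside the whitelist and the owning account,
    sorted so the result is stable for reporting."""
    allowed = set(whitelist) | {owner}
    return sorted(shared_principals(attr) - allowed)


def audit(attrs, whitelist):
    """SnapshotId -> violations, for the snapshots the filter would match."""
    findings = {}
    for snap_id, attr in attrs.items():
        violations = cross_account_violations(attr, whitelist)
        if violations:
            findings[snap_id] = violations
    return findings


def permissions_request(snapshot_id, add=(), remove=()):
    """Build the EC2 calls set-permissions would make, as (operation, kwargs)
    tuples. With neither list the attribute is reset, dropping every external
    grant at once; otherwise 'all' becomes the public Group entry and account
    IDs become UserId entries."""
    if not add and not remove:
        return [("reset_snapshot_attribute",
                 {"SnapshotId": snapshot_id, "Attribute": "createVolumePermission"})]
    calls = []
    rm = [{"UserId": a} for a in remove if a != "all"]
    if "all" in remove:
        rm.append({"Group": "all"})
    if rm:
        calls.append(("modify_snapshot_attribute", {
            "SnapshotId": snapshot_id, "OperationType": "remove",
            "CreateVolumePermission": {"Remove": rm}}))
    if add:
        calls.append(("modify_snapshot_attribute", {
            "SnapshotId": snapshot_id, "OperationType": "add",
            "CreateVolumePermission": {
                "Add": [{"UserId": a} for a in validate_account_ids(add)]}}))
    return calls


if __name__ == "__main__":
    # The policy example above: whitelist one partner account, revoke the rest.
    for snap_id, matched in audit(SNAPSHOT_ATTRS, ["112233445566"]).items():
        for op, kwargs in permissions_request(snap_id, remove=matched):
            print(op, kwargs)
```

With the whitelist from the policy example, only snap-0ccc is flagged: its grant to 999999999999 and its public ‘all’ entry are revoked in a single remove call, while snap-0bbb keeps the whitelisted partner’s access. Running the same audit with an empty whitelist flags snap-0bbb as well, which is the difference between ‘remove: matched’ and a bare set-permissions reset.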