aws.ebs-snapshot
Filters
age
EBS Snapshot Age Filter
Filters an EBS snapshot based on the age of the snapshot (in days).
- example:
policies:
  - name: ebs-snapshots-week-old
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: ge
properties:
  days:
    type: number
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - age
required:
- type
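The age filter compares the snapshot's StartTime against a day count using the numeric operators from the enum above. The following is an added illustration, not Cloud Custodian's own implementation: it evaluates that comparison over a few constructed snapshot records with an injectable "now" so the result is reproducible. The record shape (SnapshotId, StartTime) follows the DescribeSnapshots response; everything else (function names, sample ids, dates) is made up for the example.

```python
import operator
from datetime import datetime, timezone

# Comparison operators the age filter's "op" accepts (the numeric subset of the
# enum above; aliases map to the same function).
AGE_OPS = {
    "eq": operator.eq, "equal": operator.eq,
    "ne": operator.ne, "not-equal": operator.ne,
    "gt": operator.gt, "greater-than": operator.gt,
    "ge": operator.ge, "gte": operator.ge,
    "le": operator.le, "lte": operator.le,
    "lt": operator.lt, "less-than": operator.lt,
}


def snapshot_age_days(snapshot, now):
    """Age of one snapshot in days, measured from its StartTime.

    boto3 returns StartTime as a timezone-aware datetime; a JSON dump of the
    same response carries it as an ISO 8601 string, so both forms are accepted.
    """
    start = snapshot["StartTime"]
    if isinstance(start, str):
        start = datetime.fromisoformat(start.replace("Z", "+00:00"))
    return (now - start).total_seconds() / 86400


def age_filter(snapshots, days, op="ge", now=None):
    """Keep the snapshots whose age satisfies `age <op> days`.

    Mirrors the policy fragment `{type: age, days: 7, op: ge}`; `now` is
    injectable so a test can pin the clock.
    """
    if op not in AGE_OPS:
        raise ValueError(f"unsupported op for age filter: {op!r}")
    now = now or datetime.now(timezone.utc)
    compare = AGE_OPS[op]
    return [s for s in snapshots if compare(snapshot_age_days(s, now), days)]


# Constructed sample data (not real snapshots): evaluated against the fixed
# "now" below, the three snapshots are 2, 7 and 61 days old.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "StartTime": "2024-05-30T00:00:00Z"},
    {"SnapshotId": "snap-0bbb", "StartTime": "2024-05-25T00:00:00Z"},
    {"SnapshotId": "snap-0ccc", "StartTime": "2024-04-01T00:00:00Z"},
]

if __name__ == "__main__":
    # Same selection as the ebs-snapshots-week-old policy: age >= 7 days.
    for s in age_filter(SNAPSHOTS, 7, "ge", NOW):
        print(s["SnapshotId"], f"{snapshot_age_days(s, NOW):.0f} days old")
```

Note that `ge` with `days: 7` keeps a snapshot that is exactly seven days old, which is the boundary a deletion policy usually cares about; `gt` would exclude it.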
cross-account
Check a resource's embedded IAM policy for cross-account access.
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  type:
    enum:
    - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
required:
- type
Permissions - ec2:DescribeSnapshotAttribute
skip-ami-snapshots
Filter to remove snapshots of AMIs from results.
This filter is 'true' by default.
- example:
implicit with no parameters, 'true' by default
policies:
  - name: delete-ebs-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - skip-ami-snapshots
- example:
explicit with parameter
policies:
  - name: delete-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
      - type: skip-ami-snapshots
        value: false
properties:
  type:
    enum:
    - skip-ami-snapshots
  value:
    type: boolean
required:
- type
Permissions - ec2:DescribeImages
unused
Filters snapshots based on usage.
true: snapshot is not used by a launch template, launch configuration, or AMI.
false: snapshot is being used by a launch template, launch configuration, or AMI.
- example:
policies:
  - name: snapshot-unused
    resource: ebs-snapshot
    filters:
      - type: unused
        value: true
properties:
  type:
    enum:
    - unused
  value:
    type: boolean
required:
- type
Permissions - autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeTags, autoscaling:DescribeLaunchConfigurations, ec2:DescribeImages
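Both skip-ami-snapshots and unused come down to one question: which snapshot ids appear in the BlockDeviceMappings of some other resource? The following added example (not Cloud Custodian's code) builds that reference set from constructed DescribeImages, DescribeLaunchTemplateVersions and DescribeLaunchConfigurations shaped records and applies both filters to it. The response key paths follow the AWS APIs named; the function names and all ids are made up for the example.

```python
def _snapshot_ids_in_mappings(block_device_mappings):
    """Collect EBS snapshot ids from a BlockDeviceMappings list.

    Ephemeral (VirtualName) mappings and EBS mappings without a SnapshotId
    are skipped, so a missing key never raises.
    """
    ids = set()
    for mapping in block_device_mappings or []:
        ebs = mapping.get("Ebs") or {}
        if ebs.get("SnapshotId"):
            ids.add(ebs["SnapshotId"])
    return ids


def ami_snapshot_ids(images):
    """Snapshot ids backing AMIs (DescribeImages: Images[].BlockDeviceMappings)."""
    ids = set()
    for image in images:
        ids |= _snapshot_ids_in_mappings(image.get("BlockDeviceMappings"))
    return ids


def launch_template_snapshot_ids(template_versions):
    """Snapshot ids in launch template versions
    (DescribeLaunchTemplateVersions: LaunchTemplateData.BlockDeviceMappings)."""
    ids = set()
    for version in template_versions:
        data = version.get("LaunchTemplateData") or {}
        ids |= _snapshot_ids_in_mappings(data.get("BlockDeviceMappings"))
    return ids


def launch_config_snapshot_ids(launch_configs):
    """Snapshot ids in launch configurations
    (DescribeLaunchConfigurations: LaunchConfigurations[].BlockDeviceMappings)."""
    ids = set()
    for config in launch_configs:
        ids |= _snapshot_ids_in_mappings(config.get("BlockDeviceMappings"))
    return ids


def skip_ami_snapshots(snapshots, images, value=True):
    """skip-ami-snapshots: drop snapshots that back an AMI; a no-op when value is false."""
    if not value:
        return list(snapshots)
    referenced = ami_snapshot_ids(images)
    return [s for s in snapshots if s["SnapshotId"] not in referenced]


def unused_filter(snapshots, images, template_versions, launch_configs, value=True):
    """unused: value=True keeps snapshots that no AMI, launch template or launch
    configuration references; value=False keeps the referenced ones."""
    referenced = (ami_snapshot_ids(images)
                  | launch_template_snapshot_ids(template_versions)
                  | launch_config_snapshot_ids(launch_configs))
    return [s for s in snapshots if (s["SnapshotId"] not in referenced) == value]


# Constructed sample data: one snapshot referenced from each resource kind and
# one that nothing references.
SNAPSHOTS = [{"SnapshotId": i} for i in ("snap-ami", "snap-lt", "snap-lc", "snap-orphan")]
IMAGES = [{
    "ImageId": "ami-0example",
    "BlockDeviceMappings": [
        {"DeviceName": "/dev/xvda", "Ebs": {"SnapshotId": "snap-ami", "VolumeSize": 8}},
        {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"},  # no Ebs key
    ],
}]
TEMPLATE_VERSIONS = [{
    "LaunchTemplateId": "lt-0example",
    "VersionNumber": 1,
    "LaunchTemplateData": {"BlockDeviceMappings": [
        {"DeviceName": "/dev/xvdb", "Ebs": {"SnapshotId": "snap-lt"}},
    ]},
}]
LAUNCH_CONFIGS = [{
    "LaunchConfigurationName": "lc-example",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvdc", "Ebs": {"SnapshotId": "snap-lc"}}],
}]

if __name__ == "__main__":
    print("skip-ami-snapshots:", [s["SnapshotId"] for s in skip_ami_snapshots(SNAPSHOTS, IMAGES)])
    print("unused:", [s["SnapshotId"] for s in
                      unused_filter(SNAPSHOTS, IMAGES, TEMPLATE_VERSIONS, LAUNCH_CONFIGS)])
```

The difference between the two filters is visible in the output: skip-ami-snapshots only protects snap-ami, while unused also protects snap-lt and snap-lc, which is why a deletion policy that only uses skip-ami-snapshots can still remove a snapshot a launch template depends on.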
volume
Filter EBS snapshots by their volume attributes.
policies:
  - name: snapshot-with-no-volume
    description: Find any snapshots that do not have a corresponding volume.
    resource: aws.ebs-snapshot
    filters:
      - type: volume
        key: VolumeId
        value: absent
  - name: find-snapshots-from-volume
    resource: aws.ebs-snapshot
    filters:
      - type: volume
        key: VolumeId
        value: vol-foobarbaz
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - volume
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type
Permissions - ec2:DescribeVolumes
Actions
copy
Copy a snapshot across regions.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html
- example:
policies:
  - name: copy-snapshot-east-west
    resource: ebs-snapshot
    filters:
      - type: age
        days: 7
        op: le
    actions:
      - type: copy
        target_region: us-west-2
        target_key: target_kms_key
        encrypted: true
properties:
  encrypted:
    type: boolean
  target_key:
    type: string
  target_region:
    type: string
  type:
    enum:
    - copy
required:
- type
Permissions - ec2:CreateTags, ec2:CopySnapshot, ec2:DescribeSnapshots
delete
Deletes EBS snapshots.
- example:
policies:
  - name: delete-stale-snapshots
    resource: ebs-snapshot
    filters:
      - type: age
        days: 28
        op: ge
    actions:
      - delete
properties:
  skip-ami-snapshots:
    type: boolean
  type:
    enum:
    - delete
required:
- type
Permissions - ec2:DeleteSnapshot
set-permissions
Action to set permissions for creating volumes from a snapshot.
Use the 'add' and 'remove' parameters to control which accounts to add or remove respectively. The default is to remove any create volume permissions granted to other AWS accounts.
Combining this action with the 'cross-account' filter allows you greater control over which accounts will be removed, e.g. using a whitelist:
- example:
policies:
  - name: ebs-dont-share-cross-account
    resource: ebs-snapshot
    filters:
      - type: cross-account
        whitelist:
          - '112233445566'
    actions:
      - type: set-permissions
        remove: matched
properties:
  add:
    items:
      maxLength: 12
      minLength: 12
      type: string
    type: array
  remove:
    oneOf:
    - enum:
      - matched
    - items:
        maxLength: 12
        minLength: 12
        type: string
      type: array
  type:
    enum:
    - set-permissions
required:
- type
Permissions - ec2:ModifySnapshotAttribute
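The cross-account filter and the set-permissions action are two halves of one remediation: the filter reads the snapshot's createVolumePermission grants (DescribeSnapshotAttribute) and flags the ones outside the whitelist, and `remove: matched` then hands exactly those grants to ModifySnapshotAttribute. The following added example (not Cloud Custodian's implementation, and a simplification of its cross-account logic: `whitelist_orgids`, `whitelist_vpc` and the `_from` sources are omitted) runs that pipeline over a constructed grant list and builds the request that would be sent, without calling AWS. The own-account id and the function names are made up; the whitelist value is the one from the policy above.

```python
def _check_account_id(account_id):
    """The schema restricts add/remove entries to 12-character strings; an AWS
    account id is 12 digits, so reject anything else before it reaches the API."""
    if not (isinstance(account_id, str) and len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return account_id


def cross_account_grants(attribute, own_account, whitelist=(), everyone_only=False):
    """Return the createVolumePermission grants the cross-account filter would flag.

    `attribute` is shaped like a DescribeSnapshotAttribute response. A grant is
    flagged when it is public (Group: all) or names an account that is neither
    our own nor whitelisted. With everyone_only only the public grant counts.
    """
    matched = []
    for grant in attribute.get("CreateVolumePermissions", []):
        if grant.get("Group") == "all":
            matched.append(grant)
        elif everyone_only:
            continue
        elif ("UserId" in grant
              and grant["UserId"] != own_account
              and grant["UserId"] not in whitelist):
            matched.append(grant)
    return matched


def set_permissions_request(snapshot_id, all_grants, matched=(), add=(), remove=None):
    """Build ModifySnapshotAttribute parameters for the set-permissions action.

    remove=None       -> the documented default: drop every existing grant
    remove="matched"  -> drop exactly the grants the cross-account filter flagged
    remove=[ids]      -> drop the listed account ids
    Returns the kwargs for boto3 ec2.modify_snapshot_attribute; nothing is called.
    """
    change = {}
    if add:
        change["Add"] = [{"UserId": _check_account_id(a)} for a in add]
    if remove is None:
        to_remove = list(all_grants)
    elif remove == "matched":
        to_remove = list(matched)
    else:
        to_remove = [{"UserId": _check_account_id(a)} for a in remove]
    if to_remove:
        change["Remove"] = to_remove
    return {
        "SnapshotId": snapshot_id,
        "Attribute": "createVolumePermission",
        "CreateVolumePermission": change,
    }


# Constructed sample data: one whitelisted account, one foreign account and a
# public grant. OWN_ACCOUNT is a placeholder id, not a real account.
OWN_ACCOUNT = "123456789012"
WHITELIST = ["112233445566"]
ATTRIBUTE = {
    "SnapshotId": "snap-0example",
    "CreateVolumePermissions": [
        {"UserId": "112233445566"},
        {"UserId": "998877665544"},
        {"Group": "all"},
    ],
}

if __name__ == "__main__":
    matched = cross_account_grants(ATTRIBUTE, OWN_ACCOUNT, WHITELIST)
    print("flagged:", matched)
    print("request:", set_permissions_request(
        ATTRIBUTE["SnapshotId"], ATTRIBUTE["CreateVolumePermissions"],
        matched=matched, remove="matched"))
```

With `remove: matched` the whitelisted account keeps its grant and only the foreign account and the public grant are revoked; with no `remove` at all, every grant including the whitelisted one is removed, which is the behaviour the text above describes as the default.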